Sobig.F resurgence

Mike Kercher mike at CAMAROSS.NET
Fri Sep 5 04:55:56 IST 2003


Here's what a maillog entry looks like:

Sep  4 22:46:13 genesis sendmail[26183]: h853kBb26183:
ruleset=Check_subject, arg1=Re: Thank you!,
relay=adsl-65-69-4-238.dsl.hstntx.swbell.net [65.69.4.238], reject=550 5.0.0
Possible Sobig-F Virus - Please change subject

Mike


-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
Of Nathan Johanson
Sent: Thursday, September 04, 2003 10:39 PM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: Sobig.F resurgence


Actually, I remember seeing this but glossed over it for some reason. Do
you know if this will work specifically in only certain Sendmail versions...
We're a little outdated with Sendmail 8.11.6, but would love to utilize it.

Nathan

-----Original Message-----
From: Mike Kercher [mailto:mike at CAMAROSS.NET] 
Sent: Thursday, September 04, 2003 8:40 PM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: Sobig.F resurgence


In sendmail.mc, I added this:

<snip>
LOCAL_RULESETS

# Reject all mail with Sobig subjects.
HSubject:               $>Check_subject
D{Msobig1}That movie
D{Msobig2}Wicked screensaver
D{Msobig3}Your application
D{Msobig4}Approved
D{Msobig5}My details
D{Msobig6}Details
D{Msobig7}Thank you!
D{Msobig8}Returned mail: see transcript for details
D{Mmsg} Possible Sobig-F Virus - Please change subject

SCheck_subject
R${Msobig1} $*          $#error $: 550 ${Mmsg}
RRE: ${Msobig1} $*      $#error $: 550 ${Mmsg}
R${Msobig2} $*          $#error $: 550 ${Mmsg}
RRE: ${Msobig2} $*      $#error $: 550 ${Mmsg}
R${Msobig3} $*          $#error $: 550 ${Mmsg}
RRE: ${Msobig3} $*      $#error $: 550 ${Mmsg}
R${Msobig4} $*          $#error $: 550 ${Mmsg}
RRE: ${Msobig4} $*      $#error $: 550 ${Mmsg}
R${Msobig5} $*          $#error $: 550 ${Mmsg}
RRE: ${Msobig5} $*      $#error $: 550 ${Mmsg}
R${Msobig6} $*          $#error $: 550 ${Mmsg}
RRE: ${Msobig6} $*      $#error $: 550 ${Mmsg}
R${Msobig7} $*          $#error $: 550 ${Mmsg}
RRE: ${Msobig7} $*      $#error $: 550 ${Mmsg}
R${Msobig8} $*          $#error $: 550 ${Mmsg}
RRE: ${Msobig8} $*      $#error $: 550 ${Mmsg}
</snip>

This was suggested on the list several days back and has been working very
well. May I remind you that the white gaps in text above are tabs and not
simply spaces. Run your .mc through m4 and then restart MailScanner.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
Of Nathan Johanson
Sent: Thursday, September 04, 2003 10:25 PM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: Sobig.F resurgence


Mike,

Just curious... 
What Sendmail rule are you using to block them?
We've been rejecting the most offending IP addresses with the access
database, but as you might expect... It's a little like a moving target.

Nathan

-----Original Message-----
From: Mike Kercher [mailto:mike at CAMAROSS.NET] 
Sent: Thursday, September 04, 2003 8:19 PM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: Sobig.F resurgence


The flow here has been trickling but steady.  I am blocking LOTS of them
with a sendmail rule though, so they never even make it to MailScanner.

Mike


-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
Of David Hooton
Sent: Thursday, September 04, 2003 10:02 PM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Sobig.F resurgence


Hi All,

A little off topic, but we've started noticing about a 10 fold increase in
Sobig.F traffic over the last 48 hours.

Is anyone else noticing this?
--
Regards,

David Hooton
Senior Partner
Platform Hosting
1300 85 HOST
www.platformhosting.com
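
An added example, not part of the thread: a small Python tally of Check_subject rejections from a maillog, useful for seeing which blocked subjects and relay IPs account for the volume. The first log entry is the one quoted above, still wrapped as posted; the other lines, the IPs from documentation ranges, and the function names are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample maillog. Entry 1 is the one quoted in the thread (wrapped
# as posted); the rest are made up, using documentation IP ranges.
SAMPLE_LOG = """\
Sep  4 22:46:13 genesis sendmail[26183]: h853kBb26183:
ruleset=Check_subject, arg1=Re: Thank you!,
relay=adsl-65-69-4-238.dsl.hstntx.swbell.net [65.69.4.238], reject=550 5.0.0
Possible Sobig-F Virus - Please change subject
Sep  4 22:47:02 genesis sendmail[26190]: h853l1b26190: ruleset=Check_subject, arg1=Your application, relay=host1.example.net [192.0.2.10], reject=550 5.0.0 Possible Sobig-F Virus - Please change subject
Sep  4 22:47:40 genesis sendmail[26201]: h853ldb26201: from=<a@example.org>, size=1204, class=0, nrcpts=1, proto=ESMTP, relay=mx.example.org [198.51.100.7]
Sep  4 22:48:15 genesis sendmail[26207]: h853mFb26207: ruleset=Check_subject, arg1=Re: Details, relay=host1.example.net [192.0.2.10], reject=550 5.0.0 Possible Sobig-F Virus - Please change subject
"""

TS = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
# arg1 is sender-controlled text, so match it greedily: the relay= field used
# is the last one on the line, as in the entry shown in the thread.
REJECT = re.compile(
    r"ruleset=Check_subject, arg1=(?P<subject>.*), "
    r"relay=(?:(?P<host>\S+) )?\[(?P<ip>[^\]]+)\], reject=(?P<reject>.*)$")

def unfold(text):
    """Rejoin wrapped entries: a line without a syslog timestamp continues the previous one."""
    entries = []
    for line in text.splitlines():
        if TS.match(line) or not entries:
            entries.append(line.strip())
        else:
            entries[-1] += " " + line.strip()
    return entries

def subject_rejects(text):
    """Return one dict (subject, host, ip, reject) per Check_subject rejection."""
    return [m.groupdict() for m in map(REJECT.search, unfold(text)) if m]

def summarize(hits):
    """Count rejections per base subject (leading 'Re:' dropped) and per relay IP."""
    by_subject = Counter(re.sub(r"(?i)^re:\s*", "", h["subject"]) for h in hits)
    by_ip = Counter(h["ip"] for h in hits)
    return by_subject, by_ip

if __name__ == "__main__":
    subjects, ips = summarize(subject_rejects(SAMPLE_LOG))
    for name, counter in (("subject", subjects), ("relay IP", ips)):
        for key, n in counter.most_common():
            print(f"{n:5d}  {name}: {key}")
```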

