Sobig.F resurgence

John Rudd jrudd at UCSC.EDU
Fri Sep 5 06:23:32 IST 2003


I was the original author, and I'm still using sendmail 8.10.something.
So I would expect it would work on 8.11.x.


On Thursday, Sep 4, 2003, at 20:38 US/Pacific, Nathan Johanson wrote:

>
> Actually, I remember seeing this but glossed over it for some reason.
> Do you know if this will work specifically in only certain Sendmail
> versions... We're a little outdated with Sendmail 8.11.6, but would love
> to utilize it.
>
> Nathan
>
> -----Original Message-----
> From: Mike Kercher [mailto:mike at CAMAROSS.NET]
> Sent: Thursday, September 04, 2003 8:40 PM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Sobig.F resurgence
>
>
> In sendmail.mc, I added this:
>
> <snip>
> LOCAL_RULESETS
>
> # Reject all mail with Sobig subjects.
> HSubject:               $>Check_subject
> D{Msobig1}That movie
> D{Msobig2}Wicked screensaver
> D{Msobig3}Your application
> D{Msobig4}Approved
> D{Msobig5}My details
> D{Msobig6}Details
> D{Msobig7}Thank you!
> D{Msobig8}Returned mail: see transcript for details
> D{Mmsg} Possible Sobig-F Virus - Please change subject
>
> SCheck_subject
> R${Msobig1} $*          $#error $: 550 ${Mmsg}
> RRE: ${Msobig1} $*      $#error $: 550 ${Mmsg}
> R${Msobig2} $*          $#error $: 550 ${Mmsg}
> RRE: ${Msobig2} $*      $#error $: 550 ${Mmsg}
> R${Msobig3} $*          $#error $: 550 ${Mmsg}
> RRE: ${Msobig3} $*      $#error $: 550 ${Mmsg}
> R${Msobig4} $*          $#error $: 550 ${Mmsg}
> RRE: ${Msobig4} $*      $#error $: 550 ${Mmsg}
> R${Msobig5} $*          $#error $: 550 ${Mmsg}
> RRE: ${Msobig5} $*      $#error $: 550 ${Mmsg}
> R${Msobig6} $*          $#error $: 550 ${Mmsg}
> RRE: ${Msobig6} $*      $#error $: 550 ${Mmsg}
> R${Msobig7} $*          $#error $: 550 ${Mmsg}
> RRE: ${Msobig7} $*      $#error $: 550 ${Mmsg}
> R${Msobig8} $*          $#error $: 550 ${Mmsg}
> RRE: ${Msobig8} $*      $#error $: 550 ${Mmsg}
> </snip>
>
> This was suggested on the list several days back and has been working very
> well.
> May I remind you that the white gaps in text above are tabs and not simply
> spaces.
> Run your .mc through m4 and then restart MailScanner.
>
> Mike
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Nathan Johanson
> Sent: Thursday, September 04, 2003 10:25 PM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Sobig.F resurgence
>
>
> Mike,
>
> Just curious...
> What Sendmail rule are you using to block them?
> We've been rejecting the most offending IP addresses with the access
> database, but as you might expect... It's a little like a moving target.
>
> Nathan
>
> -----Original Message-----
> From: Mike Kercher [mailto:mike at CAMAROSS.NET]
> Sent: Thursday, September 04, 2003 8:19 PM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Sobig.F resurgence
>
>
> The flow here has been trickling but steady.  I am blocking LOTS of them
> with a sendmail rule though, so they never even make it to MailScanner.
>
> Mike
>
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of David Hooton
> Sent: Thursday, September 04, 2003 10:02 PM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Sobig.F resurgence
>
>
> Hi All,
>
> A little off topic, but we've started noticing about a 10 fold increase in
> Sobig.F traffic over the last 48 hours.
>
> Is anyone else noticing this?
> --
> Regards,
>
> David Hooton
> Senior Partner
> Platform Hosting
> 1300 85 HOST
> www.platformhosting.com

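Added example, not part of the original posts: a simplified Python model of the quoted Check_subject ruleset, showing the tab requirement Mike mentions and that each rule matches on leading tokens because of the trailing `$*`. The tokenizer (whitespace plus sendmail's default OperatorChars, case-insensitive comparison) and the names `load_rules`, `expand` and `check_subject` are assumptions of this sketch; CONFIG is a constructed excerpt using four of the eight subjects.

```python
import re

# Constructed excerpt of the quoted ruleset; LHS and RHS are separated by real tabs.
CONFIG = (
    "D{Msobig1}That movie\n"
    "D{Msobig6}Details\n"
    "D{Msobig7}Thank you!\n"
    "D{Msobig8}Returned mail: see transcript for details\n"
    "D{Mmsg} Possible Sobig-F Virus - Please change subject\n"
    "SCheck_subject\n"
    + "".join(
        f"R{p}${{Msobig{n}}} $*\t\t$#error $: 550 ${{Mmsg}}\n"
        for n in (1, 6, 7, 8) for p in ("", "RE: ")
    )
)

# Assumption: tokens split on whitespace and sendmail's default OperatorChars.
TOKEN = re.compile(r"[.:%@!^/\[\]+]|[^\s.:%@!^/\[\]+]+")

def tokens(text):
    return [t.lower() for t in TOKEN.findall(text)]  # comparison ignores case

def expand(text, macros):
    return re.sub(r"\$\{(\w+)\}", lambda m: macros[m.group(1)], text)

def load_rules(config):
    """Return (macros, [(lhs_tokens, rhs)]) built from the D and R lines."""
    macros, rules = {}, []
    for line in config.splitlines():
        if m := re.match(r"D\{(\w+)\}(.*)", line):
            macros[m.group(1)] = m.group(2)
        elif line.startswith("R"):
            if "\t" not in line:  # spaces alone do not separate LHS from RHS
                raise ValueError(f"no tab between LHS and RHS: {line!r}")
            lhs, rhs = re.split(r"\t+", line[1:], maxsplit=1)
            rules.append((tokens(expand(lhs.replace("$*", ""), macros)),
                          " ".join(expand(rhs, macros).split())))
    return macros, rules

def check_subject(subject, rules):
    """Return the rejection text if a rule's tokens prefix the subject, else None."""
    subj = tokens(subject)
    for lhs, rhs in rules:
        if subj[: len(lhs)] == lhs:  # trailing $* accepts zero or more tokens
            return rhs.split("$: ", 1)[1]
    return None

RULES = load_rules(CONFIG)[1]
```

Under this model `check_subject("Details of Friday's maintenance window", RULES)` and a bounce with the subject "Returned mail: see transcript for details" are both rejected, so the subject list is worth checking against legitimate traffic before deploying it.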