Sober

Rick Cooper rcooper at DWFORD.COM
Thu May 5 17:51:36 IST 2005


    [ The following text is in the "iso-8859-1" character set. ]
    [ Your display is set for the "US-ASCII" character set.  ]
    [ Some characters may be displayed incorrectly. ]

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> Behalf Of Ken A
> Sent: Thursday, May 05, 2005 11:18 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Sober
>
>
> Same here. About 2000 W32/Sober.p at MM!zip stopped yesterday.
>
> Also a rise in undeliverable bounces of sober from other scanners that
> impolitley bounce back virus notices to the forged From address
> here...ugh.
>
> Wasn't SPF supposed to help with this? I suppose the same folks who
> bounce virus email probably don't use spf either though.
>

Actually I have received about 1000 erroneous bounces from Ford Motor
Company and they even state in their bounce that the messages was received
from [IP] sender xxx at mydomain.com (apparently forged). APPARENTLY FORGED!
(our SPF would be fail -all) so they are aware that it didn't come from an
authorized host and the *still* bounce the things back!

State of Ohio has sent us more than Ford. Their mail admin responded to my
complaint by basically stating the problem isn't theirs, so it must be ours
regardless of the origin.

What a day!

Rick



> Ken
> Pacific.Net
>
>
> Stephen Swaney wrote:
> >>-----Original Message-----
> >>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> >>Behalf Of Greg Deputy
> >>Sent: Thursday, May 05, 2005 11:51 AM
> >>To: MAILSCANNER at JISCMAIL.AC.UK
> >>Subject: Re: Sober
> >>
> >>I've not been having trouble with sober getting through, but have
> >>noticed a HUGE jump in viruses attempting to get through in the last 4
> >>days or so, majority of them being the sober virus.
> >>
> >>Anyone else noticing a spike in viruses?
> >>
> >
> >
> > If going from and average of 200-300 viruses per day to average
> of almost
> > 2,000 per day is a spike, yes.
> >
> > Just read that Sober traffic was 4.5% of all internet traffic
> yesterday :(
> >
> > Steve
> >
> > Steve Swaney
> > President
> > Fortress Systems Ltd.
> > www.fsl.com
> > steve.swaney at fsl.com
> >
> >
> >>>-----Original Message-----
> >>>From: MailScanner mailing list
> >>>[mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Martin Hepworth
> >>>Sent: Thursday, May 05, 2005 8:44 AM
> >>>To: MAILSCANNER at JISCMAIL.AC.UK
> >>>Subject: Re: Sober
> >>>
> >>>
> >>>Only thing I've seem amongst the lists I'm on is that it
> >>>effects people who upgrade to 0.84.
> >>>
> >>>so.. make sure DatabaseDirectory is consistant in
> >>>freshclam.conf and clamd.cong..
> >>>
> >>>--
> >>>Martin Hepworth
> >>>Snr Systems Administrator
> >>>Solid State Logic
> >>>Tel: +44 (0)1865 842300
> >>>
> >>>
> >>>Jim Coates wrote:
> >>>
> >>>>I apparently am suffering from something with this virus as well.
> >>>>
> >>>>My MailScanner/ClamAV setup had been working wonderfully until just
> >>>>the last couple of days when all of the sudden the Sober virus has
> >>>>been managing to get its ZIP files past without any problem at all.
> >>>>
> >>>>I looked back through the messaged regarding Sober here on
> >>>
> >>>the group,
> >>>
> >>>>but didn't see anything definite about how to stop this from
> >>>>happening.
> >>>>
> >>>>Seems I've seen some people who have the problem and some who don't.
> >>>>
> >>>>Has anyone found a solution to getting this stopped?
> >>>>
> >>>>Thanks,
> >>>>Jim Coates
> >>>>
> >
> >
> > ------------------------ MailScanner list ------------------------
> > To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> > 'leave mailscanner' in the body of the email.
> > Before posting, read the Wiki (http://wiki.mailscanner.info/) and
> > the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
> >
> > Support MailScanner development - buy the book off the website!
> >
> >
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the Wiki (http://wiki.mailscanner.info/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!




More information about the MailScanner mailing list