-
December 17th, 2005, 07:42 PM
#1
Junior Member
Sober Issue
Hi there!
Well, I thought for my first post I would ask some of you more knowledgeable folk for some assistance.
Anyway, the Sober worm is pounding our mail servers insanely. Luckily 99.9% of the mail is being stopped, which is awesome! The issue resides with that last 0.1%.
One of our users has info@ourdomain.com as an alias, for various reasons. For some reason, he continually gets rejected and bounced emails, all relating to the Sober.X worm. Observe:
Code:
-----Original Message-----
From: Mail Error Handler [mailto:MAILER-DAEMON@ibuyhouses.com]
Sent: Saturday, December 17, 2005 3:13 AM
To: info
Subject: Undeliverable Mail Returned to Sender
*** This message was automatically generated by the MailMax Error Responder ***
Sorry, your message from <info@ourdomain.com> to <mike.ochsner@gmail.com> could not be delivered. The specific error is:
552 5.7.0 Illegal Attachment i38si6000307wxd
This is permanent error, and the message will not be retried any further.
=== The Original Message Follows ===
Received: from [151.199.126.160] by ibuyhouses.com [192.168.1.100] with SmartMax MailMax for lexi-outbound@ibuyhouses.com; Sat, 17 Dec 2005 04:12:19 -0500
Return-Path: <info@ourdomain.com>
X-SmartMax-AuthUser:
From: info@ourdomain.com
To: usbmis_news@ibuyhouses.com
Date: Sat, 17 Dec 2005 08:53:18 GMT
Subject: Registration Confirmation
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <684b28de1669c6bbe@ourdomain.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=b80bafc1c.3a3348f3b"
Content-Transfer-Encoding: 7bit
--=b80bafc1c.3a3348f3b
Account and Password Information are attached!
--=b80bafc1c.3a3348f3b
Content-Type: application/octet-stream; name=reg_pass.zip
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="reg_pass.zip"
=== End Original Message ===
*** This message was automatically generated by the MailMax Error Responder ***
Now, "reg_pass.zip" is a Sober payload, that much I know. But from what I have read about Sober, it will forge the sender's address. This is all well and good, but the forged address (if I am reading this correctly) is one of our legitimate addresses! I had set up some rules on the user's email client to automatically trash these messages, but it appears some are continually getting through. Apparently he got 30 of these just this morning. Anyway, I've done a full scan of every box on our network, and none of them are infected. I probably didn't need to do this, because if someone was infected, we'd be seeing tons of these messages on everyone's computer.
So I guess my question is, what can I do to stop this? I have no idea how this worm somewhere got one of our legitimate email addresses; it seems to me that the ibuyhouses.com guy has the info@ourdomain.com address stored in their client, and that he is infected? Am I right in assuming this? What the heck can I do?
-
December 17th, 2005, 08:33 PM
#2
There is not one whit of anything you can do about your legitimate address being forged in messages sent from infected machines. The problem is akin to a person in Malaysia telling people he knows you personally and that you vouch for his product...assuming you DO live in the USA as your profile suggests, and you've never been to Malaysia, met this person, or had any interaction with him.
You simply have no influence or control over that part of this problem.
As for the incoming bounce replies...do you have a bridgehead type server, scanning all incoming messages? Are they getting by that server? If so, you need to look at the configuration and block/drop rules on that server. If not...well, all I can suggest is you look into one.
Or you could look into a service provider to do it for you. Postini is a big player in this field. So is VeriSign. I'm sure there are many companies that would be happy to receive your email, and filter it before it hits your network...for a fee.
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
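One concrete drop rule that such a gateway can enforce, as an added example that is not code from this thread: tag the envelope sender (MAIL FROM) of every outbound message with a short, expiring HMAC, in the style of BATV "prvs" tags, and refuse any bounce addressed to the plain, untagged address. The bounce in the first post was delivered to plain info@ourdomain.com, which the site never used as a return path, so a tagging gateway would reject it at RCPT TO. The key, domain, tag lifetime, the exact bytes hashed, and the rule that only empty-MAIL-FROM messages count as bounces are this example's own assumptions.

```python
# Added example (not code from the thread): BATV-style "prvs" return-path
# tagging so that backscatter bounces to an untagged address are refused.
# Key, domain, lifetime and the hashed byte layout are assumptions here.
import hashlib
import hmac
import re
import time

SECRET_KEY = b"example-only-secret-key"   # constructed; load from config in practice
OUR_DOMAIN = "ourdomain.com"
TAG_LIFETIME_DAYS = 7                     # bounces to tags older than this are refused
KEY_ID = 0                                # single-digit key selector carried in the tag

# prvs=KDDDSSSSSS=local@domain : K key id, DDD expiry day (days since epoch, mod
# 1000), SSSSSS six hex digits of an HMAC over key id, day and the real address.
PRVS_RE = re.compile(
    r"^prvs=(?P<key>\d)(?P<day>\d{3})(?P<sig>[0-9a-f]{6})=(?P<local>[^@]+)@(?P<domain>[^@]+)$",
    re.IGNORECASE,
)


def day_number(now=None):
    """Days since the Unix epoch; passed explicitly in tests for determinism."""
    return int((time.time() if now is None else now) // 86400)


def _sig(key_id, day, local, domain):
    msg = f"{key_id}{day:03d}{local}@{domain}".lower().encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha1).hexdigest()[:6]


def tag_return_path(address, today=None):
    """Rewrite MAIL FROM:<info@ourdomain.com> into its prvs-tagged form."""
    local, domain = address.rsplit("@", 1)
    if domain.lower() != OUR_DOMAIN:
        raise ValueError("only our own addresses are tagged")
    today = day_number() if today is None else today
    expiry = (today + TAG_LIFETIME_DAYS) % 1000
    return f"prvs={KEY_ID}{expiry:03d}{_sig(KEY_ID, expiry, local, domain)}={local}@{domain}"


def strip_tag(address):
    """Recover the real mailbox so an accepted bounce is delivered normally."""
    m = PRVS_RE.match(address)
    return f"{m['local']}@{m['domain']}" if m else address


def check_bounce_recipient(rcpt, today=None):
    """Decide whether a bounce (null-sender message) to rcpt may be accepted.

    Returns (accept, reason). An untagged recipient means we never sent a
    message with that return path, so the bounce is backscatter from a
    forged sender and is refused.
    """
    today = day_number() if today is None else today
    m = PRVS_RE.match(rcpt)
    if not m:
        return False, "untagged recipient: we never used this return path"
    if int(m["key"]) != KEY_ID:
        return False, "unknown key id"
    expiry = int(m["day"])
    expected = _sig(KEY_ID, expiry, m["local"], m["domain"])
    if not hmac.compare_digest(expected, m["sig"].lower()):
        return False, "signature mismatch: tag forged or key rotated"
    # expiry is stored mod 1000; the modular difference handles wrap-around
    if (expiry - today % 1000) % 1000 > TAG_LIFETIME_DAYS:
        return False, "tag expired"
    return True, "valid tag"


def rcpt_to_decision(mail_from, rcpt, today=None):
    """SMTP reply for RCPT TO. Only bounces (empty MAIL FROM) are checked."""
    if mail_from.strip() not in ("", "<>"):
        return "250 OK"                      # ordinary mail: no tag check
    accept, reason = check_bounce_recipient(rcpt, today)
    if accept:
        return "250 OK"
    return f"550 5.7.1 bounce refused: {reason}"


if __name__ == "__main__":
    # The thread's bounce went to the plain alias, which this policy refuses.
    print(rcpt_to_decision("<>", "info@ourdomain.com"))
    tagged = tag_return_path("info@ourdomain.com")
    print(tagged, rcpt_to_decision("<>", tagged), strip_tag(tagged))
```

The tag must be applied on the outbound gateway and checked on the inbound one for the same domain, and the real mailbox must be recovered with strip_tag before local delivery. Keep the lifetime a little longer than the longest queue retry period of remote MTAs, and rotate SECRET_KEY by bumping KEY_ID rather than replacing the key in place, or legitimate bounces in flight will be refused.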
-
December 17th, 2005, 09:59 PM
#3
I have no idea how this worm somewhere got one of our legitimate email addresses; it seems to me that the ibuyhouses.com guy has the info@ourdomain.com address stored in their client, and that he is infected? Am I right in assuming this?
Actually it's more likely that both addresses were stored on a computer that became infected. Viruses tend not to use the addresses of computers they infect in order to keep them infected. They take stored email addys and use one in the sender field and send to the rest.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
-
December 17th, 2005, 11:24 PM
#4
Junior Member
See, I wouldn't think so. The headers look like someone that uses the ibuyhouses.com mail server attempted to send an email to that gmail account. Which to me says that both my user's address and the gmail address are stored on the aforementioned computer.
-
December 18th, 2005, 02:08 AM
#5
god what i would give to be sober... read my mood
work it harder, make it better, do it faster, makes us stronger
-
December 18th, 2005, 07:56 AM
#6
Sorry to say but something like this won't do it heh, find something stronger.
"When in doubt, use Brute Force."
Never argue with an idiot. They'll drag you down to their level, then beat you with experience.
-
December 18th, 2005, 11:56 PM
#7
Junior Member
Sorry to say but something like this won't do it heh, find something stronger.
I have no idea what you are talking about.
-
December 19th, 2005, 12:05 AM
#8
Originally posted here by hexadecimal
god what i would give to be sober... read my mood
That's what I was talking about...it was a joke, calm down son.
"When in doubt, use Brute Force."
Never argue with an idiot. They'll drag you down to their level, then beat you with experience.