same source? sobig

Stephen Falken III

I've been getting hammered by w32.sobig.F@mm.

It appears that they might be coming from the same machine.
Headers follow:

one:

Received: from acbdb2c8.ipt.aol.com (HELO MAROCAIN-66WCKD)
(172.189.178.200)
by iruvul.pair.com with SMTP; 2 Sep 2003 21:51:49 -0000
From: <[email protected]>
To: <[email protected]>
Subject: **JUNK** Re: That movie
Date: Tue, 2 Sep 2003 23:51:55 +0200
X-MailScanner: Found to be clean
Importance: Normal

another:

Received: from acb83148.ipt.aol.com (HELO MAROCAIN-66WCKD) (172.184.49.72)
by iruvul.pair.com with SMTP; 2 Sep 2003 12:16:32 -0000
From: <[email protected]>
To: <[email protected]>
Subject: **JUNK** Re: Wicked screensaver
Date: Tue, 2 Sep 2003 14:16:39 +0200
X-MailScanner: Found to be clean
Importance

Is my guess correct that this is likely the same machine?
If so, is AOL likely to do anything?
 
On that special day, Stephen Falken III, ([email protected]) said...

I found that the HELO (in your case: MAROCAIN-66WCKD) is always the
same, no matter whether the infected machine has a fixed IP number or
is connected by a dial-up account. So yes, it is all from that one
infested computer, and you should contact the ISP. I believe AOL will
react to it. They are too big to be able to afford having an
infected computer spewing worms for too long.


Gabriele Neukam

(e-mail address removed)
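
The correlation described in the reply above, grouping mail by HELO name and listing the addresses it arrived from, as an added example that is not part of the original thread. The function names are hypothetical, the regular expression assumes the Received layout shown in the first post, and the sample input is the two headers quoted there.

```python
import re
from collections import defaultdict

# The two Received headers from the first post, wrapped as posted.
SAMPLE = """\
Received: from acbdb2c8.ipt.aol.com (HELO MAROCAIN-66WCKD)
(172.189.178.200)
by iruvul.pair.com with SMTP; 2 Sep 2003 21:51:49 -0000
Subject: **JUNK** Re: That movie

Received: from acb83148.ipt.aol.com (HELO MAROCAIN-66WCKD) (172.184.49.72)
by iruvul.pair.com with SMTP; 2 Sep 2003 12:16:32 -0000
Subject: **JUNK** Re: Wicked screensaver
"""

HEADER_START = re.compile(r"^[A-Za-z][A-Za-z0-9-]*:")
# Assumed trace layout: from <rdns> (HELO <name>) (<ip>) by <server>
RECEIVED = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^)\s]+)\)\s+"
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+by\s+(?P<by>\S+)"
)

def received_headers(text):
    """Yield each Received header as one string, joining wrapped lines."""
    current = None
    for line in text.splitlines():
        if HEADER_START.match(line) or not line.strip():
            if current is not None:
                yield current
            current = line[len("Received:"):].strip() if line.lower().startswith("received:") else None
        elif current is not None:
            current += " " + line.strip()  # continuation of a Received header
    if current is not None:
        yield current

def group_by_helo(text):
    """Map each HELO name (client-supplied) to the server-recorded IPs that sent it."""
    seen = defaultdict(set)
    for header in received_headers(text):
        m = RECEIVED.search(header)
        if m:
            seen[m.group("helo").upper()].add(m.group("ip"))
    return {helo: sorted(ips) for helo, ips in seen.items()}

def roaming_helos(text, min_ips=2):
    """HELO names seen from at least min_ips different addresses."""
    return {h: ips for h, ips in group_by_helo(text).items() if len(ips) >= min_ips}

print(roaming_helos(SAMPLE))
```

When reporting to the ISP, quote the IP address together with the timestamp from each Received line, since a dial-up address is only tied to one customer for the duration of a session.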