Tracking SoBig Virus

TrailShredder

Anyone have any success on tracking down a computer that is known to have
the sobig virus? Our server is getting hit on the average of 100 times per
day trying to send to the same 5 people, the sobig virus. Since it spoofs
the email address of the sender, I am having a tough time trying to find out
who is infected so that I can have them remove it from their machine. Any
suggestions?
 
from the wonderful person said:
Anyone have any success on tracking down a computer that is known to have
the sobig virus? Our server is getting hit on the average of 100 times per
day trying to send to the same 5 people, the sobig virus. Since it spoofs
the email address of the sender, I am having a tough time trying to find out
who is infected so that I can have them remove it from their machine. Any
suggestions?

Did you try putting the whole of one of these messages (including full
header) into spamcop.net? That usually resolves the real culprit (at
least as far as their ISP's abuse department), even with 'normal'
attempts to spoof the address.
 
On that special day, TrailShredder said...
Anyone have any success on tracking down a computer that is known to have
the sobig virus? Our server is getting hit on the average of 100 times per
day trying to send to the same 5 people, the sobig virus. Since it spoofs
the email address of the sender, I am having a tough time trying to find out
who is infected so that I can have them remove it from their machine. Any
suggestions?

Examine the header of the sent mails. In the (normally topmost)
"Received:" line you will see a four-part number, which identifies the
computer as long as it is connected to the internet. This number is
called the "IP number" (Internet Protocol).

Copy this number, and insert it into the "Do Stuff" entry field on the
site "http://www.samspade.org/". Click on the button, and check the
result. If you are lucky, there is an abuse address given for complaints
about Spam, viruses etc.

Send the header of the mail (not the attachment) to said abuse address
and ask the postmaster to have the infected machine cleaned or taken
offline.

HTH


Gabriele Neukam

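The procedure above (read the "Received:" line your own server stamped, take the bracketed address as the connecting client, ignore the forged From:) can be scripted. The following is an added example, not code posted in this thread; the hostnames, addresses and the whole sample message are constructed, and the set of "trusted" hosts is an assumption standing in for the reader's own mail servers. It walks the Received chain from newest to oldest and stops at the first line that was not stamped by one of those hosts, because anything below that point was written by the remote client and can be faked just like the sender address.

```python
import re
from email import message_from_string

# Constructed sample (made-up hosts and RFC 5737 documentation addresses).
# The worm's own SMTP engine connected straight to mx.example.org, so the
# Received: line that mx.example.org added records the infected machine's
# address; inbox.example.org is an internal relay behind it. The From: header
# is forged and tells us nothing about who is infected.
SAMPLE_MESSAGE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby inbox.example.org with ESMTP id abc123
\tfor <victim@example.org>; Wed, 20 Aug 2003 10:12:45 -0400
Received: from forged-sender.example.net (adsl-198-51-100-23.example.net [198.51.100.23])
\tby mx.example.org (Postfix) with SMTP id 5F2A1
\tfor <victim@example.org>; Wed, 20 Aug 2003 10:12:44 -0400
From: "Someone Innocent" <innocent@example.com>
To: victim@example.org
Subject: Re: Details

see the attached file for details
"""

# Assumed: the hosts whose Received: stamps we wrote ourselves and therefore trust.
OUR_HOSTS = {"mx.example.org", "inbox.example.org"}

# First bracketed dotted-quad in a Received: line is the connecting client's IP.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# The host that wrote the line follows the word "by".
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def received_chain(raw_message):
    """Return (by_host, from_ip) for every Received: header, in header
    order, i.e. newest (topmost) first. Folded continuation lines are
    flattened before matching."""
    msg = message_from_string(raw_message)
    chain = []
    for header in msg.get_all("Received", []):
        flat = " ".join(header.split())
        by = BY_RE.search(flat)
        ip = IP_RE.search(flat)
        chain.append(
            (by.group(1).lower() if by else None, ip.group(1) if ip else None)
        )
    return chain


def originating_ip(raw_message, trusted_hosts):
    """Walk the chain from the top. Every line stamped by one of our own
    hosts is believed; the 'from' address of the last believed line is the
    client that actually connected to us. Stop at the first line we did not
    write, since the remote side could have prepended it."""
    client_ip = None
    for by_host, from_ip in received_chain(raw_message):
        if by_host not in trusted_hosts:
            break
        client_ip = from_ip
    return client_ip


def claimed_sender(raw_message):
    """The From: header, kept only so a report can show it is not the culprit."""
    return message_from_string(raw_message).get("From", "")


if __name__ == "__main__":
    print("From: header claims:", claimed_sender(SAMPLE_MESSAGE))
    print("Connecting client was:", originating_ip(SAMPLE_MESSAGE, OUR_HOSTS))
```

The address the script returns is what goes into the whois lookup and the abuse report; the From: value is printed only to make the point that it belongs to an uninvolved third party.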
 
Anyone have any success on tracking down a computer that is known to have
the sobig virus? Our server is getting hit on the average of 100 times per
day trying to send to the same 5 people, the sobig virus. Since it spoofs
the email address of the sender, I am having a tough time trying to find out
who is infected so that I can have them remove it from their machine. Any
suggestions?
****************** REPLY SEPARATOR ********************
Are they the real messages or returns from one of the biggies? A couple of our
customers were getting hammered (about 100/hour) some time ago. I checked the
header on the messages and blocked the originating IP (ADSL circuit) in our
mail server. But now one of them still gets about 100 bounced messages a day
from someone else who is infected and using his email address. For bounced
messages, you need to examine the body of the message, and there is really not
much you can do about it except to complain to the upstream provider.
 