W32.Sobig worm: where is it coming from?

Thread starter: Sang Leen

Hi.

I have a Win2k network and some users are getting
emails from different users and friends infected with the Sobig worm.

How can I know where the message is coming from, because
the worm does not use the email address where it really is
coming from?

I have Norton Corporate Edition and delete the worm, but
the users get the infected email continuously.

Thank you.
S.L
 
On our system, when we get hit by Sobig.F we see that the first line usually
contains the computer it is from. I'll cut and paste the line of a header
our mail server is blocking. Return email changed to protect the innocent;
IP and From not, because the moron is infected.

Return-Path: <[email protected]>
Received: from THE-WORKS (66.227.210.169.tvc.mi.chartermi.net
[66.227.210.169])

From addresses change, but the Received: line never changes for the one
person being emailed the virus. We instruct our mail server to reject all
requests from 66.227.210.169. It's safe, since that is a cable modem anyway
and should not be sending mail. Mail should go through one of chartermi.net's
mail servers. So if you have control of your mail server, tell it to reject
by network. If our ISP handled our mail, I'd ask them to block it,
especially if it was a lot of email.
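The check Jeremy describes, as an added example that is not part of either post: only the topmost Received: header is trustworthy, because it is the one your own server wrote when the infected machine connected; Return-Path, From: and any lower Received: lines are supplied by the sender and the worm forges them. The script below parses that first hop, groups messages by the connecting IP, flags reverse names that look like consumer lines (the PTR embeds the address, as with 66.227.210.169.tvc.mi.chartermi.net, or contains words like "cable" or "dsl"), and lists addresses that sent several messages under different From: lines. The sample headers are constructed; only the chartermi.net Received: line comes from the post above, and all other hostnames, addresses and queue IDs are made up. Rendering the result as a Postfix access map is an assumption about the MTA; any server that rejects by IP takes the same addresses.

```python
"""Find the real source of worm mail from Received: headers and build a block list."""
import re
from collections import defaultdict
from email import message_from_string

# Shape of the hop our own MTA writes:  from <HELO-name> (<reverse-name> [<ip>])
# The reverse name is optional; Postfix writes "unknown" when the PTR lookup fails.
RECEIVED_FROM = re.compile(
    r"from\s+(?P<helo>\S+)\s*\(\s*(?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]",
    re.IGNORECASE,
)


def topmost_received(raw):
    """Parse only the first Received: header, the one added by our own server.

    Lower Received: lines, From: and Return-Path: are sender-controlled and may be forged,
    so they are recorded for reporting but never trusted as the origin."""
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_FROM.search(received[0])  # folded continuation lines are still in the value
    if not m:
        return None
    return {"helo": m["helo"], "rdns": m["rdns"], "ip": m["ip"],
            "from": msg.get("From", ""), "return_path": msg.get("Return-Path", "")}


def consumer_line_indicator(rdns, ip):
    """Return why a reverse name looks like a cable/DSL/dial-up line, or None if it does not."""
    if not rdns or rdns.lower() == "unknown":
        return "no reverse DNS"
    name = rdns.lower()
    # PTR names like 66.227.210.169.tvc.mi.chartermi.net or cable-1-2-3-4.isp.net spell out the IP
    if set(ip.split(".")) <= set(re.findall(r"\d+", name)):
        return "reverse name embeds the IP address"
    for word in ("cable", "dsl", "dyn", "pool", "dhcp", "dial", "ppp"):
        if word in name:
            return f"reverse name contains '{word}'"
    return None


def tally_sources(raw_messages):
    """Group messages by connecting IP; the (forged) From: values are collected per IP."""
    report = defaultdict(lambda: {"count": 0, "froms": set(), "rdns": None, "indicator": None})
    for raw in raw_messages:
        hop = topmost_received(raw)
        if hop is None:
            continue
        entry = report[hop["ip"]]
        entry["count"] += 1
        entry["froms"].add(hop["from"])
        entry["rdns"] = hop["rdns"]
        entry["indicator"] = consumer_line_indicator(hop["rdns"], hop["ip"])
    return dict(report)


def block_candidates(report, min_messages=2):
    """IPs on consumer-looking lines that sent several messages under more than one From: address."""
    return sorted(ip for ip, e in report.items()
                  if e["count"] >= min_messages and len(e["froms"]) > 1 and e["indicator"])


def postfix_access_lines(ips):
    """Render the block list as Postfix access(5) map entries (assumed MTA; adapt to your own)."""
    return [f"{ip}\tREJECT Sobig source" for ip in ips]


# Constructed samples. The Received: hop of the first two is the one quoted in the post
# (the chartermi.net cable modem); every other hostname, address and queue ID is made up.
WORM_1 = """Return-Path: <friend@example.net>
Received: from THE-WORKS (66.227.210.169.tvc.mi.chartermi.net
\t[66.227.210.169])
\tby mail.example.org with SMTP id h7KEC1; Wed, 20 Aug 2003 10:12:31 -0400
From: friend@example.net
Subject: Re: Details
"""
WORM_2 = """Return-Path: <carol@example.com>
Received: from THE-WORKS (66.227.210.169.tvc.mi.chartermi.net
\t[66.227.210.169])
\tby mail.example.org with SMTP id h7KEC3; Wed, 20 Aug 2003 10:12:40 -0400
From: carol@example.com
Subject: Thank you!
"""
# Legitimate mail from a home user goes through the ISP relay, so our server sees the relay.
LEGIT = """Return-Path: <bob@example.net>
Received: from smtp03.isp.example.net (smtp03.isp.example.net [198.51.100.7])
\tby mail.example.org with ESMTP id h7KEC2; Wed, 20 Aug 2003 10:14:02 -0400
Received: from bobs-pc (cable-198-51-100-77.isp.example.net [198.51.100.77])
\tby smtp03.isp.example.net with SMTP; Wed, 20 Aug 2003 10:13:50 -0400
From: bob@example.net
Subject: lunch
"""

if __name__ == "__main__":
    rep = tally_sources([WORM_1, WORM_2, LEGIT])
    for ip in block_candidates(rep):
        e = rep[ip]
        print(f"{ip} ({e['rdns']}): {e['count']} messages, From: {sorted(e['froms'])}; {e['indicator']}")
    print("\n".join(postfix_access_lines(block_candidates(rep))))
```

Run against a mailbox of the bounced or quarantined messages, the tally shows the same connecting IP under a changing From: header, which is exactly the pattern Jeremy describes; the legitimate message is not flagged because the hop our server saw is the ISP relay with a proper reverse name. A host that is merely unlisted on the relay (no reverse DNS) is reported but still needs a second indicator, such as the message count, before it is worth rejecting.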
 
Thanks, Jeremy.

I will try it; we're using MDaemon as our mail server.

S.L
