Re: Virus warnings, blocked emails etc...

From: Ian Gibson (igibson@hkucc.hku.hk)
Date: Fri Aug 29 2003 - 04:03:11 EEST


So that means that these messages are not actually coming from the rp-ml
server. Which also means that if you remove yourself from this mailing
list, you will still get the SoBig messages.

Nasty.

IG

At 11:14 AM 8/28/2003 +0300, you wrote:
>Hannu Kaikonen writes:
>
> > It is a common practice that the sender of an email is friendly advised
> > if the message one sent was infected or for some other reason
> > blocked. Now
> > some people somewhere in their infinite wisdom have decided to start
> > warning the recipients of infected emails as well (probably because of
> > the nature of some viruses)... Since "To:rp-ml..."
> > is distributed to over 1700 locations around the world, there are a lot of
> > "content scanners" with this fancy new setup, and we are getting warnings
> > of the same virus (or "possibly malicious emails") over and over
> > again... That means that we
> > will get a significant amount of "warnings" in the near future.
>
>That was a good and educated guess, Hannu, but not entirely accurate.
>
>The list has been getting these virus warnings and automated
>acknowledgments of received emails as a result of a virus gone
>wild. The virus is called Sobig.F and it has absolutely nothing to do
>with rp-ml.
>
>The virus infects Windows machines and turns them into mail
>servers. The virus then searches for files in the infected machine
>that contain email addresses. Then it starts sending copies of itself
>in email attachments to all the addresses it finds. This is fairly
>normal and usually we need not worry about such emails since all
>messages with potential virus contents are blocked from the list.
>
>The problem with Sobig.F is that it uses fake sender addresses in the
>emails it sends. It picks sender addresses as well as receiver
>addresses randomly from the files in the infected machine. This means
>that all possible error messages get bounced back to these forged
>addresses.
>
>In our case this means that there's a machine somewhere (or about a
>thousand machines more likely) that has the Sobig.F virus and it
>finds the address 'rp-ml@rapid.lpt.fi' somewhere in the files of the
>infected machine. Then it starts sending copies of itself using
>rp-ml@rapid.lpt.fi as the address of the _sender_. Some of these mails
>get blocked by content scanners (obviously since there's a virus) and
>the error messages get sent to the sender's address, which happens to
>be rp-ml@rapid.lpt.fi.
>
>Since the virus started spreading on August 19th, I have received
>probably more than 3000 (I stopped counting at 1500) email messages as
>a result of Sobig.F. If I ever meet the guy who wrote the blasted
>thing, I think I'll... er... not be very nice to him!
>
>More information about the virus can be found in
>http://www.f-secure.com/v-descs/sobig_f.shtml
>
> > I'm truly sorry about this, and we will try to figure out how to filter
> > out these unnecessary warnings.
>
>That might be difficult, although probably not impossible. Hopefully
>the virus dies out in a few more days and the traffic stops. But there
>will be others like this one, and a solution should be found.
>
>
>//zaphod
>
>PS. And I hope you have all understood by now that you cannot get
> viruses through rp-ml. All attachments that might potentially carry a
> virus are blocked.
>
>PPS. The best way to avoid virus infections through email in general
> is not to open any suspicious attachments.

Dr. Ian Gibson

Currently on study leave at
National University of Singapore,
Dept. Mechanical Engineering
9 Engineering Drive 1
Singapore 117576
Tel: +65 6874 1917
Mob: +65 9087 3512

"Everything really is stupidly simple, and yet all around is utter confusion,
don't look around to find the sound that's right beneath your feet"
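The mechanism zaphod describes above (a worm forging the list address as sender, so that bounces and content-scanner warnings for mail the list never sent come back to rp-ml) is what is now called backscatter. As an added example that is not part of this thread, the following Python script shows the filtering approach Hannu says the list operators would have to work out: it classifies a notification as backscatter when the delivery report quotes an original message "from" the list address whose Message-ID the list server never actually sent. The list address is taken from the thread; the set of sent Message-IDs and the three sample messages are constructed for the example.

```python
"""Classify bounces and virus warnings as backscatter.

Added example, not code from the rp-ml thread. Assumes the list server
keeps a record of the Message-IDs it actually handed to its MTA
(SENT_MESSAGE_IDS, constructed here), so that a delivery report quoting
an unknown Message-ID for a message "from" the list can be recognised
as backscatter from forged sender addresses.
"""
import email
from email import policy
from email.message import EmailMessage

LIST_ADDRESS = "rp-ml@rapid.lpt.fi"  # the list address named in the thread

# Constructed: Message-IDs the list really sent out.
SENT_MESSAGE_IDS = {"<real-001@rapid.lpt.fi>", "<real-002@rapid.lpt.fi>"}

AUTOMATED_SENDERS = ("mailer-daemon", "postmaster")


def is_automated_notification(msg: EmailMessage) -> bool:
    """Structural signals that a message is a bounce or scanner report.

    Subject keywords are deliberately not used: the subject of this very
    thread ("Virus warnings, blocked emails etc...") would match them.
    """
    if str(msg.get("Auto-Submitted", "no")).lower().startswith("auto-"):
        return True
    if msg.get_content_type() == "multipart/report":
        return True
    sender = str(msg.get("From") or "").lower()
    return any(s in sender for s in AUTOMATED_SENDERS)


def quoted_original(msg: EmailMessage):
    """Return the bounced original (or its headers) if the report carries it."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)  # the attached original message
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None


def classify(raw: str) -> str:
    """'normal', 'legitimate-bounce', 'backscatter' or
    'notification-without-original' (a report we cannot attribute)."""
    msg = email.message_from_string(raw, policy=policy.default)
    if not is_automated_notification(msg):
        return "normal"
    original = quoted_original(msg)
    if original is None:
        return "notification-without-original"
    orig_from = str(original.get("From") or "").lower()
    orig_id = str(original.get("Message-ID") or "").strip()
    # A report about mail "from" the list that the list never sent
    # is backscatter caused by a forged sender address.
    if LIST_ADDRESS in orig_from and orig_id not in SENT_MESSAGE_IDS:
        return "backscatter"
    return "legitimate-bounce"


# Constructed sample: a scanner warning for a worm mail with a forged sender.
BACKSCATTER = """\
From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
To: rp-ml@rapid.lpt.fi
Subject: Undeliverable: your message contained a virus
Auto-Submitted: auto-replied
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Your message was blocked by the content scanner.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net
--b1
Content-Type: text/rfc822-headers

From: rp-ml@rapid.lpt.fi
To: victim@example.org
Subject: Re: Thank you!
Message-ID: <worm-9f3a@example.org>
--b1--
"""

# Constructed sample: a genuine bounce for a message the list did send.
LEGIT_BOUNCE = """\
From: MAILER-DAEMON@rapid.lpt.fi
To: rp-ml@rapid.lpt.fi
Subject: Returned mail: user unknown
Content-Type: multipart/report; report-type=delivery-status; boundary="b2"

--b2
Content-Type: text/plain

User unknown.
--b2
Content-Type: message/rfc822

From: rp-ml@rapid.lpt.fi
To: departed-member@example.org
Subject: [rp-ml] Meeting notes
Message-ID: <real-001@rapid.lpt.fi>

Notes attached.
--b2--
"""

# Constructed sample: an ordinary list post.
NORMAL = """\
From: Ian Gibson <igibson@hkucc.hku.hk>
To: rp-ml@rapid.lpt.fi
Subject: Re: Virus warnings, blocked emails etc...
Content-Type: text/plain

So that means that these messages are not actually coming from the list.
"""

if __name__ == "__main__":
    for name, raw in (("backscatter", BACKSCATTER), ("legit", LEGIT_BOUNCE), ("normal", NORMAL)):
        print(f"{name}: {classify(raw)}")
```

The check only works where the list server records the Message-IDs of what it sends; without that record a bounce quoting the list address cannot be told apart from backscatter. Reports that do not include the original headers at all (the fourth class) are the hard case zaphod alludes to, and in practice they are handled by rate-limiting or by recognising the sending scanner rather than by anything in the report itself.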



This archive was generated by hypermail 2.1.7 : Sat Jan 17 2004 - 15:17:58 EET