RE: the SoBig Worm - what should I expect to see.....

  • From: "Amy Babinchak" <Amy@xxxxxxxxxxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 22 Aug 2003 00:21:22 -0400

It's the fault of Symantec and the admin that installed the software. By
default the corporate edition has the option to send a notice selected;
dumb on Symantec's part. The admin should unselect this "feature".

 

Amy Babinchak

Technology Consultant

 

-----Original Message-----
From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx] 
Sent: Thursday, August 21, 2003 5:52 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: the SoBig Worm - what should I expect to see.....

 

http://www.ISAserver.org

I am seeing messages left and right from so-called AV software that is
sending notices out to the forged from address.

 

This is well known for all variants of SoBig to do this, and therefore a
real testament to all those 2-bit worthless AV software that are sending
out these notices. I mean, come on Symantec, you should know better than
this. You yourself published that the virus forges the from address. Why
are you sending infected notices out to that forged address?

 

John Tolmachoff MCSE CSSA

Engineer/Consultant

eServices For You

www.eservicesforyou.com

 

-----Original Message-----
From: Simon Weaver [mailto:Simon.Weaver@xxxxxxxx] 
Sent: Thursday, August 21, 2003 3:42 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: the SoBig Worm - what should I expect to see.....

 


Hi Amy

I have now got a TS session and am looking at it! You are right, it does
"Spoof" the Email address, and I think this is where the confusion is
leading to, because as I said there is no virus on the System, but they
are getting 400 Emails (just counted) so far!

 

Nasty piece of work!! 

 

I know they are clean, so will leave it like this, but it is good to see
others are seeing the same things as me (although it is not pleasant) 

 

Simon Weaver 
Technical Consultant 
MCSE+Internet / MCSE Windows 2000 
Integrated Solutions Corp. Ltd 
http://www.iscl.net 

-----Original Message-----
From: Amy Babinchak [mailto:Amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] 
Sent: 21 August 2003 21:53
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: the SoBig Worm - what should I expect to see.....

 


Simon,

 

If you haven't seen it for yourself go over and have a look. I got lots
of reports of infections yesterday but it turned out to be just
"undeliverable" email notices bouncing back to them because their
address was used in the return. As you know this virus spoofs the return
email address so just because (or maybe even definitely because) reports
are coming in that the infection has their return email address on it
does not mean that they are the infected party.

 

Amy Babinchak

Technology Consultant

 

-----Original Message-----
From: Simon Weaver [mailto:Simon.Weaver@xxxxxxxx] 
Sent: Thursday, August 21, 2003 5:44 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] the SoBig Worm - what should I expect to see.....

 


Hi everyone

I was in the process of getting a new client over to SBS2000, as they
are currently using Win2k / Exchange / Proxy 2.0

However I was called in due to the fact they "believe" they are infected
with the SoBig.f Virus.

However a complete scan of the Server / PCs and patching all machines
proved there was no trace of the virus.

However, they are getting inundated with hundreds upon hundreds of
emails that are being picked up by the AV Symantec Program and sending
the Emails out with a Quarantine Attachment.

However people are also saying they are "receiving" Emails from the
users in this LAN to external recipients with a virus attached!

I do not believe it - But is this the behaviour of this new virus?

Also, am I right in thinking if I get SBS2k / ISA up and running I can
filter out .scr / .exe / .pif files??

Any advice is welcome :-)

Simon Weaver

Technical Consultant

MCSE+Internet / MCSE Windows 2000

Integrated Solutions Corp. Ltd

http://www.iscl.net 

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
amy@xxxxxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to
$subst('Email.Unsub') 
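
Added example, not part of the original thread: one way to check the point made above, that an "undeliverable" or AV notice naming your address does not show the infected mail came from your network. It assumes the notice embeds the original message or its headers; `OUR_OUTBOUND_IPS`, the host names and the sample notices are constructed for illustration.

```python
import email
import re
from email import policy

OUR_OUTBOUND_IPS = {"198.51.100.10"}  # assumption: this site's outbound relay
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def embedded_original(notice):
    """Headers of the message the notice complains about, or None."""
    for part in notice.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(),
                                             policy=policy.default)
    return None

def classify_notice(raw, our_ips=OUR_OUTBOUND_IPS):
    """'backscatter', 'sent-from-our-relay' or 'unknown' for one notice."""
    original = embedded_original(
        email.message_from_string(raw, policy=policy.default))
    received = original.get_all("Received") if original is not None else None
    if not received:
        return "unknown"
    # Only the topmost Received line was written by the server that produced
    # the notice; the lines below it, like From:, are under the sender's control.
    match = IP_RE.search(received[0])
    if match is None:
        return "unknown"
    return "sent-from-our-relay" if match.group(1) in our_ips else "backscatter"

def make_notice(handoff):
    """Constructed bounce whose embedded original arrived from `handoff`."""
    return (
        "From: MAILER-DAEMON@mx.remote.example\n"
        "To: user@client.example\n"
        "Subject: Undeliverable mail\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n'
        "\n--b1\nContent-Type: text/plain\n\nDelivery failed.\n"
        "\n--b1\nContent-Type: text/rfc822-headers\n\n"
        f"Received: from {handoff} by mx.remote.example; Thu, 21 Aug 2003 17:40:00 -0400\n"
        "From: user@client.example\nTo: nobody@remote.example\n"
        "\n--b1--\n")

FORGED = make_notice("dsl-host.isp.example ([203.0.113.77])")
GENUINE = make_notice("mail.client.example ([198.51.100.10])")
print(classify_notice(FORGED), classify_notice(GENUINE))
```

A "sent-from-our-relay" result is the case that warrants tracing the message back to an internal host; "backscatter" means the address was only borrowed.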
