On that same subject, I wonder if the same computers affected with Sobig are the ones sending out Swen?
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Charles Frolick
> Sent: Thursday, September 25, 2003 9:52 AM
> To: [EMAIL PROTECTED]
> Subject: [Declude.JunkMail] Sobig Remailer
>
> It appears the Sobig.F remailer capabilities are being used. I have
> received 4 complaints in the last 2 days about spamming from my dial
> pool with headers like these:
>
> Return-Path: <[EMAIL PROTECTED]>
> Delivered-To: x
> Received: (qmail 14974 invoked by uid 88); 24 Sep 2003 03:39:33 -0000
> Received: from unknown (HELO 209?144?2?150.dr?tw211.du.argolink.net)
> (209.144.2.150)
> by mail5.safeserver.com with SMTP; 24 Sep 2003 03:39:33 -0000
> Received: from [188.207.43.80] by 209_144_2_150.dr_tw211.du.argolink.net
> with ESMTP id
> <940513-87248>; Wed, 24 Sep 2003 05:29:57 +0100
> Message-ID: <[EMAIL PROTECTED]>
> From: "Donnell Childress" <[EMAIL PROTECTED]>
> Reply-To: "Donnell Childress" <[EMAIL PROTECTED]>
> To: x
> Subject: Fw: x vali-um, xan-ax, am-bien, no dr visit shipped to ur door
> amity z rlq nbw
> Date: Wed, 24 Sep 03 05:29:57 GMT
> X-Mailer: eGroups Message Poster
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="0_.FCE6ED9E.C"
> X-Priority: 3
> X-MSMail-Priority: Normal
>
> Note the first received line is using one of my dial customers as the
> outbound server. (du.argolink.net is the zone I use for my dial
> customers) The HELO string is always the proper PTR hostname, although
> it looks like some servers (like the one above) don't like the
> underscores (2 of the reports have them correct, 2 have the question
> marks).
>
> Thanks,
> Chuck Frolick
> ArgoNet, Inc.
>
> ---
> [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail". The archives can be found
> at http://www.mail-archive.com.
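Added example, not part of the original thread: one way an abuse desk could pull the dial-pool address out of complaint headers like the ones quoted above. The function names are hypothetical, the `?` to `_` normalization follows the observation in the quoted message, and the rule that the first hostname label encodes the IP is an assumption taken from the single hostname shown.

```python
import re

# Constructed sample: the Received lines from the quoted complaint,
# with continuation lines folded the way they would arrive on the wire.
SAMPLE = """\
Received: (qmail 14974 invoked by uid 88); 24 Sep 2003 03:39:33 -0000
Received: from unknown (HELO 209?144?2?150.dr?tw211.du.argolink.net)
 (209.144.2.150)
 by mail5.safeserver.com with SMTP; 24 Sep 2003 03:39:33 -0000
Received: from [188.207.43.80] by 209_144_2_150.dr_tw211.du.argolink.net
 with ESMTP id
 <940513-87248>; Wed, 24 Sep 2003 05:29:57 +0100
"""

# qmail-style trace line: from <rdns> (HELO <name>) (<ip>) by <receiver>
QMAIL_RX = re.compile(
    r"^Received:\s+from\s+\S+\s+\(HELO\s+(?P<helo>\S+?)\)\s+"
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+by\s+(?P<by>\S+)", re.I)

def unfold(raw):
    """Join folded header lines (continuations start with whitespace)."""
    return re.sub(r"\r?\n[ \t]+", " ", raw).splitlines()

def dial_pool_hits(raw_headers, zone):
    """Return Received lines written by the recipient's server whose
    connecting host announced a HELO name inside our dial-pool zone."""
    hits = []
    for line in unfold(raw_headers):
        m = QMAIL_RX.match(line)
        if not m:
            continue  # not a line recorded by the receiving MTA
        # Some receivers log '_' as '?'; undo that before comparing.
        helo = m.group("helo").replace("?", "_").lower()
        if not helo.endswith("." + zone.lower()):
            continue
        label = helo.split(".", 1)[0]
        hits.append({
            "ip": m.group("ip"),          # address to look up in RADIUS logs
            "helo": helo,
            "seen_by": m.group("by"),
            # Assumed naming scheme: a_b_c_d.<pop>.<zone> for IP a.b.c.d
            "helo_matches_ip": label.replace("_", ".") == m.group("ip"),
        })
    return hits
```

The IP and the timestamp on the matching line are what get correlated against dial-up session records; the lower `Received:` line was not written by the recipient's server and is ignored.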