Re: Virus warnings, blocked emails etc...

From: Seppo J Niemi (zaphod@rapid.lpt.fi)
Date: Thu Aug 28 2003 - 11:14:52 EEST


Hannu Kaikonen writes:

> It is a common practice that the sender of an email is given a friendly notice
> if the message one sent was infected or for some other reason blocked. Now
> some people somewhere in their infinite wisdom have decided to start
> warning the recipients of infected emails as well (probably because of
> the nature of some viruses)... Since "To:rp-ml..."
> is distributed to over 1700 locations around the world, there are a lot of
> "content scanners" with this fancy new setup, and we are getting warnings
> of the same virus (or "possibly malicious emails") over and over again...
> That means that we will get a significant amount of "warnings" in the near
> future.

That was a good and educated guess, Hannu, but not entirely accurate.

The list has been getting these virus warnings and automated
acknowledgments of received emails as a result of a virus gone
wild. The virus is called Sobig.F and it has absolutely nothing to do
with rp-ml.

The virus infects Windows-machines and turns them into mail
servers. The virus then searches for files in the infected machine
that contain email addresses. Then it starts sending copies of itself
in email attachments to all the addresses it finds. This is fairly
normal and usually we need not worry about such emails since all
messages with potential virus contents are blocked from the list.

The problem with Sobig.F is that it uses fake sender addresses in the
emails it sends. It picks sender addresses as well as receiver
addresses randomly from the files in the infected machine. This means
that all possible error messages get bounced back to these forged
addresses.

In our case this means that there's a machine somewhere (or about a
thousand machines more likely) that has the Sobig.F virus and it
finds the address 'rp-ml@rapid.lpt.fi' somewhere in the files of the
infected machine. Then it starts sending copies of itself using
rp-ml@rapid.lpt.fi as the address of the _sender_. Some of these mails
get blocked by content scanners (obviously since there's a virus) and
the error messages get sent to the sender's address, which happens to
be rp-ml@rapid.lpt.fi.

Since the virus started spreading on August 19th, I have received
probably more than 3000 (I stopped counting at 1500) email messages as
a result of Sobig.F. If I ever meet the guy who wrote the blasted
thing, I think I'll... er... not be very nice to him!

More information about the virus can be found at
http://www.f-secure.com/v-descs/sobig_f.shtml

> I'm truly sorry about this, and we will try to figure out how to filter
> out these unnecessary warnings.

That might be difficult, although probably not impossible. Hopefully
the virus dies out in a few more days and the traffic stops. But there
will be others like this one, and a solution should be found.

//zaphod

PS. And I hope you have all understood by now that you cannot get
    viruses through rp-ml. All attachments that might potentially carry a
    virus are blocked.

PPS. The best way to avoid virus infections through email in general
     is not to open any suspicious attachments.
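One way to filter the backscatter described above, added here as an example and not part of the original post or of the rp-ml list's own setup: a small Python classifier that treats a bounce or virus notice as legitimate only if the original message it quotes carries a Message-ID the list itself issued, and drops notices that quote an ID the list never sent (the worm forged the list address as sender) or quote none at all. The send log, hostnames, Message-IDs and the four sample messages are constructed for illustration and are assumptions, not data from the list or from Sobig.F.

```python
# Backscatter filter for a list address (illustration, not the rp-ml setup).
# Worm mail that forges the list address as sender draws bounces and virus
# notices back to the list; keep only notices about mail the list really sent.
import email
import re
from email import policy
from email.utils import parseaddr

# Assumption: the list software logs the Message-ID of every message it sends.
SENT_MESSAGE_IDS = {"<20030827120000.GA1234@rapid.lpt.fi>"}  # constructed log

AUTOMATED_SENDER = re.compile(r"^(mailer-daemon|postmaster|antivirus|virus|scanner)", re.I)
MSGID_LINE = re.compile(r"^Message-ID:[ \t]*(<[^>]+>)", re.I | re.M)


def is_automated_notice(msg):
    """Bounce/scanner signals: null envelope sender, RFC 3462 multipart/report,
    an Auto-Submitted header, or a daemon-style From address.  Subject words
    are deliberately not used: this thread's own subject contains 'virus'."""
    if str(msg.get("Return-Path", "")).strip() == "<>":
        return True
    if msg.get_content_type() == "multipart/report":
        return True
    if str(msg.get("Auto-Submitted", "no")).lower() != "no":
        return True
    local_part = parseaddr(str(msg.get("From", "")))[1].split("@")[0]
    return bool(AUTOMATED_SENDER.match(local_part))


def quoted_message_id(msg):
    """Message-ID of the original message a notice quotes, or None.  Checks
    message/rfc822 and text/rfc822-headers parts, then plain-text bodies,
    because many scanners paste the original headers inline."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            mid = part.get_payload(0).get("Message-ID")
            if mid:
                return str(mid).strip()
        elif ctype in ("text/rfc822-headers", "text/plain"):
            m = MSGID_LINE.search(part.get_content())
            if m:
                return m.group(1)
    return None


def classify(raw):
    """'deliver' for a normal post; 'notice' for a bounce/scan report about a
    message the list really sent; 'backscatter' for a report about a message
    the list never sent (sender forged by the worm) or that names no message."""
    msg = email.message_from_string(raw, policy=policy.default)
    if not is_automated_notice(msg):
        return "deliver"
    if quoted_message_id(msg) in SENT_MESSAGE_IDS:
        return "notice"
    return "backscatter"


# Constructed samples: a DSN for worm mail with forged sender, a scanner notice
# pasting forged headers inline, a real bounce of a list message, a real post.
WORM_BOUNCE = """\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
To: rp-ml@rapid.lpt.fi
Subject: Undeliverable: Re: Details
Content-Type: multipart/report; report-type=delivery-status; boundary="bnd1"

--bnd1
Content-Type: text/plain

Your message to someone@example.net was blocked: attachment.pif contains a virus.

--bnd1
Content-Type: text/rfc822-headers

From: rp-ml@rapid.lpt.fi
To: someone@example.net
Message-ID: <0001abcd@infected-pc.example.org>

--bnd1--
"""

SCANNER_WARNING = """\
From: Antivirus Gateway <antivirus@gw.example.com>
To: rp-ml@rapid.lpt.fi
Subject: Virus Alert
Content-Type: text/plain

A virus was found in a message you sent. Original headers:
From: rp-ml@rapid.lpt.fi
Message-ID: <0002beef@infected-pc.example.org>
"""

REAL_BOUNCE = """\
Return-Path: <>
From: Mail Delivery Subsystem <MAILER-DAEMON@mail.example.org>
To: rp-ml@rapid.lpt.fi
Subject: Returned mail: User unknown
Content-Type: multipart/report; report-type=delivery-status; boundary="bnd2"

--bnd2
Content-Type: message/rfc822

From: rp-ml@rapid.lpt.fi
To: gone@example.org
Message-ID: <20030827120000.GA1234@rapid.lpt.fi>

Meeting notes follow.

--bnd2--
"""

LIST_POST = """\
From: Seppo J Niemi <zaphod@rapid.lpt.fi>
To: rp-ml@rapid.lpt.fi
Subject: Re: Virus warnings, blocked emails etc...
Content-Type: text/plain

The warnings are backscatter from Sobig.F, not mail from the list.
"""
```

Calling `classify(WORM_BOUNCE)` and `classify(SCANNER_WARNING)` gives "backscatter", `classify(REAL_BOUNCE)` gives "notice" and `classify(LIST_POST)` gives "deliver". The design choice is to anchor the decision on the list's own send log rather than on subject keywords or scanner wording, which vary by product and would also catch this very thread; a notice that cannot be tied to a message the list sent is dropped, so a site that prefers fewer false drops should instead route those to a human-reviewed folder.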



This archive was generated by hypermail 2.1.7 : Sat Jan 17 2004 - 15:17:58 EET