From: Kalkor (kalkor@kalkor.com)
Date: Thu Sep 11 2003 - 15:30:28 MDT
[Blunderov]
I've been getting about 3-4 per day lately. The majority claim to
emanate from US Military addresses.
[Kalkor]
I suspect that you're getting a majority of them from US Military addresses
because the military servers are more likely to be configured to assume that
what's in the "FROM" field in an email's header is actually where the
message came from, and not the "X-SENDER" field like most email servers do.
Since the messages sent by Sobig.F do not include any X-information such as
the X-SENDER, a lot of email servers will just drop them as they don't
actually have an origin at that point. However, it takes an act of Congress
to change the way the military does things, and for now they go primarily on
what is listed in the "FROM" field... which is intentionally generated by
Sobig.F based on whatever the virus finds on the infected HDD... this is
where YOUR email address comes into the picture.
Anyone know for certain? This is all merely speculation on my part based on
my limited understanding of Sobig.F, and a few years' experience running
mail servers... If I'm wrong, speak up! hehehhehe
Kalkor
This archive was generated by hypermail 2.1.5 : Thu Sep 11 2003 - 15:32:14 MDT
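
Added example, not part of the original post: a Python sketch that separates the headers a sending program writes itself (From, X-Sender, and any Received lines it supplies) from the connecting address that the receiving server records in its own Received line. The message, host names and addresses are constructed, and `sender_report` and `trusted_host` are names chosen for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (documentation-range addresses, not a real capture).
# The first Received line is the one our own server would add; the second
# is supplied by the sending program and proves nothing.
SAMPLE = """\
Received: from unknown (unknown [198.51.100.23])
\tby mail.example.com with SMTP; Thu, 11 Sep 2003 15:00:00 -0600
Received: from mail.example.org ([192.0.2.1])
\tby relay.example.org; Thu, 11 Sep 2003 14:59:00 -0600
From: harvested@example.org
To: someone@example.com
Subject: Re: Details

See the attached file for details
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def sender_report(raw, trusted_host):
    """Return what the message claims and what trusted_host recorded."""
    msg = message_from_string(raw)
    claimed_from = parseaddr(msg.get("From", ""))[1]
    x_sender = msg.get("X-Sender")  # None when the header is absent
    connecting_ip = None
    by_trusted = re.compile(r"\bby %s\b" % re.escape(trusted_host))
    for received in msg.get_all("Received", []):
        flat = " ".join(received.split())  # unfold continuation lines
        if by_trusted.search(flat):
            # Only the line stamped by our own server is evidence of origin.
            match = IP_IN_BRACKETS.search(flat)
            connecting_ip = match.group(1) if match else None
            break
    return {
        "claimed_from": claimed_from,
        "x_sender": x_sender,
        "connecting_ip": connecting_ip,
    }

if __name__ == "__main__":
    for key, value in sender_report(SAMPLE, "mail.example.com").items():
        print(f"{key}: {value}")
```
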