Anyone else seeing a huge spike in attempts to (ab)use loc-srv (135/tcp)?

Rich Holland holland at guidancetech.com
Thu Aug 21 09:15:05 PDT 2003


I believe the port 135 probes are Blaster, and the spam bounces you're
seeing are the fallout from Sobig.F.

Blaster had a fix released in mid-June or July that nobody applied
(apparently).  About the time that was starting to get under control,
the new Sobig variant came out in typical fashion.  Like Klez, it forges
sender information from your Outlook address book, so anything that
bounces is (incorrectly) routed back to the faked sender...

I've gotten both infected messages as well as bounces.  Spambayes has
handled both magnificently.

Rich
-- 
Rich Holland        (913) 645-1950        SAP Technical Consultant
print unpack("u","92G5S\=\"!A;F]T:&5R(\'!E<FP\@:&%C:V5R\"\@\`\`");

> -----Original Message-----
> From: owner-baylisa at baylisa.org 
> [mailto:owner-baylisa at baylisa.org] On Behalf Of J C Lawrence
> Sent: Thursday, August 21, 2003 9:15 AM
> To: David Wolfskill
> Cc: baylisa at baylisa.org
> Subject: Re: Anyone else seeing a huge spike in attempts to 
> (ab)use loc-srv (135/tcp)? 
> 
> 
> On Thu, 21 Aug 2003 05:38:01 -0700 (PDT) 
> David Wolfskill <david at catwhisker.org> wrote:
> 
> > Is this, perhaps, yet an additional manifestation of the virus-du-jour
> > for Microsoft-based machines (and thus, additional evidence that they
> > ought to be firewalled off from access to any resources about which a
> > reasonable person might care)?
> 
> Without answering the question I'll note that I've been 
> receiving almost 1,000 bounces or 
> we-couldn't-deliver-your-message-coz-it-had-a-virus
> messages per day on my personal account for the last few days 
> due to the Windows virus du jour.  All the original messages
> are of course forgeries -- but the bouncing MTAs don't know that.
> 
> "Tiresome" is not quite the word.
> 
> -- 
> J C Lawrence                
> ---------(*)                Satan, oscillate my metallic sonatas. 
> claw at kanga.nu               He lived as a devil, eh?		  
> http://www.kanga.nu/~claw/  Evil is a name of a foeman, as I live.
> 
> 



