August 22, 2003

Sobig.F virus and spam

[The context of this was a mailing list thread about an expected wave of Sobig.F virus attacks from certain sites in the virus data]

I ran the list of Sobig.F attack addresses through Google searches, both by address and by resolved name, to see if anything interesting could be found. The data and results confirmed what Rich Kulawiec had written about the connection to spamming systems. That is, there is a connection to spam systems.

At least eight of the sites appeared in various spam-denying log files from one place which makes such logs public.

Sites found:

12-232-104-221.client.attbi.com
218.147.164.29
cpe-024-033-066-038.cinci.rr.com
ip-24-197-143-132.spart.sc.charter.com
modemcable043.91-202-24.mtl.mc.videotron.ca
modemcable081.207-131-66.nowhere.mc.videotron.ca
pcp04447100pcs.verona01.nj.comcast.net
pcp694043pcs.anaprd01.md.comcast.net

Detailed data below:

http://mailhost1.tudelft.nl/disnorm/ or http://mailhost2.tudelft.nl/disnorm/

[The last number is the number of hits of the site from that day, I think]

mailhost1-grep.2003-07-26 pcp694043pcs.anaprd01.md.comcast.net (blacklist) 1
mailhost1-grep.2003-07-29 ip-24-197-143-132.spart.sc.charter.com (blacklist) 1
mailhost1-grep.2003-07-30 12-232-104-221.client.attbi.com (proxies) 1
mailhost1-grep.2003-07-31 12-232-104-221.client.attbi.com (proxies) 1
mailhost1-grep.2003-08-02 218.147.164.29 (proxies) 2
mailhost1-grep.2003-08-02 218.147.164.29 (blacklist) 2
mailhost1-grep.2003-08-02 pcp04447100pcs.verona01.nj.comcast.net (blacklist) 1
mailhost1-grep.2003-08-03 pcp04447100pcs.verona01.nj.comcast.net (blacklist) 3
mailhost1-grep.2003-08-03 218.147.164.29 (proxies) 2
mailhost1-grep.2003-08-05 218.147.164.29 (proxies) 1
mailhost1-grep.2003-08-10 modemcable043.91-202-24.mtl.mc.videotron.ca (proxies) 1
mailhost1-grep.2003-08-11 modemcable081.207-131-66.nowhere.mc.videotron.ca (blacklist) 1
mailhost1-grep.2003-08-12 modemcable081.207-131-66.nowhere.mc.videotron.ca (blacklist) 2
mailhost1-grep.2003-08-12 modemcable043.91-202-24.mtl.mc.videotron.ca (proxies) 1
mailhost1-grep.2003-08-13 12-232-104-221.client.attbi.com (proxies) 1
mailhost1-grep.2003-08-13 pcp04447100pcs.verona01.nj.comcast.net (blacklist) 1
mailhost1-grep.2003-08-14 modemcable043.91-202-24.mtl.mc.videotron.ca (proxies) 2
mailhost1-grep.2003-08-15 218.147.164.29 (proxies) 7
mailhost1-grep.2003-08-15 cpe-024-033-066-038.cinci.rr.com (proxies) 5
mailhost1-grep.2003-08-15 modemcable043.91-202-24.mtl.mc.videotron.ca (proxies) 1
mailhost1-grep.2003-08-16 pcp04447100pcs.verona01.nj.comcast.net (blacklist) 2
mailhost1-grep.2003-08-16 218.147.164.29 (proxies) 1
mailhost1-grep.2003-08-17 218.147.164.29 (proxies) 9
mailhost1-grep.2003-08-17 pcp04447100pcs.verona01.nj.comcast.net (blacklist) 2
mailhost1-grep.2003-08-17 ip-24-197-143-132.spart.sc.charter.com (blacklist) 2
mailhost2-grep.2003-07-24 12-232-104-221.client.attbi.com (blacklist) 1
mailhost2-grep.2003-07-25 12-232-104-221.client.attbi.com (blacklist) 1
mailhost2-grep.2003-07-26 pcp694043pcs.anaprd01.md.comcast.net (blacklist) 8
mailhost2-grep.2003-07-27 12-232-104-221.client.attbi.com (blacklist) 1
mailhost2-grep.2003-07-28 12-232-104-221.client.attbi.com (blacklist) 1
mailhost2-grep.2003-07-30 12-232-104-221.client.attbi.com (blacklist) 2
mailhost2-grep.2003-07-31 12-232-104-221.client.attbi.com (blacklist) 7
mailhost2-grep.2003-08-01 218.147.164.29 (blacklist) 1
mailhost2-grep.2003-08-02 218.147.164.29 (blacklist) 3
mailhost2-grep.2003-08-03 218.147.164.29 (proxies) 4
mailhost2-grep.2003-08-04 12-232-104-221.client.attbi.com (proxies) 2
mailhost2-grep.2003-08-11 modemcable043.91-202-24.mtl.mc.videotron.ca (proxies) 3
mailhost2-grep.2003-08-11 pcp04447100pcs.verona01.nj.comcast.net (blacklist) 1
mailhost2-grep.2003-08-12 modemcable043.91-202-24.mtl.mc.videotron.ca (proxies) 1
mailhost2-grep.2003-08-15 cpe-024-033-066-038.cinci.rr.com (proxies) 2
mailhost2-grep.2003-08-15 218.147.164.29 (proxies) 2
mailhost2-grep.2003-08-15 12-232-104-221.client.attbi.com (proxies) 1
mailhost2-grep.2003-08-16 pcp04447100pcs.verona01.nj.comcast.net (blacklist) 1
mailhost2-grep.2003-08-16 218.147.164.29 (proxies) 1
mailhost2-grep.2003-08-17 218.147.164.29 (proxies) 4
mailhost2-grep.2003-08-17 ip-24-197-143-132.spart.sc.charter.com (blacklist) 2
mailhost2-grep.2003-08-17 pcp04447100pcs.verona01.nj.comcast.net (blacklist) 1
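The cross-check described above (taking each Sobig.F source host and looking for it in a mail server's published rejection logs, then tallying hits per reason and per day) can be automated. The following Python is an added example written for this page; it is not code from the post, from Rich Kulawiec, or from the TU Delft site that publishes the logs. The line format is assumed from the quoted lines (`<logname>.<YYYY-MM-DD> <host> (<reason>) <count>`), the sample log is a constructed subset of those lines plus one constructed decoy host and one malformed line, and the `blacklist` / `proxies` reasons are treated as opaque labels rather than interpreted.

```python
"""Correlate a list of Sobig.F source hosts with published spam-rejection
log summaries: which sources show up, under which rejection reason, how
often, and over what date range.  Hypothetical example for this page."""
import re
from collections import defaultdict

# Line format as it appears in the quoted summaries (assumed from the post):
#   <logname>.<YYYY-MM-DD> <host-or-ip> (<reason>) <count>
LINE_RE = re.compile(
    r"^(?P<log>\S+)\.(?P<date>\d{4}-\d{2}-\d{2})\s+"
    r"(?P<host>\S+)\s+\((?P<reason>[^)]+)\)\s+(?P<count>\d+)\s*$"
)

# The "Sites found" list from the post.
SOBIG_SITES = {
    "12-232-104-221.client.attbi.com",
    "218.147.164.29",
    "cpe-024-033-066-038.cinci.rr.com",
    "ip-24-197-143-132.spart.sc.charter.com",
    "modemcable043.91-202-24.mtl.mc.videotron.ca",
    "modemcable081.207-131-66.nowhere.mc.videotron.ca",
    "pcp04447100pcs.verona01.nj.comcast.net",
    "pcp694043pcs.anaprd01.md.comcast.net",
}

# Constructed sample: a subset of the lines quoted in the post, plus one
# decoy host that is not on the Sobig.F list and one malformed line.
SAMPLE_LOG = """\
mailhost1-grep.2003-07-26 pcp694043pcs.anaprd01.md.comcast.net (blacklist) 1
mailhost1-grep.2003-08-02 218.147.164.29 (proxies) 2
mailhost1-grep.2003-08-02 218.147.164.29 (blacklist) 2
mailhost1-grep.2003-08-15 218.147.164.29 (proxies) 7
mailhost1-grep.2003-08-15 cpe-024-033-066-038.cinci.rr.com (proxies) 5
mailhost2-grep.2003-07-26 pcp694043pcs.anaprd01.md.comcast.net (blacklist) 8
mailhost2-grep.2003-08-17 218.147.164.29 (proxies) 4
mailhost2-grep.2003-08-15 decoy-not-on-list.invalid (blacklist) 3
this line is not in the expected format
"""


def normalize_host(host):
    """Lower-case and drop a trailing dot so log and list spellings compare equal."""
    return host.strip().rstrip(".").lower()


def parse_line(line):
    """Parse one summary line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "log": m["log"],
        "date": m["date"],            # ISO date, so string comparison orders correctly
        "host": normalize_host(m["host"]),
        "reason": m["reason"],
        "count": int(m["count"]),
    }


def parse_log(text):
    """Parse all well-formed lines, silently skipping malformed ones."""
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def correlate(entries, watchlist):
    """Per watchlist host seen in the log: total hits, hits per reason, first/last date."""
    watch = {normalize_host(h) for h in watchlist}
    hits = {}
    for e in entries:
        if e["host"] not in watch:
            continue
        rec = hits.setdefault(e["host"], {
            "total": 0, "reasons": defaultdict(int),
            "first": e["date"], "last": e["date"],
        })
        rec["total"] += e["count"]
        rec["reasons"][e["reason"]] += e["count"]
        rec["first"] = min(rec["first"], e["date"])
        rec["last"] = max(rec["last"], e["date"])
    for rec in hits.values():
        rec["reasons"] = dict(rec["reasons"])
    return hits


def never_seen(entries, watchlist):
    """Watchlist hosts that appear nowhere in the log (sorted)."""
    seen = {e["host"] for e in entries}
    return sorted(h for h in map(normalize_host, watchlist) if h not in seen)


def daily_timeline(entries, host):
    """Hits for one host summed across all log sources, as sorted (date, count) pairs."""
    host = normalize_host(host)
    per_day = defaultdict(int)
    for e in entries:
        if e["host"] == host:
            per_day[e["date"]] += e["count"]
    return sorted(per_day.items())


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    ranked = sorted(correlate(entries, SOBIG_SITES).items(),
                    key=lambda kv: -kv[1]["total"])
    for host, rec in ranked:
        print(f"{host:50} {rec['total']:3d} hits "
              f"{rec['first']}..{rec['last']} {rec['reasons']}")
    print("never seen:", never_seen(entries, SOBIG_SITES))
```

Fed the full list of quoted lines instead of the sample, `correlate` reproduces the author's tally and `daily_timeline` shows whether a source's rejections cluster around the dates in question; `never_seen` is the control that keeps a partial overlap from being read as a complete one.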

By Seth Finkelstein | posted in security , spam | on August 22, 2003 07:18 PM (Infothought permalink) | Followups
Seth Finkelstein's Infothought blog (Wikipedia, Google, censorware, and an inside view of net-politics)
