>> >> Can't we just hack the mailman configs to dump mails with X-sender
>> >> value of outlook or outlook express? That would solve the problem, no;)
>> >
>> > Well, the only problem with that idea is that we explicitly do *NOT* have
>> > a "Your clue must be ->THIS<- tall to ride the IETF list" policy... ;)
>>
>> The Sobig worm includes its own SMTP code, and places arbitrary values
>> in the header fields.
>
> You mean to say that there is a full MTA tucked away in there?

Yes. Maybe not a full MTA, but definitely enough to format messages and execute SMTP.

The common assumption is that Sobig was written by one or several criminals, with the purpose of installing a network of mail relays ("zombies"), and then selling the services of this network of zombies to spammers. The same SMTP agent is probably also used to send spam from the zombies. If you compare the headers of mail generated by the worm with those of random spam, you will find that they are very similar.

There is another link between Sobig and spam. It appears that these networks of zombies are used in denial-of-service attacks against anti-spam services.

By the way, the worm does not only include its own SMTP service. It seems to also include its own DNS code, probably in order to get the MX records of its targets. This DNS agent is parameterized to start any look-up at the A-root, with the side effect of overloading this root server.

-- 
Christian Huitema