I've been getting it all day. It seems to be mostly links to sites that deal with German politics.
From Editor and Publisher:
Your E-mail Suddenly FIlled with German Hate Messages? Here's Why
Published: May 16, 2005 2:30 PM ET
NEW YORK -- A new variant of the Sober spam worm is being blamed for the deluge of German spam messages carrying right-wing or neo-Nazi messages flooding in-boxes around the world this week. Once the attachment is opened, the worm uses its own e-mail engine to send itself to addresses harvested from the infected computer.
Some messages link to right-wing German sites. This be linked to the 60th anniversary commemorations of the end of World War II in Europe.
Sober-P grabbed attention at the beginning of the month, in Germany and around the world, offering soccer tickets to the 2006 World Cup, but this is a new political variant.
Der Spiegel Online mentioned as a suspect today the NPD (German National Party), a neo-Nazi, anti-Semitic party that has advanced in some parts of the country lately. Last year, the NPD shook Germany when it got 9.2% of the vote in elections in Saxony, winning representation in the parliament there for the first time ever.
OK that explains everything so far. The emails had clear inications of German Politik.
NOW. I never open attachments from such stuff, but sometimes read the cover email text only.
Can I presume I'm uninfected? No odd nasty signs from the computer yet.
Unrelated question: Why does it take longer for FOO messages to appear on the Recent Posts list? -Larry
They started here last Thursday. I got over a 1000 of those e-mails on Saturday night. Our web host email was set up to use the catchall feature(?), basically, you could reach me by sending a message to email@example.com
The catchall was turned off and the messages dropped dramatically. A few have still managed to come thru, but the bulk of them, to addresses we would never use, have stopped.
>>Why does it take longer for FOO messages to appear on the Recent Posts list?
By default, FOO threads dont show up on the Recent Posts list anymore. The rare ones that do, are manually set so by our friendly Mods or Admins.
You most likely are correct to assume you are not infected. Most of the sites that delivered the payload had no payload to dump by the time it hit the US. Also this strain does not propiagate via attachemnts. It delivers through a link in the e-mail which needs clicked.
Just check to see if your AV defs are up to date and do a full system scan. Just an aside Symantec lists this as Trojan.Ascetic.C.
Been an annoyance here for our user base at best as we blocked teh payload sites for the time being.
jesus.... thought it was just us! We've been getting 50 a day..all spoofing the sender and using non-existant e-mail addresses at our domain as the recipient...we have catch-all disabled...I dug a little further and found the actual recpient was a real e-mail address we enabled...
All the mails come from the same IP...I did a dns search and found and notified the ip block owner ( bellsouth) ....
Same time we've also been getting virus attempts with the subject " your e-mail account has been disabled" or " Your email account has been suspended"...
|troels nybo nielsen|
The newsletter from a-squared warns that Sober.Q may be expected to attack Monday 23rd. Beware.
Sometimes it's really an advantage to be in an obscure corner of the Internet. Very few of these nasties get around to where I am.