Welcome to WebmasterWorld Guest from

Forum Moderators: incrediBILL & lawman

Message Too Old, No Replies

Sudden spate of German email spam.

Is it just me?



11:25 pm on May 16, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

I seldom get German language spam, but in the last week I've gotten 20 or 30 all of a sudden.

Anyone else notice this? It not, it could just be my address. My site gets mentioned on foreign
blogs sometimes, and the Deutcher spammers may
have phished it out from there. -Larry.


11:57 pm on May 16, 2005 (gmt 0)

10+ Year Member

I've been getting it all day. It seems to be mostly links to sites that deal with German politics.


3:07 am on May 17, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

From Editor and Publisher:
Your E-mail Suddenly FIlled with German Hate Messages? Here's Why

Published: May 16, 2005 2:30 PM ET
NEW YORK -- A new variant of the Sober spam worm is being blamed for the deluge of German spam messages carrying right-wing or neo-Nazi messages flooding in-boxes around the world this week. Once the attachment is opened, the worm uses its own e-mail engine to send itself to addresses harvested from the infected computer.

Some messages link to right-wing German sites. This be linked to the 60th anniversary commemorations of the end of World War II in Europe.

Sober-P grabbed attention at the beginning of the month, in Germany and around the world, offering soccer tickets to the 2006 World Cup, but this is a new political variant.

Der Spiegel Online mentioned as a suspect today the NPD (German National Party), a neo-Nazi, anti-Semitic party that has advanced in some parts of the country lately. Last year, the NPD shook Germany when it got 9.2% of the vote in elections in Saxony, winning representation in the parliament there for the first time ever.


3:59 am on May 17, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

OK that explains everything so far. The emails had clear inications of German Politik.

NOW. I never open attachments from such stuff, but sometimes read the cover email text only.

Can I presume I'm uninfected? No odd nasty signs from the computer yet.

Unrelated question: Why does it take longer for FOO messages to appear on the Recent Posts list? -Larry


8:26 am on May 17, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

They started here last Thursday. I got over a 1000 of those e-mails on Saturday night. Our web host email was set up to use the catchall feature(?), basically, you could reach me by sending a message to anyone@mydomain.com

The catchall was turned off and the messages dropped dramatically. A few have still managed to come thru, but the bulk of them, to addresses we would never use, have stopped.


11:20 am on May 17, 2005 (gmt 0)

WebmasterWorld Senior Member macguru is a WebmasterWorld Top Contributor of All Time 10+ Year Member

>>Why does it take longer for FOO messages to appear on the Recent Posts list?

By default, FOO threads dont show up on the Recent Posts list anymore. The rare ones that do, are manually set so by our friendly Mods or Admins.


7:39 pm on May 17, 2005 (gmt 0)

10+ Year Member


You most likely are correct to assume you are not infected. Most of the sites that delivered the payload had no payload to dump by the time it hit the US. Also this strain does not propiagate via attachemnts. It delivers through a link in the e-mail which needs clicked.

Just check to see if your AV defs are up to date and do a full system scan. Just an aside Symantec lists this as Trojan.Ascetic.C.

Been an annoyance here for our user base at best as we blocked teh payload sites for the time being.

Take care,



1:25 am on May 20, 2005 (gmt 0)

10+ Year Member

jesus.... thought it was just us! We've been getting 50 a day..all spoofing the sender and using non-existant e-mail addresses at our domain as the recipient...we have catch-all disabled...I dug a little further and found the actual recpient was a real e-mail address we enabled...

All the mails come from the same IP...I did a dns search and found and notified the ip block owner ( bellsouth) ....

Same time we've also been getting virus attempts with the subject " your e-mail account has been disabled" or " Your email account has been suspended"...

troels nybo nielsen

8:55 am on May 22, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

The newsletter from a-squared warns that Sober.Q may be expected to attack Monday 23rd. Beware.

Sometimes it's really an advantage to be in an obscure corner of the Internet. Very few of these nasties get around to where I am.


Featured Threads

Hot Threads This Week

Hot Threads This Month