Between 0900 and 1230 today, I received 14 identical emails, allegedly
from Bellsouth account "Fletcher Schiller" at milesend (AT) bellsouth (DOT) net.
Each was a 722K file infected with W32/SirCam. I don't recall the exact
limit on our mailboxes (10MB?), but I'm sure this had the effect of
causing my legitimate email to bounce until I emptied my mailbox. Note
that I received two such identical emails yesterday from the same user.
There are a number of things that make this appear targeted, and not
normal virus behavior. I referred to the Symantec site at
http://securityresponse.symantec.com/avcenter/venc/data/w32.sircam.[EMAIL REMOVED]
mm.html for info.
1) Sircam normally doesn't send to the same address repeatedly, but
rotates through many. During Sircam's heyday in summer 2001, I don't
recall ever getting more than one from the same address.
2) The payload seems unusually large for Sircam. It's been a while since
Sircam was rampant, but I never recall payloads that large. This leads
me to think it may be an intentional "mailbox buster".
3) The intro message was identical on all 14. Normally Sircam rotated
through a number of different canned messages.
4) Sircam is old. Most folks defended against it long ago.
Anyhow, this struck me as weird and I wanted to get thoughts from anyone
here.
PS: it sure would have been nice if Bellsouth had implemented the virus
protection in Mailguard as they had promised.
Thanks!
Dave
--
Email reply to kupe (AT) NOSPAMbellsouth (DOT) net after removing the NOSPAM