Quickie mail.python.org status

Skip Montanaro

Sep 3, 2003, 3:40:10 PM
(Posted via Google so some fraction of the c.l.py community sees
it. :-)

I noticed that python-related mail has been at best trickling in today,
so took a quick peek at mail.python.org. Since 4am today exim has
rejected over 15,000 messages because they contained executable
attachments or suspicious (sobig-style) subjects. I'm sure that's nothing
compared to sites like SourceForge or AOL, but it conspires to keep
useful mail from flowing through that machine.

They said it was going to be bad after everyone returned from the long
holiday and late-summer vacations. I guess they were right...

Skip

Michael Hudson

Sep 4, 2003, 6:16:40 AM
to Skip Montanaro
sk...@pobox.com (Skip Montanaro) writes:

> (Posted via Google so some fraction of the c.l.py community sees
> it. :-)
>
> I noticed that python-related mail has been at best trickling in today,
> so took a quick peek at mail.python.org. Since 4am today exim has
> rejected over 15,000 messages because they contained executable
> attachments or suspicious (sobig-style) subjects. I'm sure that's nothing
> compared to sites like SourceForge or AOL, but it conspires to keep
> useful mail from flowing through that machine.

What happened to the firewall hack? I didn't think exim was supposed
to be *seeing* the sobig stuff...

Cheers,
mwh

--
About the use of language: it is impossible to sharpen a
pencil with a blunt axe. It is equally vain to try to do
it with ten blunt axes instead.
-- E.W.Dijkstra, 18th June 1975. Perl did not exist at the time.

Aahz

Sep 4, 2003, 2:17:07 PM
In article <727daa7e.03090...@posting.google.com>,
Skip Montanaro <sk...@pobox.com> wrote:
>
>I noticed that python-related mail has been at best trickling in today,
>so took a quick peek at mail.python.org. Since 4am today exim has
>rejected over 15,000 messages because they contained executable
>attachments or suspicious (sobig-style) subjects. I'm sure that's nothing
>compared to sites like SourceForge or AOL, but it conspires to keep
>useful mail from flowing through that machine.

I'm now seeing some mail flowing, but it'll take quite a while to catch
up.
--
Aahz (aa...@pythoncraft.com) <*> http://www.pythoncraft.com/

This is Python. We don't care much about theory, except where it intersects
with useful practice. --Aahz

Francois Pinard

Sep 3, 2003, 7:56:22 PM
[Skip Montanaro]

> They said it was going to be bad after everyone returned from the long
> holiday and late-summer vacations. I guess they were right...

On the other hand, I've read somewhere (on the Symantec site, I think), that
at least some varieties of the virus will turn themselves off on September
9'th. I do not understand why the bad guys would have programmed such a
deadline within their code, but I still wish this deadline story is true!

--
François Pinard http://www.iro.umontreal.ca/~pinard

Aahz

Sep 4, 2003, 3:38:46 PM
In article <mailman.106270142...@python.org>,
Francois Pinard <pin...@iro.umontreal.ca> wrote:
>
>On the other hand, I've read somewhere (on the Symantec site, I think), that
>at least some varieties of the virus will turn themselves off on September
>9'th. I do not understand why the bad guys would have programmed such a
>deadline within their code, but I still wish this deadline story is true!

Actually, the date is Sept 10, and the presumption is that SoBig.G will
be released on Sept 11....

Skip Montanaro

Sep 4, 2003, 8:54:39 AM

Francois> I do not understand why the bad guys would have programmed
Francois> such a deadline within their code, but I still wish this
Francois> deadline story is true!

The speculation I've read is that the author was paid (or is going to be
paid) by spammers. The virus will propagate (and relay spam?) until the
agreed upon deadline.

Skip


Tim Peters

Sep 4, 2003, 10:58:53 PM
[Francois Pinard]

> I do not understand why the bad guys would have programmed
> such a deadline within their code, but I still wish this
> deadline story is true!

[Skip]


> The speculation I've read is that the author was paid (or is going to
> be paid) by spammers. The virus will propagate (and relay spam?)
> until the agreed upon deadline.

The best stuff I've read suggests Sobig.F was a victim of its success: it
contained a list of IP addresses for 20 compromised machines around the
world (infected by previous Sobig variants). Infected machines got
programmed to download new software from a random one of those boxes a while
ago, the speculation being that the new software would establish proxy
servers (presumably for use by spammers) on a veritable army of compromised
machines. OTOH, maybe it's just some sociopathic teen having fun.

Whatever, this final stage was apparently hard to reverse-engineer, but
because the worm caused so much damage so fast, a lot of effort got poured
into it. As a result, all the machines it was going to contact got pulled
off the net before the mystery downloads triggered.

Note that Sobig.F is already the sixth in a series. It's usually been the
case that the next in the series got released right after the "expiration
date" of its predecessor. This planned obsolescence may be its most
intriguing feature -- it certainly fuels some strained speculations!

The worst news for c.l.py readers is that python.org email addresses are
sitting in millions of browser caches, and when the worm spreads itself it
forges a sender email address pulled off the infected machine sending the
worm copy. That means mail.python.org is on the receiving end of gazillions
of complaints, most machine-generated by idiot email servers that think
they're complaining back to the entity who sent the email. So as much as by
the worm itself, mail.python.org gets hammered by brain-dead responses from
servers that recognize and block the worm.
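
The thread describes two kinds of unwanted traffic: worm copies rejected for executable attachments or suspicious subjects, and machine-generated complaints sent back to forged sender addresses. The sketch below is an added example, not code from any poster and not mail.python.org's exim configuration; it sorts constructed sample messages into those classes, and the extension list, subject list and header checks are assumptions chosen for illustration.

```python
import email
from collections import Counter

# Assumed lists for illustration; not the filter rules used on mail.python.org.
EXECUTABLE_EXTS = (".exe", ".pif", ".scr", ".com", ".bat", ".vbs")
SUSPECT_SUBJECTS = {"re: details", "re: approved", "re: thank you!", "your details"}

def is_auto_response(msg):
    """True for bounces/notices: null return path, DSN report, or Auto-Submitted."""
    if (msg.get("Return-Path") or "").strip() == "<>":
        return True
    if (msg.get_content_type() == "multipart/report"
            and (msg.get_param("report-type") or "").lower() == "delivery-status"):
        return True
    return (msg.get("Auto-Submitted") or "no").strip().lower() != "no"

def classify(raw):
    """Return 'reject-executable', 'backscatter', 'reject-subject' or 'accept'."""
    msg = email.message_from_bytes(raw)
    for part in msg.walk():  # check every MIME part, including nested ones
        if (part.get_filename() or "").lower().endswith(EXECUTABLE_EXTS):
            return "reject-executable"
    if is_auto_response(msg):
        return "backscatter"
    if (msg.get("Subject") or "").strip().lower() in SUSPECT_SUBJECTS:
        return "reject-subject"
    return "accept"

def tally(queue):
    """Count classifications over an iterable of raw messages."""
    return Counter(classify(raw) for raw in queue)

# Constructed sample messages (example.* addresses, placeholder payloads).
WORM = (b"From: forged@example.org\r\nTo: list@example.org\r\n"
        b"Subject: Re: Details\r\nMIME-Version: 1.0\r\n"
        b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        b"--b1\r\nContent-Type: text/plain\r\n\r\nplaceholder body\r\n"
        b'--b1\r\nContent-Type: application/octet-stream; name="sample.pif"\r\n'
        b'Content-Disposition: attachment; filename="sample.pif"\r\n'
        b"Content-Transfer-Encoding: base64\r\n\r\ncGxhY2Vob2xkZXI=\r\n--b1--\r\n")
BOUNCE = (b"Return-Path: <>\r\nFrom: MAILER-DAEMON@example.net\r\n"
          b"To: list@example.org\r\nSubject: Virus found in message you sent\r\n"
          b"Content-Type: text/plain\r\n\r\nYour message was blocked.\r\n")
DSN = (b"From: postmaster@example.net\r\nTo: list@example.org\r\n"
       b"Subject: Undeliverable\r\nMIME-Version: 1.0\r\n"
       b'Content-Type: multipart/report; report-type=delivery-status; boundary="r1"\r\n'
       b"\r\n--r1\r\nContent-Type: text/plain\r\n\r\nDelivery failed.\r\n--r1--\r\n")
GOOD = (b"From: poster@example.org\r\nTo: list@example.org\r\n"
        b"Subject: Quickie status\r\n\r\nMail is flowing again.\r\n")
```

A notice that carries none of these markers falls through to `accept`, so the backscatter class is only as reliable as the headers the responding server sets.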

