Marshall's Weblog

Embiggen Your Mind

German Propaganda Spam

May 23rd, 2005

For the last week or so, we’ve been hit with a rash of spam mail in German. The mail was coming from 2 IP addresses, one on RoadRunner's subnet and one on Comcast's network. I sent complaints to the respective abuse@ mail addresses and then blocked the senders at our Barracuda email filter. I figured there was a spyware program floating around which had infected someone's box and was being controlled by spammers. Looks like I was right. What is puzzling to me is how only certain zombie nodes had some of our users' email addresses. From viewing the attacks on the Barracuda, it looks to me like the bots are just trying random pairs of email addresses, taking a common last name and adding an initial, à la jdoe@domain.com.

Update: It looks like the cause is a variant of the Sober virus.
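
The guessing pattern described in the post (a common last name with an initial in front, as in jdoe@domain.com) can be spotted per sending IP in mail-filter logs. The following is an added example, not part of the original post; the log layout, surname list, thresholds and function names are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log in a made-up "key=value" layout (not a real Barracuda format).
SAMPLE_LOG = """\
2005-05-20T09:01:02 src=192.0.2.10 rcpt=jsmith@example.com result=unknown_user
2005-05-20T09:01:03 src=192.0.2.10 rcpt=msmith@example.com result=accepted
2005-05-20T09:01:03 src=192.0.2.10 rcpt=bjones@example.com result=unknown_user
2005-05-20T09:01:04 src=192.0.2.10 rcpt=kmiller@example.com result=unknown_user
2005-05-20T09:01:05 src=192.0.2.10 rcpt=tbrown@example.com result=unknown_user
2005-05-20T09:02:10 src=198.51.100.7 rcpt=alice.wong@example.com result=accepted
2005-05-20T09:02:11 src=198.51.100.7 rcpt=sales@example.com result=accepted
2005-05-20T09:03:00 src=203.0.113.5 rcpt=jdoe@example.com result=unknown_user
"""

COMMON_SURNAMES = {"smith", "jones", "miller", "brown", "doe"}  # assumed word list
LINE_RE = re.compile(r"src=(\S+) rcpt=([^@\s]+)@\S+ result=(\w+)")

def is_initial_plus_surname(local_part, surnames=COMMON_SURNAMES):
    """True for guesses shaped like 'jdoe': one letter followed by a common surname."""
    lp = local_part.lower()
    return len(lp) > 1 and lp[0].isalpha() and lp[1:] in surnames

def find_harvesters(log_text, min_attempts=4, min_ratio=0.6):
    """Return {ip: stats} for sources whose recipients are mostly guessed and mostly invalid."""
    stats = defaultdict(lambda: {"attempts": 0, "unknown": 0, "guessed": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed layout
        ip, local_part, result = m.groups()
        s = stats[ip]
        s["attempts"] += 1
        s["unknown"] += result == "unknown_user"
        s["guessed"] += is_initial_plus_surname(local_part)
    flagged = {}
    for ip, s in stats.items():
        if s["attempts"] < min_attempts:
            continue  # too little traffic to judge either way
        if s["unknown"] / s["attempts"] >= min_ratio and s["guessed"] / s["attempts"] >= min_ratio:
            flagged[ip] = dict(s)
    return flagged

if __name__ == "__main__":
    for ip, s in find_harvesters(SAMPLE_LOG).items():
        print(ip, s)
```

Requiring both a high unknown-recipient ratio and a high guessed-shape ratio keeps a legitimate sender with one mistyped address, or an organisation whose real addresses happen to follow the initial-plus-surname convention, from being flagged on one signal alone.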

Tags: General