Quickie mail.python.org status

Tim Peters tim.one at comcast.net
Thu Sep 4 22:58:53 EDT 2003


[Francois Pinard]
> I do not understand why the bad guys would have programmed
> such a deadline within their code, but I still wish this
> deadline story is true!

[Skip]
> The speculation I've read is that the author was paid (or is going to
> be paid) by spammers.  The virus will propagate (and relay spam?)
> until the agreed upon deadline.

The best stuff I've read suggests Sobig.F was a victim of its success:  it
contained a list of IP addresses for 20 compromised machines around the
world (infected by previous Sobig variants).  Infected machines got
programmed to download new software from a random one of those boxes a while
ago, the speculation being that the new software would establish proxy
servers (presumably for use by spammers) on a veritable army of compromised
machines.  OTOH, maybe it's just some sociopathic teen having fun.

Whatever, this final stage was apparently hard to reverse-engineer, but
because the worm caused so much damage so fast, a lot of effort got poured
into it.  As a result, all the machines it was going to contact got pulled
off the net before the mystery downloads triggered.

Note that Sobig.F is already the sixth in a series.  It's usually been the
case that the next in the series got released right after the "expiration
date" of its predecessor.  This planned obsolescence may be its most
intriguing feature -- it certainly fuels some strained speculations!

The worst news for c.l.py readers is that python.org email addresses are
sitting in millions of browser caches, and when the worm spreads itself it
forges a sender email address pulled off the infected machine sending the
worm copy.  That means mail.python.org is on the receiving end of gazillions
of complaints, most machine-generated by idiot email servers that think
they're complaining back to the entity who sent the email.  So as much as by
the worm itself, mail.python.org gets hammered by brain-dead responses from
servers that recognize and block the worm.
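An added example, not part of the original post: one way a receiving server could separate the forged-sender complaints described above from bounces for mail it really sent, by checking the Message-ID quoted inside the notice. The domain `mail.example.org`, the function names and the sample bounce are assumptions constructed for illustration.

```python
import email
from email import policy

# Assumption: every Message-ID our own server issues ends with this domain.
LOCAL_ID_DOMAIN = "mail.example.org"

def is_automated(msg):
    """True for DSNs and other machine-generated notices."""
    if msg.get_content_type() == "multipart/report":
        return True
    if str(msg.get("Auto-Submitted", "no")).strip().lower() != "no":
        return True
    return str(msg.get("Return-Path", "")).strip() == "<>"

def embedded_original(msg):
    """Headers of the message being complained about, if the notice quotes them."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_content()
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None

def classify(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    if not is_automated(msg):
        return "normal"
    original = embedded_original(msg)
    if original is None:
        return "automated-unverifiable"
    msgid = str(original.get("Message-ID", "")).strip().strip("<>").lower()
    # A Message-ID can be forged too; treat a match as a hint, not proof.
    if msgid.endswith("@" + LOCAL_ID_DOMAIN):
        return "genuine-bounce"
    return "backscatter"

def sample(msgid):
    """Constructed virus-scanner bounce quoting the rejected message's headers."""
    return (
        "Return-Path: <>\nFrom: MAILER-DAEMON@scanner.example.net\n"
        "To: someone@example.org\nSubject: Virus found in message you sent\n"
        'MIME-Version: 1.0\nContent-Type: multipart/report; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nYour message was blocked.\n"
        "--b1\nContent-Type: text/rfc822-headers\n\n"
        f"From: someone@example.org\nMessage-ID: <{msgid}>\n"
        "--b1--\n"
    )
```

Notices that quote no original headers come back as `automated-unverifiable`, so they can be rate-limited or queued separately rather than trusted or dropped.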
