[Dshield] Whatever it was (admin@) - it's expanding
sama at snowplow.org
Fri Aug 1 23:31:05 GMT 2003
That is the WORM_MIMAIL.A virus.
At my place of work we got many, MANY hits from all over the place.
Companies, saw lots of pacbell too, but fortunately only a small amount
Putting admin@<ourdomain>.com into access.db to DISCARD was a quick fix we
had in before noon which helped prevent many emails from getting in.
It doesn't seem to actually *do* anything other than propagate via smtp
(not even via network shares) so it seems relatively limited.
Seems like it was a homework assignment or something! Very simple, very
limited it seems.
On 1 Aug 2003, David Hart wrote:
> In the last two hours we rejected (thank you Postfix) 18 of these things
> - mostly connecting from a DSL on PacBell. Ironically our mail to
> PacBell abuse was rejected (Osirus has us as dynamic - we are not).
> Aug 1 18:46:48 mail postfix/smtpd: 462CF2C16F:
> Aug 1 18:46:51 mail postfix/smtpd: 462CF2C16F: reject: RCPT from
> adsl-64-172-199-53.dsl.lsan03.pacbell.net[18.104.22.168]: 550
> <admin at tqmcube.com>: Sender address rejected:
> Message-from-MailAdministrator-TQMcube: Forged address. You are NOT in
> our domain.; from=<admin at tqmcube.com> to=<exmachina at tqmcube.com>
> proto=SMTP helo=<localhost>
> Aug 1 18:46:55 mail postfix/smtpd: lost connection after RCPT
> from adsl-64-172-199-53.dsl.lsan03.pacbell.net[22.214.171.124]
> Aug 1 18:46:55 mail postfix/smtpd: disconnect from
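Added example, not part of the original post or the quoted message: a small Python tally of Postfix `reject: RCPT` lines like those quoted above, counting per client IP the rejected mail whose envelope sender claims `admin@` in the local domain. The log lines are constructed, `example.org` and the IP addresses are documentation placeholders, and the function name is hypothetical.

```python
import re

# Constructed sample in Postfix smtpd log format; example.org and the
# 192.0.2.x / 198.51.100.x / 203.0.113.x addresses are placeholders.
SAMPLE_LOG = """\
Aug  1 18:46:51 mail postfix/smtpd[2101]: 462CF2C16F: reject: RCPT from dsl-1.isp.example[192.0.2.10]: 550 <admin@example.org>: Sender address rejected: Forged address; from=<admin@example.org> to=<alice@example.org> proto=SMTP helo=<localhost>
Aug  1 18:46:55 mail postfix/smtpd[2101]: lost connection after RCPT from dsl-1.isp.example[192.0.2.10]
Aug  1 18:52:10 mail postfix/smtpd[2107]: 51AB02C170: reject: RCPT from dsl-1.isp.example[192.0.2.10]: 550 <admin@example.org>: Sender address rejected: Forged address; from=<admin@example.org> to=<bob@example.org> proto=SMTP helo=<localhost>
Aug  1 19:03:44 mail postfix/smtpd[2110]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 <Admin@Example.ORG>: Sender address rejected: Forged address; from=<Admin@Example.ORG> to=<alice@example.org> proto=ESMTP helo=<localhost>
Aug  1 19:05:12 mail postfix/smtpd[2111]: NOQUEUE: reject: RCPT from mx.other.example[203.0.113.5]: 554 <carol@elsewhere.example>: Relay access denied; from=<bob@other.example> to=<carol@elsewhere.example> proto=ESMTP helo=<mx.other.example>
"""

# Matches a reject at RCPT stage, with or without a PID and a queue id.
REJECT_RE = re.compile(
    r"postfix/smtpd(?:\[\d+\])?: (?:\w+: )?reject: RCPT from "
    r"(?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) .*?"
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
    r"(?:.*?helo=<(?P<helo>[^>]*)>)?"
)

def forged_sender_rejects(log_text, local_domain, local_part="admin"):
    """Map client IP -> {host, count, helos} for rejected mail whose
    envelope sender was local_part@local_domain (case-insensitive)."""
    forged = f"{local_part}@{local_domain}".lower()
    clients = {}
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m or m.group("sender").lower() != forged:
            continue  # not a reject line, or rejected for another reason
        entry = clients.setdefault(
            m.group("ip"), {"host": m.group("host"), "count": 0, "helos": set()}
        )
        entry["count"] += 1
        if m.group("helo") is not None:
            entry["helos"].add(m.group("helo"))
    return clients

if __name__ == "__main__":
    summary = forged_sender_rejects(SAMPLE_LOG, "example.org")
    for ip, info in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        helos = ",".join(sorted(info["helos"])) or "-"
        print(f"{info['count']:4d}  {ip:<15}  {info['host']}  helo={helos}")
```
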