[Dshield] Whatever it was (admin@) - it's expanding

Samantha Fetter sama at snowplow.org
Fri Aug 1 23:31:05 GMT 2003


That is the WORM_MIMAIL.A virus.
At my place of work we got many, MANY hits from all over the place.
Companies, saw lots of pacbell too, but fortunately only a small amount
got through.

Putting admin@<ourdomain>.com into access.db to DISCARD was a quick fix we
had in before noon which helped prevent many emails from getting in.

It doesn't seem to actually *do* anything other than propagate via smtp
(not even via network shares) so it seems relatively limited.
Seems like it was a homework assignment or something!  Very simple, very
limited it seems.

Cheers,
Samantha

On 1 Aug 2003, David Hart wrote:

> In the last two hours we rejected (thank you Postfix) 18 of these things
> - mostly connecting from a DSL on PacBell. Ironically our mail to
> PacBell abuse was rejected (Osirus has us as dynamic - we are not).
>
> Aug  1 18:46:48 mail postfix/smtpd[2181]: 462CF2C16F:
> client=adsl-64-172-199-53.dsl.lsan03.pacbell.net[64.172.199.53]
>
> Aug  1 18:46:51 mail postfix/smtpd[2181]: 462CF2C16F: reject: RCPT from
> adsl-64-172-199-53.dsl.lsan03.pacbell.net[64.172.199.53]: 550
> <admin at tqmcube.com>: Sender address rejected:
> Message-from-MailAdministrator-TQMcube: Forged address. You are NOT in
> our domain.; from=<admin at tqmcube.com> to=<exmachina at tqmcube.com>
> proto=SMTP helo=<localhost>
>
> Aug  1 18:46:55 mail postfix/smtpd[2181]: lost connection after RCPT
> from adsl-64-172-199-53.dsl.lsan03.pacbell.net[64.172.199.53]
>
> Aug  1 18:46:55 mail postfix/smtpd[2181]: disconnect from
> adsl-64-172-199-53.dsl.lsan03.pacbell.net[64.172.199.53]
>
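
A defender-side check for the pattern in David's log, added here as example code (not from the post or from Postfix): it parses Postfix smtpd "reject: RCPT from" lines and tallies, per client IP and per claimed sender, the rejections where the envelope sender claims our own domain but the connecting client is an outside host. The sample log lines and the domain example.com are constructed, modelled on the quoted entries.

```python
import re
from collections import Counter

# Matches the single-line "reject: RCPT from" record Postfix smtpd writes when
# it refuses a sender (same field layout as the quoted log above).
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): reject: RCPT from "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[\d.]+)\]: (?P<code>\d{3}) "
    r".*?from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
    r".*?helo=<(?P<helo>[^>]*)>"
)

# Constructed sample log (not real traffic); domain example.com is a placeholder.
SAMPLE_LOG = [
    "Aug  1 18:46:51 mail postfix/smtpd[2181]: 462CF2C16F: reject: RCPT from adsl-1-2-3-4.dsl.example.net[192.0.2.10]: 550 <admin@example.com>: Sender address rejected: Forged address. You are NOT in our domain.; from=<admin@example.com> to=<alice@example.com> proto=SMTP helo=<localhost>",
    "Aug  1 18:47:02 mail postfix/smtpd[2190]: 7A1B2C3D4E: reject: RCPT from adsl-1-2-3-4.dsl.example.net[192.0.2.10]: 550 <admin@example.com>: Sender address rejected: Forged address. You are NOT in our domain.; from=<admin@example.com> to=<bob@example.com> proto=SMTP helo=<localhost>",
    "Aug  1 18:47:30 mail postfix/smtpd[2195]: 9F8E7D6C5B: reject: RCPT from host.other.example[198.51.100.7]: 554 <carol@other.example>: Relay access denied; from=<carol@other.example> to=<dave@elsewhere.example> proto=ESMTP helo=<host.other.example>",
    "Aug  1 18:47:40 mail postfix/smtpd[2195]: disconnect from host.other.example[198.51.100.7]",
]

def parse_reject(line):
    """Return the fields of a Postfix RCPT reject line as a dict, else None."""
    m = REJECT_RE.search(line)
    return m.groupdict() if m else None

def is_forged_local_sender(rec, local_domain):
    """True when the envelope sender claims local_domain but the connecting
    client's hostname is not under that domain (the admin@<ourdomain> pattern)."""
    local = local_domain.lower()
    sender_domain = rec["sender"].rpartition("@")[2].lower()
    client_is_local = rec["host"].lower().endswith("." + local)
    return sender_domain == local and not client_is_local

def summarize(lines, local_domain):
    """Count forged-local-sender rejects per client IP and per claimed sender."""
    by_ip, by_sender = Counter(), Counter()
    for line in lines:
        rec = parse_reject(line)
        if rec and is_forged_local_sender(rec, local_domain):
            by_ip[rec["ip"]] += 1
            by_sender[rec["sender"]] += 1
    return by_ip, by_sender

if __name__ == "__main__":
    ips, senders = summarize(SAMPLE_LOG, "example.com")
    for ip, n in ips.most_common():
        print(f"{ip}\t{n} forged-local-sender rejects")
    for sender, n in senders.most_common():
        print(f"{sender}\t{n}")
```

Feed it `grep 'reject: RCPT' /var/log/maillog` and the top IPs are the hosts worth blocking at the firewall while the sender entry shows which local address the worm is forging.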