[Dshield] MyDoom Part 2

John Sage jsage at finchhaven.com
Tue Feb 3 19:53:44 GMT 2004


On Tue, Feb 03, 2004 at 12:41:46PM -0600, Micheal Patterson wrote:
> From: "Micheal Patterson" <micheal at tsgincorporated.com>
> To: "dshield" <list at dshield.org>
> Date: Tue, 3 Feb 2004 12:41:46 -0600
> Subject: [Dshield] MyDoom Part 2
> Has anyone been able to do any type of assessment on how much of an
> increase of internet traffic has resulted from the MyDoom variants?

Check out the Internet Traffic Report, 7 days:


Things really look pretty normal, with the exception of spikes in
response time and packet loss overnight 01/31-02/01, and again
02/02-02-03 -- spikes that are hardly noticible as a dips in the
overall Traffic Index.

I'd say not much has happened. The big issue is email bounces, which
you address, below:

> Another thing that came to mind today, has anyone considered how
> their own MTA's while protecting their network extremely well
> against the onslaught of virus infected email, is in fact, assisting
> the author to spread this thing? It just occured to me, while going
> through my postmaster email, that we are all doing precisely
> that. Most MTA's, Sendmail, qmail, etc, are configured to bounce the
> original message to the sender upon non delivery. This includes the
> infected attachment in the event that the MTA isn't scanning for
> virus/trojan software. One in particular that caught my attention
> was Qmail.  You know, with it's friendly "Hi. This is the qmail-send
> program at @host@".  If these MTA's are detecting this thing,
> they're just passing it along to the innocent.

I'd say 50% or more of the MyDoom-releated email I'm receiving is now
of the form:

Date: Tue, 3 Feb 2004 18:02:51 +0100
From: Mail Delivery Subsystem <MAILER-DAEMON at mail6.mc2.net>
To: <alice at finchhaven.com>
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)

[-- Attachment #1 --]
[-- Type: text/plain, Encoding: 7bit, Size: 0.5K --]

The original message was received at Tue, 3 Feb 2004 17:49:54 +0100
from mailrelay1.ornis.com []

   ----- The following addresses had permanent fatal errors -----
<andrew at gallimard.fr>
    (reason: 550 RCPT TO:<andrew at gallimard.fr> User unknown)

   ----- Transcript of session follows -----
... while talking to []:
>>> RCPT To:<andrew at gallimard.fr>
<<< 550 RCPT TO:<andrew at gallimard.fr> User unknown
550 5.1.1 <andrew at gallimard.fr>... User unknown

/* snip */

I now have over 625 individual pieces of MyDoom-specific crap in all
its forms, totaling over 15 meg..

- John
"Mad cow? You'd be mad too, if someone was trying to eat you."

More information about the list mailing list