[Dshield] MyDoom Part 2

Micheal Patterson micheal at tsgincorporated.com
Tue Feb 3 22:18:05 GMT 2004



----- Original Message ----- 
From: "John Sage" <jsage at finchhaven.com>
To: "General DShield Discussion List" <list at dshield.org>
Cc: <micheal at tsgincorporated.com>
Sent: Tuesday, February 03, 2004 1:53 PM
Subject: Re: [Dshield] MyDoom Part 2


> Micheal:
>
> On Tue, Feb 03, 2004 at 12:41:46PM -0600, Micheal Patterson wrote:
> > From: "Micheal Patterson" <micheal at tsgincorporated.com>
> > To: "dshield" <list at dshield.org>
> > Date: Tue, 3 Feb 2004 12:41:46 -0600
> > Subject: [Dshield] MyDoom Part 2
> >
> > Has anyone been able to do any type of assessment on how much of an
> > increase of internet traffic has resulted from the MyDoom variants?
>
> Check out the Internet Traffic Report, 7 days:
>
> http://www.internettrafficreport.com/7day.htm
>
> Things really look pretty normal, with the exception of spikes in
> response time and packet loss overnight 01/31-02/01, and again
> 02/02-02/03 -- spikes that are hardly noticeable as dips in the
> overall Traffic Index.
>
> I'd say not much has happened. The big issue is email bounces, which
> you address, below:

Cool, I'll check it out. Thanks for the link.

> I'd say 50% or more of the MyDoom-related email I'm receiving is now
> of the form:
>
> Date: Tue, 3 Feb 2004 18:02:51 +0100
> From: Mail Delivery Subsystem <MAILER-DAEMON at mail6.mc2.net>
> To: <alice at finchhaven.com>
> Subject: Returned mail: see transcript for details
> Auto-Submitted: auto-generated (failure)
>
> [-- Attachment #1 --]
> [-- Type: text/plain, Encoding: 7bit, Size: 0.5K --]
>
> The original message was received at Tue, 3 Feb 2004 17:49:54 +0100
> from mailrelay1.ornis.com [195.101.197.41]
>
>    ----- The following addresses had permanent fatal errors -----
> <andrew at gallimard.fr>
>     (reason: 550 RCPT TO:<andrew at gallimard.fr> User unknown)
>
>    ----- Transcript of session follows -----
> ... while talking to [10.180.49.32]:
> >>> RCPT To:<andrew at gallimard.fr>
> <<< 550 RCPT TO:<andrew at gallimard.fr> User unknown
> 550 5.1.1 <andrew at gallimard.fr>... User unknown
>
> /* snip */
>
>
> I now have over 625 individual pieces of MyDoom-specific crap in all
> its forms, totaling over 15 meg.
>
>
>
> - John
> -- 
> "Mad cow? You'd be mad too, if someone was trying to eat you."

I wish I only had 625 pieces. I'm sitting on approx 2500 pieces in my
virusmail quarantine folder and it's just getting larger as time goes by.  I
was concerned about this in respect to my own MTAs and got to checking in
on this a bit further after my initial email about this, and discovered an
interesting, totally unexpected, yet very welcome side effect. With
delay_check enabled and using amavis with a dual sendmail.cf config,
there's a good chance you won't pass the trojan / virus in a bounce message.

BTW, I like your tag line. :)

--

Micheal Patterson
TSG Network Administration
405-917-0600

Confidentiality Notice:  This e-mail message, including any attachments, is
for the sole use of the intended recipient(s) and may contain confidential
and privileged information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the intended recipient, please
contact the sender by reply e-mail and destroy all copies of the original
message.

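The sendmail-style bounce John quotes above, parsed into the fields a mail admin triaging MyDoom backscatter would want (relay host and IP, failed recipients, enhanced status code). This is an added example, not code from either poster; the sample DSN is reconstructed from the quoted message with the list archive's "at" obfuscation turned back into "@", and it assumes a single-part text/plain bounce body.

```python
import email
import re
from email.message import Message

# Constructed sample, modelled on the bounce quoted in the thread above.
SAMPLE_BOUNCE = """\
Date: Tue, 3 Feb 2004 18:02:51 +0100
From: Mail Delivery Subsystem <MAILER-DAEMON@mail6.mc2.net>
To: <alice@finchhaven.com>
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)

The original message was received at Tue, 3 Feb 2004 17:49:54 +0100
from mailrelay1.ornis.com [195.101.197.41]

   ----- The following addresses had permanent fatal errors -----
<andrew@gallimard.fr>
    (reason: 550 RCPT TO:<andrew@gallimard.fr> User unknown)

   ----- Transcript of session follows -----
... while talking to [10.180.49.32]:
>>> RCPT To:<andrew@gallimard.fr>
<<< 550 RCPT TO:<andrew@gallimard.fr> User unknown
550 5.1.1 <andrew@gallimard.fr>... User unknown
"""

# "from <host> [<ip>]" line naming the relay that handed the forged mail in.
RELAY_RE = re.compile(r"^from\s+(\S+)\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.M)
# A bare "<address>" line under the "permanent fatal errors" banner.
FATAL_RE = re.compile(r"^<([^>]+)>\s*$", re.M)
# Final "550 5.1.1 ..." line: SMTP reply code plus enhanced status code.
STATUS_RE = re.compile(r"^(\d{3}) (\d\.\d\.\d)", re.M)

def is_delivery_failure(msg: Message) -> bool:
    """True for MTA-generated DSNs flagged as failures (the backscatter case)."""
    auto = (msg.get("Auto-Submitted") or "").lower()
    sender = (msg.get("From") or "").lower()
    return auto.startswith("auto-generated") and "failure" in auto and "mailer-daemon" in sender

def summarize_bounce(raw: str) -> dict:
    """Parse one raw bounce; returns {'bounce': False} for anything that is not a DSN."""
    msg = email.message_from_string(raw)
    if not is_delivery_failure(msg):
        return {"bounce": False}
    body = msg.get_payload()  # single-part body, so this is the text itself
    relay = RELAY_RE.search(body)
    status = STATUS_RE.search(body)
    return {
        "bounce": True,
        "relay_host": relay.group(1) if relay else None,
        "relay_ip": relay.group(2) if relay else None,
        "failed_recipients": sorted(set(FATAL_RE.findall(body))),
        "status": status.group(2) if status else None,
    }
```

Run over a quarantine folder, the relay IPs and failed recipients give you the forged-sender pattern to report or filter on, without ever opening the attachment the bounce may carry.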