[Dshield] MyDoom Part 2

MH procana at insight.rr.com
Tue Feb 3 22:32:28 GMT 2004


On Tue, Feb 03, 2004 at 11:53:44AM -0800, John Sage wrote:

> I'd say 50% or more of the MyDoom-releated email I'm receiving is now
> of the form:
> 
> Date: Tue, 3 Feb 2004 18:02:51 +0100
> From: Mail Delivery Subsystem <MAILER-DAEMON at mail6.mc2.net>
> To: <alice at finchhaven.com>
> Subject: Returned mail: see transcript for details
> Auto-Submitted: auto-generated (failure)
> 
> [-- Attachment #1 --]
> [-- Type: text/plain, Encoding: 7bit, Size: 0.5K --]
> 
> The original message was received at Tue, 3 Feb 2004 17:49:54 +0100
> from mailrelay1.ornis.com [195.101.197.41]
> 
>    ----- The following addresses had permanent fatal errors -----
> <andrew at gallimard.fr>
>     (reason: 550 RCPT TO:<andrew at gallimard.fr> User unknown)
> 
>    ----- Transcript of session follows -----
> ... while talking to [10.180.49.32]:
> >>> RCPT To:<andrew at gallimard.fr>
> <<< 550 RCPT TO:<andrew at gallimard.fr> User unknown
> 550 5.1.1 <andrew at gallimard.fr>... User unknown
> 
> /* snip */
> - John

Hi John,  

I added the first names contained in the virus code to
the mta's blocked rcpt list.  My mta rejects the mail without ever
putting it into queue.  This has really cut down on the amount of 
this stuff. 

Hope this helps,
Mike




More information about the list mailing list