[Dshield] MyDoom Part 2

Erik van Straten emvs.dsh.3FB4CC72 at cpo.tn.tudelft.nl
Wed Feb 4 00:16:40 GMT 2004


On Tue, 3 Feb 2004 12:41:46 -0600 "Micheal Patterson" wrote:
> Has anyone been able to do any type of assessment on how much of an
> increase of internet traffic has resulted from the MyDoom variants?

Some nice live stats are here: http://www.postini.com/stats/menu.html
(requires enabled Flash browser-plugin). Make sure to click "Detailed
Statistics", then "More maps", and "Enlarge Map" per area of interest.

>From what I know, only some got hit badly; last X-mas-present PC's are 
typically powerful but may have a limited number of email addresses on
disk to be found by any virus (bad luck if you're amongst them).

> Most MTA's, Sendmail, qmail, etc, are configured to bounce the
> original message to the sender upon non delivery. This includes the
> infected attachment in the event that the MTA isn't scanning for
> virus/trojan software.

IMO, the best current practice is to REJECT undeliverable mail at the
perimeter (Postfix does this by default since version 2). It aborts
before the message is transferred (thus prevents bouncing such mail to
someone else) and typically keeps your outgoing queues cleaner. If your
perimeter MTA doesn't have access to the user DB, you could use inbound
Recipient Address Verification (Google helps; details OT for DShield).

Because most virii (and spammers) directly submit from compromised PC's
to recipient MTA's this measure is quite effective.

One disadvantage of conditionally accepting mail is that anyone may
poll RCPT TO fast, without sending mail, in order to harvest addresses
(examples: http://www.arclab.com/products/amlv/works.html and
http://www.mailutilities.com/hsv/address-verification.html ). Large
"flat" domains may need to implement preventive measures. On the other
hand, dictionary attacks involving actual emails reportedly also do

Using XBL (spamhaus.org) or similar will likely block infected PC's
soon after an outbreak. I'm unaware of the current number of listed
IP's on (for example) http://cbl.abuseat.org , but I noted that quite
some were added on, or soon after, January 27. If the virii are being
submitted by a limited number of IP's you could block those yourself.

Though I dislike malware, I hope MyDoom wasn't an eye opener just for
you. Spammers have been forging sender addresses for quite some time,
causing lots of junk to be bounced to innocent (Joe-jobbed) third
parties. Unlike MyDoom, I don't expect spamrates to decrease. A page
describing the misery: http://www.ja.net/mail/junk/collateral.html

Erik van Straten

More information about the list mailing list