[Dshield] Mail bombing by MyDoom, bouncing of infected emails, and a few other random thoughts

Micheal Patterson micheal at tsgincorporated.com
Thu Jan 29 17:33:18 GMT 2004

----- Original Message ----- 
From: "Jon R. Kibler" <Jon.Kibler at aset.com>
To: <list at dshield.org>
Sent: Thursday, January 29, 2004 10:53 AM
Subject: [Dshield] Mail bombing by MyDoom, bouncing of infected emails, and
a few other random thoughts

> Greetings:
> Wow! MyDoom has created a real mess... not so much the virus itself, but
> the volume of email it is generating. In a normal day, we handle 5K to 25K
> mail server connections per day (about 0.3 connections/sec) per MTA. Most of
> this week, it has been 20K to 50K connections per day per MTA.
> The higher average connection rate is really not a problem in and of
> itself -- the problem is that connections have been arriving in large
> bursts -- as high as 100 new connections per second. At that point, sendmail
> starts to have problems keeping up.
> Anyway, two real reasons for writing about MyDoom mail bombing:
>   1) Question: Has anyone else seen similar behavior -- meaning large
> connection bursts?
>   2) Pass on some advice on how you can protect yourself from such high
> connection rates.

A1: Yes. I'm seeing connection bursts. Generally, it's steady during normal
business hours. The last 3 days, this has not been the case. I may get 200 -
300 messages one hour, then 1800-2000 the next. Granted, it's difficult to
determine an exact match but I can see what appears to be a pattern forming
on my network at least. Approx every other hour is higher on message inbound
than the hour before.

A2. I've got my servers set to throttle if over 40 connections per second.
This may or may not work for you depending on the normal load of your
server. Ours hasn't seemed to have much trouble. We generally pump in/out
around 15k - 19k messages every 24 hour period. Starting on the 26th, that
doubled. Yesterday, we handled around 33k messages.


> There are other performance tuning options available, but the above 5 are
> probably the best place to start. In proper combination, they provide pretty
> good protection against 'mail bombing' situations.

If necessary, and feasible in your situation, you may need to force rate

> One other oddity we have seen with MyDoom... the forged recipients and the
> mail servers bouncing the viruses seem to be very local -- meaning that most
> (>50%) of the MyDoom traffic originates from the local metropolitan area.
> Usually, mail originating from our metropolitan area probably constitutes
> less than 1% of all email traffic. Even with other email viruses, we have
> never seen such a large local burst. Has anyone else seen such an occurrence
> or are we just "lucky"?

It's because everyone that tries to hit your users has passed emails to them
in the past. The target addresses are pulled from the address book / contact
list of the infected system. That also makes this more of a problem as you're
likely to see an infected message from someone that you communicate with,
and trust them and open the attachment.


Micheal Patterson
TSG Network Administration
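
A simplified model of the per-second connection throttle discussed in the message above, as an added example that is not part of the original post and not any MTA's own code. It assumes connections over the limit wait, first in first out, for the next one-second slot; the function names and the burst data are constructed for illustration.

```python
from collections import Counter

def throttle(arrivals, limit_per_sec):
    """Return the second in which each connection is accepted.

    arrivals: arrival times in whole seconds.
    Assumed model: at most limit_per_sec accepts per one-second slot,
    excess connections queue FIFO and roll over into later slots.
    """
    accepted = []
    slot, used = None, 0
    for t in sorted(arrivals):
        if slot is None or t > slot:
            slot, used = t, 0          # no backlog: serve in arrival second
        if used >= limit_per_sec:
            slot, used = slot + 1, 0   # slot full: push into the next second
        accepted.append(slot)
        used += 1
    return accepted

def summarize(arrivals, limit_per_sec):
    """Peak inbound/accepted rates, worst queueing delay, and drain time."""
    arrivals = sorted(arrivals)
    accepted = throttle(arrivals, limit_per_sec)
    return {
        "peak_in": max(Counter(arrivals).values()),
        "peak_out": max(Counter(accepted).values()),
        "max_delay": max(a - t for t, a in zip(arrivals, accepted)),
        "drained_at": accepted[-1],
    }

# Constructed sample: a 3-second burst at 100 new connections per second,
# the burst size quoted in the thread, against the 40/sec throttle.
BURST = [sec for sec in range(3) for _ in range(100)]

if __name__ == "__main__":
    for key, value in summarize(BURST, 40).items():
        print(f"{key}: {value}")
```

Under this model the throttle caps what the mail daemon sees at 40 per second and converts the burst into queueing delay for the senders, so the limit has to be weighed against how long remote MTAs will wait before timing out.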
