[Dshield] Mail bombing by MyDoom, bouncing of infected emails, and a few other random thoughts

David Hart DavidHart at TQMcube.com
Thu Jan 29 19:58:21 GMT 2004


On Thu, 2004-01-29 at 12:36, Bjorn Stromberg wrote:
> My tiny little network only received MyDoom from 2 different sources. One
> was from the local university and one was from the local competing ISP. The
> university only sent one, but the local ISP has done nothing about the IP I
> reported to it.

I should be so lucky. I had enough problems after VOL's misadventures
(two IP changes in three days).

One of my client's branches had a number of infected machines on their
LAN. Not only did I get flooded in bursts but the virus latched onto my
domain name as it sent out thousands and thousands of emails as moi.
Thousands of bounce messages created more of a flood.

=>I cannot fathom why AV software would send out messages. I suspect
that 99% of the time the sender domain is inconsistent with the
client.<= Yet they persist.

The only way I could restore sanity was to firewall block not only the
sending clients but some of the receiving hosts (like enhtech.com) which
insist on sending our terse, stern warning messages.
> 
> It does seem to burst, the sending times are extremely erratic, ranging from
> 2 minutes apart to 6 hours apart.
> 
> Bjorn Stromberg
> 
> ----- Original Message ----- 
> From: "Jon R. Kibler" <Jon.Kibler at aset.com>
> To: <list at dshield.org>
> Sent: Thursday, January 29, 2004 9:53 AM
> Subject: [Dshield] Mail bombing by MyDoom, bouncing of infected emails, and
> a few other random thoughts
> 
> <all kinds of kung-fu snipping>
> 
> > One other oddity we have seen with MyDoom... the forged recipients and the
> mail servers bouncing the viruses seem to be very local -- meaning that most
> (>50%) of the MyDoom traffic originates for the local metropolitan area.
> Usually, mail originating from our metropolitan area probably constitutes
> less than 1% of all email traffic. Even with other email viruses, we have
> never seen such a large local burst. Has anyone else seen such an occurrence
> or are we just "lucky"?
> 
> <shao-lin secret style snipping>
> 
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
                               ---------
            Quality Management - A Commitment to Excellence
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://www.dshield.org/pipermail/list/attachments/20040129/edabdf40/attachment.bin


More information about the list mailing list