Educause Security Discussion mailing list archives
Re: Novarg/MyDoom/MiMail observations
From: Marty Hoag <Marty.Hoag () NDSU NODAK EDU>
Date: Wed, 28 Jan 2004 16:52:37 -0600
Maybe Symantec updated their page at http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html because I don't see any mention of edu exceptions.

They mention the prepending but McAfee seems to differentiate the prepended "local part" (before the @ sign to harvested domains) AND the attempt to find intermediary e-mail servers by prepending mx., mail., smtp., etc. on the host name. See http://vil.nai.com/vil/content/v_100983.htm

The random brute force "local parts" is especially interesting because it might create a flood of error messages. In fact, some of our users said they opened the attachment because this was a bounce/error message from our server so they figured it must be ok. ;-(

Marty