Educause Security Discussion mailing list archives

Re: Novarg/MyDoom/MiMail observations


From: Marty Hoag <Marty.Hoag () NDSU NODAK EDU>
Date: Wed, 28 Jan 2004 16:52:37 -0600

   Maybe Symantec updated their page at

http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html

because I don't see any mention of edu exceptions.

   They mention the prepending but McAfee seems to
differentiate the prepended "local part" (before the
@ sign to harvested domains) AND the attempt to find
intermediary e-mail servers by prepending mx., mail.,
smtp., etc. on the host name. See

http://vil.nai.com/vil/content/v_100983.htm

   The random brute force "local parts" is especially
interesting because it might create a flood of error
messages. In fact, some of our users said they opened
the attachment because this was a bounce/error message
from our server so they figured it must be ok. ;-(

   Marty

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
