Snort mailing list archives

RE: MyDoom Outbound Impossible Detects

From: "John York" <YorkJ () brcc edu>
Date: Fri, 6 Feb 2004 16:27:21 -0500

I had the same problem.  I used the 4 rules that were posted here to
detect MyDoom outbound, and got quite "concerned" when I saw them alert
on email coming out of my mail server.  After I traced the messages in
the server logs and found that they were NDR answers to inbound MyDoom
messages, my blood pressure came back down.  I still have the rules in
place in case one of my workstations gets infected, but I ignore the
ones from my mailserver.
Thanks
John

John York
Network Engineer
Blue Ridge Community College
1 College Lane, Weyers Cave, VA 24486
540.453.2255

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-
admin () lists sourceforge net] On Behalf Of Chris Keladis
Sent: Friday, February 06, 2004 3:44 PM
To: McCash, John
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] MyDoom Outbound Impossible Detects

At 05:52 AM 2/7/2004, you wrote:

Hi John,

        I'm about to throw up my arms in disgust. I'm seeing

outbound

SMTP traffic from one of my mail filter machines which looks like

MyDoom.

However I can't account for the combination of SMTP to/from

addresses

and

the actual origin and destination of the packets that snort is

flagging.

The SMTP From: address is an external address. The destination SMTP
address is an (invalid) internal address user () andrew com. The mail

filter

has no way of knowing that it's invalid, however.
The source IP address of the packets is my mail filter (Surfcontrol

E-

Mail

Filter). Note that I'm not virus filtering outbound traffic. That's
something I intend to remedy as soon as I have budget for doing so.

The

destination IP address of the packets is one of a number of external
Internet email servers.


You could be seeing bounces (aka NDRs) when the worm tries to mail a
non-existent account, and your mail server sends a bounce to the

sender,

with a copy of the original email.

Check your mail logs for a corresponding inbound entry, then an entry
saying the user didn't exist, then an entry to deliver the NDR back to

the

(forged) sender.

If you use sendmail, you should (in theory) be able to grep for the

SMTP

id
of an email in your mail log and see the whole process.




Regards,

Chris.




-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

MyDoom Outbound Impossible Detects McCash, John (Feb 06)
- Message not available
  - Re: MyDoom Outbound Impossible Detects Chris Keladis (Feb 06)
- <Possible follow-ups>
- Re: MyDoom Outbound Impossible Detects McCash, John (Feb 06)
- RE: MyDoom Outbound Impossible Detects John York (Feb 06)
- Re: MyDoom Outbound Impossible Detects McCash, John (Feb 11)
- Re: MyDoom Outbound Impossible Detects McCash, John (Feb 11)