Snort mailing list archives
RE: MyDoom Outbound Impossible Detects
From: "John York" <YorkJ () brcc edu>
Date: Fri, 6 Feb 2004 16:27:21 -0500
I had the same problem. I used the 4 rules that were posted here to detect MyDoom outbound, and got quite "concerned" when I saw them alert on email coming out of my mail server. After I traced the messages in the server logs and found that they were NDR answers to inbound MyDoom messages, my blood pressure came back down. I still have the rules in place in case one of my workstations gets infected, but I ignore the ones from my mailserver.

Thanks
John

John York
Network Engineer
Blue Ridge Community College
1 College Lane, Weyers Cave, VA 24486
540.453.2255
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Chris Keladis
Sent: Friday, February 06, 2004 3:44 PM
To: McCash, John
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] MyDoom Outbound Impossible Detects

Hi John,

At 05:52 AM 2/7/2004, you wrote:

> I'm about to throw up my arms in disgust. I'm seeing outbound SMTP traffic from one of my mail filter machines which looks like MyDoom. However I can't account for the combination of SMTP to/from addresses and the actual origin and destination of the packets that snort is flagging.
>
> The SMTP From: address is an external address. The destination SMTP address is an (invalid) internal address user () andrew com. The mail filter has no way of knowing that it's invalid, however. The source IP address of the packets is my mail filter (Surfcontrol E-Filter). Note that I'm not virus filtering outbound traffic. That's something I intend to remedy as soon as I have budget for doing so. The destination IP address of the packets is one of a number of external Internet email servers.

You could be seeing bounces (aka NDRs) when the worm tries to mail a non-existent account, and your mail server sends a bounce to the sender, with a copy of the original email.

Check your mail logs for a corresponding inbound entry, then an entry saying the user didn't exist, then an entry to deliver the NDR back to the (forged) sender.

If you use sendmail, you should (in theory) be able to grep for the SMTP id of an email in your mail log and see the whole process.

Regards,

Chris.
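Chris's suggestion of following a queue id through the mail log (inbound acceptance, "User unknown", then the outbound NDR to the forged sender), as an added example that is not part of this thread: a small Python script that does that correlation over constructed sendmail-style log lines. The addresses, queue ids and IPs are made up, and the field layout is an approximation of sendmail's syslog format, which varies by version and configuration.

```python
import re
from collections import defaultdict

# Constructed sample in the style of sendmail syslog entries (not a real capture):
# an inbound message to a nonexistent local user, the "User unknown" rejection,
# the DSN record that links the original queue id to a new bounce queue id, the
# outbound delivery of that bounce to the forged sender, and one genuine outbound mail.
SAMPLE_LOG = """\
Feb  6 15:40:02 mx sendmail[4101]: i16KeAq04101: from=<bob@example.net>, size=30204, nrcpts=1, relay=[198.51.100.23]
Feb  6 15:40:02 mx sendmail[4102]: i16KeAq04101: to=<user@andrew.com>, mailer=local, dsn=5.1.1, stat=User unknown
Feb  6 15:40:02 mx sendmail[4102]: i16KeAq04101: i16KeAq04102: DSN: User unknown
Feb  6 15:40:03 mx sendmail[4103]: i16KeAq04102: to=<bob@example.net>, mailer=esmtp, relay=mail.example.net. [203.0.113.9], dsn=2.0.0, stat=Sent (ok)
Feb  6 15:41:10 mx sendmail[4110]: i16KfAq04110: from=<alice@andrew.com>, size=1200, nrcpts=1, relay=[10.0.0.5]
Feb  6 15:41:11 mx sendmail[4111]: i16KfAq04110: to=<carol@example.org>, mailer=esmtp, relay=mail.example.org. [203.0.113.10], dsn=2.0.0, stat=Sent (ok)
"""

FROM_RE = re.compile(r": (?P<qid>\w+): from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r": (?P<qid>\w+): to=<(?P<addr>[^>]*)>.*stat=(?P<stat>.*)$")
DSN_RE = re.compile(r": (?P<orig>\w+): (?P<bounce>\w+): DSN: (?P<reason>.*)$")

def parse_log(text):
    """Index sender, recipients and DSN links by queue id so a chain can be followed."""
    senders, recips, dsn = {}, defaultdict(list), {}
    for line in text.splitlines():
        if m := FROM_RE.search(line):
            senders[m["qid"]] = m["addr"]
        elif m := TO_RE.search(line):
            recips[m["qid"]].append((m["addr"], m["stat"]))
        elif m := DSN_RE.search(line):
            dsn[m["bounce"]] = (m["orig"], m["reason"])  # bounce qid -> original qid
    return senders, recips, dsn

def explain_outbound(text, external_addr):
    """Given the external recipient of an outbound delivery (the address Snort saw the
    mail going to), say whether that delivery was an NDR and what it was bouncing."""
    senders, recips, dsn = parse_log(text)
    for qid, rcpts in recips.items():
        if external_addr not in [addr for addr, _ in rcpts]:
            continue
        if qid not in dsn:  # ordinary outbound mail: worth a closer look
            return {"qid": qid, "bounce": False, "from": senders.get(qid, "")}
        orig, reason = dsn[qid]  # NDR: report the inbound message it answers
        return {"qid": qid, "bounce": True, "reason": reason, "orig_qid": orig,
                "orig_from": senders.get(orig, ""),
                "orig_to": [addr for addr, _ in recips[orig]]}
    return None  # no delivery to that address found in the log

if __name__ == "__main__":
    print(explain_outbound(SAMPLE_LOG, "bob@example.net"))
```

A flagged delivery that resolves to a bounce of an inbound message to a nonexistent user is the NDR case described above; one that does not is the case that still deserves a look at the sending host.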