John Coutts
Mydoom appears to operate in 2 distinct phases.
Our filtering service quarantined 2 viruses from IP address (142.59.237.54)
directed to one of our customers with a very uncommon UserID (at 12:26:11 MST
and 12:26:21 MST). Coincidentally there are 2 MX records for the filtering
service. For several hours after that (starting at 13:00:17 MST), both the
lower priority servers and our unadvertised server were inundated by mail
requests to unknown but common UserIDs (dave, brenda, mike, linda, stan, etc.).
In each case the EHLO was the domain name used in the MAIL FROM:, but otherwise
everything else looked random.
The 35 minute delay between sending the first 2 messages and the dictionary-type
messages sent later must be because the virus runs out of real addresses and
switches to made-up ones using the info that it has created while running the
first phase.
Does anyone have any information that would either support or discredit this
theory? I am just trying to figure out where they got the IP address from for
the unadvertised server (no MX record). It must come from the InBox with the
rest of the name and domain information. Fortunately, my new DNSbl seems to
have blocked every one of them.
J.A. Coutts
Systems Engineer
MantaNet/TravPro
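The second phase described above (a burst of delivery attempts to unknown but common local-parts from one client, with the EHLO name equal to the MAIL FROM domain) is something a receiving MTA operator can flag from its own logs. The following is an added example, not code from the post or from MantaNet/TravPro: it parses a hypothetical one-line-per-transaction MTA log format (the `client=/helo=/from=/to=/status=` fields are an assumption of this example), groups `unknown_user` rejections by client IP inside a sliding time window, and reports a burst that reaches a threshold together with whether every attempt's EHLO matched its MAIL FROM domain. The sample log lines, addresses and IPs are constructed; the real IP from the post is deliberately not used.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the original post). Hypothetical format:
# "<date> <time> client=<ip> helo=<name> from=<addr> to=<addr> status=<accepted|unknown_user>"
SAMPLE_LOG = """\
2004-01-27 12:26:11 client=192.0.2.10 helo=example.net from=alice@example.net to=xq7.rare@customer.example status=accepted
2004-01-27 12:26:21 client=192.0.2.10 helo=example.net from=alice@example.net to=xq7.rare@customer.example status=accepted
2004-01-27 13:00:17 client=192.0.2.10 helo=mail.example.org from=bob@mail.example.org to=dave@customer.example status=unknown_user
2004-01-27 13:00:19 client=192.0.2.10 helo=mail.example.org from=bob@mail.example.org to=brenda@customer.example status=unknown_user
2004-01-27 13:00:22 client=192.0.2.10 helo=mail.example.org from=bob@mail.example.org to=mike@customer.example status=unknown_user
2004-01-27 13:00:25 client=192.0.2.10 helo=mail.example.org from=bob@mail.example.org to=linda@customer.example status=unknown_user
2004-01-27 13:00:31 client=192.0.2.10 helo=mail.example.org from=bob@mail.example.org to=stan@customer.example status=unknown_user
2004-01-27 13:00:40 client=192.0.2.10 helo=mail.example.org from=bob@mail.example.org to=john@customer.example status=unknown_user
this line is deliberately malformed and must be skipped by the parser
2004-01-27 13:05:02 client=198.51.100.7 helo=corp.example.com from=hr@corp.example.com to=dav@customer.example status=unknown_user
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) client=(?P<ip>\S+) helo=(?P<helo>\S+) "
    r"from=(?P<mail_from>\S+) to=(?P<rcpt>\S+) status=(?P<status>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    # The post observed EHLO == MAIL FROM domain on every attempt; record that per line.
    from_domain = rec["mail_from"].split("@", 1)[-1].lower()
    rec["helo_matches_from"] = rec["helo"].lower() == from_domain
    return rec


def detect_dictionary_bursts(lines, window=timedelta(minutes=10), threshold=5):
    """Return one alert per client IP whose unknown_user rejections reach
    `threshold` inside any `window`-long span (sliding window per IP)."""
    rejects = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == "unknown_user":
            rejects[rec["ip"]].append(rec)

    alerts = []
    for ip, recs in rejects.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Advance the window start until the span fits inside `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                limit = recs[start]["ts"] + window
                burst = [r for r in recs if recs[start]["ts"] <= r["ts"] <= limit]
                alerts.append({
                    "ip": ip,
                    "first_seen": recs[start]["ts"].isoformat(),
                    "attempts": len(burst),
                    "local_parts": sorted({r["rcpt"].split("@", 1)[0] for r in burst}),
                    "helo_matches_from_all": all(r["helo_matches_from"] for r in burst),
                })
                break  # one alert per IP is enough for a blocklist decision
    return alerts


if __name__ == "__main__":
    for alert in detect_dictionary_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

The benign client in the sample (a single typo-style rejection) stays below the threshold, while the dictionary burst is reported with the guessed local-parts, so the output can feed a local DNSBL-style listing such as the one the post mentions; the window and threshold are tunable and should be set from the site's normal bounce rate.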