W32.Mimail.A@mm


John Coutts

Here is an interesting one. I received the second copy of this virus (first one
didn't get recognized because it was so new) sent directly from a mail server
at (nr10-216-196-194-106.fuse.net [216.196.194.106]) to our server (no stops in
between). This is most unusual because:

a. It must have been proxied directly from the server.

b. It was sent directly to the third priority server.

SARC does not list this as one of its properties. Is this a deliberate attempt
to seed the virus?

J.A. Coutts
 
The mimail worm will use a SMTP server from a list of approx. 3 dozen servers. This list is
"not for public consumption."
I also can't explain any further so please... don't ask.

Dave

| Here is an interesting one. I received the second copy of this virus (first one
| didn't get recognized because it was so new) sent directly from a mail server
| at (nr10-216-196-194-106.fuse.net [216.196.194.106]) to our server (no stops in
| between). This is most unusual because:
|
| a. It must have been proxied directly from the server.
|
| b. It was sent directly to the third priority server.
|
| SARC does not list this as one of its properties. Is this a deliberate attempt
| to seed the virus?
|
| J.A. Coutts
|
 
I was wrong... approx. 1 dozen SMTP servers... sorry for the mistake.

Dave

| The mimail worm will use a SMTP server from a list of approx. 3 dozen servers. This list
| is "not for public consumption."
| I also can't explain any further so please... don't ask.
|
| Dave
 
John Coutts said:
Here is an interesting one. I received the second copy of this virus (first one
didn't get recognized because it was so new) sent directly from a mail server
at (nr10-216-196-194-106.fuse.net [216.196.194.106]) to our server (no stops in
between). This is most unusual because:

a. It must have been proxied directly from the server.

b. It was sent directly to the third priority server.

SARC does not list this as one of its properties. Is this a deliberate attempt
to seed the virus?

I have seen several reports indicating that Mimail is being delivered through the
"lowest" (in MX terms -- i.e. "least desired") priority mail handler listed in the
DNS for the target domain. This is reputedly a trick commonly used by spammers.
It is, I guess, quite possible that Mimail is the work of a spammer (or someone
working for one) and is using a network of (possibly compromised) spam-specific
relays that either deliberately, or due to programmer error misinterpreting the
MX priority scheme, sends its mail via the domain's least preferred mail handler.
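
The MX-priority observation made in the posts above (John Coutts's "third priority server" and the reply about delivery via the least-desired handler) can be turned into a receiving-side check. The Python below is an added example written for this page; it is not code from any poster, from SARC, or from any analysis of Mimail. The MX record set, hostnames, addresses and Received: headers are constructed sample data, and the parser assumes the conventional `Received: from X ... by Y` syntax. It works bottom-up through the Received chain to find the hop at which a message entered the domain's own MX hosts, ranks that host against the MX preference list, and flags messages accepted by the least-preferred handler, which is where a mail administrator would want extra scrutiny or logging.

```python
"""Flag inbound mail that entered through the least-preferred MX host.

Added example for this thread; not code from any poster. All MX records,
hostnames and headers below are constructed sample data.
"""
import re

# Constructed MX record set for an example domain: (preference, host).
# Per the SMTP MX scheme the lowest preference value is tried first, so the
# highest value is the "least desired" handler the last post refers to.
SAMPLE_MX = [
    (10, "mx1.example.net"),
    (20, "mx2.example.net"),
    (30, "backup-mx.example.net"),
]

# Constructed headers of a message that was accepted by the backup MX.
BACKUP_HEADERS = """\
Received: from sender.example.org ([192.0.2.10])
        by backup-mx.example.net with ESMTP id ABC123
        for <user@example.net>; Fri, 01 Aug 2003 10:00:00 -0400
From: someone@example.org
Subject: your account
"""

# Constructed headers of a message accepted by the primary MX and then
# relayed to an internal store (so the topmost Received is not the edge hop).
PRIMARY_HEADERS = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.20])
        by mailstore.example.net with ESMTP id DEF456; Fri, 01 Aug 2003 10:00:02 -0400
Received: from sender.example.org ([192.0.2.10])
        by mx1.example.net with ESMTP id DEF455; Fri, 01 Aug 2003 10:00:01 -0400
Subject: hello
"""

RECEIVED_RE = re.compile(r"^Received:\s*from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.I)


def unfold_headers(raw):
    """Join RFC 5322 folded header lines (continuations start with whitespace)."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received(raw):
    """Return [{'from': ..., 'by': ...}, ...] in header order (newest first)."""
    hops = []
    for line in unfold_headers(raw):
        m = RECEIVED_RE.match(line)
        if m:
            hops.append({"from": m.group("from").rstrip(";,"),
                         "by": m.group("by").rstrip(";,.")})
    return hops


def least_preferred_mx(mx_records):
    """Host with the highest preference value, i.e. the last-resort handler."""
    return max(mx_records)[1]


def classify_inbound(raw_headers, mx_records):
    """Find the hop where the message entered our MX hosts and rank that host.

    Received headers are stacked newest-first, so the oldest matching 'by'
    host (iterating from the bottom) is the edge MX that accepted the mail.
    """
    pref_of = {host.lower(): pref for pref, host in mx_records}
    prefs = sorted({pref for pref, _ in mx_records})
    for hop in reversed(parse_received(raw_headers)):
        pref = pref_of.get(hop["by"].lower())
        if pref is None:
            continue
        return {
            "mx_host": hop["by"],
            "from_host": hop["from"],
            "preference": pref,
            "rank": prefs.index(pref) + 1,
            "of": len(prefs),
            "via_least_preferred": pref == prefs[-1],
        }
    return None  # no Received hop matched one of our MX hosts


if __name__ == "__main__":
    for name, hdrs in (("backup", BACKUP_HEADERS), ("primary", PRIMARY_HEADERS)):
        r = classify_inbound(hdrs, SAMPLE_MX)
        print(name, "->", r)
```

A real deployment would load the MX list from a DNS lookup of its own domain (or a static copy of it) rather than a constant, and would feed the classifier from the mail log or a milter; a high proportion of unsolicited mail arriving at the least-preferred MX is the signal the last post describes, and a common response is to apply the same filtering on the backup host as on the primary.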
 