MyDoom Countermeasures

Rose, Bobby brose at MED.WAYNE.EDU
Wed Jan 28 23:27:38 GMT 2004


You would think that the AV vendors would have posted this info when
they deconstructed it.  It also uses the domain name of the email
address that it's sending to as the source system hostname.  I had a
postmaster using Declude AV software email me about the virus coming
from us and I pointed out that the system hostname of the source machine
being used wouldn't resolve to the IP address of the source machine.  I
guess he wasn't doing reverse lookups.



-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
Behalf Of Jeff Falgout
Sent: Wednesday, January 28, 2004 5:57 PM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: MyDoom Countermeasures

I added this list of names to my sendmail access file, and the number of
MyDoom's/hr dropped significantly.

YMMV

# MyDoom countermeasures. It forges the username for email
# address. Here are some of the ones we've seen that don't
# exist.
jane@                           DROP
anna@                           DROP
andrew@                         DROP
brian@                          DROP
david@                          DROP
linda@                          DROP
john@                           DROP
kevin@                          DROP
jerry@                          DROP
maria@                          DROP
jeff@                           DROP
alice@                          DROP
bob@                            DROP
debby@                          DROP
stan@                           DROP
claudia@                        DROP
bill@                           DROP
ted@                            DROP
james@                          DROP
matt@                           DROP
alex@                           DROP
robert@                         DROP
julie@                          DROP
peter@                          DROP
sandra@                         DROP
joe@                            DROP
jimmy@                          DROP
sam@                            DROP
helen@                          DROP
smith@                          DROP
leo@                            DROP
jim@                            DROP
george@                         DROP
mike@                           DROP
steve@                          DROP
michael@                        DROP
brent@                          DROP
dave@                           DROP
ray@                            DROP
fred@                           DROP
dan@                            DROP
tom@                            DROP
mary@                           DROP
adam@                           DROP
brenda@                         DROP
jose@                           DROP
jack@                           DROP
srooney@                        DROP
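
The check described in the reply at the top of this page (does the hostname the sending system claims resolve to the IP that actually connected, and is that hostname simply the recipient's own domain), as an added example that is not part of either post. The DNS table, addresses, verdict labels and function names are constructed for illustration.

```python
import ipaddress
import socket

# Constructed forward-DNS data (documentation names and address ranges only),
# so the example runs offline. Not taken from the thread.
SAMPLE_DNS = {
    "example.edu": ["192.0.2.10"],
    "mail.example.net": ["198.51.100.25"],
}

def table_resolver(name, table=SAMPLE_DNS):
    """Look a hostname up in the constructed table."""
    return {ipaddress.ip_address(a) for a in table.get(name, [])}

def live_resolver(name):
    """Same interface backed by real DNS; not used by the sample run."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return set()
    return {ipaddress.ip_address(i[4][0].split("%")[0]) for i in infos}

def check_helo(helo, client_ip, rcpt, resolver=table_resolver):
    """Classify one SMTP session as 'pass', 'suspect' or 'unverified'."""
    helo_name = helo.lower().rstrip(".")
    rcpt_domain = rcpt.rsplit("@", 1)[-1].lower()
    ip = ipaddress.ip_address(client_ip)
    if ip in resolver(helo_name):
        return ("pass", "claimed hostname resolves to the connecting IP")
    if helo_name == rcpt_domain:
        # The pattern from the reply: the source hostname is the domain of
        # the address being mailed to, and it does not match the real source.
        return ("suspect", "claims recipient's domain, IP does not match")
    return ("unverified", "claimed hostname does not resolve to connecting IP")

if __name__ == "__main__":
    # Constructed sessions: (HELO name, connecting IP, envelope recipient)
    sessions = [
        ("example.edu", "203.0.113.77", "user@example.edu"),
        ("mail.example.net", "198.51.100.25", "user@example.edu"),
        ("mail.example.net", "203.0.113.5", "user@example.edu"),
    ]
    for helo, ip, rcpt in sessions:
        verdict, reason = check_helo(helo, ip, rcpt)
        print(f"{ip:15} HELO {helo:18} -> {verdict}: {reason}")
```

Pass `resolver=live_resolver` to run the same check against real DNS instead of the constructed table.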



