brose at MED.WAYNE.EDU
Wed Jan 28 23:27:38 GMT 2004
You would think that the AV vendors would have posted this info when
they deconstructed it. It also uses the domain name of the email
address that it's sending to as the source system hostname. I had a
postmaster using Declude AV software email me about the virus coming
from us and I pointed out that the system hostname of the source machine
being used wouldn't resolve to the IP address of the source machine. I
guess he wasn't doing reverse lookups.
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
Behalf Of Jeff Falgout
Sent: Wednesday, January 28, 2004 5:57 PM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: MyDoom Countermeasures
I added this list of names to my sendmail access file, and the number of
MyDoom's/hr dropped significantly.
# MyDoom countermeasures. It forges the username for email
# address. Here are some of the ones we've seen that don't
# exist.
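The reverse-lookup point raised in the reply above can be turned into a header check. This is an added example, not code from either poster or from MailScanner: it assumes sendmail-style Received lines, and the function names, DNS table and sample headers are constructed for illustration.

```python
import re

# Constructed forward-DNS table (documentation address ranges) so the
# example runs offline; a real check would query A records instead.
SAMPLE_DNS = {
    "example.org": ["192.0.2.10"],
    "mail.example.net": ["198.51.100.7"],
}

# Assumed sendmail-style trace: "from HELO (rdns [ip])" or "from HELO ([ip])"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:\S+\s+)?\[(?P<ip>[0-9.]+)\]\)", re.I)

def lookup(name, table=SAMPLE_DNS):
    """Return the A records for name from the constructed table."""
    return table.get(name.lower().rstrip("."), [])

def classify_helo(received, rcpt, resolver=lookup):
    """Classify one Received line against the envelope recipient."""
    m = RECEIVED_RE.search(received)
    if not m:
        return "unparsed"
    helo = m.group("helo").lower().rstrip(".")
    ip = m.group("ip")
    rcpt_domain = rcpt.rsplit("@", 1)[-1].lower()
    if ip in resolver(helo):
        return "ok"                        # HELO name resolves to the sender
    if helo == rcpt_domain:
        return "helo-is-recipient-domain"  # pattern described in the reply
    return "helo-mismatch"

# Constructed sample headers, not taken from real traffic.
SAMPLES = [
    ("from example.org ([203.0.113.45]) by mx.example.org",
     "alice@example.org"),
    ("from mail.example.net (mail.example.net [198.51.100.7]) by mx.example.org",
     "alice@example.org"),
    ("from pc17 ([203.0.113.45]) by mx.example.org", "alice@example.org"),
]

if __name__ == "__main__":
    for line, rcpt in SAMPLES:
        print(classify_helo(line, rcpt), "<-", line)
```

A plain HELO mismatch is common among legitimate senders, so only the recipient-domain case is a strong signal on its own.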