MyDoom Countermeasures

Rose, Bobby brose at MED.WAYNE.EDU
Wed Jan 28 23:51:00 GMT 2004


In this example, the virus source was med.wayne.edu [15.244.169.245].
Med.wayne.edu is in the 146.9-netblock.


Received: from media.cfhosting.net [64.118.64.98] by cfpop.cfhosting.net
with ESMTP
  (SMTPD32-8.02) id AB3F23480150; Tue, 27 Jan 2004 14:25:51 -0500
Received: from med.wayne.edu [15.244.169.245] by media.cfhosting.net
with ESMTP
  (SMTPD32-8.02) id AB4B827011A; Tue, 27 Jan 2004 14:26:03 -0500
From: claudia at med.wayne.edu
To: serg at telementor.org
Subject: HI
Date: Tue, 27 Jan 2004 12:26:01 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_0003_7B029EE8.950B1227"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <200401271426515.SM04916 at med.wayne.edu>



-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
Behalf Of Chris Yuzik
Sent: Wednesday, January 28, 2004 6:46 PM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: MyDoom Countermeasures

Rose, Bobby wrote:

>You would think that the AV vendors would have posted this info when 
>they deconstructed it.  It also uses the domain name of the email 
>address that it's sending to as the source system hostname.
>
Are you sure about this? I'm seeing a lot of messages coming in that
don't look like that's the case.

Can you provide an example so I know I'm looking at the right stuff?

> I had a
>postmaster using Declude AV software email me about the virus coming 
>from us and I pointed out that the system hostname of the source 
>machine being used wouldn't resolve to the IP address of the source 
>machine.  I guess he wasn't doing reverse lookups.
>
>

Thanks,
Chris
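The check Bobby Rose describes above (does the hostname a sender claims in the `Received: from X [ip]` clause actually resolve to that IP, in either direction?) can be automated. The following is an added example for this thread, not code from either poster or from MailScanner. It re-uses the two Received lines quoted above as constructed input, with the addresses written with `@` rather than the archive's ` at ` spelling, and it resolves names through a stub table of constructed DNS answers (the `192.0.2.10` address is an RFC 5737 test address, and the missing PTR for `15.244.169.245` is an assumption) so it runs offline; `dns_forward`/`dns_reverse` show the live `socket` lookups a mail gateway would use instead.

```python
import re
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample: the headers quoted in the post, folded as the archive shows them.
SAMPLE_HEADERS = """\
Received: from media.cfhosting.net [64.118.64.98] by cfpop.cfhosting.net
with ESMTP
  (SMTPD32-8.02) id AB3F23480150; Tue, 27 Jan 2004 14:25:51 -0500
Received: from med.wayne.edu [15.244.169.245] by media.cfhosting.net
with ESMTP
  (SMTPD32-8.02) id AB4B827011A; Tue, 27 Jan 2004 14:26:03 -0500
From: claudia@med.wayne.edu
To: serg@telementor.org
Subject: HI
"""

# Constructed, offline DNS answers (hypothetical). The relay hop is consistent;
# the originating hop's claimed name resolves elsewhere and the IP has no PTR.
FAKE_FORWARD: Dict[str, List[str]] = {
    "media.cfhosting.net": ["64.118.64.98"],
    "med.wayne.edu": ["192.0.2.10"],
}
FAKE_REVERSE: Dict[str, str] = {"64.118.64.98": "media.cfhosting.net"}

HEADER_START = re.compile(r"^[A-Za-z][A-Za-z0-9-]*:")
RECEIVED_RE = re.compile(
    r"from\s+(\S+)\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]\s+by\s+(\S+)", re.I)


def unfold(raw: str) -> Dict[str, List[str]]:
    """Join folded header lines. Any line that does not start a 'Name:' field
    (including the unindented 'with ESMTP' lines in the archive) is treated
    as a continuation of the previous field."""
    fields: Dict[str, List[str]] = {}
    name: Optional[str] = None
    for line in raw.splitlines():
        if HEADER_START.match(line):
            name, _, value = line.partition(":")
            name = name.lower()
            fields.setdefault(name, []).append(value.strip())
        elif name is not None and fields[name]:
            fields[name][-1] += " " + line.strip()
    return fields


def dns_forward(host: str) -> List[str]:
    """Live A-record lookup; empty list when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(host)[2]
    except OSError:
        return []


def dns_reverse(ip: str) -> Optional[str]:
    """Live PTR lookup; None when the address has no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def in_domain(host: str, domain: str) -> bool:
    return bool(domain) and (host == domain or host.endswith("." + domain))


def check_hop(received: str, forward: Callable[[str], List[str]],
              reverse: Callable[[str], Optional[str]]) -> Optional[dict]:
    """Compare the hostname a client claimed with what DNS says about its IP."""
    m = RECEIVED_RE.search(received)
    if not m:
        return None
    claimed, ip, by = (g.lower() for g in m.groups())
    ptr = reverse(ip)
    result = {"claimed": claimed, "ip": ip, "by": by,
              "forward_ok": ip in forward(claimed),
              "ptr": ptr.lower() if ptr else None}
    result["ptr_ok"] = result["ptr"] == claimed
    # Forged if neither direction ties the claimed name to the connecting IP.
    result["forged"] = not (result["forward_ok"] or result["ptr_ok"])
    return result


def audit(raw: str, forward=dns_forward, reverse=dns_reverse) -> List[dict]:
    """Check every Received hop; also flag hops whose claimed hostname sits in
    the recipient's domain, the pattern the post attributes to the worm."""
    fields = unfold(raw)
    to = fields.get("to", [""])[0]
    rcpt_domain = to.rsplit("@", 1)[-1].strip("<> ").lower() if "@" in to else ""
    hops = []
    for value in fields.get("received", []):
        hop = check_hop(value, forward, reverse)
        if hop:
            hop["claims_recipient_domain"] = in_domain(hop["claimed"], rcpt_domain)
            hops.append(hop)
    return hops


if __name__ == "__main__":
    for hop in audit(SAMPLE_HEADERS, lambda h: FAKE_FORWARD.get(h, []), FAKE_REVERSE.get):
        print(hop)
```

Run against the sample, the relay hop (`media.cfhosting.net`) passes both checks while the originating hop (`med.wayne.edu [15.244.169.245]`) fails both, which is the mismatch Bobby pointed out to the Declude postmaster. The recipient-domain flag is computed from `To:`, so in this particular sample it does not fire; the claimed name matches the `From:` domain instead.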
