MyDoom Countermeasures

Rose, Bobby brose at MED.WAYNE.EDU
Wed Jan 28 23:51:00 GMT 2004

In this example, the virus source was []. is in the 146.9-netblock.

Received: from [] by
with ESMTP
  (SMTPD32-8.02) id AB3F23480150; Tue, 27 Jan 2004 14:25:51 -0500
Received: from [] by
with ESMTP
  (SMTPD32-8.02) id AB4B827011A; Tue, 27 Jan 2004 14:26:03 -0500
From: claudia at
To: serg at
Subject: HI
Date: Tue, 27 Jan 2004 12:26:01 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <200401271426515.SM04916 at>

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
Behalf Of Chris Yuzik
Sent: Wednesday, January 28, 2004 6:46 PM
Subject: Re: MyDoom Countermeasures

Rose, Bobby wrote:

>You would think that the AV vendors would have posted this info when 
>they deconstructed it.  It also uses the domain name of the email 
>address that it's sending to as the source system hostname.
Are you sure about this? I'm seeing a lot of messages coming in that
don't look like that's the case.

Can you provide an example so I know I'm looking at the right stuff?

> I had a
>postmaster using Declude AV software email me about the virus coming 
>from us and I pointed out that the system hostname of the source 
>machine being used wouldn't resolve to the IP address of the source 
>machine.  I guess he wasn't doing reverse lookups.
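The check Bobby describes, a source hostname in the Received header that does not resolve to the connecting IP, can be automated on the receiving side. The following is an added example, not code from the thread or from MailScanner: it unfolds the headers, extracts the announced hostname and the connecting IP from each Received line, and compares them against DNS. The DNS data is a constructed in-memory table using RFC 5737 documentation addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), the message is constructed to mirror the shape of the headers quoted above, and hostnames such as mx1.corp.example are placeholders, so everything runs offline; a real deployment would replace the two dictionaries with resolver calls.

```python
import re
from typing import Dict, List, Optional

# Hop information recorded by the receiving MTA: the hostname the sender
# announced (HELO), the IP it actually connected from, and the receiving host.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

# Constructed stand-in for DNS (RFC 5737 documentation addresses) so that the
# example runs offline. Replace with real forward/PTR lookups in production.
FORWARD: Dict[str, List[str]] = {
    "mx1.corp.example": ["192.0.2.10"],
    "relay.partner.example": ["198.51.100.5"],
    "dsl-77.isp.example": ["203.0.113.77"],
}
REVERSE: Dict[str, Optional[str]] = {
    "192.0.2.10": "mx1.corp.example",
    "198.51.100.5": "relay.partner.example",
    "203.0.113.77": "dsl-77.isp.example",
}

# Constructed message: the first hop announces a hostname in the recipient's
# own domain but connects from an unrelated dial-up address; the second hop is
# a legitimate relay whose name and address agree.
SAMPLE_MESSAGE = """\
Received: from mx1.corp.example [203.0.113.77] by mail.corp.example
  with ESMTP id PLACEHOLDER-1; Tue, 27 Jan 2004 14:25:51 -0500
Received: from relay.partner.example [198.51.100.5] by mail.corp.example
  with ESMTP id PLACEHOLDER-2; Tue, 27 Jan 2004 14:26:03 -0500
From: claudia@corp.example
To: serg@corp.example
Subject: HI
"""


def unfold_headers(raw: str) -> List[str]:
    """Join continuation lines (leading whitespace) back onto their header."""
    out: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out


def parse_received(raw: str) -> List[Dict[str, str]]:
    """Return one dict per Received header with helo, ip and by fields."""
    hops = []
    for line in unfold_headers(raw):
        m = RECEIVED_RE.match(line)
        if m:
            hops.append({k: v.lower() for k, v in m.groupdict().items()})
    return hops


def check_hop(hop: Dict[str, str]) -> Dict[str, object]:
    """Compare the announced hostname against what DNS says about the IP."""
    helo, ip = hop["helo"], hop["ip"]
    ptr = REVERSE.get(ip)
    return {
        "helo": helo,
        "ip": ip,
        "ptr": ptr,
        # Does the announced name actually point at the connecting address?
        "helo_resolves_to_ip": ip in FORWARD.get(helo, []),
        # Does the address's PTR record name the announced host?
        "ptr_matches_helo": ptr == helo,
        # Forward-confirmed reverse DNS of the IP itself (can be fine even
        # when the HELO is forged, which is exactly the case in the thread).
        "fcrdns": ptr is not None and ip in FORWARD.get(ptr, []),
    }


def helo_uses_recipient_domain(hop: Dict[str, str], to_addr: str) -> bool:
    """The trait described in the thread: HELO built from the recipient's domain."""
    domain = to_addr.rsplit("@", 1)[-1].lower()
    return hop["helo"] == domain or hop["helo"].endswith("." + domain)


def classify(hop: Dict[str, str], to_addr: str) -> str:
    r = check_hop(hop)
    if r["helo_resolves_to_ip"] or r["ptr_matches_helo"]:
        return "consistent"
    if helo_uses_recipient_domain(hop, to_addr):
        return "forged-helo-recipient-domain"
    return "helo-mismatch"


def analyse(raw: str):
    """Classify every hop of a raw message; returns (helo, ip, verdict) tuples."""
    headers = unfold_headers(raw)
    to_addr = next(
        (h.split(":", 1)[1].strip() for h in headers if h.lower().startswith("to:")), ""
    )
    return [(h["helo"], h["ip"], classify(h, to_addr)) for h in parse_received(raw)]


if __name__ == "__main__":
    for helo, ip, verdict in analyse(SAMPLE_MESSAGE):
        print(f"{helo:24} {ip:16} {verdict}")
```

The distinction between `fcrdns` and `helo_resolves_to_ip` is the point of the thread: the connecting address may have perfectly good reverse DNS (it belongs to some infected home machine), yet the hostname it announces belongs to someone else's domain and will never resolve to that address. Flagging on the HELO mismatch, rather than on the IP's own PTR, is what catches this forgery.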
