[Snort-users] MyDoom Outbound Impossible Detects

McCash, John John.McCash at ...10979...
Fri Feb 6 10:54:07 EST 2004

Hi Everyone,
	I'm about to throw up my arms in disgust. I'm seeing outbound SMTP traffic from one of my mail filter machines which looks like MyDoom. However I can't account for the combination of SMTP to/from addresses and the actual origin and destination of the packets that snort is flagging.

The SMTP From: address is an external address

The destination SMTP address is an (invalid) internal address user at ...11157...... The mail filter has no way of knowing that it's invalid, however.

The source IP address of the packets is my mail filter (Surfcontrol E-Mail Filter). Note that I'm not virus filtering outbound traffic. That's something I intend to remedy as soon as I have budget for doing so.

The destination IP address of the packets is one of a number of external Internet email servers.

I've manually verified that these external servers are not actually accepting email for the destination email addresses that I'm seeing in the snort traces.

The mail filter is NOT infected with MyDoom.

The mail filter is (of course) configured to send mail to addresses such as user at ...10979... to my internal mail servers, and all other email to outgoing external servers as determined by MX record lookups.

Strangely, I see no references to the destination email addresses in my surfcontrol logs at all.

No traffic that I've been able to devise is able to make the mail filter route mail this way on command. It's definitely rejecting source routed and % forwarded messages. If I telnet to port 25 on it, and type the exact mail headers I'm seeing on the outbound traffic, it quietly disappears, presumably being properly forwarded to the internal mail server and rejected there. It's definitely not getting sent out to the external mail server that the original outbound traffic went to, as attested by tcpdump traces.
	Help!!? :-(
		John McCash
		Security Analyst - Andrew Corp.
This message is for the designated recipient only and may
contain privileged, proprietary, or otherwise private information.  
If you have received it in error, please notify the sender
immediately and delete the original.  Any unauthorized use of
this email is prohibited.

More information about the Snort-users mailing list