[Snort-users] MyDoom Outbound Impossible Detects

Chris Keladis chris at ...6400...
Fri Feb 6 12:47:11 EST 2004

At 05:52 AM 2/7/2004, you wrote:

Hi John,

>         I'm about to throw up my arms in disgust. I'm seeing outbound 
> SMTP traffic from one of my mail filter machines which looks like MyDoom. 
> However I can't account for the combination of SMTP to/from addresses and 
> the actual origin and destination of the packets that snort is flagging.
>The SMTP From: address is an external address. The destination SMTP 
>address is an (invalid) internal address user at ...11156... The mail filter 
>has no way of knowing that it's invalid, however.
>The source IP address of the packets is my mail filter (Surfcontrol E-Mail 
>Filter). Note that I'm not virus filtering outbound traffic. That's 
>something I intend to remedy as soon as I have budget for doing so. The 
>destination IP address of the packets is one of a number of external 
>Internet email servers.

You could be seeing bounces (aka NDRs) when the worm tries to mail a 
non-existent account, and your mail server sends a bounce to the sender, 
with a copy of the original email.

Check your mail logs for a corresponding inbound entry, then an entry 
saying the user didn't exist, then an entry to deliver the NDR back to the 
(forged) sender.

If you use sendmail, you should (in theory) be able to grep for the SMTP id 
of an email in your mail log and see the whole process.



More information about the Snort-users mailing list