[Snort-users] MyDoom Outbound Impossible Detects

John York YorkJ at ...7109...
Fri Feb 6 14:18:49 EST 2004

I had the same problem.  I used the 4 rules that were posted here to
detect MyDoom outbound, and got quite "concerned" when I saw them alert
on email coming out of my mail server.  After I traced the messages in
the server logs and found that they were NDR answers to inbound MyDoom
messages, my blood pressure came back down.  I still have the rules in
place in case one of my workstations gets infected, but I ignore the
ones from my mailserver.

John York
Network Engineer
Blue Ridge Community College
1 College Lane, Weyers Cave, VA 24486

> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-
> admin at lists.sourceforge.net] On Behalf Of Chris Keladis
> Sent: Friday, February 06, 2004 3:44 PM
> To: McCash, John
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] MyDoom Outbound Impossible Detects
> At 05:52 AM 2/7/2004, you wrote:
> Hi John,
> >         I'm about to throw up my arms in disgust. I'm seeing
> > SMTP traffic from one of my mail filter machines which looks like
> MyDoom.
> > However I can't account for the combination of SMTP to/from
> and
> > the actual origin and destination of the packets that snort is
> >The SMTP From: address is an external address. The destination SMTP
> >address is an (invalid) internal address user at ...11156... The mail
> >has no way of knowing that it's invalid, however.
> >The source IP address of the packets is my mail filter (Surfcontrol
> Mail
> >Filter). Note that I'm not virus filtering outbound traffic. That's
> >something I intend to remedy as soon as I have budget for doing so.
> >destination IP address of the packets is one of a number of external
> >Internet email servers.
> You could be seeing bounces (aka NDRs) when the worm tries to mail a
> non-existent account, and your mail server sends a bounce to the
> with a copy of the original email.
> Check your mail logs for a corresponding inbound entry, then an entry
> saying the user didn't exist, then an entry to deliver the NDR back to
> (forged) sender.
> If you use sendmail, you should (in theory) be able to grep for the
> id
> of an email in your mail log and see the whole process.
> Regards,
> Chris.

More information about the Snort-users mailing list