[Snort-users] Re: MyDoom Outbound Impossible Detects

McCash, John John.McCash at ...10979...
Wed Feb 11 08:42:02 EST 2004


Everyone,
	FYI, here's a chop from the beginning of one of the snort packet analyses I'm talking about... This detect was picked up outbound from my mail filter to 212.227.126.164 (somewhere in Germany, I think)

EHLO gto.net.om..MAI
L FROM:&ltmspss at ...11186...
net.om>..RCPT TO:&
ltjim at ...10979...>.
.DATA..From: mspss at ...11187...
to.net.om..To: jim at ...1981...
ndrew.com..Subject: 
Error..Date: Wed, 11
Feb 2004 23:16:56 +
0800..MIME-Version: 
1.0..Content-Type: m
ultipart/mixed;...bo
undary="----=_NextPa
rt_000_0008_FB768B4C
.1EB23391"..X-Priori
ty: 3..X-MSMail-Prio
rity: Normal....This
is a multi-part mes
sage in MIME format.
....------=_NextPart
_000_0008_FB768B4C.1
EB23391..Content-Typ
e: text/plain;...cha
rset="Windows-1252".
.Content-Transfer-En
coding: 7bit....Mail
transaction failed.
Partial message is 
available.......----
--=_NextPart_000_000
8_FB768B4C.1EB23391.
.Content-Type: appli
cation/octet-stream;
...name="message.scr
"..Content-Transfer-
Encoding: base64..Co
ntent-Disposition: a
ttachment;...filenam
e="message.scr"....T
VqQAAMAAAAEAAAA//8AA
LgAAAAAAAAAQAAAAAAAA
AAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAA..AAA
AqAAAAAAAAAAAAAAAAAA 

		John
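
An added example, not part of the original post: a triage sketch that re-joins a fixed-width Snort ASCII dump like the one above and reports base64 attachments whose name has an executable extension and whose first bytes decode to the "MZ" DOS/PE header (as "TVqQ" does). The sample payload, addresses, boundary, extension list and function names are constructed or assumed for illustration.

```python
import base64
import re

# Constructed sample payload in the style of the dump above: Snort's ASCII view
# prints "." for every non-printable byte, so CRLF shows up as "..".
# Addresses and boundary are placeholders, not values from the original post.
FLAT = (
    'EHLO mail.example..MAIL FROM:<a@example.invalid>..'
    'RCPT TO:<b@example.invalid>..DATA..Subject: Error..'
    'Content-Type: multipart/mixed;...boundary="B0"....'
    '--B0..Content-Type: text/plain....Mail transaction failed.....'
    '--B0..Content-Type: application/octet-stream;...name="message.scr"..'
    'Content-Transfer-Encoding: base64..'
    'Content-Disposition: attachment;...filename="message.scr"....'
    'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAA..'
)
# Hard-wrap at 20 columns, the way the archived dump is wrapped.
WRAPPED = "\n".join(FLAT[i:i + 20] for i in range(0, len(FLAT), 20))

# Assumed policy list of executable extensions; only .scr appears in the post.
RISKY_EXT = (".scr", ".pif", ".exe", ".com", ".bat", ".cmd")

# filename="..." followed by the blank line (CRLF CRLF -> "....") and base64 text.
ATTACH = re.compile(r'filename="([^"]+)"\.{4}([A-Za-z0-9+/]{4})')


def unwrap(dump: str) -> str:
    """Undo the fixed-width wrapping; spaces trimmed at line ends stay lost."""
    return "".join(dump.splitlines())


def executable_attachments(dump: str) -> list[tuple[str, bool, bool]]:
    """Return (filename, risky_extension, starts_with_MZ) per base64 attachment."""
    hits = []
    for name, first4 in ATTACH.findall(unwrap(dump)):
        head = base64.b64decode(first4)  # 4 base64 chars decode to 3 bytes
        hits.append((name, name.lower().endswith(RISKY_EXT), head[:2] == b"MZ"))
    return hits


if __name__ == "__main__":
    for name, risky, mz in executable_attachments(WRAPPED):
        print(f"{name}: risky extension={risky}, DOS/PE header={mz}")
```

Because the ASCII view also prints real dots as ".", the pattern relies on the base64 alphabet containing no "." to find where the attachment body starts.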
