I am getting thousands of Mydoom messages per day now. Curiously, not all of them are addressed directly to me. I have the hewgill.com domain set up to route to me, any message that is not addressed to any existing account. This worm is also sending to the following addresses:
adam alex alice andrew anna bill bob brenda brent brian claudia dan dave david debby fred george helen jack james jane jerry jim jimmy joe john jose julie kevin leo linda maria mary matt michael mike peter ray robert sam sandra serg smith stan steve ted tom
My theory is this: It grabs the <email@example.com> address from an infected machine. Probably via somebody who has visited my web site (my email address is listed on my web site), or is running xearth or the threat monitor (my email address is listed in the installed documentation). Then it bombards <firstname.lastname@example.org> with the worm, plus it uses the above account names to generate new addresses such as <email@example.com>, <firstname.lastname@example.org>, and so on.
When an unknown recipient is found, most mail servers will send back a bounce message to the purported sender, claiming that the sender sent a message to an account that doesn't exist at the destination. For example, picking one at random, apparently <email@example.com> tried to send a message to <firstname.lastname@example.org>. Joe doesn't exist there, so a bounce message is sent back to Matt. Matt doesn't exist either, so the bounce message ends up in my mailbox.
I don't know anybody who is getting quite as hammered as me with this one. My friends are sometimes getting one or two, often none at all. Whatever Mydoom does to collect email addresses, mine is a high visibility target.
I am currently using the following procmail rule to detect Mydoom messages:
:0B * ----=_NextPart_..._...._........\........[^0]The reason this works is that Mydoom attempts to construct an email message that looks exactly like it came from Outlook Express. It does a pretty good job, except for one little detail. Messages created by Outlook Express appear to always have a '0' at the end of the MIME boundary line. For example, an Outlook Express MIME boundary line might look like: ----=_NextPart_000_016B_01BFC670.696FBAB
This worm walks straight through greylisting. Symantec's report says that the worm attempts to send mail using its internal SMTP sender, but if that fails then it passes the message off to a "local mail server". Presumably the local mail server will retry correctly, and therefore greylisting will let the message through. See my greylisting status graphs to get an idea of the scale of the problem here. The green area indicates the number of distinct hosts that have successfully sent me email within the prior ten days. The blue line is the number that have only tried once within the prior six hours. About half the hosts that have sent me mail, have sent more than one message, and the current record is 186 from a single host.
I'm going to have to do some more effective filtering soon, I think. Two more weeks (Mydoom is supposed to shut itself off on February 12) of dealing with a clogged mailbox is going to make me very grumpy.