February 3rd, 2004


mydoom update

Well, I finally got around to configuring my mail server to send all mail addressed to Mydoom's set of 47 forged addresses straight to the bit bucket.

Since sometime last night, I received 1415 incoming messages that were detected by my Mydoom filter and sent off to a specific folder. Only 183 of those were directly addressed to <greg@hewgill.com>, the rest were to addresses such as <ted@hewgill.com>, <maria@hewgill.com>, etc., which don't exist and were therefore sent to my own mailbox.

In the last two minutes my mail server has received 10 messages for linda, brent, jose, jack, ted, anna, michael, dave, serg, and sandra.

After having some trouble with my greylisting implementation over the weekend, I've turned it back on and the Mydoom activity may be subsiding. It might be too early to tell for sure though.

The conclusion for this morning is that delivering all misaddressed mail to your own mailbox amplifies the Mydoom problem significantly. (Yes, that's obvious. It's early, give me a break.)

mydoom gets around

I subscribed to a couple of mailing lists at http://www.us-cert.gov today. This involved writing an email message to majordomo at their site, and then replying to a confirmation message they send to you. Because I have greylisting set up, I had expected to wait a while before receiving the first confirmation message. However, to my surprise I received the confirmation message almost right away! That meant that the mail server at CERT had already contacted mine sometime within the last five days.

I began to think how ironic it would be to have received a Mydoom message from CERT themselves, and whether they had an infected computer there. I quickly scanned through mail logs looking for their IP address, and sure enough I found that their server had sent me a message early Monday morning.

I did find it, but it turned out to be fairly unexciting. Some other computer out there on the internet somewhere had forged a Mydoom message from <brenda@hewgill.com> to <majordomo@us-cert.gov>, and their mail server dutifully responded back to brenda with a confirmation message. I don't have that confirmation message anymore (I've been deleting a lot of mail lately), but it would have been interesting to see where it came from in the first place.

Oh, how I was hoping to see something fun like an original Mydoom message from CERT.
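The two defences described in these posts, discarding mail to the forged Mydoom local parts instead of delivering it to a catch-all mailbox, and greylisting that lets a previously seen peer through without the usual delay, can be sketched as a small acceptance policy. This is an added example, not the actual mail server configuration; the delay, the memory period, the triplet key (some greylisters remember only the client IP) and the IP addresses are assumptions, and the forged names are the ones the posts mention.

```python
from dataclasses import dataclass, field

DOMAIN = "hewgill.com"
# Local parts the posts name as Mydoom forgeries (a subset of the 47).
FORGED_LOCAL_PARTS = {"linda", "brent", "jose", "jack", "ted", "anna",
                      "michael", "dave", "serg", "sandra", "maria", "brenda"}
GREYLIST_DELAY = 5 * 60          # assumed: a new triplet must retry after 5 minutes
GREYLIST_MEMORY = 5 * 24 * 3600  # assumed: a passed triplet is remembered for 5 days


@dataclass
class MailPolicy:
    """Decides, at SMTP RCPT time, what to do with one envelope."""
    # (client_ip, sender, recipient) -> (first_seen, last_seen), in seconds
    triplets: dict = field(default_factory=dict)

    def decide(self, client_ip: str, sender: str, recipient: str, now: int) -> str:
        local, _, domain = recipient.lower().partition("@")
        # Known-forged recipients go straight to the bit bucket. A catch-all
        # mailbox would instead deliver every ted@, maria@ ... to one person,
        # which is the amplification the first post describes.
        if domain == DOMAIN and local in FORGED_LOCAL_PARTS:
            return "DISCARD"
        key = (client_ip, sender.lower(), recipient.lower())
        record = self.triplets.get(key)
        if record is None or now - record[1] > GREYLIST_MEMORY:
            # Never seen, or forgotten: ask the sending server to retry later.
            self.triplets[key] = (now, now)
            return "DEFER"
        first_seen, _ = record
        if now - first_seen < GREYLIST_DELAY:
            return "DEFER"  # retried too soon, keep waiting
        # A peer that already passed is accepted at once and its memory refreshed,
        # which is why the CERT confirmation arrived without the expected wait.
        self.triplets[key] = (first_seen, now)
        return "ACCEPT"
```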