Snort mailing list archives
MyDoom Outbound Impossible Detects
From: "McCash, John" <John.McCash () andrew com>
Date: Fri, 6 Feb 2004 12:52:59 -0600
Hi Everyone,

I'm about to throw up my arms in disgust. I'm seeing outbound SMTP traffic from one of my mail filter machines which looks like MyDoom. However, I can't account for the combination of SMTP to/from addresses and the actual origin and destination of the packets that Snort is flagging.

The SMTP From: address is an external address.

The destination SMTP address is an (invalid) internal address, user () andrew com. The mail filter has no way of knowing that it's invalid, however.

The source IP address of the packets is my mail filter (SurfControl E-Mail Filter). Note that I'm not virus filtering outbound traffic. That's something I intend to remedy as soon as I have budget for doing so.

The destination IP address of the packets is one of a number of external Internet email servers.

I've manually verified that these external servers are not actually accepting email for the destination email addresses that I'm seeing in the Snort traces.

The mail filter is NOT infected with MyDoom.

The mail filter is (of course) configured to send mail to addresses such as user () andrew com to my internal mail servers, and all other email to outgoing external servers as determined by MX record lookups.

Strangely, I see no references to the destination email addresses in my SurfControl logs at all.

No traffic that I've been able to devise is able to make the mail filter route mail this way on command. It's definitely rejecting source-routed and %-forwarded messages. If I telnet to port 25 on it and type the exact mail headers I'm seeing on the outbound traffic, it quietly disappears, presumably being properly forwarded to the internal mail server and rejected there. It's definitely not getting sent out to the external mail server that the original outbound traffic went to, as attested by tcpdump traces.

Help!!? :-(
John McCash
Security Analyst - Andrew Corp.
------------------------------------------------------------------------------------------------
This message is for the designated recipient only and may
contain privileged, proprietary, or otherwise private information.
If you have received it in error, please notify the sender
immediately and delete the original. Any unauthorized use of
this email is prohibited.
------------------------------------------------------------------------------------------------
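The contradiction described in the post (mail addressed to an internal domain leaving the mail filter toward external MX hosts, while the filter's own logs show nothing) is the kind of thing worth checking mechanically over a capture rather than by eye. The script below is an added example and is not part of the original message or of any SurfControl or Snort tooling: it assumes a constructed one-line-per-session log format (src/dst IP plus MAIL FROM and RCPT TO), a hypothetical topology using RFC 5737 documentation addresses, and a hand-filled table standing in for MX lookups so it runs offline. For each observed outbound SMTP session it reports whether the destination IP is a plausible next hop for the recipient domain, and separately flags internal hosts other than the filter talking SMTP directly to the outside.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed topology for this example (RFC 5737 documentation addresses).
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")
MAIL_FILTER = ipaddress.ip_address("192.0.2.10")
INTERNAL_DOMAINS = {"corp.example"}
INTERNAL_MAIL_SERVERS = {ipaddress.ip_address("192.0.2.25"),
                         ipaddress.ip_address("192.0.2.26")}
# Stand-in for MX record lookups so the script runs offline; in practice
# populate this from DNS for each recipient domain seen in the log.
EXTERNAL_MX: Dict[str, Set[ipaddress.IPv4Address]] = {
    "partner.example": {ipaddress.ip_address("198.51.100.20")},
}


@dataclass
class SmtpSession:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    mail_from: str
    rcpt_to: str


# Constructed log format: one outbound SMTP session per line.
LINE_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"from=<(?P<from>[^>]*)>\s+rcpt=<(?P<rcpt>[^>]*)>"
)


def parse_line(line: str) -> SmtpSession:
    """Turn one log line into an SmtpSession; raise on lines we don't understand."""
    m = LINE_RE.search(line)
    if m is None:
        raise ValueError(f"unrecognised log line: {line!r}")
    return SmtpSession(ipaddress.ip_address(m["src"]),
                       ipaddress.ip_address(m["dst"]),
                       m["from"], m["rcpt"])


def recipient_domain(addr: str) -> str:
    """Domain part of an RFC 5321 address, lower-cased for comparison."""
    return addr.rsplit("@", 1)[-1].lower()


def expected_next_hops(domain: str) -> Set[ipaddress.IPv4Address]:
    """Where the filter should hand mail for this domain; empty set if unknown."""
    if domain in INTERNAL_DOMAINS:
        return INTERNAL_MAIL_SERVERS
    return EXTERNAL_MX.get(domain, set())


def check_session(s: SmtpSession) -> str:
    """Classify one session: ok, misrouted-internal, unexpected-mx or bypass-filter."""
    # An internal host other than the filter speaking SMTP to the outside is
    # bypassing the filter entirely; worms with their own SMTP engine do this.
    if s.src != MAIL_FILTER and s.src in INTERNAL_NET and s.dst not in INTERNAL_NET:
        return "bypass-filter"
    domain = recipient_domain(s.rcpt_to)
    # The case from the post: recipient in our own domain, yet the packets
    # go to an external server instead of an internal mail server.
    if domain in INTERNAL_DOMAINS and s.dst not in INTERNAL_MAIL_SERVERS:
        return "misrouted-internal"
    # External recipient delivered somewhere other than a known MX host
    # (unknown domains are flagged too, so they get looked up).
    if domain not in INTERNAL_DOMAINS and s.dst not in expected_next_hops(domain):
        return "unexpected-mx"
    return "ok"


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (verdict, original line) for every non-blank log line."""
    return [(check_session(parse_line(ln)), ln.strip()) for ln in lines if ln.strip()]


# Constructed sample log: the first line mirrors the situation in the post.
SAMPLE_LOG = """\
src=192.0.2.10 dst=198.51.100.20 from=<bob@partner.example> rcpt=<user@corp.example>
src=192.0.2.10 dst=192.0.2.25 from=<bob@partner.example> rcpt=<user@corp.example>
src=192.0.2.10 dst=198.51.100.20 from=<alice@corp.example> rcpt=<bob@partner.example>
src=192.0.2.10 dst=203.0.113.7 from=<alice@corp.example> rcpt=<bob@partner.example>
src=192.0.2.77 dst=198.51.100.20 from=<alice@corp.example> rcpt=<bob@partner.example>
"""

if __name__ == "__main__":
    for verdict, line in triage(SAMPLE_LOG.splitlines()):
        print(f"{verdict:20} {line}")
```

Run over a real capture, a "misrouted-internal" hit with the filter as source and no matching entry in the filter's own logs narrows the question to what on the filter host is emitting those sessions, while a "bypass-filter" hit points at a different machine on the segment that never went through the filter at all.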
