
Postfix and MyDoom virus problem


Roberto Samarone Araújo (RSA)

Jan 29, 2004, 11:44:45 AM1/29/04
> > I have Postfix+Amavis+ClamAV on my server. After the MyDoom blast on
> > the Internet, I'm receiving a lot of emails like the one below. I don't have
> > on my server the domains of the emails cited in the Virus Alert, so why is my
> > Postfix trying to send these emails
> > (cla...@ulam.com->jo...@sandrabatista.com)?
>
> Your postfix is not guilty...
>
> But the MTA which sends the bounce is, since it sends a bounce to the
> envelope sender which the worm set to an address in your domain.

Is it possible to solve this? The MyDoom virus has its own MTA in its code.

Robert


Erwan David

Jan 29, 2004, 11:52:29 AM1/29/04
On Thu 29/01/2004, Roberto Samarone Araújo (RSA) said:
> > > I have Postfix+Amavis+ClamAV on my server. After the MyDoom blast on
> > > the Internet, I'm receiving a lot of emails like the one below. I don't have
> > > on my server the domains of the emails cited in the Virus Alert, so why is my
> > > Postfix trying to send these emails
> > > (cla...@ulam.com->jo...@sandrabatista.com)?
> >
> > Your postfix is not guilty...
> >
> > But the MTA which sends the bounce is, since it sends a bounce to the
> > envelope sender which the worm set to an address in your domain.
>
> Is it possible to solve this? The MyDoom virus has its own MTA in its code.

Alas no...
Except trying to discard the worm instead of rejecting it...


--
Erwan David
========================================
Trusted Logic Tel: +33 1 30 97 25 03
5 rue du Bailliage Std: +33 1 30 97 25 00
78000 Versailles Fax: +33 1 30 97 25 19
France
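A concrete way to follow Erwan's advice on the Postfix+amavisd-new side, added here as an example and not taken from the thread: tell amavisd-new to discard infected mail and to stop notifying the envelope sender, since with MyDoom that sender is forged and the "Virus Alert" would itself become backscatter to somebody else's domain. The variable names are the amavisd-new settings of that era; check them against the amavisd.conf shipped with your version. The admin address is a placeholder.

```perl
# amavisd.conf fragment (amavisd-new is configured in Perl syntax).
# Added example, not from the thread; setting names assumed from amavisd-new of 2004.

# Before: D_BOUNCE (or D_REJECT in a post-queue setup, where the 5xx makes Postfix
# itself generate the bounce) sends a DSN to the envelope sender, i.e. to the
# address the worm forged.
# $final_virus_destiny = D_BOUNCE;

# After: swallow the message and tell nobody but the local admin.
$final_virus_destiny = D_DISCARD;   # no DSN, no re-injection; the worm copy is dropped
$warnvirussender     = 0;           # no "Virus Alert" mail to the (forged) sender
$warnvirusrecip      = 0;           # and none to the local recipient either (optional)
$virus_admin         = 'postmaster@example.com';   # placeholder; keep a local copy of the notice
```

Discarding loses the mail silently, which is acceptable for a worm whose every copy is unwanted; it is not a general policy for all content filtering. What this fixes is only your own server's contribution to the problem; the bounces from other MTAs to your forged addresses will keep arriving, as Erwan says.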

Jimmy Mensinger

Jan 29, 2004, 12:08:42 PM1/29/04
Not sure that this will help anyone, but it helped lead me in the right
direction. I downloaded SuperScan 3.0 (freeware) and scanned my entire
network for open tcp ports in the range 3127->3198. Anything listening on
those ports is very likely to be a variant of this worm. Then at least you
have the IP address of the guilty machines, hopefully you have a list that
you can cross reference that with. It also does name resolution, so that
you can get the windows machine name of all the computers, which may make
tracking down the worm a little easier. That's just a suggestion...

Jimmy

Alex van den Bogaerdt

Jan 29, 2004, 5:09:44 PM1/29/04
On Thu, Jan 29, 2004 at 12:09:09PM -0500, Jimmy Mensinger wrote:
> Not sure that this will help anyone, but it helped lead me in the right
> direction. I downloaded SuperScan 3.0 (freeware) and scanned my entire
> network for open tcp ports in the range 3127->3198. Anything listening on
> those ports is very likely to be a variant of this worm.

Erm... you may not be aware but 3128 is commonly used for squid,
the web proxy.

When port 3128 is open together with port 137 or port 445, there's
a bigger chance of having found the worm. Still, this is not sure.

cheers,
Alex
--
begin sig
http://www.googlism.com/index.htm?ism=alex+van+den+bogaerdt&type=1
This message was produced without any <iframe tags
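The sweep Jimmy describes, with Alex's caveat built in, as an added example that is not part of the thread: connect-scan a subnet for tcp/3127-3198 plus the Windows ports, then rate each host so that a box answering only on 3128 is reported as a possible squid proxy rather than as the worm, while one answering on a port in the range and on a Windows port is flagged as likely infected. It is a plain TCP connect() scan in Python, not SuperScan. It goes one step beyond Alex's post by also checking tcp/139 (NetBIOS session), because tcp/137 rarely answers (name service is normally UDP) and 139/445 are the TCP listeners that actually identify a Windows host. The addresses and scan results in CONSTRUCTED_RESULTS are made up so the ranking logic can be exercised offline, and the verdict labels are my own.

```python
#!/usr/bin/env python3
"""Sweep a subnet for MyDoom backdoor listeners (tcp/3127-3198) and rank hits.

Added example, not code from the thread. Port range from Jimmy's post, the
squid/Windows-port heuristic from Alex's reply; 139 added as an assumption.
"""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

WORM_PORTS = range(3127, 3199)      # tcp/3127-3198 inclusive, the range named in the thread
WINDOWS_PORTS = {137, 139, 445}     # NetBIOS name svc / NetBIOS session / SMB: a Windows box
SQUID_PORT = 3128                   # squid's default listener, the false positive Alex warns about


def tcp_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if a TCP connect() to host:port completes within timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def scan_host(host: str, ports: Iterable[int], timeout: float = 0.5) -> Set[int]:
    """Return the subset of ports that accept a TCP connection on host."""
    return {p for p in ports if tcp_open(host, p, timeout)}


def classify(open_ports: Set[int]) -> str:
    """Rate a host from its open TCP ports (labels are this example's own).

    likely-worm    : a port in 3127-3198 is open AND a Windows port is open
    possible-proxy : the only hit in the range is 3128 and no Windows port (squid?)
    suspicious     : something in 3127-3198 is open, no Windows port, not just 3128
    clean          : nothing in the range is open
    """
    worm_hits = {p for p in open_ports if p in WORM_PORTS}
    if not worm_hits:
        return "clean"
    if open_ports & WINDOWS_PORTS:
        return "likely-worm"
    if worm_hits == {SQUID_PORT}:
        return "possible-proxy"
    return "suspicious"


def sweep(network: str, timeout: float = 0.3, workers: int = 64) -> Dict[str, Set[int]]:
    """Scan every host of a CIDR block; keep only hosts with at least one open port."""
    ports = list(WORM_PORTS) + sorted(WINDOWS_PORTS)
    hosts = [str(h) for h in ipaddress.ip_network(network, strict=False).hosts()]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        pairs = list(pool.map(lambda h: (h, scan_host(h, ports, timeout)), hosts))
    return {h: p for h, p in pairs if p}


def reverse_name(host: str) -> str:
    """Reverse DNS for the report (SuperScan's name resolution, roughly)."""
    try:
        return socket.gethostbyaddr(host)[0]
    except OSError:
        return "?"


def report(results: Dict[str, Set[int]],
           resolver: Optional[Callable[[str], str]] = None
           ) -> List[Tuple[str, str, str, List[int]]]:
    """Rows of (ip, name, verdict, sorted open ports), ordered by address."""
    rows = []
    for host in sorted(results, key=ipaddress.ip_address):
        ports = results[host]
        name = resolver(host) if resolver else "-"
        rows.append((host, name, classify(ports), sorted(ports)))
    return rows


# Constructed scan results (TEST-NET addresses, made up for this example).
CONSTRUCTED_RESULTS: Dict[str, Set[int]] = {
    "192.0.2.10": {3128},                   # Unix box running squid: proxy, not the worm
    "192.0.2.23": {139, 445, 3127, 3128},   # Windows host with the backdoor listening
    "192.0.2.40": {3150},                   # in range, no Windows ports: look closer
    "192.0.2.99": {445},                    # ordinary Windows host, nothing in range
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                   # e.g. python3 mydoom_sweep.py 192.0.2.0/24
        rows = report(sweep(sys.argv[1]), resolver=reverse_name)
    else:                                   # offline demo on the constructed data
        rows = report(CONSTRUCTED_RESULTS)
    for ip, name, verdict, ports in rows:
        print(f"{ip:<16} {name:<24} {verdict:<15} {ports}")
```

Run it from a monitoring host with a short timeout; a connect scan of 75 ports per address across a /24 finishes in well under a minute with the thread pool. A "likely-worm" verdict is still only a lead: confirm on the box itself, since any service can be moved onto these ports and a proxy can equally run on a Windows machine.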
