Seems like the behavior is pretty much universal. Since the posting, I've received two messages through the low weight / primary mail server; however, they were in quarantine. Thinking they might be the original spam message, I checked the SMTP header and found out they were actually forwarded from a user's outside account. I should have known; the sender wasn't admin@[domain.com].

-----Original Message-----
From: James C. Slora, Jr. [mailto:Jim.Sloraat_private]
Sent: Monday, August 04, 2003 11:56 AM
To: att13543
Subject: RE: WORM_MIMAIL.A

Anyone have any info on what this does yet?

att13543 wrote Monday, August 04, 2003 9:54 AM

> I'd be interested if anyone can correlate what I've seen: we have 2 MX
> records, one weighted at 10 (primary) and one at 20 (secondary). Of the
> 200 or so MiMails we've seen, 100% have come through our SECONDARY mail
> server. Maybe the SMTP engine was written poorly, or maybe it was this
> way on purpose?

All of ours were sent to one specific mail server that is way down the priority list. This matches previous spammed email malware patterns, and I cannot recall any previous worm that looked up all the mail servers and used the lowest-priority one.

I'm guessing that the ones we have received were sent by the worm distributors rather than from infected machines. I've dropped them all before the full headers were delivered, so I don't have any way to positively verify this theory.

AV vendor descriptions say the worm takes SMTP server info from the infected computer, which is inconsistent with copies arriving through a low-priority mail server that users are not aware of.

Has anyone examined the message headers to see if there is a detectable difference between messages coming from an infected system and those spammed by the worm author?

---------------------------------------------------------------------------
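The question the thread leaves open is how to tell, from headers alone, which MX host actually accepted a message from the outside and whether that host is the backup (the one with the largest MX preference value, which in MX semantics is the lowest priority). The script below is an added example, not code from anyone in this thread. It walks the Received: headers from oldest hop to newest, finds the first hop accepted "by" one of the domain's MX hosts, and tallies entry points over a batch of messages. The domain example.com, its MX table, and the two sample header sets are constructed for the example; a live check would query DNS for the MX list instead of the hard-coded table.

```python
import re
from collections import Counter
from typing import List, Optional, Tuple

# Constructed MX table for a hypothetical domain (an assumption for this
# example; a real check would look these up in DNS). Larger preference
# value = lower priority = backup host.
MX_RECORDS = {
    "example.com": [(10, "mx1.example.com"), (20, "mx2.example.com")],
}

# "from <host> ... by <host>" inside a single (unfolded) Received: header.
_RECEIVED_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE | re.DOTALL)


def unfold_headers(raw: str) -> List[str]:
    """Join folded continuation lines (leading space/tab) back onto their header."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        elif line:
            lines.append(line)
    return lines


def received_hops(raw: str) -> List[Tuple[str, str]]:
    """Return (from_host, by_host) pairs in travel order, oldest hop first.
    Each MTA prepends its Received: line, so header order is newest-first."""
    hops: List[Tuple[str, str]] = []
    for line in unfold_headers(raw):
        if line.lower().startswith("received:"):
            m = _RECEIVED_RE.search(line[len("received:"):])
            if m:
                hops.append((m.group(1).rstrip(";,"), m.group(2).rstrip(";,")))
    return list(reversed(hops))


def entry_mx(raw: str, domain: str) -> Optional[Tuple[str, int]]:
    """First hop accepted by one of the domain's MX hosts -> (host, preference)."""
    prefs = {host.lower(): pref for pref, host in MX_RECORDS[domain]}
    for _from_host, by_host in received_hops(raw):
        if by_host.lower() in prefs:
            return by_host.lower(), prefs[by_host.lower()]
    return None


def is_lowest_priority_mx(domain: str, host: str) -> bool:
    """True if host is the backup MX (largest preference value)."""
    backup = max(MX_RECORDS[domain], key=lambda rec: rec[0])[1]
    return host.lower() == backup.lower()


def tally_entry_points(messages: List[str], domain: str) -> Counter:
    """Count how many messages entered via each MX host ("unknown" if none)."""
    counts: Counter = Counter()
    for msg in messages:
        hit = entry_mx(msg, domain)
        counts[hit[0] if hit else "unknown"] += 1
    return counts


# Constructed sample headers (not real traffic). The first was handed straight
# to the backup MX by an outside host; the second arrived via the primary MX
# but was forwarded from a user's account at an outside provider.
SAMPLE_VIA_BACKUP = """Received: from mx2.example.com (mx2.example.com [192.0.2.20])
 by mail.example.com (Postfix) with ESMTP id 4F3A1
 for <user@example.com>; Mon, 4 Aug 2003 09:41:07 -0400
Received: from unknown (HELO admin) (203.0.113.45)
 by mx2.example.com with SMTP; 4 Aug 2003 13:40:51 -0000
From: admin@example.com
Subject: your account
"""

SAMPLE_VIA_PRIMARY_FORWARDED = """Received: from mx1.example.com (mx1.example.com [192.0.2.10])
 by mail.example.com (Postfix) with ESMTP id 77B2C
 for <user@example.com>; Mon, 4 Aug 2003 11:02:33 -0400
Received: from mail.isp.example.net (mail.isp.example.net [198.51.100.7])
 by mx1.example.com (Postfix) with ESMTP id 19AD0;
 Mon, 4 Aug 2003 11:02:30 -0400
Received: from webmail.isp.example.net (localhost [127.0.0.1])
 by mail.isp.example.net (Postfix) with ESMTP id 0C3E1;
 Mon, 4 Aug 2003 11:02:28 -0400
From: someone@isp.example.net
Subject: Fwd: your account
"""

if __name__ == "__main__":
    batch = [SAMPLE_VIA_BACKUP, SAMPLE_VIA_PRIMARY_FORWARDED]
    for msg in batch:
        hit = entry_mx(msg, "example.com")
        flag = " (backup MX)" if hit and is_lowest_priority_mx("example.com", hit[0]) else ""
        print(hit, flag)
    print(tally_entry_points(batch, "example.com"))
```

Only the Received: lines added by your own hosts can be trusted; anything below them was written by the sender and can be forged, which is exactly why the check keys on the "by" host of your own MX rather than on the "from" host or the From: address.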
This archive was generated by hypermail 2b30 : Tue Aug 05 2003 - 15:53:24 PDT