Thanks - I see the same in additional copies that arrived yesterday. It does look like the worm favors high-weight servers, whether by design or by mistake. Not a single one has come to the primary mail server.

> -----Original Message-----
> From: att13543 [mailto:skidat_private]
> Sent: Tuesday, August 05, 2003 1:26 PM
> To: James C. Slora, Jr.; incidentsat_private
> Subject: RE: WORM_MIMAIL.A Anyone have any info on what this does yet?
>
>
> Seems like the behavior is pretty much universal. Since the posting,
> I've received two messages through the low weight / primary mail server;
> however, they were in quarantine. Thinking they might be the original
> spam message, I checked the SMTP header and found out they were actually
> forwarded from a user's outside account. I should have known, the
> sender wasn't admin@[domain.com].
>
> -----Original Message-----
> From: James C. Slora, Jr. [mailto:Jim.Sloraat_private]
> Sent: Monday, August 04, 2003 11:56 AM
> To: att13543
> Subject: RE: WORM_MIMAIL.A Anyone have any info on what this does yet?
>
> att13543 wrote Monday, August 04, 2003 9:54 AM
>
> > I'd be interested if anyone can correlate what I've seen: we have 2 MX
> > records, one weighted at 10 (primary) and one at 20 (secondary). Of the
> > 200 or so MiMails we've seen, 100% have come through our SECONDARY mail
> > server. Maybe the SMTP engine was written poorly, or maybe it was this
> > way on purpose?
>
> All of ours were sent to one specific mail server that is way down the
> priority list.
>
> This matches previous spammed email malware patterns, and I cannot
> recall any previous worm that looked up all the mail servers and used
> the lowest-priority one. I'm guessing that the ones we have received
> were sent by the worm distributors rather than from infected machines.
> I've dropped them all before the full headers were delivered, so I don't
> have any way to positively verify this theory.
>
> AV vendor descriptions say the worm takes SMTP server info from the
> infected computer, which is inconsistent with copies arriving through a
> low-priority mail server that users are not aware of.
>
> Has anyone examined the message headers to see if there is a detectable
> difference between messages coming from an infected system and those
> spammed by the worm author?
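The thread's open question is whether the Received headers can tell copies that entered through the backup MX apart from ordinary mail. The script below is an added example, not code from anyone in the thread: it walks a message's Received chain from the newest hop downward, finds the hop where one of the site's own MX hosts accepted the message from outside, and labels the message by whether that host is the lowest-preference (primary) MX. The MX table for example.com (preferences 10 and 20, as in the thread), the two sample messages with their hosts and addresses, and the message IDs are all constructed for the example; a real tool would take the MX list from DNS.

```python
import email
import re

# Constructed MX table for a hypothetical domain, standing in for the DNS MX
# lookup a real tool would do. It mirrors the thread: primary at preference 10,
# backup at 20 (lower preference value = tried first by well-behaved senders).
MX_PREFS = {
    "mx1.example.com": 10,   # primary
    "mx2.example.com": 20,   # backup
}

_BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)
_FROM_RE = re.compile(r"^from\s+([A-Za-z0-9.\[\]-]+)", re.IGNORECASE)


def boundary_hop(raw_message, mx_prefs=MX_PREFS):
    """Find the Received hop where one of our MX hosts accepted the message.

    Each hop prepends its own Received header, so the top one is the newest.
    Walking downward, the first hop whose 'by' host is one of our MX hosts is
    the point where the message crossed our perimeter; everything below it was
    written by the sender and cannot be trusted. Returns (mx_host, sending_host)
    or None if no hop names one of our MX hosts.
    """
    msg = email.message_from_string(raw_message)
    for hop in msg.get_all("Received") or []:
        hop = " ".join(hop.split())          # unfold continuation lines
        by = _BY_RE.search(hop)
        if by and by.group(1).lower() in mx_prefs:
            frm = _FROM_RE.match(hop)
            return by.group(1).lower(), (frm.group(1) if frm else None)
    return None


def classify(raw_message, mx_prefs=MX_PREFS):
    """Return (label, mx_host, sending_host): 'primary' if the message entered
    through the lowest-preference MX, 'backup' if through any other listed MX,
    'unknown' if no Received hop names one of our MX hosts."""
    hop = boundary_hop(raw_message, mx_prefs)
    if hop is None:
        return "unknown", None, None
    mx_host, sender = hop
    primary = min(mx_prefs, key=mx_prefs.get)
    label = "primary" if mx_host == primary else "backup"
    return label, mx_host, sender


# Constructed sample messages (not real captures). The first imitates a copy
# that went straight to the backup MX from a bare IP announcing itself as
# "admin"; the second is ordinary mail that arrived through the primary.
SAMPLE_VIA_BACKUP = """\
Received: from mx2.example.com (mx2.example.com [192.0.2.20])
\tby mailstore.example.com (Postfix) with ESMTP id 1A2B3C
\tfor <user@example.com>; Tue, 05 Aug 2003 10:01:00 -0400
Received: from [203.0.113.7] (helo=admin)
\tby mx2.example.com with SMTP id 1B2C3D;
\tTue, 05 Aug 2003 10:00:58 -0400
From: admin@example.com
To: user@example.com
Subject: your account

(worm body would be here)
"""

SAMPLE_VIA_PRIMARY = """\
Received: from mx1.example.com (mx1.example.com [192.0.2.10])
\tby mailstore.example.com (Postfix) with ESMTP id 4D5E6F
\tfor <user@example.com>; Tue, 05 Aug 2003 10:05:00 -0400
Received: from mail.partner.example.net (mail.partner.example.net [198.51.100.9])
\tby mx1.example.com (Postfix) with ESMTP id 7G8H9I
\tfor <user@example.com>; Tue, 05 Aug 2003 10:04:58 -0400
From: colleague@partner.example.net
To: user@example.com
Subject: meeting notes

(ordinary body)
"""

if __name__ == "__main__":
    for name, raw in (("backup sample", SAMPLE_VIA_BACKUP),
                      ("primary sample", SAMPLE_VIA_PRIMARY)):
        print(name, "->", classify(raw))
```

The label is a triage signal, not proof: legitimate senders also fall through to the backup MX whenever the primary is down or slow, and the hop below the boundary (the sender's own "from" host and HELO name) is attacker-supplied. What makes the check useful for the question in the thread is combining it with the sending host: a copy relayed by a known mail server that simply retried against the backup looks different from one delivered direct-to-MX from a dial-up or bare IP, which is what a mass-mailer's own SMTP engine produces.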
This archive was generated by hypermail 2b30 : Tue Aug 05 2003 - 15:55:17 PDT