[66833] in North American Network Operators' Group
RE: in case nobody else noticed it, there was a mail worm released today
daemon@ATHENA.MIT.EDU (Wojtek Zlobicki)
Mon Jan 26 21:25:00 2004
From: "Wojtek Zlobicki" <wojtekz@idirect.com>
To: "'Paul Vixie'" <paul@vix.com>, <nanog@merit.edu>
Date: Mon, 26 Jan 2004 21:01:17 -0500
In-Reply-To: <20040127015211.9BDFD14C4F@sa.vix.com>
Errors-To: owner-nanog-outgoing@merit.edu
The worm is being talked about on news.com and all the major virus vendors
already have advisories on their websites. The worm in my case masqueraded
as a Mailer Daemon bounce. Source email address appeared to be valid and
matching a domain of a website I visited recently (but have not for a long
time). Anyone know how the worm generates the sending domain?
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Paul Vixie
Sent: Monday, January 26, 2004 8:52 PM
To: nanog@merit.edu
Subject: in case nobody else noticed it, there was a mail worm released today

my copies (500 or so, before i filtered) are in a ~7MB gzip'd mailbox file
called http://sa.vix.com/~vixie/mailworm.mbox.gz (plz don't fetch that
unless you need it for comparison or analysis). there's a high degree of
splay in the smtp/tcp peer address, and the sender is prepared to try backup
MX's if the primary rejects it, though it appears to try the MX's in
priority order.
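
Added example, not part of either message above: one way to measure the "splay in the smtp/tcp peer address" on a set of collected copies. It assumes the receiving MTA records the connecting peer as a bracketed IPv4 literal in the topmost Received header; the function names and the sample messages are constructed for illustration.

```python
import email
import ipaddress
import re
from collections import Counter

# Assumed trace format: "Received: from helo (rdns [192.0.2.10]) by ..."
PEER_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def peer_address(raw_message):
    """Return the SMTP peer IP from the topmost Received header, or None."""
    msg = email.message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return None
    # Only the topmost header was written by our own MTA; every header
    # below it was supplied by the sender and can be forged.
    match = PEER_RE.search(received[0])
    if not match:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:  # bracketed text that is not a valid address
        return None

def splay(raw_messages):
    """Summarise how widely the sending peers are spread."""
    peers = [p for p in map(peer_address, raw_messages) if p is not None]
    per_ip = Counter(peers)
    per_net = Counter(ipaddress.ip_network(f"{p}/24", strict=False) for p in peers)
    return {
        "messages": len(raw_messages),
        "with_peer": len(peers),
        "distinct_ips": len(per_ip),
        "distinct_24s": len(per_net),
        "max_from_one_ip": max(per_ip.values(), default=0),
    }

def _sample(peer):
    # Constructed message: the second Received line stands in for a forged hop.
    return (f"Received: from h.example (unknown [{peer}])\n"
            "\tby mx1.example.net; Mon, 26 Jan 2004 20:00:01 -0500\n"
            "Received: from x ([10.9.9.9]) by h.example\n"
            "Subject: constructed\n\nbody\n")

SAMPLE = [_sample(p) for p in ("192.0.2.10", "192.0.2.10", "192.0.2.77",
                               "198.51.100.5", "203.0.113.9")]
SAMPLE.append("Subject: no trace header\n\nbody\n")

if __name__ == "__main__":
    print(splay(SAMPLE))
```

A ratio of distinct_ips to with_peer close to 1 means nearly every copy arrived from a different host, so filtering by individual peer address will not keep up.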