  1. #1
    stu140103
    Guest

    Does this sound like the MyDoom virus?

    Hello everyone

    I just got this e-mail X2 (copied from mail washer) (and I did NOT send any e-mail to the below e-mail address)

    Does this sound like the MyDoom virus or another one of those ones which fakes the From headers?

    1.

    From:MDaemon@djw.biz

    To: my address, which is ************

    The attached message had PERMANENT fatal delivery errors!

    After one or more unsuccessful delivery attempts the attached message has
    been removed from the mail queue on this server. The number and frequency
    of delivery attempts are determined by local configuration parameters.

    YOUR MESSAGE WAS NOT DELIVERED TO ONE OR MORE RECIPIENTS!

    Failed address: bentley@beaufortcounty.com

    --- Session Transcript ---
    Sat 2004-02-07 18:32:02: Parsing Message <e:\mdaemon\gateways\beaufortcounty.com\pd50000025 111.msg>
    Sat 2004-02-07 18:32:02: From: ****************
    Sat 2004-02-07 18:32:02: To: bentley@beaufortcounty.com
    Sat 2004-02-07 18:32:02: Subject: <?spam=Assassin:21.0,RBL:SPAMCOPBL DSBL,SNIFFER,LOOKUP> the best pills on the internet for low cost
    Sat 2004-02-07 18:32:02: Message-ID: <wni6n3s$ykd5h-$-94@0wi.tyek2>
    Sat 2004-02-07 18:32:02: MX-record resolution of [beaufortcounty.com] in progress (DNS Server: 192.168.0.5)...
    Sat 2004-02-07 18:32:02: P=100 D=beaufortcounty.com TTL=(47) MX=[mail3.devilsplayground.net] {209.115.229.204}
    Sat 2004-02-07 18:32:02: Ignoring irrelevant RR, mail3.devilsplayground.net P=100
    Sat 2004-02-07 18:32:02: P=090 D=beaufortcounty.com TTL=(47) MX=[mail2.devilsplayground.net] {142.179.157.171}
    Sat 2004-02-07 18:32:02: P=080 D=beaufortcounty.com TTL=(47) MX=[mail1.devilsplayground.net] {209.115.229.208}
    Sat 2004-02-07 18:32:02: P=075 D=beaufortcounty.com TTL=(47) MX=[mail2.downhomehost.com]
    Sat 2004-02-07 18:32:02: P=010 D=beaufortcounty.com TTL=(47) MX=[beaufortcounty.com] {208.28.34.10}
    Sat 2004-02-07 18:32:02: Attempting MX: P=010 D=beaufortcounty.com TTL=(47) MX=[beaufortcounty.com] {208.28.34.10}
    Sat 2004-02-07 18:32:02: Attempting SMTP connection to [208.28.34.10 : 25]
    Sat 2004-02-07 18:32:02: Waiting for socket connection...
    Sat 2004-02-07 18:32:03: Socket connection established (209.115.229.204 : 3734 -> 208.28.34.10 : 25)
    Sat 2004-02-07 18:32:03: Waiting for protocol initiation...
    Sat 2004-02-07 18:32:03: <-- 220-downhomehost.com ESMTP MDaemon 7.0.0t; Sat, 07 Feb 2004 20:32:02 -0500
    Sat 2004-02-07 18:32:03: <-- 220--Unless you are trying to deliver mail to a legitimate
    Sat 2004-02-07 18:32:03: <-- 220--user on this system, then you are not welcome!
    Sat 2004-02-07 18:32:03: <-- 220--We DO NOT relay mail and any unauthorized attempt is
    Sat 2004-02-07 18:32:03: <-- 220--strictly prohibited. All transaction and IP addresses
    Sat 2004-02-07 18:32:03: <-- 220--are logged. All mail coming from known spammers or the
    Sat 2004-02-07 18:32:03: <-- 220--like thereof will be labeled as such and is subject to
    Sat 2004-02-07 18:32:03: <-- 220 -rejection and or non-delivery!
    Sat 2004-02-07 18:32:03: --> EHLO dsl-oak-209-115-229-i204-cgy.nucleus.com
    Sat 2004-02-07 18:32:03: <-- 250-downhomehost.com Hello dsl-oak-209-115-229-i204-cgy.nucleus.com, pleased to meet you
    Sat 2004-02-07 18:32:03: <-- 250-ETRN
    Sat 2004-02-07 18:32:03: <-- 250-AUTH=LOGIN
    Sat 2004-02-07 18:32:03: <-- 250-AUTH LOGIN CRAM-MD5
    Sat 2004-02-07 18:32:03: <-- 250-8BITMIME
    Sat 2004-02-07 18:32:03: <-- 250-STARTTLS
    Sat 2004-02-07 18:32:03: <-- 250 SIZE 0
    Sat 2004-02-07 18:32:03: --> MAIL From:<*************> SIZE=2511
    Sat 2004-02-07 18:32:04: <-- 250 <*******************>, Sender ok
    Sat 2004-02-07 18:32:04: --> RCPT To:<bentley@beaufortcounty.com>
    Sat 2004-02-07 18:32:04: <-- 550 <bentley@beaufortcounty.com>, Recipient unknown
    --- End Transcript ---
    : Message contains [1] file attachments

    -----------------------------------------------------------------------------------------

    2.

    From:MDaemon@djw.biz

    To: my address, which is ************

    The attached message had PERMANENT fatal delivery errors!

    After one or more unsuccessful delivery attempts the attached message has
    been removed from the mail queue on this server. The number and frequency
    of delivery attempts are determined by local configuration parameters.

    YOUR MESSAGE WAS NOT DELIVERED TO ONE OR MORE RECIPIENTS!

    Failed address: stormy@beaufortcounty.com

    --- Session Transcript ---
    Sat 2004-02-07 18:32:02: Parsing Message <e:\mdaemon\gateways\beaufortcounty.com\pd50000025 112.msg>
    Sat 2004-02-07 18:32:02: From: roboisnice@orcon.net.nz
    Sat 2004-02-07 18:32:02: To: stormy@beaufortcounty.com
    Sat 2004-02-07 18:32:02: Subject: <?spam=Assassin:21.0,RBL:SPAMCOPBL DSBL,SNIFFER,LOOKUP> the best pills on the internet for low cost
    Sat 2004-02-07 18:32:02: Message-ID: <wni6n3s$ykd5h-$-94@0wi.tyek2>
    Sat 2004-02-07 18:32:02: MX-record resolution of [beaufortcounty.com] in progress (DNS Server: 192.168.0.5)...
    Sat 2004-02-07 18:32:03: P=100 D=beaufortcounty.com TTL=(47) MX=[mail3.devilsplayground.net] {209.115.229.204}
    Sat 2004-02-07 18:32:03: Ignoring irrelevant RR, mail3.devilsplayground.net P=100
    Sat 2004-02-07 18:32:03: P=090 D=beaufortcounty.com TTL=(47) MX=[mail2.devilsplayground.net] {142.179.157.171}
    Sat 2004-02-07 18:32:03: P=080 D=beaufortcounty.com TTL=(47) MX=[mail1.devilsplayground.net] {209.115.229.208}
    Sat 2004-02-07 18:32:03: P=075 D=beaufortcounty.com TTL=(47) MX=[mail2.downhomehost.com]
    Sat 2004-02-07 18:32:03: P=010 D=beaufortcounty.com TTL=(47) MX=[beaufortcounty.com] {208.28.34.10}
    Sat 2004-02-07 18:32:03: Attempting MX: P=010 D=beaufortcounty.com TTL=(47) MX=[beaufortcounty.com] {208.28.34.10}
    Sat 2004-02-07 18:32:03: Attempting SMTP connection to [208.28.34.10 : 25]
    Sat 2004-02-07 18:32:03: Waiting for socket connection...
    Sat 2004-02-07 18:32:03: Socket connection established (209.115.229.204 : 3735 -> 208.28.34.10 : 25)
    Sat 2004-02-07 18:32:03: Waiting for protocol initiation...
    Sat 2004-02-07 18:32:03: <-- 220-downhomehost.com ESMTP MDaemon 7.0.0t; Sat, 07 Feb 2004 20:32:02 -0500
    Sat 2004-02-07 18:32:03: <-- 220--Unless you are trying to deliver mail to a legitimate
    Sat 2004-02-07 18:32:03: <-- 220--user on this system, then you are not welcome!
    Sat 2004-02-07 18:32:03: <-- 220--We DO NOT relay mail and any unauthorized attempt is
    Sat 2004-02-07 18:32:03: <-- 220--strictly prohibited. All transaction and IP addresses
    Sat 2004-02-07 18:32:03: <-- 220--are logged. All mail coming from known spammers or the
    Sat 2004-02-07 18:32:03: <-- 220--like thereof will be labeled as such and is subject to
    Sat 2004-02-07 18:32:03: <-- 220 -rejection and or non-delivery!
    Sat 2004-02-07 18:32:03: --> EHLO dsl-oak-209-115-229-i204-cgy.nucleus.com
    Sat 2004-02-07 18:32:03: <-- 250-downhomehost.com Hello dsl-oak-209-115-229-i204-cgy.nucleus.com, pleased to meet you
    Sat 2004-02-07 18:32:03: <-- 250-ETRN
    Sat 2004-02-07 18:32:03: <-- 250-AUTH=LOGIN
    Sat 2004-02-07 18:32:03: <-- 250-AUTH LOGIN CRAM-MD5
    Sat 2004-02-07 18:32:03: <-- 250-8BITMIME
    Sat 2004-02-07 18:32:03: <-- 250-STARTTLS
    Sat 2004-02-07 18:32:03: <-- 250 SIZE 0
    Sat 2004-02-07 18:32:03: --> MAIL From:<stuartw@orcon.net.nz> SIZE=2507
    Sat 2004-02-07 18:32:04: <-- 250 <roboisnice@orcon.net.nz>, Sender ok
    Sat 2004-02-07 18:32:04: --> RCPT To:<stormy@beaufortcounty.com>
    Sat 2004-02-07 18:32:04: <-- 550 <stormy@beaufortcounty.com>, Recipient unknown
    --- End Transcript ---
    : Message contains [1] file attachments

  2. #2
    Billy T
    Guest

    Re: Does this sound like the MyDoom virus?

    Yep, sure sounds and looks like it.

    I've had around 1500+ now on my son's account and just out of interest, that particular email address is one I have seen before. If the attachment is still there the MyDoom/SCO virus emails are usually between 31.1 and 32Kb.

    They are gradually reducing in daily numbers and bouncing them all is starting to show up repeat senders. Initially I just deleted them in Mailwasher but decided I needed to fight back.

    I've had about 20 to my business account and bouncing all of them has reduced the traffic to next to nothing.

    Cheers

    Billy 8-{)

  3. #3
    Graham L
    Guest

    Re: Does this sound like the MyDoom virus?

    The ones you bounce are going to people who have the misfortune to be in an address list of someone who has the virus. This is fighting back?

    No wonder this damn virus is using a huge amount of the Internet bandwidth.

    Unless you know who actually sent you a piece of email, bouncing it is irresponsible.

  4. #4
    metla
    Guest

    Re: Does this sound like the MyDoom virus?

    So far I have received it 3 times, actually the virus had been stripped from the first 2 but the 3rd contained a loaded payload.

  5. #5
    agent
    Guest

    Re: Does this sound like the MyDoom virus?

    > Unless you know who actually sent you a piece of email, bouncing it is irresponsible

    Agreed.

    But it makes some people feel better.

  6. #6
    stu140103
    Guest

    Re: Does this sound like the MyDoom virus?

    Thanks everyone for their replies

    Note to mod: Please check your e-mails in a few mins

  7. #7
    Billy T
    Guest

    Re: Does this sound like the MyDoom virus?

    > But it makes some people feel better.

    No, it doesn't make me feel better, but it has reduced the number of viruses I receive, and if there is no valid email address to bounce to, it doesn't go at all.

    Nine times out of ten it goes back to a valid address that belongs to somebody like me with a compromised email address. I check every time for known addresses so that I can pick which person(s) have been compromised, and they get notified separately, but in 1500+ messages I have only identified two that might be infected without knowing.

    What is irresponsible is ISPs who don't bother to filter their throughput for viruses. Say what you like about Xtra, but not one live virus has appeared here via an Xtra address.

    In a perfect world people wouldn't need or wish to bounce messages, but then, in a perfect world otherwise responsible people wouldn't post on PF1 admiring the work of virus writers. That kind of adulation is irresponsible too.

    Cheers

    Billy 8-{) :|


  8. #8
    agent
    Guest

    Re: Does this sound like the MyDoom virus?

    Well in your case it appears to be fine; but some people unwittingly bounce email to addresses that were forged as the source of spam and/or viruses.

    All it does in that case is cause headaches for other people.

  9. #9
    whiskeytangofoxtrot
    Guest

    Re: Does this sound like the MyDoom virus?

    Well we all know how much I like to rain on people's parades so here we go again:

    1. Nice job of blurring your address with asterisks, of course you've left it in further down the track as well...

    2. So far it appears no one has bothered to read the actual error message. This looks nothing like the MyDoom virus. The headers as copied below quite clearly display the subject line of the message, which is related to "the best pills on the internet"

    It actually appears your address has been used as a spoofed address for spam, which has gone to a non-deliverable address, hence you receiving the bouncebacks.

    Reading the error messages would have told you (and anyone else that posted in this thread) that.

    ***********************************

    --- Session Transcript ---
    Sat 2004-02-07 18:32:02: Parsing Message <e:\mdaemon\gateways\beaufortcounty.com\pd50000025 111.msg>
    Sat 2004-02-07 18:32:02: From: ****************
    Sat 2004-02-07 18:32:02: To: bentley@beaufortcounty.com
    Sat 2004-02-07 18:32:02: Subject: <?spam=Assassin:21.0,RBL:SPAMCOPBL DSBL,SNIFFER,LOOKUP> the best pills on the internet for low cost
    Sat 2004-02-07 18:32:02: Message-ID: <wni6n3s$ykd5h-$-94@0wi.tyek2>

    *******************************************

    --- Session Transcript ---
    Sat 2004-02-07 18:32:02: Parsing Message <e:\mdaemon\gateways\beaufortcounty.com\pd50000025 112.msg>
    Sat 2004-02-07 18:32:02: From: roboisnice@orcon.net.nz
    Sat 2004-02-07 18:32:02: To: stormy@beaufortcounty.com
    Sat 2004-02-07 18:32:02: Subject: <?spam=Assassin:21.0,RBL:SPAMCOPBL DSBL,SNIFFER,LOOKUP> the best pills on the internet for low cost
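
Added example, not part of the post above or of any poster's code: a small Python triage of a bounce transcript in the layout quoted in this thread, pulling out the original headers, the envelope sender and the permanent RCPT rejection so a bounce of forged-sender spam can be told apart from a virus mail. The function name `triage`, the result keys and all addresses and hosts in the sample are assumptions made for illustration.

```python
import re

# Constructed sample in the transcript layout quoted in the thread;
# every address and host below is a placeholder, not a value from the page.
SAMPLE = """\
--- Session Transcript ---
Sat 2004-02-07 18:32:02: From: someone@example.net
Sat 2004-02-07 18:32:02: To: nobody@example.com
Sat 2004-02-07 18:32:02: Subject: <?spam=Assassin:21.0,RBL:SPAMCOPBL> the best pills on the internet for low cost
Sat 2004-02-07 18:32:03: --> EHLO relay.example.org
Sat 2004-02-07 18:32:03: <-- 250 SIZE 0
Sat 2004-02-07 18:32:03: --> MAIL From:<victim@example.net> SIZE=2507
Sat 2004-02-07 18:32:04: <-- 250 <victim@example.net>, Sender ok
Sat 2004-02-07 18:32:04: --> RCPT To:<nobody@example.com>
Sat 2004-02-07 18:32:04: <-- 550 <nobody@example.com>, Recipient unknown
--- End Transcript ---
"""

# "Sat 2004-02-07 18:32:02: <rest of line>"
LINE = re.compile(r"^\w{3} \d{4}-\d\d-\d\d \d\d:\d\d:\d\d: (.*)$")

def triage(transcript):
    """Summarise one bounce transcript: headers, envelope, and rejection."""
    info = {"headers": {}, "mail_from": None, "rejected": []}
    last_cmd = None
    for raw in transcript.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # separators and untimestamped lines
        body = m.group(1)
        if body.startswith("--> "):  # command sent by the bouncing server
            last_cmd = body[4:]
            mf = re.match(r"MAIL From:<([^>]*)>", last_cmd, re.I)
            if mf:
                info["mail_from"] = mf.group(1)
        elif body.startswith("<-- "):  # reply from the destination server
            reply = re.match(r"(\d{3})[ -]", body[4:])
            rc = re.match(r"RCPT To:<([^>]*)>", last_cmd or "", re.I)
            if reply and rc and reply.group(1)[0] == "5":
                info["rejected"].append((rc.group(1), int(reply.group(1))))
        else:  # header of the original message, as logged
            h = re.match(r"(From|To|Subject|Message-ID): (.*)", body)
            if h:
                info["headers"][h.group(1)] = h.group(2)
    info["spam_tagged"] = info["headers"].get("Subject", "").startswith("<?spam=")
    info["sender_mismatch"] = info["mail_from"] != info["headers"].get("From")
    # Spam-tagged original plus a permanent RCPT failure: bounce of forged-sender spam
    info["backscatter"] = info["spam_tagged"] and bool(info["rejected"])
    return info
```
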

  10. #10
    metla
    Guest

    Re: Does this sound like the MyDoom virus?

    Wtf, you're miles away, what stu has posted is very close to the email I received loaded with the virus.

