Does MyDoom Mix'Match To Spoof Email Addresses?

Martin Harran

I am receiving my share of MyDoom messages at the moment, only an
irritation, not a major problem as my antivirus is picking them all up ok.

There is one thing I have noticed that I have not seen documented.

I have email forwarding on my domain and have a number of specific email
addresses set up on my domain (name1 @ mydomain, name2 @ mydomain, etc.),
which I use for various purposes such as tracking spam; anything else drops
into myname @ mydomain.

Very few of the emails I am getting returned purporting to have been sent by
me originally use any of these valid email addresses, but a lot of them have
email addresses that I have never used: joe @ mydomain, mary @ mydomain, etc.

It looks as if MyDoom has randomly mixed names and addresses on the computer
where this mail has originated. I also notice that a lot of the stuff I get
returned is due to "recipient unknown", which would suggest the same thing.

Is this a recognised characteristic of MyDoom or is it some other virus
that is doing this?

Martin Harran
 
Beauregard T. Shagnasty

Quoth the raven named Martin Harran:

> I am receiving my share of MyDoom messages at the moment, only an
> irritation, not a major problem as my antivirus is picking them all
> up ok.

After the first few, you should be recognizing them and just deleting
them. No need to scan or open them. Each is also around 33-34KB in
size (so far).

> There is one thing I have noticed that I have not seen documented.

> I have email forwarding on my domain and have a number of specific
> email addresses set up on my domain (name1 @ mydomain, name2 @
> mydomain, etc.), which I use for various purposes such as tracking
> spam; anything else drops into myname @ mydomain.

Since mydoom also has an internal set of fairly common first names,
your domain's catch-all is including them with your main address.

This page lists them.
http://vil.nai.com/vil/content/v_100983.htm

> Very few of the emails I am getting returned purporting to have
> been sent by me originally use any of these valid email addresses,
> but a lot of them have email addresses that I have never used: joe @
> mydomain, mary @ mydomain, etc.

See above.

> It looks as if MyDoom has randomly mixed names and addresses on the
> computer where this mail has originated. I also notice that a lot
> of the stuff I get returned is due to "recipient unknown", which
> would suggest the same thing.

It also directly sends messages that look like bounces. Social
engineering tactic. "What did I send?" Click!

> Is this a recognised characteristic of MyDoom or is it some other
> virus that is doing this?

Yes it is. Much like many of the other recent worms and viruses.
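As an added example, not code from the thread or from either poster: a small Python filter that sorts mail arriving at a catch-all domain by two signals the thread describes, whether the recipient address is one the owner actually uses and whether the message is shaped like a bounce. Backscatter for a spoofed sender (joe @, mary @) is kept apart from a bounce-shaped message aimed straight at the real address, which is the "What did I send?" case. The domain name `mydomain.example`, the set of known local parts and the four sample messages are constructed for the example; the bounce heuristics are ordinary subject and sender checks, not anything taken from the worm itself.

```python
"""Sort inbound mail on a catch-all domain into backscatter from a spoofed
sender versus mail to addresses the owner really uses.

Added example, not from the thread. Assumes a domain 'mydomain.example'
whose owner uses only the local parts in KNOWN_LOCAL_PARTS; the sample
messages are constructed, not real bounces.
"""

import email
from email import policy
from email.utils import parseaddr

DOMAIN = "mydomain.example"                   # constructed, hypothetical domain
KNOWN_LOCAL_PARTS = {"myname", "name1", "name2"}  # addresses the owner set up

# Plain heuristics for "this message is shaped like a delivery report".
BOUNCE_SUBJECT_HINTS = ("undeliver", "returned mail", "delivery failure",
                        "failure notice", "mail delivery")
BOUNCE_SENDERS = ("mailer-daemon", "postmaster")


def looks_like_bounce(msg) -> bool:
    """True if the sender local part or subject matches a bounce pattern."""
    subject = (msg["Subject"] or "").lower()
    sender = parseaddr(msg["From"] or "")[1].lower()
    sender_local = sender.split("@")[0]
    return sender_local in BOUNCE_SENDERS or any(h in subject for h in BOUNCE_SUBJECT_HINTS)


def recipient_local_part(msg):
    """Local part of the address at our domain this message was delivered to."""
    for header in ("Delivered-To", "To"):
        addr = parseaddr(msg[header] or "")[1].lower()
        if addr.endswith("@" + DOMAIN):
            return addr.split("@")[0]
    return None


def classify(raw: bytes) -> str:
    """Label one raw RFC 822 message.

    backscatter-spoofed-sender: a bounce for an address the owner never used,
        i.e. some remote MTA rejected worm mail that forged that sender.
    guessed-address: non-bounce mail to an address the owner never used.
    bounce-to-real-address: bounce-shaped mail to a real address; only
        meaningful if the owner actually sent the original.
    normal: ordinary mail to a real address.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    local = recipient_local_part(msg)
    if local is None:
        return "not-for-our-domain"
    bounce = looks_like_bounce(msg)
    if local not in KNOWN_LOCAL_PARTS:
        return "backscatter-spoofed-sender" if bounce else "guessed-address"
    return "bounce-to-real-address" if bounce else "normal"


def tally(raw_messages):
    """Count labels over a batch of raw messages."""
    counts = {}
    for raw in raw_messages:
        label = classify(raw)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample messages (not real traffic).
SAMPLES = [
    # 1: a remote MTA rejecting worm mail that forged joe@ as its sender
    b"From: MAILER-DAEMON@mx.remote.example\r\nTo: joe@mydomain.example\r\n"
    b"Subject: Undelivered Mail Returned to Sender\r\n\r\n"
    b"550 recipient unknown\r\nOriginal From: joe@mydomain.example\r\n",
    # 2: a bounce-shaped message sent directly to the real address
    b"From: postmaster@mydomain.example\r\nTo: myname@mydomain.example\r\n"
    b"Subject: Mail Delivery System\r\n\r\nThe message could not be delivered.\r\n",
    # 3: mail to a first name the owner never set up
    b"From: mary@other.example\r\nTo: mary@mydomain.example\r\n"
    b"Subject: hi\r\n\r\ntest\r\n",
    # 4: ordinary mail to one of the tracking addresses
    b"From: list@vendor.example\r\nTo: name1@mydomain.example\r\n"
    b"Subject: Newsletter\r\n\r\nThis month's issue.\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify(raw))
    print(tally(SAMPLES))
```

On a catch-all domain the recipient local part is the cheap signal: a bounce addressed to a name you never created can only be backscatter from mail that forged you as the sender, so it can be binned without scanning. A bounce-shaped message to your real address deserves one extra question, namely whether you sent anything that could have bounced, before it is opened.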
 
