W32.Mimail.A@mm

John Coutts

Here is an interesting one. I received the second copy of this virus (first one
didn't get recognized because it was so new) sent directly from a mail server
at (nr10-216-196-194-106.fuse.net [216.196.194.106]) to our server (no stops in
between). This is most unusual because:

a. It must have been proxied directly from the server.

b. It was sent directly to the third priority server.

SARC does not list this as one of its properties. Is this a deliberate attempt
to seed the virus?

J.A. Coutts
David H. Lipman

The Mimail worm will use an SMTP server from a list of approx. 3 dozen servers. This list is
"not for public consumption."
I also can't explain any further, so please don't ask.

Dave

| Here is an interesting one. I received the second copy of this virus (first one
| didn't get recognized because it was so new) sent directly from a mail server
| at (nr10-216-196-194-106.fuse.net [216.196.194.106]) to our server (no stops in
| between). This is most unusual because:
|
| a. It must have been proxied directly from the server.
|
| b. It was sent directly to the third priority server.
|
| SARC does not list this as one of its properties. Is this a deliberate attempt
| to seed the virus?
|
| J.A. Coutts
|
David H. Lipman

I was wrong. Approx. 1 dozen SMTP servers. Sorry for the mistake.

Dave

| The Mimail worm will use an SMTP server from a list of approx. 3 dozen servers. This list is
| "not for public consumption."
| I also can't explain any further, so please don't ask.
|
| Dave
Nick FitzGerald

John Coutts said:
| Here is an interesting one. I received the second copy of this virus (first one
| didn't get recognized because it was so new) sent directly from a mail server
| at (nr10-216-196-194-106.fuse.net [216.196.194.106]) to our server (no stops in
| between). This is most unusual because:
|
| a. It must have been proxied directly from the server.
|
| b. It was sent directly to the third priority server.
|
| SARC does not list this as one of its properties. Is this a deliberate attempt
| to seed the virus?

I have seen several reports indicating that Mimail is being delivered through the
"lowest" (in MX terms -- i.e. "least desired") priority mail handler listed in the
DNS for the target domain. This is reputedly a trick commonly used by spammers.
It is, I guess, quite possible that Mimail is the work of a spammer (or someone
working for one) and is using a network of (possibly compromised) spam-specific
relays that either deliberately, or due to programmer error misinterpreting the
MX priority scheme, sends its mail via the domain's least preferred mail handler.
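The MX-priority point Nick raises above can be made concrete. The following is an added example, not code from the thread or from any Mimail analysis: it shows the delivery order a compliant MTA derives from a domain's MX records (lowest preference value first, per RFC 5321), the host a sender ends up at if it misreads the largest preference value as "best", and a check over a message's Received headers that flags mail whose first hop into our infrastructure was the least-preferred MX. The domain example.com, its MX hosts, and the Received headers are constructed for illustration; only the fuse.net hostname and IP come from the thread.

```python
import re
from typing import List, Tuple

# Constructed MX record set for a hypothetical domain.
# RFC 5321: a LOWER preference value is MORE preferred.
EXAMPLE_MX: List[Tuple[int, str]] = [
    (10, "mx1.example.com"),
    (20, "mx2.example.com"),
    (30, "backup-mx.example.com"),  # "third priority" server in John's terms
]


def rfc_delivery_order(mx_records: List[Tuple[int, str]]) -> List[str]:
    """Hosts in the order a compliant MTA tries them: ascending preference."""
    return [host for _pref, host in sorted(mx_records)]


def least_preferred_mx(mx_records: List[Tuple[int, str]]) -> str:
    """Host a sender lands on if it treats the LARGEST preference value as 'best'.

    This is the misinterpretation (or deliberate spammer trick) described in
    the post: backup MXs are often less filtered than the primary.
    """
    return max(mx_records)[1]


_BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def first_mx_hop(received_headers: List[str], mx_records: List[Tuple[int, str]]) -> str:
    """Return the first of OUR MX hosts that accepted the message.

    Received headers are given top-to-bottom as they appear in the message
    (newest first), so the earliest hop is the last element. We walk from the
    bottom and return the first 'by' host that is one of our MX hosts.
    """
    ours = {host for _pref, host in mx_records}
    for line in reversed(received_headers):
        match = _BY_RE.search(line)
        if match and match.group(1).rstrip(".") in ours:
            return match.group(1).rstrip(".")
    return ""


def direct_to_backup_mx(received_headers: List[str], mx_records: List[Tuple[int, str]]) -> bool:
    """True if the message entered our infrastructure via the least-preferred MX."""
    return first_mx_hop(received_headers, mx_records) == least_preferred_mx(mx_records)


# Constructed headers modelled on the delivery John describes: one external hop
# straight into the lowest-priority MX, then an internal relay.
SUSPICIOUS_RECEIVED = [
    "Received: from backup-mx.example.com (backup-mx.example.com [192.0.2.30]) "
    "by mail.example.com with ESMTP; Mon, 4 Aug 2003 10:02:11 -0400",
    "Received: from nr10-216-196-194-106.fuse.net ([216.196.194.106]) "
    "by backup-mx.example.com with SMTP; Mon, 4 Aug 2003 10:02:09 -0400",
]

# Constructed headers for an ordinary delivery via the primary MX.
NORMAL_RECEIVED = [
    "Received: from mx1.example.com (mx1.example.com [192.0.2.10]) "
    "by mail.example.com with ESMTP; Mon, 4 Aug 2003 10:05:00 -0400",
    "Received: from sender.example.net ([198.51.100.7]) "
    "by mx1.example.com with ESMTP; Mon, 4 Aug 2003 10:04:58 -0400",
]


if __name__ == "__main__":
    print("compliant order :", rfc_delivery_order(EXAMPLE_MX))
    print("misread 'best'  :", least_preferred_mx(EXAMPLE_MX))
    print("suspicious mail :", direct_to_backup_mx(SUSPICIOUS_RECEIVED, EXAMPLE_MX))
    print("normal mail     :", direct_to_backup_mx(NORMAL_RECEIVED, EXAMPLE_MX))
```

The check is a heuristic, not proof of malice: a legitimate sender will also fall through to the backup MX when the preferred hosts are down or greylisting, so in practice you would pair it with the primary's availability log before treating backup-MX arrivals as suspect, and you would never run a backup MX with weaker filtering than the primary, since that asymmetry is exactly what the trick exploits.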