Date: 2004-01-28 08:44:00
Tags: spam
VIRUS (W32/Mydoom@MM) IN MAIL FROM YOU
The title of this post is the subject line of a warning that some virus checker sent me, and it represents only some of what's wrong with email virus detection today. Obviously this virus checker (I don't know which one it is) has been updated to identify W32/Mydoom@MM, but it is not smart enough to realize that the name in the From field is forged and is not the actual sender. The return message admonishes me to "Please check your system for viruses." Well, I can assure you my system is not affected: I'm running FreeBSD. Please, vendors of email virus checkers: quit sending crap to the unrelated third party in the From field!

I am getting thousands of Mydoom messages per day now. Curiously, not all of them are addressed directly to me. I have the hewgill.com domain set up to route to me any message that is not addressed to an existing account (a catch-all address). This worm is also sending to the following local parts at hewgill.com:

adam alex alice andrew anna bill bob brenda brent brian claudia dan dave david debby fred george helen jack james jane jerry jim jimmy joe john jose julie kevin leo linda maria mary matt michael mike peter ray robert sam sandra serg smith stan steve ted tom

My theory is this: the worm grabs the <greg@hewgill.com> address from an infected machine, where it harvests addresses from files on disk. It probably found mine on a machine belonging to somebody who has visited my web site (my email address is listed on my web site), or who is running xearth or the threat monitor (my email address is listed in the installed documentation). Then it bombards <greg@hewgill.com> with the worm, and it also uses the above account names to generate new addresses such as <adam@hewgill.com>, <alex@hewgill.com>, and so on, which my catch-all routes to me as well.

When a message arrives for an unknown recipient, most mail servers will send a bounce message (a non-delivery report) back to the purported sender, saying that the sender sent a message to an account that doesn't exist at the destination. Because Mydoom forges the sender address, the bounce goes to whoever the worm picked as the fake sender. For example, picking one at random, apparently <matt@hewgill.com> tried to send a message to <joe@worldpay.com>. Joe doesn't exist there, so a bounce message is sent back to Matt. Matt doesn't exist either, but my catch-all does, so the bounce message ends up in my mailbox.

I don't know anybody who is getting quite as hammered as me with this one. My friends are sometimes getting one or two, often none at all. Whatever Mydoom does to collect email addresses, mine is a high visibility target.

I am currently using the following procmail rule to detect Mydoom messages:
# B flag: match against the message body, where the boundary string
# appears on every "--boundary" part separator line.
:0B
* ----=_NextPart_..._...._........\........[^0]
# Action line (file the match into a "mydoom" mailbox); the action is
# assumed here, adjust it to taste.
mydoom
The reason this works is that Mydoom attempts to construct an email message that looks exactly like it came from Outlook Express. It does a pretty good job, except for one little detail. Messages created by Outlook Express appear to always have a '0' as the last character of the MIME boundary string. For example, an Outlook Express MIME boundary might look like ----=_NextPart_000_016B_01BFC670.696FBAB0. Most of the hex digits in there are generated at random, except the last one. I don't know why this is, but it works to our advantage. The above regex matches boundary strings that fit the Outlook Express pattern but have a character other than '0' in the last position. The Mydoom worm appears to generate its boundary with a random last digit, so this is not perfect: roughly one time in sixteen Mydoom will also use a '0' as the last character and slip past the rule, but it's working okay so far. I may have to add additional checks, because a sixteenth of thousands per day is still a heck of a lot of email.
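
The same boundary check in Python, as an added example rather than anything from the original post: it pulls the boundary parameter out of a constructed message with the standard email module and applies a regex with the same shape as the procmail condition (tightened here to hex digits, which is an assumption about Outlook Express boundaries; the procmail `.` matches any character). The sample messages and boundary strings are constructed for illustration, not captured worm traffic.

```python
import re
from email import message_from_string

# Same shape as the procmail condition: "----=_NextPart_" followed by
# 3, 4, 8, '.', 8 characters. Hex classes are an assumption; procmail's
# '.' wildcard accepts any character in those positions.
OE_BOUNDARY = re.compile(
    r"^----=_NextPart_[0-9A-Fa-f]{3}_[0-9A-Fa-f]{4}_[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8}$"
)


def classify_boundary(boundary):
    """Classify a MIME boundary string.

    'other'  : not Outlook Express style at all
    'oe'     : OE pattern with the trailing '0' that real OE always emits
    'mydoom' : OE pattern but a non-'0' last character (the procmail [^0] case)
    """
    if boundary is None or not OE_BOUNDARY.match(boundary):
        return "other"
    return "oe" if boundary.endswith("0") else "mydoom"


def classify_message(raw):
    """Parse a raw RFC 2822 message and classify its top-level boundary."""
    msg = message_from_string(raw)
    return classify_boundary(msg.get_boundary())


def build_message(boundary):
    """Constructed sample message mimicking the OE multipart layout."""
    return (
        "From: Matt <matt@hewgill.com>\r\n"
        "To: joe@worldpay.com\r\n"
        "Subject: hello\r\n"
        "MIME-Version: 1.0\r\n"
        f'Content-Type: multipart/mixed; boundary="{boundary}"\r\n'
        "\r\n"
        f"--{boundary}\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
        "test\r\n"
        f"--{boundary}--\r\n"
    )


def scan(raw_messages):
    """Return how many of the given raw messages the rule flags as Mydoom."""
    return sum(1 for raw in raw_messages if classify_message(raw) == "mydoom")


if __name__ == "__main__":
    # Constructed boundaries: real-OE-looking, worm-looking, and the worm's
    # one-in-sixteen case where its random last digit happens to be '0'.
    samples = [
        build_message("----=_NextPart_000_016B_01BFC670.696FBAB0"),
        build_message("----=_NextPart_000_0007_01C3E5A2.3F1A2B7C"),
        build_message("----=_NextPart_000_0007_01C3E5A2.3F1A2B70"),
    ]
    print("flagged:", scan(samples), "of", len(samples))
```

The third sample is the false negative the post describes: the worm-generated boundary ends in '0' and is indistinguishable from Outlook Express by this rule alone.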

This worm walks straight through greylisting. Symantec's report says that the worm first attempts to send mail using its own internal SMTP engine, and if that fails it hands the message off to the "local mail server". Presumably the local mail server queues and retries the message correctly, and therefore greylisting lets it through. See my greylisting status graphs to get an idea of the scale of the problem here. The green area indicates the number of distinct hosts that have successfully sent me email within the prior ten days. The blue line is the number that have tried only once within the prior six hours. About half the hosts that have sent me mail have sent more than one message, and the current record is 186 from a single host.
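
To show why a retrying relay defeats greylisting, here is an added Python simulation (not from the original post and not any real greylisting daemon) of the usual triplet check: the first attempt for a new (client IP, sender, recipient) triple gets a temporary failure, a retry after an assumed minimum delay is accepted, and an accepted triple is then remembered so later messages from the same host pass immediately. The IP addresses, retry timings and the delay and expiry constants are all assumptions for illustration.

```python
MIN_DELAY = 300          # seconds a new triplet must wait before acceptance (assumed)
TRIPLET_TTL = 6 * 3600   # forget a triplet that never retries within this window (assumed)


class Greylist:
    """Minimal greylisting state: first-seen time per (ip, sender, rcpt)."""

    def __init__(self):
        self.first_seen = {}

    def check(self, ip, sender, rcpt, now):
        key = (ip, sender, rcpt)
        seen = self.first_seen.get(key)
        if seen is None or now - seen > TRIPLET_TTL:
            # never seen, or seen so long ago that we start over
            self.first_seen[key] = now
            return "451 4.7.1 try again later"
        if now - seen < MIN_DELAY:
            # retried too quickly; a real MTA will come back later
            return "451 4.7.1 try again later"
        return "250 accepted"


def run_attempts(gl, ip, sender, rcpt, attempt_times):
    """Feed delivery attempts (absolute timestamps, seconds) through the
    greylist. Returns (delivered, attempts_used)."""
    for i, t in enumerate(attempt_times, 1):
        if gl.check(ip, sender, rcpt, t).startswith("250"):
            return True, i
    return False, len(attempt_times)


SENDER = "matt@hewgill.com"     # forged sender, as in the post
RCPT = "greg@hewgill.com"


def worm_direct():
    """Constructed scenario: the worm's built-in SMTP engine tries once,
    never retries, and so never gets past the greylist."""
    gl = Greylist()
    return run_attempts(gl, "203.0.113.7", SENDER, RCPT, [0])


def worm_via_local_mta():
    """Constructed scenario: the worm hands the message to the victim's
    local mail server, which retries on a normal queue schedule
    (assumed 15-minute intervals) and is accepted on the retry."""
    gl = Greylist()
    return run_attempts(gl, "198.51.100.25", SENDER, RCPT, [0, 900, 1800])


def flood_after_acceptance(extra_messages=5):
    """Once a host's triplet has been accepted, further copies of the worm
    from the same host with the same forged sender pass immediately; this is
    how one host can rack up a large count of delivered messages."""
    gl = Greylist()
    run_attempts(gl, "198.51.100.25", SENDER, RCPT, [0, 900])
    later = [1000 + n for n in range(extra_messages)]
    return sum(1 for t in later if gl.check("198.51.100.25", SENDER, RCPT, t).startswith("250"))


if __name__ == "__main__":
    print("direct engine :", worm_direct())
    print("via local MTA :", worm_via_local_mta())
    print("flood accepted:", flood_after_acceptance())
```

Greylisting only ever tests whether the client behaves like a queueing MTA; once the worm borrows the victim's real MTA, it inherits that behaviour and the filter has nothing left to distinguish.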

I'm going to have to do some more effective filtering soon, I think. Two more weeks (Mydoom is supposed to shut itself off on February 12) of dealing with a clogged mailbox is going to make me very grumpy.
cetan
2004-01-28T15:48:01Z
Man, you are getting killed on this.

I got my first emails to my cetan.com domain this morning. But I bounce everything that's not a valid mail box so perhaps more are being sent and I don't know it.

The odd thing is that the email was to "muon@cetan.com" which I had set up as a joke on one of my pets web pages. None of my more public email addresses are being hit (yet).
decibel45
2004-01-28T18:18:09Z
Why don't you start dumping email to invalid addresses at your domains?
ghewgill
2004-01-28T19:36:55Z
I may have to do that, at least until this flood lets up. However, I want to be careful to not become part of the problem and bounce the messages back to the fake sender address.

I might set up qmail to dump messages specifically to those adam, alex, etc. names to /dev/null.
nugget
2004-01-28T19:52:25Z
Of all those canned names, only one is a valid @slacker.com email address. So I went ahead and created specific /dev/null aliases for the rest which will prevent mail to those addresses from generating a bounce. Can't hurt.
Greg Hewgill <greg@hewgill.com>