LSTOWN-L Archives

LISTSERV List Owners' Forum

LSTOWN-L

Sender: LISTSERV list owners' forum <[log in to unmask]>
Date: Mon, 2 Feb 2004 14:00:05 -0500
Reply-To: LISTSERV list owners' forum <[log in to unmask]>
Content-Transfer-Encoding: 7bit
Subject:
From: Paul Russell <[log in to unmask]>
Content-Type: text/plain; charset=us-ascii; format=flowed
In-Reply-To:
Organization: University of Notre Dame
MIME-Version: 1.0

Pete Weiss wrote:

> something generated a "bounce" report perhaps sending to a bogus to: that
> made it appear that it came from the owner-listname.
>
> I have a bunch of bounces from FIRSTNAME@SOME_ISP that aren't subscribed.

The MyDoom virus forges sender addresses using addresses it finds in files
on the infected computer. It could have found 'owner-listname@listhost' in a
list message saved by the owner of the infected system, and used that as
the forged return address on a virus carrier message which was sent to an
invalid address. Result: a delivery error message to owner-listname for an
address which is not subscribed to the list.

The MyDoom virus also randomly generates both sender and recipient addresses
using the following usernames, prepended to harvested domain names:

        adam, alex, alice, andrew, anna, bill, bob, brenda, brent, brian,
        claudia, dan, dave, david, debby, fred, george, helen, jack, james,
        jane, jerry, jim, jimmy, joe, john, jose, julie, kevin, leo, linda,
        maria, mary, matt, michael, mike, peter, ray, robert, sam, sandra,
        serg, smith, stan, steve, ted, tom

--
Paul Russell
Senior Systems Administrator
University of Notre Dame
