Koozali.org: home of the SME Server

DOS Attack?

ChrisG

DOS Attack?
« on: January 27, 2004, 12:33:18 AM »
ClamAV has killed over 100 emails in the past hour containing the virus Worm.SCO.A. The emails come from a variety of hosts including AOL, etc but seem to have no other similarities. All emails are to bogus email addresses on my system - 'bob@foo.com' - when there is and has never been a 'bob' account on the system.

Any idea how I can combat this? What have some of you done in the past about such attacks - if that is what it is.

Thanks in advance...

Chris Gray

raem

DOS Attack?
« Reply #1 on: January 27, 2004, 05:12:37 AM »
I'm seeing the same thing on my server in Australia, 100 or so in the last 2 hours.
Just grin and be glad your scanner is working.
Regs
Ray
...

webster

mee tooooo
« Reply #2 on: January 27, 2004, 12:08:34 PM »
We are getting hit really hard... had one client get over 4000 in a few hours, but not sure if it's the same virus... RAV is reporting it as W32/Mydoom@MM.
This is the Norton info on it... wonder if it's the same one... http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html

I was a little worried, as my RAV is going to expire in 1 month, and since they aren't doing it any more I am looking at changing to ClamAV... I hope it is more effective than RAV... and RAV is good :)

There are a few options you could look at, but it all depends on what version of the OS you are using.
ASSP is probably your best bet, but it doesn't suit my needs.

hope this helps
T

webster

just an update
« Reply #3 on: January 27, 2004, 12:10:21 PM »
Looks like it is the same virus... if infected, a machine can send 100 mails in 30 seconds... :-o

2 bits of nice reading
http://www.washingtonpost.com/wp-dyn/articles/A50977-2004Jan26.html
http://seattletimes.nwsource.com/html/nationworld/2001844459_worm27.html

cc_skavenger

Worm
« Reply #4 on: January 28, 2004, 03:03:32 AM »
ClamAV calls it Worm.SCO; it is the MyDoom virus, and ClamAV catches it, very well I might add. There really isn't a way to stop it: the addresses are spoofed and the users are spoofed. Just let the AV software do its thing. Saw about 10,000 e-mails go through my server today; all seemed to have been caught. I started to blacklist IPs, but it didn't help, since they are being spoofed. I just bandwidth-limited the IP for the mail server and it hasn't really affected anything.

Just my $0.02

RavenIV

DOS Attack?
« Reply #5 on: January 29, 2004, 02:36:23 AM »
My network here is very small: 9 users and 5 Win2k clients.
The MyDoom started on Monday with 10 attacks, and on Tuesday we had 5 more hits.
My antivirus stopped all virus mails and I think we are protected very well.
The current versions of several virus scanners for Windows did not find any virus on the Win2k clients.

My antivirus on the server is AvMailGate (AntiVir MailGate Linux) from antivir.de. There is a contrib for this somewhere, but I don't remember where.

cheers klaus

doc

Workaround solution
« Reply #6 on: January 29, 2004, 11:18:40 AM »
My main problem has been that these hoax, virus-laden emails are addressed to nonexistent users on my domain name, and the esmith mailserver keeps trying to bounce these back to their spoofed, nonexistent email addresses, which therefore bounce back to the esmith mailserver.  Eventually, the admin account is sent a message by the mailserver that return-to-sender emails can't reach the spoofed addresses.  This is using a lot of my server's bandwidth and resources.

=> Workaround solution ...

Create a new user account, and then in esmith-manager > configuration > email, set this account as: 1) the forwarding address for administrative notices, and 2) the destination for email to unknown users ("send to administrator", NOT "return to sender").

All these hoax emails then accumulate in new user account, and every so often you can check and delete them.

This will save a lot of your server's bandwidth and resources (and reduce Internet traffic for everyone).

-- doc
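The loop doc describes is classic backscatter: the server accepts mail for a user that does not exist, discovers this at delivery time, and the only party left to tell is the envelope sender, which the worm forged. Routing unknown-user mail into a mailbox (doc's workaround) breaks the loop by never generating the bounce. The other standard way to break it is to check the recipient at RCPT TO and answer 550 before the message is ever accepted. The following is an added example, not SME Server/e-smith code and not any setting from the thread: a minimal SMTP server state machine driven by constructed client transcripts that mimic the flood (spoofed senders, mail to bogus local users), comparing the two policies. `foo.com`, the `LOCAL_USERS` set, the spoofed addresses and the flood itself are all constructed for the demonstration.

```python
"""Backscatter demo: accept-then-bounce vs. reject-at-RCPT (added example,
not SME Server code). Domain, users and the flood below are constructed."""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

LOCAL_DOMAIN = "foo.com"            # assumed, after the thread's 'bob@foo.com'
LOCAL_USERS = {"admin", "chris"}    # constructed accounts; 'bob' deliberately absent
ADDR_RE = re.compile(r"<([^>]*)>")

def parse_address(arg: str) -> Optional[str]:
    """Pull the path out of 'FROM:<a@b>' / 'TO:<a@b>'; '<>' yields ''."""
    m = ADDR_RE.search(arg)
    return m.group(1) if m else None

def recipient_known(addr: str) -> bool:
    """True only for mailboxes that really exist on this host."""
    local, sep, domain = addr.rpartition("@")
    return sep == "@" and domain.lower() == LOCAL_DOMAIN and local.lower() in LOCAL_USERS

@dataclass
class Outcome:
    accepted: int = 0        # messages queued at end-of-DATA
    rejected_rcpt: int = 0   # RCPT TO commands answered 550
    bounces: int = 0         # DSNs this host would send to the (spoofed) sender
    replies: List[str] = field(default_factory=list)

def run_session(lines: Iterable[str], reject_at_rcpt: bool) -> Outcome:
    """Drive a tiny SMTP server over one client transcript."""
    out, sender, rcpts, in_data = Outcome(), None, [], False
    for line in lines:
        if in_data:
            if line != ".":
                continue                           # body lines are not commands
            in_data, out.accepted = False, out.accepted + 1
            out.replies.append("250 2.0.0 queued")
            # Delivery stage: with accept-then-bounce the unknown user is only
            # noticed now, so a DSN goes back to whoever MAIL FROM claimed.
            # A null reverse path ('<>') must never be bounced (RFC 5321).
            if sender and any(not recipient_known(r) for r in rcpts):
                out.bounces += 1
            sender, rcpts = None, []
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            out.replies.append(f"250 mail.{LOCAL_DOMAIN}")
        elif verb == "MAIL":
            sender, rcpts = parse_address(arg), []
            out.replies.append("250 2.1.0 sender ok")
        elif verb == "RCPT":
            addr = parse_address(arg) or ""
            if sender is None:
                out.replies.append("503 5.5.1 MAIL first")
            elif reject_at_rcpt and not recipient_known(addr):
                out.rejected_rcpt += 1             # refused before any data: nothing to bounce
                out.replies.append(f"550 5.1.1 <{addr}>: no such user")
            else:
                rcpts.append(addr)
                out.replies.append("250 2.1.5 recipient ok")
        elif verb == "DATA":
            if not rcpts:
                out.replies.append("503 5.5.1 no valid recipients")
            else:
                in_data = True
                out.replies.append("354 end data with <CRLF>.<CRLF>")
        elif verb == "RSET":
            sender, rcpts = None, []
            out.replies.append("250 2.0.0 reset")
        elif verb == "QUIT":
            out.replies.append("221 2.0.0 bye")
        else:
            out.replies.append("500 5.5.2 command not recognized")
    return out

def worm_transcript(sender: str, rcpt: str) -> List[str]:
    """Constructed client side of one worm delivery attempt."""
    return ["EHLO infected-host.example", f"MAIL FROM:<{sender}>", f"RCPT TO:<{rcpt}>",
            "DATA", "Subject: hello", "", "test", ".", "QUIT"]

# Constructed flood: spoofed senders to bogus users, one real user, and one
# returning bounce (null sender) aimed at a bogus user, i.e. the loop itself.
CONSTRUCTED_FLOOD = [
    ("alice@example.net", "bob@foo.com"),
    ("dave@example.org", "zzz@foo.com"),
    ("eve@example.com", "chris@foo.com"),
    ("", "bob@foo.com"),
]

def simulate_flood(reject_at_rcpt: bool) -> Outcome:
    """Run every flood transcript under one policy and total the results."""
    total = Outcome()
    for sender, rcpt in CONSTRUCTED_FLOOD:
        o = run_session(worm_transcript(sender, rcpt), reject_at_rcpt)
        total.accepted += o.accepted
        total.rejected_rcpt += o.rejected_rcpt
        total.bounces += o.bounces
        total.replies.extend(o.replies)
    return total

if __name__ == "__main__":
    for policy in (False, True):
        r = simulate_flood(reject_at_rcpt=policy)
        print(f"reject_at_rcpt={policy}: accepted={r.accepted} "
              f"rejected={r.rejected_rcpt} bounces={r.bounces}")
```

Running it shows the trade-off in numbers: accept-then-bounce queues all four messages and sends two DSNs to forged addresses (none for the `<>` sender, which is exactly why doc's admin account ends up holding those), while rejecting at RCPT queues only the message for the real user and generates no bounce at all. The caveat a practitioner should weigh is that 550 at RCPT time tells the connecting host which addresses exist, so it trades backscatter for address enumeration; the thread's workaround of swallowing unknown-user mail avoids both at the cost of storing and periodically clearing the junk.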

cosy

DOS Attack?
« Reply #7 on: February 01, 2004, 12:14:09 AM »
I have the same problem. My front-line mail server is SME Server 5.6 (port forwarding to ex3k), with Exchange 2003 behind it. I found the SMTP queue has some unknown domains trying to send mail.

And I'm getting virus alerts in my Trend mail scan, saying the SMTP Router Mailbox Administrator is sending mail?

How can I solve my problems?