> > I was looking over the MyDoom email messages that I received todayand found > > about 15 copies of the worm which came from postmasters in bounce messages. > > Some postmasters, when sending out a bounce message, include the original > > email message as an attachment. If a bounce message is for a > > MyDoom-infected message, the bounce message will sometimes includean intact > > copy of the MyDoom executable which can be run by mistake with a few mouse > > clicks. > > This is sometimes unavoidable. A lot of MyDoom's go to nonexistent > recipients, and when they are failed with a 5xx failure code, the sending > relay (quite reasonably) includes the original message in the bounce. > Not only do a lot of MyDoom's go to nonexistent recipients, they go to nonexistent recipients *by design*. These are intentional bounces where the worm is putting a simple but typically nonexistent email address in the "To:" and putting it's intended target address in the "From:". Then it uses the 5xx failures to deliver the worm via the bounce mechanism, so that the recipient gets an actual non-delivery report, not a faked one. It is a subtle distinction, but I don't recall this method of delivery being used previously. All those bounces/rejections you see in your mail-server logs for "bill@yourdomain.com", "jane@yourdomain.com", "john@yourdomain.com", and "sam@yourdomain.com", etc. are NOT really attempts to deliver the worm to those made-up addresses (though I doubt the worm author would mind if the addresses did exist...). They are meant to bounce to the *actual* intended recipient, who is listed in the "From:" I agree that the 5xx failures correctly bounce the complete message. But it is that predictable process that is being exploited by the worm author. -- Mark
