Bugtraq mailing list archives
Re: Hysterical first technical alert from US-CERT
From: Valdis.Kletnieks () vt edu
Date: Wed, 04 Feb 2004 09:31:15 -0500
On Tue, 03 Feb 2004 07:11:49 EST, Larry Seltzer <larry () larryseltzer com> said:
> First, it's dated 1/28, the day MyDoom.B was discovered, and the message sent field says that too; other dates in the headers disagree.
Oh, like the fact that a lot of mail servers were getting pounded by MyDoom.*A* doesn't mean that there could be delays along the line? (Remember to add in the timezones - at least some of the boxes are running in GMT not EST5EDT).
> Second, and more to the point, it takes an extreme view of MyDoom.B that nobody else is supporting, including the sources they cite. MyDoom.B is a flop.
OK. So let's see. We've got one highly successful virus (MyDoom.A) on the loose at the time of writing, another variant that's essentially identical except for the target, and no clear indication why this one *shouldn't* take off as well.
Yes, it took an extreme view that nobody is supporting *NOW*. Now isn't last Wednesday night, when there wasn't a week's worth of hindsight. Yes, it fizzled. Please point us at the information available to the CERT guys *at the time* that proves there was *no* way that MyDoom.B could possibly ever be a real threat.
What would you have the CERT guys do, *not* send the advisory just because they aren't 100% sure at the time?
I suppose you also understand why MyDoom-A was huge and Dumaru-whatever that showed up 2 days before was a yawner. Also, note that I got more copies of Dumaru in the first 2 hours of THAT one than I got *total* of MyDoom-A - so based on the first 2 hours from where *I* am, Dumaru was looking like a much bigger event.
> Am I misreading something? Did anyone else get this on 1/28?
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20]) by outgoing2.securityfocus.com (Postfix) with QMQP id B5ECF8F5D0; Mon, 02 Feb 2004 12:27:56 -0700 (MST)
Received: (qmail 11614 invoked from network); Thu, 29 Jan 2004 00:11:38 +0000
Date: Wed, 28 Jan 2004 19:12:09 -0500
Looks like some delay there. But it was already at SecurityFocus's qmail within seconds (the Date: is actually 31 seconds ahead of the Received: once you allow for timezones - somebody isn't using NTP ;)
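The timezone arithmetic in the message above, as an added example that is not part of the original post: each timestamp is normalised to UTC and the gap per hop is reported. The header values are copied from the message; the line folding, the function names and the 300-second delay threshold are assumptions of this example.

```python
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Header values copied from the message above; line folding is constructed.
RAW = (
    "Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])\n"
    "\tby outgoing2.securityfocus.com (Postfix) with QMQP id B5ECF8F5D0;\n"
    "\tMon, 02 Feb 2004 12:27:56 -0700 (MST)\n"
    "Received: (qmail 11614 invoked from network); Thu, 29 Jan 2004 00:11:38 +0000\n"
    "Date: Wed, 28 Jan 2004 19:12:09 -0500\n"
    "\n"
)

MAX_HOP_DELAY = 300  # seconds; assumed threshold for "queued somewhere"

def to_utc(stamp):
    """Parse an RFC 2822 date (trailing "(MST)" comment allowed) into UTC."""
    return parsedate_to_datetime(stamp.strip()).astimezone(timezone.utc)

def hop_deltas(raw):
    """Return [(hop_label, seconds_since_previous_stamp, verdict), ...].

    Received: headers are prepended by each relay, so they are walked in
    reverse to follow the message from the sender's Date: onward.
    """
    msg = message_from_string(raw)
    prev = to_utc(msg["Date"])
    rows = []
    for value in reversed(msg.get_all("Received", [])):
        where, _, stamp = value.rpartition(";")  # timestamp follows the last ';'
        now = to_utc(stamp)
        delta = int((now - prev).total_seconds())
        if delta < 0:
            verdict = "clock skew (earlier stamp is ahead)"
        elif delta > MAX_HOP_DELAY:
            verdict = "delayed in transit"
        else:
            verdict = "ok"
        rows.append((" ".join(where.split())[:40], delta, verdict))
        prev = now
    return rows

if __name__ == "__main__":
    for label, delta, verdict in hop_deltas(RAW):
        print(f"{delta:>8}s  {verdict:<36} {label}")
```

Date: and any Received: line written before the first relay you operate are sender-supplied, so only the gaps between your own relays' stamps are reliable evidence.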