Snort mailing list archives

Re: MyDoom Outbound Impossible Detects

From: "McCash, John" <John.McCash () andrew com>
Date: Wed, 11 Feb 2004 10:40:18 -0600

Everyone,
        FYI, Here's an chop from the beginning of one of the snort packet analyses I'm talking about... This detect was 
picked up outbound from my mail filter to 212.227.126.164 (somewhere in Germany, I think)

EHLO gto.net.om..MAI
L FROM:&ltmspss@gto.
net.om>..RCPT TO:&
ltjim () andrew com>.
.DATA..From: mspss@g
to.net.om..To: jim@a
ndrew.com..Subject: 
Error..Date: Wed, 11
Feb 2004 23:16:56 +
0800..MIME-Version: 
1.0..Content-Type: m
ultipart/mixed;...bo
undary="----=_NextPa
rt_000_0008_FB768B4C
.1EB23391"..X-Priori
ty: 3..X-MSMail-Prio
rity: Normal....This
is a multi-part mes
sage in MIME format.
....------=_NextPart
_000_0008_FB768B4C.1
EB23391..Content-Typ
e: text/plain;...cha
rset="Windows-1252".
.Content-Transfer-En
coding: 7bit....Mail
transaction failed.
Partial message is 
available.......----
--=_NextPart_000_000
8_FB768B4C.1EB23391.
.Content-Type: appli
cation/octet-stream;
...name="message.scr
"..Content-Transfer-
Encoding: base64..Co
ntent-Disposition: a
ttachment;...filenam
e="message.scr"....T
VqQAAMAAAAEAAAA//8AA
LgAAAAAAAAAQAAAAAAAA
AAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAA..AAA
AqAAAAAAAAAAAAAAAAAA 

                John

------------------------------------------------------------------------------------------------
This message is for the designated recipient only and may
contain privileged, proprietary, or otherwise private information.  
If you have received it in error, please notify the sender
immediately and delete the original.  Any unauthorized use of
this email is prohibited.
------------------------------------------------------------------------------------------------
[mf2]


-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id56&alloc_id438&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

MyDoom Outbound Impossible Detects McCash, John (Feb 06)
- Message not available
  - Re: MyDoom Outbound Impossible Detects Chris Keladis (Feb 06)
- <Possible follow-ups>
- Re: MyDoom Outbound Impossible Detects McCash, John (Feb 06)
- RE: MyDoom Outbound Impossible Detects John York (Feb 06)
- Re: MyDoom Outbound Impossible Detects McCash, John (Feb 11)
- Re: MyDoom Outbound Impossible Detects McCash, John (Feb 11)