Virus.Org Mailing List Archive
Re: WORM_MIMAIL.A Anyone have any info on what this does yet?

  • To: Alex 'CAVE' Cernat <[EMAIL PROTECTED]>
  • Subject: Re: WORM_MIMAIL.A Anyone have any info on what this does yet?
  • From: Frank Knobbe <[EMAIL PROTECTED]>
  • Date: Mon, 04 Aug 2003 12:24:52 -0500
  • Cc: [EMAIL PROTECTED]
  • In-reply-to: <[EMAIL PROTECTED]>
  • References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
On Mon, 2003-08-04 at 10:57, Alex 'CAVE' Cernat wrote:
> if the virus sends emails through a local smtp connection, it's a dns
> problem;
> but if the virus connects directly to the 'backup' smtp server, then,
> lamerish, the virus programmer probably believed that a bigger value
> associated with mx means 'preferred server', which is exactly the
> opposite of the rfc or any documentation available :-)


No, not necessarily. There may be setups where the mail bagger does not
include virus and spam scanners, thus offering a chance of "getting in"
undetected. This is especially true if primary mail servers trust
secondary mail baggers explicitly (i.e. allow them to relay regardless
of recipient domain).

Since a lot of setups use mail baggers at ISPs as secondary MXes, which
most likely do not have virus and spam scanners installed, the chances
of slipping through the net of defenses are a bit better.

Furthermore, setups involving secondary mail servers are a bit more
complex (not technologically, but there is more to configure),
increasing the chances of misconfigurations (such as the above-mentioned
relay override, or virus scanner bypass). So the added complexity works
against security and in favor of those trying to circumvent it.

The ideal virus would want to try to inject itself through MX records
farther away from the target, preferably hosts with different domain
names (as would be the case with ISPs).


Regards,
Frank
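As an added example (not from this thread or its authors), the MX preference ordering Alex refers to and the off-domain backup MX hosts Frank describes, turned into a small audit check a mail admin can run over a zone's MX records. The domain names and records are constructed sample data, and the audit rule (flag any non-primary MX outside the owner domain) is an assumption about what such a review should look for.

```python
import re
from dataclasses import dataclass

# Constructed sample MX records for a hypothetical domain (not from the post).
# Zone-file style: "<owner> IN MX <preference> <exchange>".
SAMPLE_MX_RECORDS = """
example.test.  IN MX 10 mail.example.test.
example.test.  IN MX 20 mx2.example.test.
example.test.  IN MX 50 backup-mx.isp-hosting.test.
"""

MX_RE = re.compile(r"^(\S+)\s+IN\s+MX\s+(\d+)\s+(\S+)\s*$", re.IGNORECASE)


@dataclass(frozen=True)
class MxRecord:
    owner: str        # domain the MX belongs to, lower-cased, no trailing dot
    preference: int   # lower value = tried first (the RFC semantics)
    exchange: str     # mail host, lower-cased, no trailing dot


def parse_mx(zone_text):
    """Parse zone-file MX lines into MxRecord objects; blank lines are skipped."""
    records = []
    for line in zone_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MX_RE.match(line)
        if not m:
            raise ValueError(f"not an MX line: {line!r}")
        owner = m.group(1).lower().rstrip(".")
        exchange = m.group(3).lower().rstrip(".")
        records.append(MxRecord(owner, int(m.group(2)), exchange))
    return records


def delivery_order(records):
    """Hosts in the order a conforming sender tries them: lowest preference
    value first; higher values are the backups a worm might aim at."""
    return [r.exchange for r in sorted(records, key=lambda r: (r.preference, r.exchange))]


def off_domain_backups(records):
    """Backup MX hosts (not lowest preference) outside the owner domain.
    These are the ISP-style 'mail baggers': each needs the same filtering
    as the primary, and the primary must not trust it as an open relay."""
    best = min(r.preference for r in records)
    return [r.exchange for r in records
            if r.preference > best
            and r.exchange != r.owner
            and not r.exchange.endswith("." + r.owner)]
```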

Copyright (c) Virus.Org 1997-2006.