RE: WORM_MIMAIL.A Anyone have any info on what this does yet?
- To: "'Rohny Jotton'" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
- Subject: RE: WORM_MIMAIL.A Anyone have any info on what this does yet?
- From: "Lee Evans" <[EMAIL PROTECTED]>
- Date: Tue, 5 Aug 2003 23:54:12 +0100
- Cc: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
- In-reply-to: <[EMAIL PROTECTED]>
Hi Rohny,
Not to be picky (okay, so I probably am), but when you say you only have
a primary (pref 10) and 'pentiary' (pref 50) mail server set up, what do
you mean exactly? If you only have two MX records, then the one with a
preference of 50 is no less a 'secondary' than if it had a preference of
20, or anything else higher than 10 for that matter. The numbers are not
numerically significant; 10 is usually chosen for the primary followed
by 20 as secondary, but this is just for general convenience and has
simply become something of a habit-cum-standard. Your primary MX record
could quite easily have a preference of 50, so long as this is the
lowest number of any of the MX records. To say that your mail server is
a 'pentiary' mail server simply because of the numerical value of its MX
preference is incorrect.
It may well be that the virus was deliberately written to choose MX
records with a preference of 20, as this is generally a secondary
server, as mentioned. In my experience secondary mail servers are in
many cases also a secondary consideration, and it may be that the virus
writer was hoping to avoid anti-virus systems by avoiding primary email
servers.
Regards
Lee
--
Lee Evans
> -----Original Message-----
> From: Rohny Jotton [mailto:[EMAIL PROTECTED]
> Sent: 04 August 2003 21:44
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: WORM_MIMAIL.A Anyone have any info on what this does yet?
>
>
> This may explain why I haven't seen the virus come knocking at our mail
> server (nope, not one). We only have a primary MX (10) set up and pentiary
> (50) mail relay upstream which is maintained by our provider.
>
> Curious...
>
> John
>
> -----Original Message-----
> From: Jerry Shenk [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 04, 2003 11:43 AM
> To: [EMAIL PROTECTED]
> Subject: RE: WORM_MIMAIL.A Anyone have any info on what this does yet?
>
> Ya know, I thought it was just a coincidence but I saw some
> instances of this going through our mail scanner and it
> seemed like it might have gone through a secondary MX also.
> We hadn't really dug into it but seeing somebody else
> mentioning it does make it look like it may be a design
> issue. I'm gonna dig into this a little more.
>
> -----Original Message-----
> From: att13543 [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 04, 2003 9:54 AM
> To: [EMAIL PROTECTED]
> Subject: RE: WORM_MIMAIL.A Anyone have any info on what this does yet?
>
>
> I'd be interested if anyone can correlate what I've seen: we
> have 2 MX records, one weighted at 10 (primary) and one at 20
> (secondary). Of the 200 or so MiMails we've seen 100% have
> come through our SECONDARY mail server. Maybe the SMTP
> engine was written poorly, or maybe it was this way on purpose?
>
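An added example, not part of the original thread: a small Python sketch of the point about relative MX preference, combined with the check the posters describe doing by hand (which MX the flagged mail arrived through). The host names, the sample MX sets and the scanner hit list are constructed for illustration, and the function names are hypothetical.

```python
from collections import Counter


def _norm(host):
    """Normalise a DNS name for comparison (case-insensitive, no trailing dot)."""
    return host.lower().rstrip(".")


def rank_mx(records):
    """Map each MX host to its rank (1 = primary) from (preference, host) pairs.

    Only the ordering of the preference values matters, not their size;
    records with equal preference share a rank.
    """
    distinct = sorted({pref for pref, _ in records})
    rank_of = {pref: i + 1 for i, pref in enumerate(distinct)}
    return {_norm(host): rank_of[pref] for pref, host in records}


def detections_by_rank(records, scanner_hits):
    """Count scanner detections per MX rank; unknown receiving hosts go under None."""
    ranks = rank_mx(records)
    return Counter(ranks.get(_norm(h)) for h in scanner_hits)


def backup_share(records, scanner_hits):
    """Fraction of detections (on known MX hosts) that arrived via a non-primary MX."""
    counts = detections_by_rank(records, scanner_hits)
    known = sum(n for r, n in counts.items() if r is not None)
    backup = sum(n for r, n in counts.items() if r is not None and r > 1)
    return backup / known if known else 0.0


# Constructed sample data: the two MX layouts discussed in the thread.
MX_10_50 = [(10, "mail1.example.org."), (50, "relay.example.net.")]
MX_10_20 = [(10, "mail1.example.org."), (20, "relay.example.net.")]

# Constructed sample: receiving host recorded for each message the scanner flagged.
HITS = ["relay.example.net"] * 4 + ["mail1.example.org", "unknown.example.com"]

if __name__ == "__main__":
    print(rank_mx(MX_10_50))             # the pref-50 host is rank 2, same as pref 20
    print(backup_share(MX_10_50, HITS))  # share of detections seen on backup MX hosts
```

A high backup share is a prompt to confirm that every MX host, including a provider-run relay, applies the same scanning as the primary.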