Re: WORM_MIMAIL.A Anyone have any info on what this does yet?

  • To: [EMAIL PROTECTED]
  • Subject: Re: WORM_MIMAIL.A Anyone have any info on what this does yet?
  • From: Pete Phillips <[EMAIL PROTECTED]>
  • Date: Wed, 06 Aug 2003 04:58:26 -0500
  • In-reply-to: <[EMAIL PROTECTED]>
  • References: <[EMAIL PROTECTED]>
  • Reply-to: [EMAIL PROTECTED]
On 4 Aug 2003 at 12:24, Frank Knobbe wrote:

> On Mon, 2003-08-04 at 10:57, Alex 'CAVE' Cernat wrote:
> > if the virus sends emails through a local smtp connection, it's a dns
> > problem;
> > but if the virus connects directly to the 'backup' smtp server, then,
> > lamerish, the virus programmer probably believed that a bigger value
> > associated with an mx means 'preferred server', which is exactly the
> > opposite of the rfc or any documentation available :-)
> 
> 
> No, not necessarily. There may be setups where the mail
> bagger does not include virus and spam scanners, thus
> offering a chance of "getting in" undetected.

I certainly see a lot of spam that targets my backup MXs explicitly.  
Sadly, it's an effective way for the spammers to bypass DNS 
Realtime Blackhole Lists for those domains for which the backup is 
contracted off-site. On my own backup MXs, I can configure the 
RBLs, but I cannot do that on my ISP's server (nor would I want 
them deciding for me what is spam).

If the virus author meant to bypass virus-scanning, though, his 
attempt is (one hopes) misguided. All mail routed through the 
backups should spool through the primary before reaching any 
client, and the primary should do the virus scanning.

> This is especially true if primary mail servers trust
> secondary mail baggers explicitly (i.e. allow them to
> relay regardless of recipient domain). 

If my primary trusts the secondary, I have a much more serious 
problem than receiving spam / virii. The combination becomes a 
multi-stage-open-relay. It will eventually be found by spammers and 
used to *send* spam, its IP block will wind up in the DNS RBLs, and 
I won't be able to send EMail at all.

One should never trust a backup MX (even one's own).
 
 
-- Pete Phillips
-- San Antonio, Texas
-- [EMAIL PROTECTED]
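Two points in the thread are easy to check in code: a conforming sender tries the lowest MX preference value first (so a sender that treats the highest value as "preferred" lands on the backup), and mail that reaches the primary through a backup MX has skipped the RBL checks the backup lacks, so it is worth spotting on the primary. The following is an added example, not code from the list or any of the posters; the domain names, addresses and Received: lines are constructed.

```python
import random
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed MX record set for a hypothetical domain; the hostnames are assumptions.
MX_RECORDS: List[Tuple[int, str]] = [
    (20, "backup-mx.isp.example"),   # off-site backup MX run by the ISP
    (10, "mx1.example.com"),         # primary, where scanning and RBL checks happen
    (10, "mx2.example.com"),
]

def mx_delivery_order(records: Iterable[Tuple[int, str]],
                      rng: Optional[random.Random] = None) -> List[str]:
    """Order hosts as a conforming sender tries them (RFC 5321 section 5.1):
    the LOWEST preference value is tried first; ties are broken randomly.
    A sender that treats the highest value as 'preferred' hits the backup."""
    rng = rng or random.Random()
    by_pref: Dict[int, List[str]] = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    ordered: List[str] = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)
        ordered.extend(hosts)
    return ordered

def backup_hosts(records: Iterable[Tuple[int, str]]) -> Set[str]:
    """Every MX not at the lowest (most preferred) value is a backup MX."""
    records = list(records)
    lowest = min(pref for pref, _ in records)
    return {host for pref, host in records if pref > lowest}

# The topmost Received: header (added by the primary) names the peer that handed it the message.
RECEIVED_RE = re.compile(r"^Received: from (\S+)", re.MULTILINE)

def arrived_via_backup(headers: str, records: Iterable[Tuple[int, str]]) -> bool:
    """True if the topmost Received: line shows the message came in through a
    backup MX rather than directly from the sender's MTA.  Such mail bypassed
    whatever RBL filtering the backup lacks, so the primary must still scan it,
    and the count is a useful signal of spam aimed at the backups."""
    m = RECEIVED_RE.search(headers)
    return bool(m) and m.group(1).lower() in backup_hosts(records)

# Constructed header fragments for testing (not real messages).
VIA_BACKUP = ("Received: from backup-mx.isp.example (backup-mx.isp.example [192.0.2.10])\n"
              "\tby mx1.example.com with ESMTP; Wed, 06 Aug 2003 04:50:00 -0500\n")
DIRECT = ("Received: from sender.example.net (sender.example.net [198.51.100.7])\n"
          "\tby mx1.example.com with ESMTP; Wed, 06 Aug 2003 04:51:00 -0500\n")
```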