From: Skip Carter (skip_at_taygeta.com)
To: Stephen Warren <email@example.com>
Date: Thu, 29 Jan 2004 18:33:39 -0800
> I notice something interesting about the SMTP route that all the
> Novarg/Mydoom emails are taking to get to my box.
> I have a personal Linux machine that runs my SMTP server and is MX for
> wwwdotorg.org. I also have backup MX using DynDNS (www.dyndns.org). I
> notice that *all* the copies of the Novarg email are coming in via the
> backup MX, then being forwarded to my box, despite all other emails (spam,
> virii/worms and real stuff) all going direct to my box...
> trying to load-balance the multiple records I believe) So, it appears that
> Novarg actually sorts the DNS responses and sends via the lowest priority MX?
> So, I guess to stop all the Novarg messages, one could create an extra MX
> record with a lower priority than anything else, and point it at some bad
> IP (reserved, localhost, some other IP you own that has no SMTP server...)
I tried this by setting up a honeypot on the lowest priority MX for
a domain. I only ran this configuration for a couple of hours, but...
not only did it seem to work, but it grabbed lots of 'normal' SPAM as well.
-- 
Dr. Everett (Skip) Carter          Phone: 831-641-0645  FAX: 831-641-0647
Taygeta Scientific Inc.            INTERNET: firstname.lastname@example.org
1340 Munras Ave., Suite 314        WWW: http://www.taygeta.com
Monterey, CA. 93940
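The decoy-MX idea discussed in the thread, worked through as an added example (this is not code from either poster): given a domain's MX set, it determines the host a standards-compliant MTA tries first, the host a sender that picks the lowest-priority (highest preference number) MX would hit, and runs a couple of sanity checks on the decoy record before it goes into a zone. The dig-style record lines and the hostnames/addresses are constructed for the example and are hypothetical.

```python
"""Decoy (lowest-priority) MX record helper.

Added example, not part of the original thread. All records below are
constructed sample data; hostnames and addresses are hypothetical.
"""

import re

# Constructed sample in the format `dig +short MX example.org` prints:
# "<preference> <exchange>." one record per line.
SAMPLE_DIG_OUTPUT = """\
10 mail.example.org.
20 mx-backup.dyndns-hypothetical.org.
90 decoy.example.org.
"""

# Hypothetical A records for the exchanges above. The decoy points at
# loopback, so no host on the Internet will ever answer on port 25 for it.
SAMPLE_A_RECORDS = {
    "mail.example.org.": "203.0.113.25",
    "mx-backup.dyndns-hypothetical.org.": "198.51.100.7",
    "decoy.example.org.": "127.0.0.1",
}


def parse_mx(text):
    """Parse dig-style MX lines into a list of (preference, exchange)."""
    records = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+)\s*$", line)
        if m:
            records.append((int(m.group(1)), m.group(2)))
    return records


def delivery_order(records):
    """Order a compliant MTA uses (RFC 5321): lowest preference value first.

    Real MTAs randomise among equal preferences; this sorts by name within
    a tier purely so the result is deterministic.
    """
    return [host for _, host in sorted(records)]


def worm_target(records):
    """Host reached by a sender that picks the *lowest-priority* MX, which is
    the behaviour the thread attributes to Novarg/Mydoom."""
    return delivery_order(records)[-1]


def decoy_checks(records, a_records):
    """Return a list of problems with the decoy record (empty means OK).

    - The decoy must hold the highest preference number alone: a tie means a
      compliant MTA may legitimately pick the decoy first within that tier.
    - The decoy must not share an address with a real exchange, otherwise
      it is not a decoy at all.
    """
    problems = []
    if len(records) < 2:
        problems.append("need at least one real MX besides the decoy")
        return problems
    top = max(pref for pref, _ in records)
    top_hosts = [host for pref, host in records if pref == top]
    if len(top_hosts) != 1:
        problems.append("preference %d is shared by %s" % (top, top_hosts))
    decoy = top_hosts[0]
    decoy_ip = a_records.get(decoy)
    if decoy_ip is None:
        problems.append("decoy %s has no address record" % decoy)
    else:
        for pref, host in records:
            if host != decoy and a_records.get(host) == decoy_ip:
                problems.append("decoy %s shares %s with real MX %s"
                                % (decoy, decoy_ip, host))
    return problems


if __name__ == "__main__":
    recs = parse_mx(SAMPLE_DIG_OUTPUT)
    print("compliant MTA tries, in order:", delivery_order(recs))
    print("lowest-priority picker hits:   ", worm_target(recs))
    print("decoy problems:", decoy_checks(recs, SAMPLE_A_RECORDS) or "none")
```

One caveat worth keeping in mind before relying on this: a compliant MTA falls through to the decoy whenever every higher-priority exchange is unreachable, so if the primary and backup MX are both down at the same time, legitimate mail will land on (or bounce off) the decoy too. Point it at an address you control and log connections rather than at something that refuses them outright, and the worst case is delayed mail rather than lost mail.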