Re: Novarg

From: Skip Carter
Date: 01/30/04

  • Next message: Steve Bremer: "Re: Novarg"
    To: Stephen Warren
    Date: Thu, 29 Jan 2004 18:33:39 -0800

    > I notice something interesting about the SMTP route that all the
    > Novarg/Mydoom emails are taking to get to my box.
    > I have a personal Linux machine that runs my SMTP server and is MX for
    > I also have backup MX using DynDNS ( I
    > notice that *all* the copies of the Novarg email are coming in via the
    > backup MX, then being forwarded to my box, despite all other emails (spam,
    > virii/worms and real stuff) all going direct to my box...
    > trying to load-balance the multiple records I believe) So, it appears that
    > Novarg actually sorts the DNS responses and sends via the lowest priority MX?


    > So, I guess to stop all the Novarg messages, one could create an extra MX
    > record with a lower priority than anything else, and point it at some bad
    > IP (reserved, localhost, some other IP you own that has no SMTP server...)

       I tried this by setting up a honeypot on the lowest priority MX for
    a domain. I only ran this configuration for a couple of hours, but...
    not only did it seem to work, but it grabbed lots of 'normal' SPAM as well.


     Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
     Taygeta Scientific Inc.        INTERNET:
     1340 Munras Ave., Suite 314    WWW:
     Monterey, CA. 93940            
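
The decoy-MX idea discussed above can be checked against merged connection logs from every MX host. The following is an added example, not part of the original message: it assumes "lowest priority" means the highest MX preference number, and all hostnames, addresses and log entries are constructed.

```python
from collections import defaultdict

# Constructed sample data (not from the original message).
# MX records as (preference, host); compliant senders try the lowest number first.
MX_RECORDS = [(10, "mail.example.org"), (20, "backup.example.org"),
              (90, "trap.example.org")]

# Constructed merged log: (client IP, MX host the client connected to).
CONNECTIONS = [
    ("192.0.2.10", "mail.example.org"),
    ("192.0.2.10", "mail.example.org"),
    ("198.51.100.7", "trap.example.org"),
    ("198.51.100.7", "trap.example.org"),
    ("203.0.113.5", "mail.example.org"),
    ("203.0.113.5", "backup.example.org"),
    ("203.0.113.99", "backup.example.org"),
]

def delivery_order(mx_records):
    """Hosts in the order a standards-following sender tries them."""
    return [host for _, host in sorted(mx_records)]

def least_preferred(mx_records):
    """All hosts sharing the highest preference number (the decoy slot)."""
    worst = max(pref for pref, _ in mx_records)
    return {host for pref, host in mx_records if pref == worst}

def classify_clients(mx_records, connections):
    """Label each client by which MX hosts it was seen connecting to."""
    decoys = least_preferred(mx_records)
    primary = delivery_order(mx_records)[0]
    seen = defaultdict(set)
    for client, host in connections:
        seen[client].add(host)
    verdicts = {}
    for client, hosts in seen.items():
        if hosts <= decoys:
            verdicts[client] = "decoy-only"       # never tried a better MX
        elif primary not in hosts:
            verdicts[client] = "skipped-primary"  # may be legitimate failover
        else:
            verdicts[client] = "normal"
    return verdicts

if __name__ == "__main__":
    for client, verdict in sorted(classify_clients(MX_RECORDS, CONNECTIONS).items()):
        print(client, verdict)
```

A "skipped-primary" verdict is only a hint: a sender that found the primary unreachable will look the same, so compare it against primary downtime before acting on it.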
