Re: Novarg

From: Skip Carter (skip_at_taygeta.com)
Date: 01/30/04

  • Next message: Steve Bremer: "Re: Novarg"
    To: Stephen Warren <swarren-d-1077942001.8a5a89@wwwdotorg.org>
    Date: Thu, 29 Jan 2004 18:33:39 -0800

    > I notice something interesting about the SMTP route that all the
    > Novarg/Mydoom emails are taking to get to my box.
    >
    > I have a personal Linux machine that runs my SMTP server and is MX for
    > wwwdotorg.org. I also have backup MX using DynDNS (www.dyndns.org). I
    > notice that *all* the copies of the Novarg email are coming in via the
    > backup MX, then being forwarded to my box, despite all other emails (spam,
    > virii/worms and real stuff) all going direct to my box...
    ...

    > trying to load-balance the multiple records I believe) So, it appears that
    > Novarg actually sorts the DNS responses and sends via the lowest priority MX?

    ...

    > So, I guess to stop all the Novarg messages, one could create an extra MX
    > record with a lower priority than anything else, and point it at some bad
    > IP (reserved, localhost, some other IP you own that has no SMTP server...)

       I tried this by setting up a honeypot on the lowest priority MX for
    a domain. I only ran this configuration for a couple of hours, but...
    not only did it seem to work, but it grabbed lots of 'normal' SPAM as well.

    Skip

    -- 
     Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
     Taygeta Scientific Inc.        INTERNET: skip@taygeta.com
     1340 Munras Ave., Suite 314    WWW: http://www.taygeta.com
     Monterey, CA. 93940            
    
    
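The MX-selection difference the thread turns on, modelled as an added example (this is editor-supplied code, not from Skip Carter, Stephen Warren, or the list): a conforming MTA (RFC 5321) sorts MX records by ascending preference number and tries the lowest number first, falling back to the next only when a host is down; the behaviour reported for Novarg is the reverse, delivering to the record with the highest preference number, i.e. the least-preferred backup MX. The countermeasure Skip tried is to publish one extra MX with a larger preference number than every real MX, pointing at a honeypot or a host with no SMTP listener. The zone fragment, host names and preference numbers below are constructed for the example (only the domain wwwdotorg.org comes from the thread), and the "worm" ordering is the thread's description, not an analysis of the malware. `decoy_is_safe` is the check a practitioner would want before publishing the record: the decoy must carry a strictly larger preference number than all real MX hosts, since a conforming sender will still reach it when every real MX is unreachable.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed zone fragment: wwwdotorg.org is the domain named in the thread;
# the host names and preference numbers are assumptions for this example.
ZONE = """
; real MX records: primary (lowest number = most preferred) and backup
wwwdotorg.org.   IN  MX  10  mail.wwwdotorg.org.
wwwdotorg.org.   IN  MX  20  backup-mx.example.net.
; decoy MX: largest preference number of all; points at a honeypot or a
; host with no SMTP listener (assumed hostname)
wwwdotorg.org.   IN  MX  99  decoy.wwwdotorg.org.
"""

# owner [ttl] IN MX preference exchange
MX_LINE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+MX\s+(\d+)\s+(\S+)\s*$")


@dataclass(frozen=True)
class MX:
    preference: int  # RFC 5321 preference: lower number = tried first
    host: str


def parse_mx(zone: str) -> list[MX]:
    """Pull MX records out of a zone-file fragment, ignoring comments and blanks."""
    records = []
    for line in zone.splitlines():
        line = line.split(";", 1)[0].rstrip()
        if not line:
            continue
        m = MX_LINE.match(line)
        if m:
            records.append(MX(preference=int(m.group(2)), host=m.group(3)))
    return records


def rfc5321_order(records: list[MX]) -> list[MX]:
    """Order a conforming MTA tries hosts: ascending preference number."""
    return sorted(records, key=lambda r: r.preference)


def worm_order(records: list[MX]) -> list[MX]:
    """Order reported for Novarg in the thread: least-preferred MX first."""
    return sorted(records, key=lambda r: r.preference, reverse=True)


def deliver(order: list[MX], accepting: set[str]) -> str | None:
    """Return the first host in `order` with a reachable SMTP listener, or None.

    `accepting` is the set of MX hosts currently accepting connections; a
    sender walks its list and falls back when a host is down.
    """
    for r in order:
        if r.host in accepting:
            return r.host
    return None


def decoy_is_safe(records: list[MX], decoy_host: str) -> bool:
    """True if the decoy has a strictly larger preference number than every
    real MX, so a conforming sender reaches it only when all real MX are down."""
    decoy = [r.preference for r in records if r.host == decoy_host]
    real = [r.preference for r in records if r.host != decoy_host]
    return len(decoy) == 1 and bool(real) and decoy[0] > max(real)


if __name__ == "__main__":
    recs = parse_mx(ZONE)
    up = {"mail.wwwdotorg.org.", "backup-mx.example.net.", "decoy.wwwdotorg.org."}
    print("conforming sender ->", deliver(rfc5321_order(recs), up))
    print("worm-style sender  ->", deliver(worm_order(recs), up))
    print("decoy safe:", decoy_is_safe(recs, "decoy.wwwdotorg.org."))
```

With all three hosts up, a conforming sender lands on the primary and the worm-style sender on the decoy; with the primary down, the conforming sender goes to the real backup and still never touches the decoy. The caveat the check encodes is that the decoy is not invisible to legitimate mail: if every real MX is unreachable, conforming senders will try it, so a decoy that points at a dead address makes them wait for connection timeouts, whereas a honeypot that accepts the session (as in Skip's test) also sees any legitimate mail that arrives during such an outage.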