RE: Novarg
From: Nick FitzGerald (nick_at_virus-l.demon.co.uk)
Date: 01/31/04
- Previous message: Glenn Forbes Fleming Larratt: "Re: exact signature for mydoom / novarg"
- Next in thread: Smith, David: "RE: Novarg"
- Maybe reply: Smith, David: "RE: Novarg"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 31 Jan 2004 17:31:26 +1300
To: incidents@securityfocus.com
steve bernacki <virus@f.copacetic.net> wrote:
> > I also have backup MX using DynDNS (www.dyndns.org). I
> > notice that *all* the copies of the Novarg email are coming in via the
> > backup MX, then being forwarded to my box, despite all other emails (spam,
> > virii/worms and real stuff) all going direct to my box...
>
> I don't recall which of the many recent mailer virii/worms also did this,
Probably Sobig.
I mean, Sobig did it and it was probably discussion of this "feature"
in Sobig that you are recalling (I think it was discussed here).
> but it was theorized that this was done intentionally under the hope
> that a site's backup MX server may not have the same level of A/V scanning
> that the primary has. Such a scenario could allow the virus to enter
> through the side door rather than the more heavily guarded main entrance.
Indeed. Many secondary (or lower) MX handlers are "out of domain" and
thus, acting as relays, have to accept all mail for the domains they
are secondaries for. The theory was, IIRC, that in some cases the
lower priority MX handlers would have direct access to the "internal"
mail servers, some of which have been configured with the expectation
that virus scanning will be done at the primary MX (usually a relay in
the DMZ). As secondary MX service is something of a "courtesy
function", and usually a fairly bare-bones option "included in the
price" offered by service providers, it would generally be expected
that the secondary servers would not have content scanning, etc.
(because this is usually an added-price or "premium" option). What
proportion of sites would actually be "open" through such design
decisions I have no idea.
Regards,
Nick FitzGerald
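The check a mail admin would want after reading the above is whether a given message actually crossed the boundary at the primary MX (where the scanner sits) or at a backup MX that relays straight to the internal server. The script below is an added example, not code from the thread or from either poster. The domain example.net, the hosts mx1/mx2/mail.internal.example.net, the MX preferences and the Received headers are all constructed for illustration; it walks the Received chain of a message (oldest hop first) and reports which of "our" MX hosts first accepted it from the outside, and whether the primary ever saw it. It also shows the two MX orderings side by side: the one a compliant MTA uses and the reversed one a worm would use to aim for the side door.

```python
"""Spot mail that entered via a backup MX instead of the scanned primary.

Added example, not from the original thread. All MX records, host names
and Received headers below are constructed for illustration.
"""
import re
from typing import List, Optional, Tuple

# Constructed MX set for the hypothetical domain example.net.
# (preference, exchanger): lower preference = higher priority (RFC 5321).
MX_RECORDS = [
    (10, "mx1.example.net"),   # primary, does content scanning
    (20, "mx2.example.net"),   # backup, bare-bones courtesy relay
]


def mta_order(records: List[Tuple[int, str]]) -> List[str]:
    """Order a compliant sending MTA tries exchangers: lowest preference first."""
    return [host for _, host in sorted(records)]


def backup_first_order(records: List[Tuple[int, str]]) -> List[str]:
    """Reversed order: the backup MX is tried first, the primary last."""
    return [host for _, host in sorted(records, reverse=True)]


def unfold(headers: str) -> List[str]:
    """Join folded header continuation lines (leading space or tab)."""
    out: List[str] = []
    for line in headers.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


RECEIVED_RE = re.compile(r"^Received:\s+from\s+(\S+).*?\s+by\s+(\S+)")


def received_hops(headers: str) -> List[Tuple[str, str]]:
    """Return (from, by) pairs of every Received header, most recent first."""
    hops = []
    for line in unfold(headers):
        m = RECEIVED_RE.match(line)
        if m:
            hops.append((m.group(1).lower(), m.group(2).lower()))
    return hops


def entry_mx(headers: str, exchangers: List[str]) -> Optional[str]:
    """Our MX host that first accepted the message from outside, if any.

    Received headers are prepended as the mail travels, so the earliest
    hop is the last one in the list; walk them oldest-first.
    """
    ours = {h.lower() for h in exchangers}
    for _frm, by in reversed(received_hops(headers)):
        if by in ours:
            return by
    return None


def via_backup(headers: str, records: List[Tuple[int, str]]) -> bool:
    """True if the message entered through an MX other than the primary."""
    primary = mta_order(records)[0]
    entry = entry_mx(headers, [h for _, h in records])
    return entry is not None and entry != primary


def passed_primary(headers: str, records: List[Tuple[int, str]]) -> bool:
    """True if the primary (scanning) MX handled the message at any hop."""
    primary = mta_order(records)[0]
    return any(by == primary for _, by in received_hops(headers))


# Constructed message that came in the front door: remote host -> mx1 -> internal.
DIRECT_MSG = """Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby mail.internal.example.net (Postfix) with ESMTP id 1A2B3C
\tfor <user@example.net>; Sat, 31 Jan 2004 17:31:26 +1300
Received: from [203.0.113.7] (unknown [203.0.113.7])
\tby mx1.example.net (Postfix) with SMTP id 9F8E7D
\tfor <user@example.net>; Sat, 31 Jan 2004 17:31:20 +1300
Subject: hello
"""

# Constructed message that came in the side door: remote host -> mx2 -> internal,
# never touching the scanning primary.
SIDE_DOOR_MSG = """Received: from mx2.example.net (mx2.example.net [198.51.100.20])
\tby mail.internal.example.net (Postfix) with ESMTP id 4D5E6F
\tfor <user@example.net>; Sat, 31 Jan 2004 17:32:01 +1300
Received: from [203.0.113.7] (unknown [203.0.113.7])
\tby mx2.example.net (Postfix) with SMTP id 7A8B9C
\tfor <user@example.net>; Sat, 31 Jan 2004 17:31:55 +1300
Subject: hello
"""

if __name__ == "__main__":
    print("MTA order        :", mta_order(MX_RECORDS))
    print("backup-first     :", backup_first_order(MX_RECORDS))
    for name, msg in (("direct", DIRECT_MSG), ("side door", SIDE_DOOR_MSG)):
        print(f"{name:10} entry={entry_mx(msg, [h for _, h in MX_RECORDS])} "
              f"via_backup={via_backup(msg, MX_RECORDS)} "
              f"passed_primary={passed_primary(msg, MX_RECORDS)}")
```

Run against real mail, the interesting output is a message for which via_backup is true and passed_primary is false: that is exactly the path Nick describes, where the backup relays into the internal server and the primary's scanner never sees the content. Note that Received headers added by hosts outside your control can be forged; only trust the hops written by your own machines, which is why the check keys on the "by" host rather than the "from" host.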