RE: Novarg

From: Nick FitzGerald (nick_at_virus-l.demon.co.uk)
Date: 01/31/04

  • Next message: lennons_at_comcast.net: "Re: Good Advice Re: Anti-Virus Companies had a Virus Update Almost Immediately for MyDoom"
    Date: Sat, 31 Jan 2004 17:31:26 +1300
    To: incidents@securityfocus.com
    
    

    steve bernacki <virus@f.copacetic.net> wrote:

    > > I also have backup MX using DynDNS (www.dyndns.org). I
    > > notice that *all* the copies of the Novarg email are coming in via the
    > > backup MX, then being forwarded to my box, despite all other emails (spam,
    > > virii/worms and real stuff) all going direct to my box...
    >
    > I don't recall which of the many recent mailer virii/worms also did this,

    Probably Sobig.

    I mean, Sobig did it and it was probably discussion of this "feature"
    in Sobig that you are recalling (I think it was discussed here).

    > but it was theorized that this was done intentionally under the hope
    > that a site's backup MX server may not have the same level of A/V scanning
    > that the primary has. Such a scenario could allow the virus to enter
    > through the side door rather than the more heavily guarded main entrance.

    Indeed. Many secondary (or lower) MX handlers are "out of domain" and
    thus, acting as relays, have to accept all mail for the domains they
    are secondaries for. The theory was, IIRC, that in some cases the
    lower priority MX handlers would have direct access to the "internal"
    mail servers, some of which have been configured with the expectation
    that virus scanning will be done at the primary MX (usually a relay in
    the DMZ). As secondary MX service is something of a "courtesy
    function", and usually a fairly bare-bones option "included in the
    price" offered by service providers, it would generally be expected
    that the secondary servers would not have content scanning, etc
    (because this is usually an added price or "premium" option). What
    proportion of sites would actually be "open" through such design
    decisions I have no idea.

    Regards,

    Nick FitzGerald
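A defender-side check for the pattern discussed above (mail that enters through a lower-priority MX and so may have skipped the scanning done at the primary), as an added example that is not part of the original thread. The MX hostnames, preferences and Received headers below are constructed for illustration; a real deployment would read the MX list from DNS or the mail configuration.

```python
"""Flag messages that entered the mail path via a backup MX.

Added example, not code from the original post. The MX layout and the
sample messages are constructed; only the hop-walking logic is general.
"""
import email
from email import policy
from typing import Optional

# Hypothetical MX layout for example.net (lower preference = higher priority).
MX_HOSTS = {
    "mx1.example.net": 10,             # primary, does content scanning
    "backup-mx.isp-example.org": 20,   # out-of-domain secondary, bare relay
}
PRIMARY = min(MX_HOSTS, key=MX_HOSTS.get)


def entry_mx(raw_message: str) -> Optional[str]:
    """Return the MX handler at which the message first entered our path.

    Each hop prepends a Received header, so the last one in header order
    is the oldest. Walk oldest-to-newest and return the first 'by' host
    that is one of our MX handlers; None if no known handler appears.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    for received in reversed(msg.get_all("Received", [])):
        for host in MX_HOSTS:
            if f"by {host}" in received:
                return host
    return None


def entered_via_backup(raw_message: str) -> bool:
    """True when the message bypassed the primary MX (worth re-scanning)."""
    host = entry_mx(raw_message)
    return host is not None and host != PRIMARY


# Constructed sample: delivered directly through the primary MX.
DIRECT = """Received: from mx1.example.net by mailstore.example.net; Sat, 31 Jan 2004
Received: from sender.example.com by mx1.example.net; Sat, 31 Jan 2004
Subject: test

hello
"""

# Constructed sample: relayed in through the secondary, as described in the post.
VIA_BACKUP = """Received: from backup-mx.isp-example.org by mailstore.example.net; Sat, 31 Jan 2004
Received: from sender.example.com by backup-mx.isp-example.org; Sat, 31 Jan 2004
Subject: hi

hi
"""
```

Running `entered_via_backup` over a mail store's messages gives a quick count of how much traffic actually arrives through the "side door", which is the proportion the post says is unknown.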


