Security Incidents mailing list archives
Re: Novarg
From: Robin Sheat <robin () kallisti net nz>
Date: Fri, 30 Jan 2004 12:54:12 +1300
On Wed, Jan 28, 2004 at 08:19:57PM -0800, Stephen Warren wrote:
> wwwdotorg.org. I also have backup MX using DynDNS (www.dyndns.org). I notice
> that *all* the copies of the Novarg email are coming in via the backup MX,
> then being forwarded to my box, despite all other emails (spam,

It seems to me that this would cause more bounce messages to be generated: rather than the primary MX rejecting the worm's connection, it rejects the secondary MX connection, which would cause the secondary to then generate a bounce to the (forged) sender address. If all the connections were to the primary MX, then no (or very few) bounces would be generated.

If that is what is going on, it is a cunning ploy to get the worm instance to have another go at getting to a real person's inbox. It also explains why so many copies that I get are 'unknown user' bounces (as opposed to stupid virus scanner "you are infected, and here is a copy of what you sent for good measure" bounces).

-- 
Robin <robin () kallisti net nz> JabberID: <eythian () jabber org>
Hostes alienigeni me abduxerunt. Qui annus est?
PGP Key 0x776DB663 Fingerprint=DD10 5C62 1E29 A385 9866 0853 CD38 E07A 776D B663
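
The bounce behaviour described in the message above, modelled as a small simulation. This is an added example, not part of the original post; the host names, addresses and mail list are constructed, and the case where the backup MX holds its own recipient list goes beyond what the post discusses.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: (forged envelope sender, recipient) pairs sent by a worm.
WORM_MAIL = [
    ("victim1@forged.test", "nosuchuser@example.test"),
    ("victim2@forged.test", "alice@example.test"),
    ("victim3@forged.test", "bob123@example.test"),
    ("victim4@forged.test", "sales99@example.test"),
]

@dataclass
class MX:
    name: str
    valid_rcpts: Optional[set]        # None: no recipient list, accepts anything
    relay_to: Optional["MX"] = None   # next hop (the primary), if this is a backup
    bounces: list = field(default_factory=list)
    delivered: list = field(default_factory=list)

    def receive(self, mail_from, rcpt):
        """Return True if the message is accepted, False if rejected in-session."""
        if self.valid_rcpts is not None and rcpt not in self.valid_rcpts:
            # Rejected during the SMTP session: the failure stays with the
            # connecting client. A worm's own SMTP engine sends no bounce.
            return False
        if self.relay_to is None:
            self.delivered.append(rcpt)
        elif not self.relay_to.receive(mail_from, rcpt):
            # This host already accepted the message, so it is now responsible
            # for it and bounces to the envelope sender, which is forged.
            self.bounces.append(mail_from)
        return True

def run(target, secondary_validates):
    """Send WORM_MAIL to 'primary' or 'backup'; return (bounces, delivered)."""
    rcpts = {"alice@example.test"}
    primary = MX("primary", rcpts)
    backup = MX("backup", rcpts if secondary_validates else None, relay_to=primary)
    first_hop = backup if target == "backup" else primary
    for mail_from, rcpt in WORM_MAIL:
        first_hop.receive(mail_from, rcpt)
    return len(primary.bounces) + len(backup.bounces), len(primary.delivered)

if __name__ == "__main__":
    print("direct to primary:        ", run("primary", False))
    print("via backup, no rcpt list: ", run("backup", False))
    print("via backup, with rcpt list:", run("backup", True))
```
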