Educause Security Discussion mailing list archives
Re: latest MIMAIL is bypassing MX hosts
From: Marty Hoag <Marty.Hoag () NDSU NODAK EDU>
Date: Wed, 28 Jan 2004 16:36:42 -0600
Liudvikas Bukys wrote:
FYI, I noticed that my most recent virus email senders (shipping attachments identified as MIMAIL.R by Trend Micro) are ignoring DNS MX records and sending directly to hosts pointed to by DNS A records.
I noticed that today too, but looking at the time on Monday just before we slapped in the EXTRA.DAT, it seemed this was just a small subset of the mydoom/novarg/mimail.r e-mail. Our major mail hosts have no A records, but we have a few for which we provide anti-virus scanning that also have an A record (e.g. for web access). If you look at how mydoom (and apparently now mydoom.b, discovered today) randomly creates mail handler host names, maybe this is just one of the variations (to use the mail domain directly).

We are considering changing the mail transfer agent on at least one of those to only accept e-mail from our vaccine systems. Does anyone know of any really broken mail programs that ignore MXes? I don't recall if the MX records MUST be used if present (e.g. in RFC821 or whatever).

Marty
This may be of interest to those who point their MX record toward SMTP antivirus gateways.

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
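The exposure discussed in this thread, as an added example that is not part of the original messages: a Python audit that flags mail domains whose A record leads to an SMTP listener open to any sender, which is where mail from a sender that skips the MX lookup arrives unscanned. It also shows the "only accept e-mail from the scanning gateways" restriction as the state that closes the gap. All hostnames, addresses and ACLs are constructed sample data, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data: addresses of the anti-virus gateways the MX records point to.
GATEWAYS = {"192.0.2.10", "192.0.2.11"}

# Constructed sample data: mail domain -> addresses in its own A records.
ZONE_A = {
    "mail.example.edu": [],              # MX only, no A record
    "dept.example.edu": ["192.0.2.25"],  # A record for web access, MTA open to all
    "lab.example.edu": ["192.0.2.40"],   # A record, MTA restricted to the gateways
    "web.example.edu": ["192.0.2.80"],   # A record, nothing listening on port 25
    "gw.example.edu": ["192.0.2.10"],    # A record is the gateway itself
}

# Constructed sample data: address -> networks its MTA accepts SMTP from.
SMTP_ACL = {
    "192.0.2.25": ["0.0.0.0/0"],
    "192.0.2.40": ["192.0.2.10/32", "192.0.2.11/32"],
}

# Least to most severe; a domain is reported at its worst address.
SEVERITY = ["gateway", "no-smtp-listener", "restricted", "bypassable"]


def only_gateways_allowed(addr):
    """True when the listener's ACL admits the scanning gateways and nothing else."""
    for net in map(ipaddress.ip_network, SMTP_ACL[addr]):
        if net.num_addresses > len(GATEWAYS):
            return False  # too wide to contain gateways only
        if any(str(ip) not in GATEWAYS for ip in net):
            return False
    return True


def classify(addr):
    """Describe what a direct-to-A connection on port 25 would reach at addr."""
    if addr in GATEWAYS:
        return "gateway"
    if addr not in SMTP_ACL:
        return "no-smtp-listener"
    return "restricted" if only_gateways_allowed(addr) else "bypassable"


def audit(zone_a=ZONE_A):
    """Map each mail domain to its worst-case exposure to MX-ignoring senders."""
    report = {}
    for domain, addrs in zone_a.items():
        states = [classify(a) for a in addrs]
        report[domain] = max(states, key=SEVERITY.index) if states else "mx-only"
    return report
```

Domains reported as `bypassable` are the ones to restrict at the MTA or firewall so that only the gateway addresses can deliver to them.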
Current thread:
- latest MIMAIL is bypassing MX hosts Liudvikas Bukys (Jan 28)
- <Possible follow-ups>
- Re: latest MIMAIL is bypassing MX hosts Marty Hoag (Jan 28)