Educause Security Discussion mailing list archives

Re: latest MIMAIL is bypassing MX hosts


From: Marty Hoag <Marty.Hoag () NDSU NODAK EDU>
Date: Wed, 28 Jan 2004 16:36:42 -0600

Liudvikas Bukys wrote:

FYI, I noticed that my most recent virus email senders
(shipping attachments identified as MIMAIL.R by Trend Micro)
are ignoring DNS MX records and sending directly to hosts
pointed to by DNS A records.

   I noticed that today too but looking at the time on Monday
just before we slapped in the EXTRA.DAT, it seemed this was
just a small subset of the mydoom/novarg/mimail.r e-mail.
Our major mail hosts have no A records but we have a few
for which we provide anti-virus scanning that also have an
A record (e.g. for web access). If you look at how mydoom
(and apparently now mydoom.b discovered today) randomly
create mail handler host names maybe this is just one of
the variations (to use the mail domain directly).

   We are considering changing the mail transfer agent on
at least one of those to only accept e-mail from our vaccine
systems. Does anyone know of any really broken mail programs
that ignore MXes? I don't recall if the MX records MUST be
used if present (e.g. in RFC821 or whatever).

   Marty


This may be of interest to those who point their MX record
toward SMTP antivirus gateways.
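As an added illustration of the exposure discussed in this thread (not code from either poster), the following script does two defender-side checks: it lists the addresses a sender reaches when it ignores MX records and resolves the bare mail domain's A record instead, and it scans smtpd connection logs on such a host for peers outside the scanning gateways' network. The domain, hostnames, addresses and log lines are constructed; the log format assumed is the Postfix "connect from" line.

```python
import ipaddress
import re

# Constructed DNS snapshot for a hypothetical campus domain (example.edu is a
# placeholder, not a host from the thread). MX points at the AV gateways;
# the bare domain also has an A record for web access.
DNS = {
    "example.edu": {"MX": ["avgw1.example.edu", "avgw2.example.edu"],
                    "A": ["192.0.2.10"]},
    "avgw1.example.edu": {"A": ["192.0.2.21"]},
    "avgw2.example.edu": {"A": ["192.0.2.22"]},
}

def direct_delivery_targets(dns, domain):
    """Return A-record addresses of `domain` that are not addresses of any MX
    target. A sender that ignores MX records connects to exactly these
    addresses, bypassing the scanning gateways the MX records point at."""
    mx_addrs = set()
    for mx in dns.get(domain, {}).get("MX", []):
        mx_addrs.update(dns.get(mx, {}).get("A", []))
    return [a for a in dns.get(domain, {}).get("A", []) if a not in mx_addrs]

# Constructed smtpd connection log lines in Postfix "connect from" style.
LOG = """\
Jan 28 16:01:02 www postfix/smtpd[2201]: connect from avgw1.example.edu[192.0.2.21]
Jan 28 16:02:15 www postfix/smtpd[2202]: connect from unknown[203.0.113.77]
Jan 28 16:03:40 www postfix/smtpd[2203]: connect from avgw2.example.edu[192.0.2.22]
Jan 28 16:05:09 www postfix/smtpd[2204]: connect from unknown[198.51.100.9]
"""
CONNECT_RE = re.compile(r"smtpd\[\d+\]: connect from \S+\[([0-9.]+)\]")

def bypass_connections(log_text, allowed_cidrs):
    """Return source IPs of inbound SMTP connections that did not come from
    the allowed gateway networks, i.e. mail that skipped the MX path."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    hits = []
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group(1))
        if not any(ip in net for net in allowed):
            hits.append(str(ip))
    return hits

if __name__ == "__main__":
    print(direct_delivery_targets(DNS, "example.edu"))   # ['192.0.2.10']
    print(bypass_connections(LOG, ["192.0.2.20/30"]))    # ['203.0.113.77', '198.51.100.9']
```

Any address reported by the second check is a candidate for the restriction Marty describes: the MTA on that host should accept SMTP only from the gateway network.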

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.

