Full Disclosure mailing list archives
RE: Partial protection against MyDoom
From: "ragdelaed" <ragdelaed () catholic org>
Date: Thu, 12 Feb 2004 23:35:16 -0500
If you look at the source, it's not using MX records. It's guessing. It gets the domain name, then prepends mx., mail., smtp., mx1., mxs., mail1., relay., ns., and gate. to the domain name and sends itself off. Since most companies call their SMTP outbounds relay or smtp or mail, it gets lucky. A lot. Sux, but it's kinda smart.

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Tomasz Grabowski
Sent: Thursday, February 12, 2004 7:44 PM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Partial protection against MyDoom

Hello.

I have not been able to find similar information on the Internet, so I'm posting it here. Maybe someone will find it a solution to the MyDoom e-mail flood. But if it is already known, sorry for wasting your time.

* * *

It looks like MyDoom is not using the MX flag of a particular domain. Look at the following example:

$ host -t ANY domain.example.com
[snip]
                7200    ;retry refresh this often
                3600000 ;expiration period
                172800  ;minimum TTL
                )
domain.example.com mail is handled (pri=0) by mail.domain.example.com

This is a common example of the configuration of a 'big' domain. You can see that the MX for this domain is mail.domain.example.com. There is in fact no such host as domain.example.com. If you try to look up such a configured domain directly, you will end up with "domain.example.com: Non-existent host".

If you have a similar situation and you are still suffering from an enormous amount of MyDoom e-mails, you can configure your domain like this:

$ host -t ANY domain.example.com
[snip]
                7200    ;retry refresh this often
                3600000 ;expiration period
                172800  ;minimum TTL
                )
domain.example.com has address 127.0.0.1
domain.example.com mail is handled (pri=0) by mail.domain.example.com

It should not affect your domain (real SMTP servers will use the MX flag and send e-mails to mail.domain.example.com) but MyDoom will be using this 127.0.0.1 address instead, thus your domain will be protected.

Opinions are welcome.

Regards,
--
Tomasz Grabowski
Technical University of Szczecin, +48 (91)4494234
Academic Centre of Computer Science
www.man.szczecin.pl

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
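The two delivery strategies the thread contrasts (an MTA following the MX record versus a sender that ignores MX and guesses host names) can be modelled offline against a small zone. This is an added example, not code from the thread or from either poster; the zone contents, the function names and the 192.0.2.25 relay address are assumptions for illustration, and the prefix list is the one quoted in the reply above.

```python
# Added example, not from the thread: an offline model of the two ways a
# sender can pick a delivery host, run against a constructed zone. The zone
# contents, prefix list order and function names are assumptions for
# illustration; the prefixes are the ones ragdelaed lists in the reply above.

# Constructed zone for domain.example.com after Tomasz's change: the bare
# name carries an A record of 127.0.0.1 while the MX still names mail.
ZONE = {
    "domain.example.com": {"A": ["127.0.0.1"],
                           "MX": [(0, "mail.domain.example.com")]},
    "mail.domain.example.com": {"A": ["192.0.2.25"]},  # TEST-NET-1, constructed
}

# Host-name prefixes the reply says the worm tries instead of an MX lookup.
GUESSED_PREFIXES = ["mx", "mail", "smtp", "mx1", "mxs", "mail1", "relay", "ns", "gate"]

def resolve_a(zone, name):
    """A-record lookup in the constructed zone; [] when the name does not exist."""
    return zone.get(name, {}).get("A", [])

def mx_delivery_target(zone, domain):
    """How a real MTA picks the relay: lowest-preference MX whose host resolves,
    falling back to the domain's own A record. Returns (host, address)."""
    for _pref, host in sorted(zone.get(domain, {}).get("MX", [])):
        addrs = resolve_a(zone, host)
        if addrs:
            return host, addrs[0]
    addrs = resolve_a(zone, domain)
    return (domain, addrs[0]) if addrs else (None, None)

def guessed_delivery_targets(zone, domain):
    """How the thread describes the worm choosing: ignore MX, try the bare
    domain and each prefixed name, keep whatever has an A record."""
    candidates = [domain] + [f"{p}.{domain}" for p in GUESSED_PREFIXES]
    return [(name, addr) for name in candidates for addr in resolve_a(zone, name)]

def audit(zone, domain):
    """Defender's view of the 127.0.0.1 trick: does the bare-domain attempt
    land on loopback, and which guessed names still reach a real host?"""
    bare = resolve_a(zone, domain)
    reachable = [name for name, addr in guessed_delivery_targets(zone, domain)
                 if not addr.startswith("127.")]
    return {
        "mx_target": mx_delivery_target(zone, domain),
        "bare_domain_sinks_to_loopback": bool(bare) and all(a.startswith("127.") for a in bare),
        "guessed_names_reaching_real_hosts": reachable,
    }

if __name__ == "__main__":
    print(audit(ZONE, "domain.example.com"))
```

For the zone above the report shows the loopback record absorbing the bare-domain attempt while the guessed name mail.domain.example.com still resolves to the real relay, which is why the subject line says the protection is only partial.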