Security Incidents mailing list archives
RE: Novarg
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sat, 31 Jan 2004 17:31:26 +1300
steve bernacki <virus () f copacetic net> wrote:
> I also have backup MX using DynDNS (www.dyndns.org). I notice that *all* the copies of the Novarg email are coming in via the backup MX, then being forwarded to my box, despite all other emails (spam, virii/worms and real stuff) all going direct to my box... I don't recall which of the many recent mailer virii/worms also did this,
Probably Sobig. I mean, Sobig did it and it was probably discussion of this "feature" in Sobig that you are recalling (I think it was discussed here).
> but it was theorized that this was done intentionally under the hope that a site's backup MX server may not have the same level of A/V scanning that the primary has. Such a scenario could allow the virus to enter through the side door rather than the more heavily guarded main entrance.
Indeed. Many secondary (or lower) MX handlers are "out of domain" and thus, acting as relays, have to accept all mail for the domains they are secondaries for. The theory was, IIRC, that in some cases the lower priority MX handlers would have direct access to the "internal" mail servers, some of which have been configured with the expectation that virus scanning will be done at the primary MX (usually a relay in the DMZ). As secondary MX service is something of a "courtesy function", and usually a fairly bare-bones option "included in the price" offered by service providers, it would generally be expected that the secondary servers would not have content scanning, etc. (because this is usually an added price or "premium" option). What proportion of sites would actually be "open" through such design decisions I have no idea.

Regards,

Nick FitzGerald
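As an added illustration of the "side door" the thread describes (example code written for this archive page, not something posted by either participant): a small Python helper that parses the MX answer section of a dig query, orders the hosts the way a normal MTA would try them (lowest preference value first), picks the host a sender deliberately avoiding the primary would land on, and lists every MX host that is not known to run content scanning. The domain, hostnames and preference values in SAMPLE_DIG_OUTPUT are constructed for illustration, and the assumption that a worm targets the highest-preference-number host is a model of the behaviour theorised above, not a verified property of Novarg.

```python
"""
Model of the 'backup MX side door' discussed in the thread.

Added example, not code from the original post. The MX records below are
constructed for illustration; run `dig MX <your-domain>` and feed the answer
section to parse_mx() to audit a real domain.
"""
import re
from typing import Iterable

# Constructed dig-style answer section for a hypothetical domain.
SAMPLE_DIG_OUTPUT = """\
example.test.        3600    IN    MX    10 mail.example.test.
example.test.        3600    IN    MX    20 mx2.example.test.
example.test.        3600    IN    MX    30 backup.dyndns-provider.test.
"""

# owner ttl IN MX <preference> <exchange>   (trailing dot on the exchange is optional)
MX_RE = re.compile(r"^\S+\s+\d+\s+IN\s+MX\s+(\d+)\s+(\S+?)\.?$")


def parse_mx(dig_text: str) -> list[tuple[int, str]]:
    """Return (preference, host) pairs in the order a compliant MTA tries them:
    lowest preference value first (RFC 5321, section 5.1)."""
    records = []
    for line in dig_text.splitlines():
        m = MX_RE.match(line.strip())
        if m:
            records.append((int(m.group(1)), m.group(2).lower()))
    return sorted(records)


def primary_mx(records: list[tuple[int, str]]) -> str:
    """The 'main entrance': the host ordinary senders deliver to first."""
    return records[0][1]


def worm_target(records: list[tuple[int, str]]) -> str:
    """Modelled assumption (not verified against Novarg): a sender that wants to
    avoid the primary picks the host with the highest preference number."""
    return max(records)[1]


def side_doors(records: list[tuple[int, str]],
               scanning_hosts: Iterable[str]) -> list[str]:
    """Every MX host that accepts mail for the domain but is not in the set of
    hosts known to run content scanning. Each one is a path that bypasses the
    scanner on the primary, so each needs to be tested or given a filter."""
    scanned = {h.lower() for h in scanning_hosts}
    return [host for _, host in records if host not in scanned]


if __name__ == "__main__":
    mx = parse_mx(SAMPLE_DIG_OUTPUT)
    print("primary MX :", primary_mx(mx))
    print("worm target:", worm_target(mx))
    # Only the primary is assumed to scan; the two lower-priority hosts are open.
    print("side doors :", side_doors(mx, scanning_hosts={"mail.example.test"}))
```

The practical check is the last call: every host returned by side_doors() accepts mail for the domain, so each must either scan content itself or be covered by a scanner on the path between it and the internal server; otherwise the primary MX's scanning provides no protection against a sender that simply connects to a lower-priority host.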
Current thread:
- RE: Novarg Nick FitzGerald (Feb 02)
- <Possible follow-ups>
- Re: Novarg mgotts (Feb 02)
- RE: Novarg Smith, David (Feb 02)