Security Incidents mailing list archives

RE: Novarg


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sat, 31 Jan 2004 17:31:26 +1300

steve bernacki <virus () f copacetic net> wrote:

> I also have backup MX using DynDNS (www.dyndns.org). I
> notice that *all* the copies of the Novarg email are coming in via the
> backup MX, then being forwarded to my box, despite all other emails (spam,
> virii/worms and real stuff) all going direct to my box...

> I don't recall which of the many recent mailer virii/worms also did this,

Probably Sobig.

I mean, Sobig did it and it was probably discussion of this "feature" 
in Sobig that you are recalling (I think it was discussed here).

> but it was theorized that this was done intentionally under the hope
> that a site's backup MX server may not have the same level of A/V scanning
> that the primary has.  Such a scenario could allow the virus to enter
> through the side door rather than the more heavily guarded main entrance.

Indeed.  Many secondary (or lower) MX handlers are "out of domain" and 
thus, acting as relays, have to accept all mail for the domains they 
are secondaries for.  The theory was, IIRC, that in some cases the 
lower priority MX handlers would have direct access to the "internal" 
mail servers, some of which have been configured with the expectation 
that virus scanning will be done at the primary MX (usually a relay in 
the DMZ).  As secondary MX service is something of a "courtesy 
function", and usually a fairly bare-bones option "included in the 
price" offered by service providers, it would generally be expected 
that the secondary servers would not have content scanning, etc 
(because this is usually an added price or "premium" option).  What 
proportion of sites would actually be "open" through such design 
decisions I have no idea.


Regards,

Nick FitzGerald
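The pattern discussed in this thread (a mailer worm reaching the internal mail store through a lower-priority, out-of-domain backup MX that does no content scanning) is easy to audit for from the receiving side. The following is an added example, not code from either poster: it takes a constructed MX table for a hypothetical domain, flags MX hosts that sit outside the domain they serve, and walks the Received: chain of a message (oldest hop first) to decide whether the message first entered the site's infrastructure via a backup MX rather than the primary. The domain, host names, addresses and sample messages are all made up for the example.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed MX table (assumption: hypothetical domain, not real DNS data).
# Lower preference value = higher priority, as in DNS MX semantics.
MX_RECORDS = [
    (10, "mail.example.org"),                 # primary, in-domain, scans content
    (20, "mx2.dyndns-backup.example.net"),    # out-of-domain courtesy secondary
]
DOMAIN = "example.org"

# Matches the receiving host in a Received: header clause ("... by <host> ...").
RECEIVED_BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def out_of_domain_mx(domain: str, records) -> list:
    """Return MX hosts that are not under the domain they accept mail for.

    Such hosts act as relays and must accept all mail for the domain, so
    they are the ones most likely to lack the primary's content scanning.
    """
    return [
        host for _, host in records
        if not (host == domain or host.endswith("." + domain))
    ]


def parse_message(raw: str) -> Message:
    """Parse an RFC 2822 message from text (folded headers are handled)."""
    return message_from_string(raw)


def entry_mx(msg: Message, records):
    """Find the first of our MX hosts that accepted this message.

    Received: headers are prepended by each hop, so the bottom-most header
    is the oldest; walking them in reverse gives the path in delivery order.
    Returns (preference, host) or None if no known MX appears in the chain.
    """
    known = {host.lower(): pref for pref, host in records}
    for header in reversed(msg.get_all("Received", [])):
        match = RECEIVED_BY_RE.search(header)
        if match and match.group(1).lower() in known:
            host = match.group(1).lower()
            return known[host], host
    return None


def entered_via_backup(msg: Message, records) -> bool:
    """True if the message entered through any MX other than the primary."""
    entry = entry_mx(msg, records)
    if entry is None:
        return False
    primary_pref = min(pref for pref, _ in records)
    return entry[0] != primary_pref


# Constructed sample: a message that came in via the secondary MX, then was
# relayed to the primary (the pattern steve observed for Novarg copies).
SAMPLE_VIA_BACKUP = """Received: from mx2.dyndns-backup.example.net (mx2.dyndns-backup.example.net [192.0.2.20])
    by mail.example.org with ESMTP id abc123
    for <user@example.org>; Fri, 30 Jan 2004 10:02:11 +1300
Received: from unknown (HELO workstation) (198.51.100.7)
    by mx2.dyndns-backup.example.net with SMTP; Fri, 30 Jan 2004 10:01:58 +1300
From: someone@example.net
To: user@example.org
Subject: constructed sample

body
"""

# Constructed sample: a message delivered straight to the primary MX.
SAMPLE_DIRECT = """Received: from somehost.example.com (somehost.example.com [198.51.100.9])
    by mail.example.org with ESMTP id def456
    for <user@example.org>; Fri, 30 Jan 2004 10:05:00 +1300
From: other@example.com
To: user@example.org
Subject: constructed sample

body
"""


def audit(raw: str) -> dict:
    """Summarise one message: entry MX and whether it bypassed the primary."""
    msg = parse_message(raw)
    return {
        "entry": entry_mx(msg, MX_RECORDS),
        "via_backup": entered_via_backup(msg, MX_RECORDS),
    }


if __name__ == "__main__":
    print("out-of-domain MX hosts:", out_of_domain_mx(DOMAIN, MX_RECORDS))
    for raw in (SAMPLE_VIA_BACKUP, SAMPLE_DIRECT):
        print(audit(raw))
```

Run against real mail, the `via_backup` flag is a useful counter to graph: a sudden rise in messages entering through the secondary while the primary is reachable is exactly the signature described above, and the `out_of_domain_mx` list tells you which relays need the same scanning policy as the primary (or should be made unable to reach the internal servers directly).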

