Security Incidents mailing list archives

Re: Novarg


From: Robin Sheat <robin () kallisti net nz>
Date: Fri, 30 Jan 2004 12:54:12 +1300

On Wed, Jan 28, 2004 at 08:19:57PM -0800, Stephen Warren wrote:
> wwwdotorg.org. I also have backup MX using DynDNS (www.dyndns.org). I
> notice that *all* the copies of the Novarg email are coming in via the
> backup MX, then being forwarded to my box, despite all other emails (spam,
It seems to me that this would cause more bounce messages to be
generated: rather than the primary MX rejecting the worm's connection,
it rejects the secondary MX's connection, which causes the secondary
to then generate a bounce to the (forged) sender address. If all the
connections were to the primary MX, then no (or very few) bounces would
be generated.

If that is what is going on, it is a cunning ploy to get the worm
instance to have another go at getting to a real person's inbox. It also
explains why so many copies that I get are 'unknown user' bounces (as
opposed to stupid virus scanner "you are infected, and here is a copy of
what you sent for good measure" bounces).

-- 
Robin <robin () kallisti net nz>                 JabberID: <eythian () jabber org>

Hostes alienigeni me abduxerunt. Qui annus est?

PGP Key 0x776DB663 Fingerprint=DD10 5C62 1E29 A385 9866 0853 CD38 E07A 776D B663
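The relay chain described above, as an added example that is not part of the original thread: a toy model of a primary MX that rejects unknown recipients at RCPT TO, a backup MX that accepts every recipient and therefore has to bounce to the forged sender once the primary refuses, and a backup MX that verifies recipients against the primary before accepting. Host names, mailboxes and the forged sender address are constructed.

```python
"""Backscatter model: why a backup MX that accepts mail for any recipient turns
a worm's forged-sender deliveries into bounces. Constructed example, not code
from the original thread."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Mx:
    name: str
    known_users: set                     # mailboxes this host can verify itself
    forward_to: Optional["Mx"] = None    # a backup MX relays to the primary
    verify_via_primary: bool = False     # hardened backup: ask primary at RCPT TO
    bounces: list = field(default_factory=list)  # (mail_from, rcpt) bounces sent

    def accept_rcpt(self, rcpt: str) -> bool:
        """SMTP-time decision at RCPT TO. A 5xx here creates no bounce: the
        sending side (the worm) just gets the refusal on its own connection."""
        if self.forward_to is None:
            return rcpt in self.known_users
        if self.verify_via_primary:
            return self.forward_to.accept_rcpt(rcpt)
        return True  # naive backup MX: accept everything, sort it out later

    def deliver(self, mail_from: str, rcpt: str) -> str:
        """Returns 'delivered', 'rejected' (at SMTP time) or 'bounced'."""
        if not self.accept_rcpt(rcpt):
            return "rejected"
        if self.forward_to is None:
            return "delivered"
        # Message already accepted: relay to the primary. If the primary now
        # refuses the recipient, the only option left is a bounce to MAIL FROM,
        # which for a worm is a forged address belonging to a third party.
        if self.forward_to.deliver(mail_from, rcpt) == "rejected":
            self.bounces.append((mail_from, rcpt))
            return "bounced"
        return "delivered"


def run_worm(entry_mx: Mx, forged_from: str, targets) -> dict:
    """Send one worm copy per target address via entry_mx and count outcomes."""
    counts = {"delivered": 0, "rejected": 0, "bounced": 0}
    for rcpt in targets:
        counts[entry_mx.deliver(forged_from, rcpt)] += 1
    return counts
```

Run with a primary that knows one mailbox and a target list of one real plus two guessed addresses: via the primary or the verifying backup every bad address is refused at RCPT TO with no bounce, while the naive backup bounces each one to the forged sender.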
