Security Incidents mailing list archives

Re: Novarg


From: Skip Carter <skip () taygeta com>
Date: Thu, 29 Jan 2004 18:33:39 -0800



I notice something interesting about the SMTP route that all the
Novarg/Mydoom emails are taking to get to my box.

I have a personal Linux machine that runs my SMTP server and is MX for
wwwdotorg.org. I also have backup MX using DynDNS (www.dyndns.org). I
notice that *all* the copies of the Novarg email are coming in via the
backup MX, then being forwarded to my box, despite all other emails (spam,
virii/worms and real stuff) all going direct to my box...
 ...
 
trying to load-balance the multiple records I believe) So, it appears that
Novarg actually sorts the DNS responses and sends via the lowest priority MX?

...

So, I guess to stop all the Novarg messages, one could create an extra MX
record with a lower priority than anything else, and point it at some bad
IP (reserved, localhost, some other IP you own that has no SMTP server...)


   I tried this by setting up a honeypot on the lowest priority MX for
a domain.  I only ran this configuration for a couple of hours, but...
not only did it seem to work, but it grabbed lots of 'normal' SPAM as well.



Skip




-- 
 Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
 Taygeta Scientific Inc.        INTERNET: skip () taygeta com
 1340 Munras Ave., Suite 314    WWW: http://www.taygeta.com
 Monterey, CA. 93940            
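
The following is an added example, not code from the message above or from any project it mentions. It models the MX-preference ordering that the "lowest-priority MX trap" idea depends on: a standards-compliant sender tries MX hosts in ascending preference value, while the message reports that Novarg/Mydoom picked the lowest-priority (largest value) MX instead. The example.com zone, hostnames and preference values are constructed for illustration.

```python
# Added example: models the MX-preference ordering behind the "lowest-priority
# MX trap" idea discussed above. The zone data is constructed for example.com
# and is not taken from the message or from any real DNS zone.
from dataclasses import dataclass


@dataclass(frozen=True)
class MX:
    preference: int  # lower value = tried first by a compliant sender (RFC 5321)
    host: str


# Constructed zone: a primary MX and a backup MX, mirroring the setup the
# message describes (primary on the poster's own box, backup at a DynDNS host).
EXAMPLE_ZONE = [
    MX(10, "mail.example.com."),
    MX(20, "backup-mx.example.com."),
]


def rfc_delivery_order(records):
    """Hosts in the order a standards-compliant sender tries them:
    ascending preference value, ties broken by hostname for determinism."""
    return [r.host for r in sorted(records, key=lambda r: (r.preference, r.host))]


def lowest_priority_host(records):
    """Host chosen by a sender that picks the *largest* preference value,
    i.e. the lowest-priority MX, which is the selection rule the message
    attributes to Novarg/Mydoom."""
    return max(records, key=lambda r: r.preference).host


def add_trap_mx(records, trap_host, preference=None):
    """Return a new record list with a trap MX appended.

    The trap's preference value must be strictly larger than every legitimate
    MX, so a compliant sender only reaches it after all real hosts have
    failed, while a lowest-priority-first sender connects to it immediately.
    """
    highest = max(r.preference for r in records)
    if preference is None:
        preference = highest + 10
    if preference <= highest:
        raise ValueError(
            f"trap preference {preference} must exceed the highest real MX ({highest})"
        )
    return list(records) + [MX(preference, trap_host)]


def trap_is_effective(records, trap_host):
    """Check both properties the trap relies on: it is last for a compliant
    sender and first for a lowest-priority-first sender."""
    return (
        rfc_delivery_order(records)[-1] == trap_host
        and lowest_priority_host(records) == trap_host
    )


if __name__ == "__main__":
    zone = add_trap_mx(EXAMPLE_ZONE, "trap.example.com.")
    print("compliant order:", rfc_delivery_order(zone))
    print("lowest-priority pick:", lowest_priority_host(zone))
    print("trap effective:", trap_is_effective(zone, "trap.example.com."))
```

Two practical points follow from the model. First, the trap only works if its preference value is strictly larger than every real MX, which is why `add_trap_mx` refuses anything else. Second, a compliant sender will still fall through to the trap when every legitimate MX is unreachable, so the trap host should refuse the connection (no listener on port 25, or a honeypot that never accepts the message) rather than accept and discard; a refused connection leaves the sender queuing and retrying instead of silently losing mail. That the honeypot in the message also collected ordinary spam is consistent with this model: any sender that prefers the lowest-priority MX lands on the trap first.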