Security Incidents mailing list archives

RE: Novarg

From: Stephen Warren <swarren () wwwdotorg org>
Date: Wed, 28 Jan 2004 20:19:57 -0800

I notice someting interesting about the SMTP route that all the
Novarg/Mydoom emails are taking to get to my box.

I have a personal Linux machine that runs my SMTP server and is MX for
wwwdotorg.org. I also have backup MX using DynDNS (www.dyndns.org). I
notice that *all* the copies of the Novarg email are coming in via the
backup MX, then being forwarded to my box, despite all other emails (spam,
virii/worms and real stuff) all going direct to my box...

I ran "dig -t mx wwwdotorg.org" on my box, where the resolver libraries
are pointing at my ISP's DNS server (Qwest in Santa Clara, CA, USA) with
no caching name server on my machine. I get back what I expect (see
below). I ran it a few times - sometimes the "MX 10" record is first in
the list, sometimes it's second (as expected - the DNS server is just
trying to load-balance the multiple records I believe) So, it appears that
Novarg actually sorts the DNS responses and sends via the lowest priority MX?

Am I missing something?

So, I guess to stop all the Novarg messages, one could create an extra MX
record with a lower priority than anything else, and point it at some bad
IP (reserved, localhost, some other IP you own that has no SMTP server...)
Sounds interesting.

; <<>> DiG 9.2.2 <<>> -t mx wwwdotorg.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1413
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 2

;; QUESTION SECTION:
;wwwdotorg.org.                 IN      MX

;; ANSWER SECTION:
wwwdotorg.org.          86383   IN      MX      20 mx2.mailhop.org.
wwwdotorg.org.          86383   IN      MX      10 thames.wwwdotorg.org.

;; AUTHORITY SECTION:
wwwdotorg.org.          86383   IN      NS      ns5.mydyndns.org.
wwwdotorg.org.          86383   IN      NS      ns1.mydyndns.org.
wwwdotorg.org.          86383   IN      NS      ns2.mydyndns.org.
wwwdotorg.org.          86383   IN      NS      ns3.mydyndns.org.
wwwdotorg.org.          86383   IN      NS      ns4.mydyndns.org.

;; ADDITIONAL SECTION:
thames.wwwdotorg.org.   86383   IN      A       65.113.35.91
mx2.mailhop.org.        24246   IN      A       63.209.15.214

;; Query time: 239 msec
;; SERVER: 205.171.3.65#53(205.171.3.65)
;; WHEN: Wed Jan 28 20:11:57 2004
;; MSG SIZE  rcvd: 213

-- 
Stephen Warren, Software Engineer, Parama Networks, San Jose, CA
swarren () wwwdotorg org                  http://www.wwwdotorg.org/

---------------------------------------------------------------------------
----------------------------------------------------------------------------

Current thread:

Re: Novarg - Stopping .Zip Files, (continued)
- - - Re: Novarg - Stopping .Zip Files Alvin Mills (Jan 30)
  - RE: Novarg - Stopping .Zip Files jamesworld (Jan 28)
  - Re: Novarg - Stopping .Zip Files Bill Pennington (Jan 28)
    - RE: Novarg - Stopping .Zip Files Timmothy Posey (Jan 30)
    - Re: Novarg - Stopping .Zip Files Alvin Mills (Jan 30)
- Re: Novarg Dave Laird (Jan 28)
- RE: Novarg Wayne S. Ackley (Jan 28)
- Re: Novarg James Riden (Jan 28)
- RE: Novarg Chris Aguilar (Jan 28)
- RE: Novarg Jeremy Strachan (Jan 28)
  - RE: Novarg Stephen Warren (Jan 29)
    - Re: Novarg Robin Sheat (Jan 30)
    - RE: Novarg steve bernacki (Jan 30)
    - Re: Novarg Skip Carter (Jan 30)
  - RE: Novarg Duston Sickler (Jan 29)
    - RE: Novarg sloppy seconds (Jan 30)
- RE: Novarg Robert Morales (Jan 28)
  - RE: Novarg Rickert Gerhard (rgerhard) (Jan 29)
- Re: Novarg Ivan Coric (Jan 29)
  - RE: Novarg Jeremy Hyland (Jan 30)
- RE: Novarg Ivan Coric (Jan 30)

(Thread continues...)