Re: virus mail ignores MX?

[Ranjeet Shetye <ranjeet.shetye2 () zultys com>]

* Burton M. Strauss III (BStrauss () acm org) wrote:
> Read the relevant RFC (974)...
>
>    The domain servers store information as a series of resource records
>    (RRs), each of which contains a particular piece of information about
>    a given domain name (which is usually, but not always, a host).  The
>    simplest way to think of a RR is as a typed pair of datum, a domain
>    name matched with relevant data, and stored with some additional type
>    information to help systems determine when the RR is relevant.  For
>    the purposes of message routing, the system stores RRs known as MX
>    RRs. Each MX matches a domain name with two pieces of data, a
>    preference value (an unsigned 16-bit integer), and the name of a
>    host.  The preference number is used to indicate in what order the
>    mailer should attempt deliver to the MX hosts, with the lowest
>    numbered MX being the one to try first.  Multiple MXs with the same
>    preference are permitted and have the same priority.
>
> Emphasis on 'should', which has a specific meaning in RFCs - e.g.
>
>    SHOULD    This word, or the adjective "recommended", means that there
>              may exist valid reasons in particular circumstances to
>              ignore this item, but the full implications MUST be
>              understood and carefully weighed before choosing a
>              different course.
>
> From the bad guy's perspective, wanting to get the mail through without
> being filtered - in a perverse way - probably qualifies as a "valid
> reason...to ignore this item".
>
> -----Burton

And to further clarify Burton's excellant explaination for those who
are not very clear about RFCs, even if the RFC had specified a MUST,
there is no technical framework to enforce the compliance with the RFC
on part of the spammer/virus-writer.

Hence even if the RFC had specified a MUST, a virus writer could make
an intelligent guess that a backup MX server is probably not as well
protected as the primary server and hence better his/her chances by
violating the RFC, and using the backup server. Any protection against
such an attack would involve too much state tracking and is probably
not worth the effort. Its much better to protect all servers equally.

> > -----Original Message-----
> > From: Monty Ree [mailto:chulmin2 () hotmail com]
> > Sent: Friday, June 11, 2004 3:41 AM
> > To: security-basics () securityfocus com
> > Subject: virus mail ignores MX?
> >
> >
> > Hello, all.
> >
> > I have some question about virus mail.
> > I have set viruswall about my domain and all mails should be sent
> > first to
> > viruswall.
> >
> > xxxxx.com.               86400   IN      MX      0
> > viruswall.xxxxx.com. <--
> > viruswall
> > xxxxx.com.               86400   IN      MX      5 mail.xxxxx.com     <--
> > mail server
> >
> > When I see virus mail header, like below.
> >
> > Received: from test.com ([211.117.47.1])
> >     by mail.xxxxx.com (8.11.6/8.11.6) with ESMTP id i5B8DdW02504
> >     for <chulmin2 () xxxxx com>; Fri, 11 Jun 2004 17:13:44 +0900
> >
> > some virus mails are filtered well at viruswall.
> > but other virus mails are not get through viruswall,
> > and go directly to mail.xxxxx.com. I think.
> >
> > so I think some virus mail ignores MX, right?
> >
> > What's the problem and how can I solve this problem?
> >
> >
> > Thanks in advance.
> >
> > _________________________________________________________________
> > Çà¿îÀÇ ÁÖÀΰøÀÌ À̹ø¿£ ³ªÀϲšŸß, ÁøÂ¥·ç... ÀÎÅÍ³Ý º¹±Ç
> > http://www.msn.co.kr/money/interlotto/
> >
> >
> > ------------------------------------------------------------------
> > ---------
> > Ethical Hacking at the InfoSec Institute. Mention this ad and get
> > $545 off
> > any course! All of our class sizes are guaranteed to be 10
> > students or less
> > to facilitate one-on-one interaction with one of our expert instructors.
> > Attend a course taught by an expert instructor with years of in-the-field
> > pen testing experience in our state of the art hacking lab.
> > Master the skills
> > of an Ethical Hacker to better assess the security of your organization.
> > Visit us at:
> > http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> > ------------------------------------------------------------------
> > ----------
>
>
> ---------------------------------------------------------------------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
> any course! All of our class sizes are guaranteed to be 10 students or less 
> to facilitate one-on-one interaction with one of our expert instructors. 
> Attend a course taught by an expert instructor with years of in-the-field 
> pen testing experience in our state of the art hacking lab. Master the skills 
> of an Ethical Hacker to better assess the security of your organization. 
> Visit us at: 
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> ----------------------------------------------------------------------------

-- 
Ranjeet Shetye
Senior Software Engineer
Zultys Technologies
Ranjeet dot Shetye at Zultys dot com
http://www.zultys.com/
 
The views, opinions, and judgements expressed in this message are solely those of
the author. The message contents have not been reviewed or approved by Zultys.


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------