Security Basics mailing list archives
Re: virus mail ignores MX?
From: Ranjeet Shetye <ranjeet.shetye2 () zultys com>
Date: Mon, 14 Jun 2004 13:53:33 -0700
* Burton M. Strauss III (BStrauss () acm org) wrote:
Read the relevant RFC (974)... The domain servers store information as a series of resource records (RRs), each of which contains a particular piece of information about a given domain name (which is usually, but not always, a host). The simplest way to think of a RR is as a typed pair of datum, a domain name matched with relevant data, and stored with some additional type information to help systems determine when the RR is relevant. For the purposes of message routing, the system stores RRs known as MX RRs. Each MX matches a domain name with two pieces of data, a preference value (an unsigned 16-bit integer), and the name of a host. The preference number is used to indicate in what order the mailer should attempt deliver to the MX hosts, with the lowest numbered MX being the one to try first. Multiple MXs with the same preference are permitted and have the same priority. Emphasis on 'should', which has a specific meaning in RFCs - e.g. SHOULD This word, or the adjective "recommended", means that there may exist valid reasons in particular circumstances to ignore this item, but the full implications MUST be understood and carefully weighed before choosing a different course. From the bad guy's perspective, wanting to get the mail through without being filtered - in a perverse way - probably qualifies as a "valid reason...to ignore this item". -----Burton
And to further clarify Burton's excellant explaination for those who are not very clear about RFCs, even if the RFC had specified a MUST, there is no technical framework to enforce the compliance with the RFC on part of the spammer/virus-writer. Hence even if the RFC had specified a MUST, a virus writer could make an intelligent guess that a backup MX server is probably not as well protected as the primary server and hence better his/her chances by violating the RFC, and using the backup server. Any protection against such an attack would involve too much state tracking and is probably not worth the effort. Its much better to protect all servers equally.
-----Original Message----- From: Monty Ree [mailto:chulmin2 () hotmail com] Sent: Friday, June 11, 2004 3:41 AM To: security-basics () securityfocus com Subject: virus mail ignores MX? Hello, all. I have some question about virus mail. I have set viruswall about my domain and all mails should be sent first to viruswall. xxxxx.com. 86400 IN MX 0 viruswall.xxxxx.com. <-- viruswall xxxxx.com. 86400 IN MX 5 mail.xxxxx.com <-- mail server When I see virus mail header, like below. Received: from test.com ([211.117.47.1]) by mail.xxxxx.com (8.11.6/8.11.6) with ESMTP id i5B8DdW02504 for <chulmin2 () xxxxx com>; Fri, 11 Jun 2004 17:13:44 +0900 some virus mails are filtered well at viruswall. but other virus mails are not get through viruswall, and go directly to mail.xxxxx.com. I think. so I think some virus mail ignores MX, right? What's the problem and how can I solve this problem? Thanks in advance. _________________________________________________________________ Çà¿îÀÇ ÁÖÀΰøÀÌ À̹ø¿£ ³ªÀϲšŸß, ÁøÂ¥·ç... ÀÎÅÍ³Ý º¹±Ç http://www.msn.co.kr/money/interlotto/ ------------------------------------------------------------------ --------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ------------------------------------------------------------------ ------------------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ----------------------------------------------------------------------------
-- Ranjeet Shetye Senior Software Engineer Zultys Technologies Ranjeet dot Shetye at Zultys dot com http://www.zultys.com/ The views, opinions, and judgements expressed in this message are solely those of the author. The message contents have not been reviewed or approved by Zultys. --------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ----------------------------------------------------------------------------
Current thread:
- virus mail ignores MX? Monty Ree (Jun 13)
- Re: virus mail ignores MX? Andrej Kacian (Jun 14)
- Re: virus mail ignores MX? Paul Kurczaba (Jun 14)
- Re: virus mail ignores MX? die tuere (Jun 14)
- Re: virus mail ignores MX? Pierre-Yves Bonnetain (Jun 14)
- RE: virus mail ignores MX? Burton M. Strauss III (Jun 14)
- Re: virus mail ignores MX? Ranjeet Shetye (Jun 21)
- <Possible follow-ups>
- RE: virus mail ignores MX? Joshua Vince (Jun 14)
- RE: virus mail ignores MX? Alan Greig (Jun 14)
- Re: virus mail ignores MX? Monty Ree (Jun 16)
- Re: virus mail ignores MX? Mircea MITU (Jun 18)
- RE: virus mail ignores MX? Keith T. Morgan (Jun 22)