Security Incidents mailing list archives
RE: Novarg
From: Stephen Warren <swarren () wwwdotorg org>
Date: Wed, 28 Jan 2004 20:19:57 -0800
I notice something interesting about the SMTP route that all the Novarg/Mydoom emails are taking to get to my box. I have a personal Linux machine that runs my SMTP server and is MX for wwwdotorg.org. I also have backup MX using DynDNS (www.dyndns.org).

I notice that *all* the copies of the Novarg email are coming in via the backup MX, then being forwarded to my box, despite all other emails (spam, virii/worms and real stuff) all going direct to my box...

I ran "dig -t mx wwwdotorg.org" on my box, where the resolver libraries are pointing at my ISP's DNS server (Qwest in Santa Clara, CA, USA) with no caching name server on my machine. I get back what I expect (see below). I ran it a few times - sometimes the "MX 10" record is first in the list, sometimes it's second (as expected - the DNS server is just trying to load-balance the multiple records I believe).

So, it appears that Novarg actually sorts the DNS responses and sends via the lowest priority MX? Am I missing something?

So, I guess to stop all the Novarg messages, one could create an extra MX record with a lower priority than anything else, and point it at some bad IP (reserved, localhost, some other IP you own that has no SMTP server...) Sounds interesting.

; <<>> DiG 9.2.2 <<>> -t mx wwwdotorg.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1413
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 2

;; QUESTION SECTION:
;wwwdotorg.org.                 IN      MX

;; ANSWER SECTION:
wwwdotorg.org.          86383   IN      MX      20 mx2.mailhop.org.
wwwdotorg.org.          86383   IN      MX      10 thames.wwwdotorg.org.

;; AUTHORITY SECTION:
wwwdotorg.org.          86383   IN      NS      ns5.mydyndns.org.
wwwdotorg.org.          86383   IN      NS      ns1.mydyndns.org.
wwwdotorg.org.          86383   IN      NS      ns2.mydyndns.org.
wwwdotorg.org.          86383   IN      NS      ns3.mydyndns.org.
wwwdotorg.org.          86383   IN      NS      ns4.mydyndns.org.

;; ADDITIONAL SECTION:
thames.wwwdotorg.org.   86383   IN      A       65.113.35.91
mx2.mailhop.org.        24246   IN      A       63.209.15.214

;; Query time: 239 msec
;; SERVER: 205.171.3.65#53(205.171.3.65)
;; WHEN: Wed Jan 28 20:11:57 2004
;; MSG SIZE  rcvd: 213

-- 
Stephen Warren, Software Engineer, Parama Networks, San Jose, CA
swarren () wwwdotorg org http://www.wwwdotorg.org/
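The MX selection behaviour the post hypothesizes, as an added example that is not part of the original post: it parses the ANSWER SECTION quoted above, lists the hosts in RFC 2821 order (lowest preference value first, which is what a compliant MTA tries) beside the highest-value-first order the post observes, and adds a hypothetical decoy record (placeholder host decoy.example.invalid, chosen here, not in the post) to show which ordering the decoy would intercept.

```python
import re
from typing import List, Tuple

# Constructed sample: the two MX lines from the dig ANSWER SECTION in the post above.
DIG_ANSWER = """\
wwwdotorg.org.          86383   IN      MX      20 mx2.mailhop.org.
wwwdotorg.org.          86383   IN      MX      10 thames.wwwdotorg.org.
"""

# name  ttl  IN  MX  preference  exchange
MX_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+MX\s+(\d+)\s+(\S+)\s*$")


def parse_mx(dig_text: str) -> List[Tuple[int, str]]:
    """Return (preference, exchange-host) pairs from dig-style MX answer lines."""
    records = []
    for line in dig_text.splitlines():
        m = MX_LINE.match(line.strip())
        if m:
            records.append((int(m.group(3)), m.group(4).rstrip(".")))
    return records


def rfc_order(records: List[Tuple[int, str]]) -> List[str]:
    """RFC 2821 delivery order: lowest preference value is tried first.
    (Equal values are tried in random order by real MTAs; here ties sort by host.)"""
    return [host for _, host in sorted(records)]


def highest_value_first(records: List[Tuple[int, str]]) -> List[str]:
    """The non-compliant order the post observes: highest preference value first."""
    return [host for _, host in sorted(records, reverse=True)]


def with_decoy(records: List[Tuple[int, str]], decoy_host: str, margin: int = 10):
    """Append a decoy MX (hypothetical host) with a preference value above every real one,
    as the post suggests; a compliant MTA only reaches it after all real MXs fail."""
    top = max(pref for pref, _ in records)
    return records + [(top + margin, decoy_host)]


if __name__ == "__main__":
    recs = parse_mx(DIG_ANSWER)
    print("RFC order:          ", rfc_order(recs))
    print("highest-value first:", highest_value_first(recs))
    decoyed = with_decoy(recs, "decoy.example.invalid")
    print("with decoy, RFC:    ", rfc_order(decoyed))
    print("with decoy, worm:   ", highest_value_first(decoyed))
```

Note that a compliant MTA falls through to the decoy only when every real MX is unreachable, so during a full outage legitimate mail would be lost at the decoy rather than queued at the sender.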