RE: WORM_MIMAIL.A Anyone have any info on what this does yet?

From: James C. Slora, Jr. (Jim.Sloraat_private)
Date: Mon Aug 04 2003 - 11:29:01 PDT


    Alex 'CAVE' Cernat [mailto:caveat_private]
    > if the virus sends emails through a local smtp connection, it's a dns
    > problem;
    > but if the virus connects directly to the 'backup' smtp server, then,
    > lamerish, the virus programmer probably believed that a bigger value
    > associated with the mx means 'preferred server', which is exactly the
    > opposite of the rfc or any documentation available :-)
    
    This is not really lamerish IMO, it's more spammerish. Backup mail
    servers are often outside of the control of the mail admin - they are
    likely just store-and-forward servers. They are less likely to bounce
    messages, less likely to screen, and less likely to scan for viruses.
    Spammers love them. Virus distributors sometimes use spam techniques to
    get that first big bang from their worm.
    
    That's why I'm curious to know if Mimail-infected machines will use this
    same low-priority MX technique to send to the next round of victims, or
    if infected machines send via normal MX priorities. 
    
    If infected machines use normal priorities, then incoming infected mail
    through low-priority MX hosts is likely an original distribution, which
    means the recipient is on the distributor's list of mail addresses and
    may be more likely to be a day zero recipient of the next email malware.
    
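The check Jim is describing, as an added example that is not part of the original message or thread: given the domain's MX set and a message's Received: headers, decide which of our MX hosts first accepted the message from the outside, and flag it when that host is a backup (higher preference value) MX rather than the primary. The MX records, host names, addresses and the two header samples below are all constructed for the example. Only the Received: lines stamped by our own MX hosts are trustworthy; anything below them in the chain is sender-controlled, which is why the check keys on the receiving side of each hop.

```python
"""Flag inbound mail that entered through a backup MX host.

Added example; the MX set and Received: headers are constructed sample
data and the host names are hypothetical.
"""
import re
from typing import List, Optional, Set, Tuple

# Constructed MX set for a hypothetical domain. Per the RFC, the LOWEST
# preference value is the most preferred host: mx1 is the primary and
# backup-mx is the fallback that spam and worm senders sometimes aim for.
SAMPLE_MX: List[Tuple[int, str]] = [
    (10, "mx1.example.test"),
    (20, "mx2.example.test"),
    (50, "backup-mx.example.test"),
]


def rank_mx(records: List[Tuple[int, str]]) -> List[str]:
    """Hosts ordered from most to least preferred (ascending preference)."""
    return [host for _, host in sorted(records)]


def backup_hosts(records: List[Tuple[int, str]]) -> Set[str]:
    """Every host that is not in the lowest-preference (primary) tier."""
    ranked = sorted(records)
    best = ranked[0][0]
    return {host for pref, host in ranked if pref != best}


# Matches an unfolded "Received: from <host> ... by <host>" header.
RECEIVED_RE = re.compile(r"^Received:\s+from\s+(\S+).*?\s+by\s+(\S+)", re.I | re.S)


def parse_received(raw_headers: str) -> List[Tuple[str, str]]:
    """Unfold continuation lines and return (from, by) pairs, newest hop first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    hops = []
    for line in unfolded.splitlines():
        m = RECEIVED_RE.match(line)
        if m:
            hops.append((m.group(1).lower().rstrip(";,)"),
                         m.group(2).lower().rstrip(";,)")))
    return hops


def entry_mx(raw_headers: str, records: List[Tuple[int, str]]) -> Optional[str]:
    """The first of OUR MX hosts that accepted the message (oldest hop first),
    or None if none of our MX hosts appear in the chain."""
    ours = {host for _, host in records}
    for _sender, receiver in reversed(parse_received(raw_headers)):
        if receiver in ours:
            return receiver
    return None


def entered_via_backup(raw_headers: str, records: List[Tuple[int, str]]) -> bool:
    """True when the message's entry point was a backup MX, not the primary."""
    mx = entry_mx(raw_headers, records)
    return mx is not None and mx in backup_hosts(records)


# Constructed sample: message accepted by backup-mx, then relayed to mx1.
SAMPLE_VIA_BACKUP = """\
Received: from backup-mx.example.test (backup-mx.example.test [192.0.2.50])
\tby mx1.example.test with ESMTP id abc123
\tfor <user@example.test>; Mon, 4 Aug 2003 10:00:02 -0700
Received: from unknown (HELO somehost) ([203.0.113.7])
\tby backup-mx.example.test with SMTP; Mon, 4 Aug 2003 10:00:00 -0700
Subject: your account
"""

# Constructed sample: message delivered straight to the primary MX.
SAMPLE_VIA_PRIMARY = """\
Received: from mail.sender.test (mail.sender.test [198.51.100.9])
\tby mx1.example.test with ESMTP; Mon, 4 Aug 2003 10:05:00 -0700
Subject: hello
"""

if __name__ == "__main__":
    print("MX order:", rank_mx(SAMPLE_MX))
    for label, hdrs in (("backup", SAMPLE_VIA_BACKUP), ("primary", SAMPLE_VIA_PRIMARY)):
        print(label, "-> entry", entry_mx(hdrs, SAMPLE_MX),
              "backup?", entered_via_backup(hdrs, SAMPLE_MX))
```

Run it as a filter over a mailbox and the messages flagged True are the ones that took the low-priority route; comparing their senders against later waves would answer the question above about whether infected machines keep using the backup MX or fall back to normal priorities.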
    
    This archive was generated by hypermail 2b30 : Mon Aug 04 2003 - 12:05:11 PDT