Re: WORM_MIMAIL.A Anyone have any info on what this does yet?

From: Frank Knobbe (frankat_private)
Date: Mon Aug 04 2003 - 10:24:52 PDT

    On Mon, 2003-08-04 at 10:57, Alex 'CAVE' Cernat wrote:
    > if the virus sends emails through a local SMTP connection, it's a DNS
    > problem;
    > but if the virus connects directly to the 'backup' SMTP server, then,
    > lamerish, the virus programmer probably believed that a bigger value
    > associated with an MX means 'preferred server', which is exactly the
    > opposite of the RFC or any documentation available :-)
    
    
    No, not necessarily. There may be setups where the mail bagger does not
    include virus and spam scanners, thus offering a chance of "getting in"
    undetected. This is especially true if primary mail servers trust
    secondary mail baggers explicitly (i.e. allow them to relay regardless
    of recipient domain).
    
    Since a lot of setups use mail baggers at ISPs as secondary MXes, which
    most likely do not have virus and spam scanners installed, the chances
    of slipping through the net of defenses are a bit better.
    
    Furthermore, setups involving secondary mail servers are a bit more
    complex (not technologically, but there is more to configure),
    increasing the chances for misconfigurations (such as above mentioned
    relay override, or virus scanner bypass). So the added complexity works
    against security and in favor of those trying to circumvent it.
    
    The ideal virus would want to try to inject itself through MX records
    farther away from the target, preferably hosts with different domain
    names (as would be the case with ISPs).
    
    
    Regards,
    Frank
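    The following is an added example, not code from Frank or from anyone else on
    this list. It ranks a domain's MX records the way a compliant MTA does (lowest
    preference value first, per the RFC ordering Alex refers to), flags backup MXes
    whose registered domain differs from the target's (the ISP "mail bagger" case
    Frank describes), and shows that both hypotheses in the thread, a deliberate
    attempt at the least-defended MX and a simple inversion of the preference
    semantics, end up at the same off-site host. The MX records for example.com
    are constructed for the example, and the registered-domain check is a
    last-two-labels simplification (real code should consult a public-suffix list).

```python
"""Added example: rank MX records and flag off-site backup MXes.

Not part of the original post. The MX data below is constructed, and
registered_domain() is a deliberate simplification.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MX:
    preference: int  # RFC 5321 "preference": lower means try first
    host: str


# Constructed sample: primary and secondary in-house MXes plus an ISP bagger.
EXAMPLE_DOMAIN = "example.com"
EXAMPLE_MX = [
    MX(50, "backup-mx.isp.example.net."),
    MX(10, "mail.example.com."),
    MX(20, "mx2.example.com."),
]


def rank_mx(records):
    """Order records as a compliant sender tries them: lowest preference first.

    Hosts with equal preference are tie-broken alphabetically here; a real MTA
    picks among them at random, which does not matter for this audit.
    """
    return sorted(records, key=lambda r: (r.preference, r.host))


def primary_and_backups(records):
    """Split into the preferred set (lowest preference) and everything else."""
    ranked = rank_mx(records)
    lowest = ranked[0].preference
    primaries = [r for r in ranked if r.preference == lowest]
    backups = [r for r in ranked if r.preference != lowest]
    return primaries, backups


def registered_domain(host):
    """Approximate the registrable domain as the last two labels.

    Assumption/simplification: wrong for names under multi-label public
    suffixes such as co.uk; use a public-suffix list in production.
    """
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def offsite_backups(target_domain, records):
    """Backup MXes hosted outside the target's registered domain.

    These are the hosts Frank's post says to look at: they are usually an
    ISP's bagger, may lack virus/spam scanning, and may be trusted to relay.
    """
    _, backups = primary_and_backups(records)
    target = registered_domain(target_domain)
    return [r for r in backups if registered_domain(r.host) != target]


def worm_target(records, misread_preference=False):
    """Host a sender picks for direct delivery.

    misread_preference=True models Alex's hypothesis that the author took the
    highest preference value to mean 'preferred server'. Either way the host
    chosen is the most distant backup.
    """
    ranked = rank_mx(records)
    return ranked[-1].host if misread_preference else ranked[0].host


def audit(target_domain, records):
    """Summarise the MX layout for a quick relay/scanner review."""
    primaries, backups = primary_and_backups(records)
    return {
        "primaries": [r.host for r in primaries],
        "backups": [r.host for r in backups],
        "offsite_backups": [r.host for r in offsite_backups(target_domain, records)],
    }


if __name__ == "__main__":
    for key, hosts in audit(EXAMPLE_DOMAIN, EXAMPLE_MX).items():
        print(f"{key}: {', '.join(hosts) or '(none)'}")
    print("direct-delivery target (RFC reading):", worm_target(EXAMPLE_MX))
    print("direct-delivery target (inverted reading):",
          worm_target(EXAMPLE_MX, misread_preference=True))
```

    Run it against the output of `dig MX yourdomain` (after mapping each answer
    line to an MX record) and treat every host in `offsite_backups` as a place to
    verify that relaying is restricted to your recipient domains and that the
    same scanning applies as on the primary.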
    
    This archive was generated by hypermail 2b30 : Mon Aug 04 2003 - 12:18:03 PDT