RE: WORM_MIMAIL.A Anyone have any info on what this does yet?

From: Jerry Shenk (jshenkat_private)
Date: Mon Aug 04 2003 - 10:25:51 PDT


    Maybe the virus programmer made a mistake, perhaps it was intentional.
    I knew of one installation that (mistakenly) believed that they
    shouldn't run virus scanning on their secondary MX so that if the
    primary MX gets bogged down or crashes, mail can still get through.
    Perhaps there are more installations set up like that than I'd
    expected.
    
    -----Original Message-----
    From: Alex 'CAVE' Cernat [mailto:caveat_private] 
    Sent: Monday, August 04, 2003 11:57 AM
    To: incidentsat_private
    Subject: Re: WORM_MIMAIL.A Anyone have any info on what this does yet?
    
    
    On Mon, 4 Aug 2003 09:53:53 -0400
    "att13543" <skidat_private> wrote:
    
    > I'd be interested if anyone can correlate what I've seen:  we have 2
    > MX records, one weighted at 10 (primary) and one at 20 (secondary). 
    > Of the 200 or so MiMail's we've seen 100% have come through our
    > SECONDARY mail server.  Maybe the SMTP engine was written poorly, or
    > maybe it was this way on purpose?
    
    if the virus sends emails through local smtp connection, it's a dns
    problem;
    but if the virus connects directly to the 'backup' smtp server, then,
    lamerish, the virus programmer probably believed that bigger value
    associated with mx means 'preferred server', which is the exact
    opposite of the rfc or any documentation available :-)
    
    Alex
    
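An added example, not part of the original thread: it orders MX records the standard way (lowest preference value first), shows which host a sender with the inverted reading would choose, and tallies infected deliveries per receiving MX to test the correlation asked about above. The host names, log format, log lines and scanning map are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample data (not from the thread): two MX records weighted
# 10 and 20 as in the post; host names and log lines are hypothetical.
ZONE = """\
example.org. 3600 IN MX 10 mx1.example.org.
example.org. 3600 IN MX 20 mx2.example.org.
"""
# Log format assumed for this example: "<receiving MX> from=<client IP> virus=<name or ->"
LOG = """\
mx1.example.org from=192.0.2.10 virus=-
mx2.example.org from=198.51.100.7 virus=WORM_MIMAIL.A
mx2.example.org from=198.51.100.7 virus=WORM_MIMAIL.A
mx2.example.org from=203.0.113.5 virus=WORM_MIMAIL.A
"""

def parse_mx(zone):
    """Return [(preference, host)] in the order a compliant sender tries them."""
    recs = re.findall(r"\sMX\s+(\d+)\s+(\S+?)\.?\s*$", zone, re.M)
    return sorted((int(pref), host) for pref, host in recs)

def primary_hosts(mx):
    """Lowest preference value is most preferred; ties share the primary role."""
    best = mx[0][0]
    return {host for pref, host in mx if pref == best}

def inverted_choice(mx):
    """Host picked by a sender that wrongly treats the largest value as preferred."""
    return max(mx)[1]

def infected_by_mx(log):
    """Count infected deliveries per receiving MX host."""
    hits = Counter()
    for line in log.splitlines():
        m = re.match(r"(\S+) from=(\S+) virus=(\S+)", line)
        if m and m.group(3) != "-":
            hits[m.group(1)] += 1
    return hits

def unscanned_mx(mx, scanning):
    """MX hosts that accept mail without virus scanning (scanning: host -> bool)."""
    return [host for _, host in mx if not scanning.get(host, False)]

if __name__ == "__main__":
    mx = parse_mx(ZONE)
    print(primary_hosts(mx), inverted_choice(mx), dict(infected_by_mx(LOG)))
    print("no scanning on:", unscanned_mx(mx, {"mx1.example.org": True}))
```

Any host returned by `unscanned_mx` is a filtering gap regardless of its preference value, since a sender is free to connect to any published MX.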
    



    This archive was generated by hypermail 2b30 : Mon Aug 04 2003 - 12:19:36 PDT