Alex,

This is a very general answer. When dealing with worms I have found it useful to look at the source of the original Internet worm. It's available on the Net. IMHO the tens of thousands of worms, viruses, etc. often borrow from their predecessors. For example, they will try to crack the passwd file; they will try to send info from critical system files (i.e. the original one sent the UNIX hosts and/or hosts.equiv file; newer variants, like the iloveyou virus 3 years ago, use Outlook's address book), like that. When I spotted the iloveyou script/virus in my Outlook inbox I saved it to a floppy and read it on my Linux box in vi.

Cheers,
David

David Hawley, CISSP
UNIX & NT NET SECURITY, LLC
714-697-8000

--- Alex 'CAVE' Cernat <caveat_private> wrote:
> On Mon, 4 Aug 2003 09:53:53 -0400
> "att13543" <skidat_private> wrote:
>
> > I'd be interested if anyone can correlate what I've seen: we have 2
> > MX records, one weighted at 10 (primary) and one at 20 (secondary).
> > Of the 200 or so MiMails we've seen, 100% have come through our
> > SECONDARY mail server. Maybe the SMTP engine was written poorly, or
> > maybe it was this way on purpose?
>
> If the virus sends emails through a local SMTP connection, it's a DNS
> problem; but if the virus connects directly to the 'backup' SMTP server,
> then, lamerish, the virus programmer probably believed that a bigger
> value associated with the MX means 'preferred server', which is exactly
> the opposite of the RFC or any documentation available :-)
>
> Alex
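The MX-preference point in the quoted exchange is easy to get backwards, so here is an added example (not code from either poster) that parses MX records from zone-file lines, orders delivery attempts the way RFC 5321 section 5.1 requires (lowest preference value first, equal values tried in random order), shows the inverted selection Alex describes beside it, and flags whether a given receiving host is a backup MX, which is the check att13543 was effectively doing by hand on 200 MiMail messages. The zone content and the mx1/mx2/mx3 hostnames are constructed for the example.

```python
import random
import re

# Constructed sample zone (not from the original thread): one primary MX at
# preference 10 and two backups at preference 20, mirroring the 10/20 setup
# described in the quoted message.
SAMPLE_ZONE = """\
example.com.    IN  MX  10  mx1.example.com.
example.com.    IN  MX  20  mx2.example.com.
example.com.    IN  MX  20  mx3.example.com.
"""

# owner [TTL] IN MX preference exchange
MX_RE = re.compile(r"^\s*(\S+)\s+(?:\d+\s+)?IN\s+MX\s+(\d+)\s+(\S+)\s*$", re.I)


def parse_mx(zone_text):
    """Return [(preference, exchange), ...] from zone-file MX lines.

    Non-MX lines and blank lines are ignored; exchange names are normalised
    to lowercase without the trailing dot so they compare cleanly later.
    """
    records = []
    for line in zone_text.splitlines():
        m = MX_RE.match(line)
        if m:
            records.append((int(m.group(2)), m.group(3).rstrip(".").lower()))
    return records


def delivery_order(records, rng=random):
    """Hosts in the order a conforming SMTP client must try them.

    RFC 5321 section 5.1: the LOWEST preference value is the most preferred;
    hosts sharing a preference value are tried in random order. `rng` can be
    a seeded random.Random() for reproducible results.
    """
    by_pref = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    order = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)
        order.extend(hosts)
    return order


def primary_mx(records):
    """The host a correct client contacts first (lowest preference value)."""
    order = delivery_order(records)
    return order[0] if order else None


def buggy_highest_value_mx(records):
    """The mistake described in the thread: treating the LARGEST preference
    value as 'most preferred'. On the sample zone this always picks a backup."""
    if not records:
        return None
    return max(records, key=lambda r: r[0])[1]


def is_backup_mx(records, host):
    """True if `host` is an MX for the zone but not at the lowest preference.

    A conforming sender only reaches such a host when every lower-preference
    host is unreachable, so a 100% backup-MX delivery rate from one source is
    a sign the sender's client is either broken or deliberately skipping the
    primary, which is the pattern att13543 reported.
    """
    if not records:
        return False
    lowest = min(p for p, _ in records)
    host = host.rstrip(".").lower()
    return any(h == host and p > lowest for p, h in records)


if __name__ == "__main__":
    recs = parse_mx(SAMPLE_ZONE)
    print("RFC order:       ", delivery_order(recs, random.Random(0)))
    print("correct primary: ", primary_mx(recs))
    print("inverted choice: ", buggy_highest_value_mx(recs))
    print("mx2 is backup?   ", is_backup_mx(recs, "mx2.example.com."))
```

Feeding `is_backup_mx` the receiving host from each message's topmost Received: header is the quickest way to reproduce the "100% via secondary" observation from mail logs rather than by eye.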
This archive was generated by hypermail 2b30 : Tue Aug 05 2003 - 15:55:13 PDT