RE: WORM_MIMAIL.A Anyone have any info on what this does yet?

From: Lee Evans (leeat_private)
Date: Tue Aug 05 2003 - 15:54:12 PDT


    Hi Rohny,
    
    Not to be picky (okay, so I probably am), but when you say you only have
    a primary (pref 10) and 'pentiary' (pref 50) mail server setup, what do
    you mean exactly? If you only have two MX records, then the one with a
    preference of 50 is no less a 'secondary' than if it had a preference of
    20, or anything else higher than 10 for that matter. The numbers are not
    numerically significant, 10 is usually chosen for the primary followed
    by 20 as secondary, but this is just for general convenience and has
    simply become something of a habit-cum-standard. Your primary MX record
    could quite easily have a preference of 50, so long as this is the
    lowest number of any of the MX records. To say that your mail server is
    a 'pentiary' mail server simply because of the numerical value of its MX
    preference is incorrect.
    
    It may well be that the virus was deliberately written to choose MX
    records with a preference of 20, as this is generally a secondary
    server, as mentioned. In my experience secondary mail servers are in
    many cases also a secondary consideration, and it may be that the virus
    writer was hoping to avoid anti-virus systems by avoiding primary email
    servers.
    
    Regards
    Lee
    -- 
    Lee Evans
    
    > -----Original Message-----
    > From: Rohny Jotton [mailto:rohnyjottonat_private] 
    > Sent: 04 August 2003 21:44
    > To: incidentsat_private
    > Cc: skidat_private; jshenkat_private
    > Subject: RE: WORM_MIMAIL.A Anyone have any info on what this does yet?
    > 
    > 
    > This may explain why I haven't seen the virus come knocking at our mail
    > server (nope, not one). We only have a primary MX (10) set up and
    > pentiary (50) mail relay upstream which is maintained by our provider.
    > 
    > Curious...
    > 
    > John
    > 
    > -----Original Message-----
    > From: Jerry Shenk [mailto:jshenkat_private]
    > Sent: Monday, August 04, 2003 11:43 AM
    > To: incidentsat_private
    > Subject: RE: WORM_MIMAIL.A Anyone have any info on what this does yet?
    > 
    > Ya know, I thought it was just a coincidence but I saw some 
    > instances of this going through our mail scanner and it 
    > seemed like it might have gone through a secondary MX also.  
    > We hadn't really dug into it but seeing somebody else 
    > mentioning it does make it look like it may be a design 
    > issue.  I'm gonna dig into this a little more.
    > 
    > -----Original Message-----
    > From: att13543 [mailto:skidat_private]
    > Sent: Monday, August 04, 2003 9:54 AM
    > To: incidentsat_private
    > Subject: RE: WORM_MIMAIL.A Anyone have any info on what this does yet?
    > 
    > 
    > I'd be interested if anyone can correlate what I've seen:  we 
    > have 2 MX records, one weighted at 10 (primary) and one at 20 
    > (secondary).  Of the 200 or so MiMail's we've seen 100% have 
    > come through our SECONDARY mail server.  Maybe the SMTP 
    > engine was written poorly, or maybe it was this way on purpose?
    > 
    > 
    > 
    
    
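Lee's point about MX preferences (the lowest number is the primary, whatever that number is) and the two explanations the thread offers for the worm only showing up on secondaries, as an added example that is not part of the original messages. The zone lines and hostnames are constructed; the two zones mirror the 10/20 and 10/50 setups described above.

```python
# Added example, not from the thread: models MX preference ranking and checks,
# from a defender's viewpoint, which hosts each hypothesis in the thread would reach.
import re
from typing import List, Optional, Set, Tuple

MxRecord = Tuple[int, str]  # (preference, mail exchanger host)

# Constructed dig-style MX answer lines (hostnames are made up).
ZONE_10_20 = """
example.test.   3600  IN  MX  10 mx1.example.test.
example.test.   3600  IN  MX  20 mx2.example.test.
"""
ZONE_10_50 = """
example.test.   3600  IN  MX  10 mail.example.test.
example.test.   3600  IN  MX  50 relay.provider.test.
"""

_MX_LINE = re.compile(r"^\S+\s+\d+\s+IN\s+MX\s+(\d+)\s+(\S+)\s*$")


def parse_mx(text: str) -> List[MxRecord]:
    """Parse dig-style MX answer lines into (preference, host) tuples."""
    records = []
    for line in text.splitlines():
        m = _MX_LINE.match(line.strip())
        if m:
            records.append((int(m.group(1)), m.group(2).rstrip(".")))
    return records


def rank_mx(records: List[MxRecord]) -> List[MxRecord]:
    """Lowest preference first: that host is the primary, 10, 50 or otherwise."""
    return sorted(records)


def primary(records: List[MxRecord]) -> str:
    return rank_mx(records)[0][1]


def secondaries(records: List[MxRecord]) -> List[str]:
    return [host for _, host in rank_mx(records)[1:]]


def mx_with_preference(records: List[MxRecord], pref: int) -> List[str]:
    """Hypothesis 1 (att13543/Lee): a sender that only looks for one fixed preference value."""
    return [host for p, host in records if p == pref]


def second_lowest_mx(records: List[MxRecord]) -> Optional[str]:
    """Hypothesis 2: a sender that picks whichever record ranks second, whatever its number."""
    ranked = rank_mx(records)
    return ranked[1][1] if len(ranked) > 1 else None


def mx_without_filtering(records: List[MxRecord], filtered: Set[str]) -> List[str]:
    """Defender check: every MX host should sit behind the same scanning as the primary."""
    return [host for _, host in rank_mx(records) if host not in filtered]
```

Under the fixed-preference hypothesis the 10/50 setup is never reached at all, while under the second-lowest hypothesis the provider relay would be; the last function lists MX hosts that the primary's filtering does not cover.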
    



    This archive was generated by hypermail 2b30 : Tue Aug 05 2003 - 17:28:51 PDT