I just wanted to chime in and say that I have only gotten this worm through my 'primary' MX host, which has a pref of 10. My 'secondary' host has a pref of 20.

On Tue, Aug 05, 2003 at 11:54:12PM +0100, Lee Evans wrote:
> Hi Rohny,
>
> Not to be picky (okay, so I probably am), but when you say you only have
> a primary (pref 10) and 'pentiary' (pref 50) mail server setup, what do
> you mean exactly? If you only have two MX records, then the one with a
> preference of 50 is no less a 'secondary' than if it had a preference of
> 20, or anything else higher than 10 for that matter. The numbers are not
> numerically significant, 10 is usually chosen for the primary followed
> by 20 as secondary, but this is just for general convenience and has
> simply become something of a habit-come-standard. Your primary MX record
> could quite easily have a preference of 50, so long as this is the
> lowest number of any of the MX records. To say that your mail server is
> a 'pentiary' mail server simply because of the numerical value of its MX
> preference is incorrect.
>
> It may well be that the virus was deliberately written to choose MX
> records with a preference of 20, as this is generally a secondary
> server, as mentioned. In my experience secondary mail servers are in
> many cases also a secondary consideration, and it may be that the virus
> writer was hoping to avoid anti-virus systems by avoiding primary email
> servers.
>
> Regards
> Lee
> --
> Lee Evans
>
> > -----Original Message-----
> > From: Rohny Jotton [mailto:rohnyjottonat_private]
> > Sent: 04 August 2003 21:44
> > To: incidentsat_private
> > Cc: skidat_private; jshenkat_private
> > Subject: RE: WORM_MIMAIL.A Anyone have any info on what this does yet?
> >
> >
> > This may explain why I haven't seen the virus come knocking at our mail
> > server (nope, not one). We only have a primary MX (10) set up and pentiary
> > (50) mail relay upstream which is maintained by our provider.
> >
> > Curious...
> >
> > John
> >
> > -----Original Message-----
> > From: Jerry Shenk [mailto:jshenkat_private]
> > Sent: Monday, August 04, 2003 11:43 AM
> > To: incidentsat_private
> > Subject: RE: WORM_MIMAIL.A Anyone have any info on what this does yet?
> >
> > Ya know, I thought it was just a coincidence but I saw some
> > instances of this going through our mail scanner and it
> > seemed like it might have gone through a secondary MX also.
> > We hadn't really dug into it but seeing somebody else
> > mentioning it does make it look like it may be a design
> > issue. I'm gonna dig into this a little more.
> >
> > -----Original Message-----
> > From: att13543 [mailto:skidat_private]
> > Sent: Monday, August 04, 2003 9:54 AM
> > To: incidentsat_private
> > Subject: RE: WORM_MIMAIL.A Anyone have any info on what this does yet?
> >
> >
> > I'd be interested if anyone can correlate what I've seen: we
> > have 2 MX records, one weighted at 10 (primary) and one at 20
> > (secondary). Of the 200 or so MiMail's we've seen 100% have
> > come through our SECONDARY mail server. Maybe the SMTP
> > engine was written poorly, or maybe it was this way on purpose?
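An added example, not part of the original thread: one way to make the correlation the posters ask about comparable across sites is to tally scanner detections by MX rank (order of preference) rather than by the raw preference number. The host names, the `rcvd_by=`/`virus=` log format and the log lines are constructed for illustration.

```python
from collections import Counter

def rank_mx(records):
    """Map each MX host to its rank: 1 = lowest preference value (primary).
    Only the ordering matters; hosts with equal preference share a rank."""
    prefs = sorted({pref for pref, _ in records})
    rank_of = {pref: i + 1 for i, pref in enumerate(prefs)}
    return {host.lower().rstrip("."): rank_of[pref] for pref, host in records}

def worm_hits_by_rank(records, log_lines, signature):
    """Count scanner detections of `signature` per MX rank."""
    ranks = rank_mx(records)
    hits = Counter()
    for line in log_lines:
        # Hypothetical scanner log format: space-separated key=value fields.
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        if fields.get("virus") != signature:
            continue
        host = fields.get("rcvd_by", "").lower().rstrip(".")
        # Hosts no longer in the MX set are reported separately.
        hits[ranks.get(host, "unlisted")] += 1
    return dict(hits)

# Constructed MX sets mirroring the two setups described in the thread.
SITE_A = [(10, "mx1.example.com"), (20, "mx2.example.com")]
SITE_B = [(50, "relay.example.net"), (10, "mail.example.org")]

# Constructed scanner log lines.
LOG = [
    "2003-08-04T09:41:07 rcvd_by=mx2.example.com virus=WORM_MIMAIL.A",
    "2003-08-04T09:44:52 rcvd_by=mx2.example.com virus=WORM_MIMAIL.A",
    "2003-08-04T10:02:13 rcvd_by=mx1.example.com virus=none",
    "2003-08-04T10:05:30 rcvd_by=MX1.example.com. virus=WORM_MIMAIL.A",
    "2003-08-04T10:09:48 rcvd_by=old-gw.example.com virus=WORM_MIMAIL.A",
]

if __name__ == "__main__":
    print(rank_mx(SITE_B))  # the pref-50 relay is rank 2, i.e. a secondary
    print(worm_hits_by_rank(SITE_A, LOG, "WORM_MIMAIL.A"))
```
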
This archive was generated by hypermail 2b30 : Wed Aug 06 2003 - 16:28:25 PDT