mail servers


From: John Sinteur
Subject: mail servers
Date: 06:55 on 23 Oct 2006
There's a worm out there, a new one in the Win32/Stration family. You  
can read about it here:

http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=58375

There's no new hate in yet another windows worm, of course.

This one mass-mails itself to e-mail addresses harvested from the  
affected machine. It fakes the "from" address from a handful of domains.

One of these domains is mine. Still no new hate, because this domain  
is a spam magnet. It is "niet.com", and "niet" is the Dutch  
equivalent of "not", sort of. It is often used by the Dutch when  
filling out web forms that require an e-mail address, and you end up  
with addresses like "liever@xxxx.xxx" which means something like  
"rather@xxx.xxx". There are plenty of far more creative, in a not- 
safe-for-work kinda way, expressions used in these made-up e-mail  
addresses. There are two kinds of email coming in to the niet.com  
mailserver: a small handful of confirmation messages ("click here to  
confirm that this is indeed a valid email address so we can activate  
your account") or far, far, far, far more frequently, email  
newsletters by companies that don't believe in double-opt-in.

So now this mail server is swamped with non-delivery reports. As we  
all know there is anti-virus out there that knows that this virus  
fakes the from line, and still insists on sending a non-delivery to  
the from address. Some of them helpfully include the full virus.

This, too, is an old, well-known hate.

What really gets my goat this time around is that some of these mail  
servers attempting to deliver these non-delivery reports are so  
mind-bogglingly stupid that:

1) they use the A record for "niet.com" from DNS to figure out where  
to connect to, instead of the MX record.
2) they think the "513 relaying denied" they receive from the machine  
pointed to by the A record is a temporary error, and will try again  
and again and again. As in, giving me a six-digit line count when I  
grep for this error in my daily log files.

As to the idiots who wrote these mail servers, I'd like to get their  
attention to the relevant RFCs, preferably by wrapping them around a  
steel bar and applying it rectally.

I removed the A record for now, and the delivery attempts have died  
down. I'll have to check the logs on the machine that is the MX to  
see if these brain-dead mail servers use the MX record as a fall-back  
attempt to deliver mail, but it would not surprise me. In the  
meantime, the MX machine for the domain is so busy it gives "4xx too  
busy" errors every now and then. Luckily it is serving only this  
domain, and just accepts and stores everything. I'd hate to think  
what it would go through if it also had to run spamassassin or a  
virus check on each incoming message.

-John
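The two failures John describes (using the A record when an MX exists, and retrying a 5xx reply as if it were temporary) are exactly what RFC 5321 section 5.1 and section 4.2.1 rule out. The following is an added example, not code from the post or from any of the mail servers it complains about: a minimal, offline model of how a compliant queue runner picks delivery targets and decides whether to retry. The DNS data, domain names and addresses are constructed for illustration; a real MTA would query a resolver instead of the dictionary below.

```python
"""Added example: RFC 5321 target selection and reply-code handling.

The DNS records here are constructed stand-ins (hypothetical domains under
.test and RFC 5737 documentation addresses), not real lookups.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MX:
    preference: int
    exchange: str


# Constructed resolver output. Note that example.test has BOTH an A record
# (a web host) and MX records; mail must go to the MX hosts, never the A host.
DNS = {
    "example.test": {
        "MX": [MX(20, "mx2.example.test."), MX(10, "mx1.example.test.")],
        "A": ["192.0.2.10"],
    },
    # No MX at all: RFC 5321 s5.1 says treat the A/AAAA host as an implicit
    # MX with preference 0. This is the ONLY case where the A record is used.
    "nomx.example.test": {"MX": [], "A": ["192.0.2.20"]},
    # "Null MX" (RFC 7505): a single MX of "." at preference 0 means the
    # domain accepts no mail; the A record is irrelevant.
    "nullmx.example.test": {"MX": [MX(0, ".")], "A": ["192.0.2.30"]},
}


def delivery_targets(domain: str) -> list[str]:
    """Return the hosts to try, in order, for mail to `domain`."""
    rr = DNS.get(domain, {})
    mxs = rr.get("MX", [])
    if not mxs:
        return list(rr.get("A", []))  # implicit MX fallback only when no MX exists
    if len(mxs) == 1 and mxs[0].exchange == ".":
        return []  # null MX: do not attempt delivery at all
    return [mx.exchange for mx in sorted(mxs, key=lambda m: m.preference)]


def classify_reply(code: int) -> str:
    """Map an SMTP reply code to the queue runner's action (RFC 5321 s4.2.1).

    2yz: delivered.  4yz: transient failure, keep in queue and retry later.
    5yz: permanent failure, remove from queue and generate a single bounce.
    A "relaying denied" 5xx falls in the last class; retrying it is a bug.
    """
    first = code // 100
    if first == 2:
        return "delivered"
    if first == 4:
        return "retry"
    if first == 5:
        return "bounce"
    raise ValueError(f"not a valid SMTP reply code: {code}")


def attempts_until_final(replies: list[int]) -> int:
    """Simulate a compliant queue: count attempts made before the message
    reaches a final state. Only 4yz replies cause another attempt."""
    attempts = 0
    for code in replies:
        attempts += 1
        if classify_reply(code) != "retry":
            break
    return attempts


if __name__ == "__main__":
    print(delivery_targets("example.test"))      # MX hosts, not the A record
    print(classify_reply(550))                   # bounce, do not retry
    print(attempts_until_final([451, 451, 550, 550, 550]))  # 3: stops at 550
```

The key check for the retry bug is the first digit only: anything in the 5yz range is final, regardless of the enhanced status code or text that follows it, so a queue that keeps the message after a 5xx reply is non-compliant no matter how long its retry interval is.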
