There's a worm out there, a new one in the Win32/Stration family. You can read about it here: http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=58375

There's no new hate in yet another Windows worm, of course. This one mass-mails itself to e-mail addresses harvested from the affected machine. It fakes the "from" address from a handful of domains. One of these domains is mine.

Still no new hate, because this domain is a spam magnet. It is "niet.com", and "niet" is the Dutch equivalent of "not", sort of. It is often used by the Dutch when filling out web forms that require an e-mail address, and you end up with addresses like "liever@xxxx.xxx" which means something like "rather@xxx.xxx". There are plenty of far more creative, in a not-safe-for-work kinda way, expressions used in these made-up e-mail addresses. There are two kinds of e-mail coming in to the niet.com mail server: a small handful of confirmation messages ("click here to confirm that this is indeed a valid e-mail address so we can activate your account") or, far, far, far, far more frequently, e-mail newsletters by companies that don't believe in double opt-in.

So now this mail server is swamped with non-delivery reports. As we all know, there is anti-virus out there that knows that this virus fakes the from line, and still insists on sending a non-delivery report to the from address. Some of them helpfully include the full virus. This, too, is an old, well-known hate.

What really gets my goat this time around is that some of these mail servers attempting to deliver these non-delivery reports are so mind-bogglingly stupid that:

1) they use the A record for "niet.com" from DNS to figure out where to connect to, instead of the MX record.

2) they think the "513 relaying denied" they receive from the machine pointed to by the A record is a temporary error, and will try again and again and again. As in, giving me a six-digit line count when I grep for this error in my daily log files.
As to the idiots who wrote these mail servers, I'd like to get their attention to the relevant RFCs, preferably by wrapping them around a steel bar and applying it rectally.

I removed the A record for now, and the delivery attempts have died down. I'll have to check the logs on the machine that is the MX to see if these brain-dead mail servers use the MX record as a fall-back attempt to deliver mail, but it would not surprise me. In the meantime, the MX machine for the domain is so busy it gives "4xx too busy" errors every now and then. Luckily it is serving only this domain, and just accepts and stores everything. I'd hate to think what it would go through if it also had to run spamassassin or a virus check on each incoming message.

-John
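The two mistakes John describes (connecting to the A record instead of the MX, and retrying a 5yz reply as if it were temporary) are both spelled out in RFC 2821, section 5 and section 4.2.1. The following is an added example, not code from the post or from any of the mail servers it complains about: a sender-side target selection and reply-classification routine written the way the RFC says it should be done. The DNS answers are constructed (hostnames under example.net) and are not niet.com's real records; `FAKE_DNS`, `lookup`, `delivery_targets`, `classify_reply`, `should_retry` and `deliver` are all names chosen here.

```python
"""
RFC 2821-style delivery target selection and reply handling for an SMTP
client. Added example, not the original post's code. The zone data below
is constructed and stands in for what a real resolver would return.
"""
from typing import Callable, Dict, List, Tuple

# Constructed DNS answers (not niet.com's real records): per name, the MX
# list as (preference, exchanger) and the A list as dotted-quad strings.
FAKE_DNS: Dict[str, Dict[str, list]] = {
    "niet.com":         {"MX": [(20, "mx2.example.net"), (10, "mx1.example.net")],
                         "A": ["192.0.2.10"]},
    "nomx.example.org": {"MX": [], "A": ["198.51.100.7"]},
    "mx1.example.net":  {"MX": [], "A": ["203.0.113.1"]},
    "mx2.example.net":  {"MX": [], "A": ["203.0.113.2"]},
}


def lookup(name: str, rtype: str) -> list:
    """Stand-in resolver: returns the constructed records for name/rtype."""
    return list(FAKE_DNS.get(name, {}).get(rtype, []))


def delivery_targets(domain: str, resolve: Callable = lookup) -> List[str]:
    """Hosts to try, in order, per RFC 2821 section 5.

    MX records win. The A record is consulted only when the domain has no
    MX records at all; then the domain itself is treated as an implicit MX
    with preference 0. A sender that connects to the A-record host while MX
    records exist is the misbehaviour described in the post.
    """
    mx = resolve(domain, "MX")
    if mx:
        # Lowest preference value is tried first.
        return [host for _, host in sorted(mx, key=lambda rec: rec[0])]
    if resolve(domain, "A"):
        return [domain]        # implicit MX: the domain itself
    return []                  # no MX and no A: nothing to connect to


def classify_reply(line: str) -> str:
    """Classify an SMTP reply by its first digit (RFC 2821 section 4.2.1).

    4yz is a transient failure (try again later); 5yz is a permanent
    failure and must not be retried for the same message. The
    "513 relaying denied" from the post is 5yz.
    """
    code = line[:3]
    if len(code) != 3 or not code.isdigit():
        raise ValueError(f"malformed SMTP reply: {line!r}")
    return {"2": "success", "3": "intermediate",
            "4": "transient", "5": "permanent"}.get(code[0], "unknown")


def should_retry(line: str) -> bool:
    """Only a transient (4yz) reply justifies another delivery attempt."""
    return classify_reply(line) == "transient"


def deliver(domain: str, reply_for: Callable[[str], str],
            resolve: Callable = lookup) -> Tuple[str, str]:
    """Walk the targets: 2yz delivers, 4yz moves on to the next host (and
    defers the message if every host is busy), 5yz is final.

    reply_for(host) stands in for the SMTP conversation and returns the
    server's reply line for that host; it is injected so the example runs
    offline.
    """
    targets = delivery_targets(domain, resolve)
    if not targets:
        return ("bounced", "no-such-domain")
    for host in targets:
        kind = classify_reply(reply_for(host))
        if kind == "success":
            return ("delivered", host)
        if kind == "permanent":
            return ("bounced", host)   # do not queue and retry a 5yz
    return ("deferred", targets[-1])   # all hosts answered 4yz: retry later


if __name__ == "__main__":
    # Constructed replies: the primary MX is busy (as John's MX is), the
    # secondary accepts the message.
    replies = {"mx1.example.net": "451 4.3.2 too busy",
               "mx2.example.net": "250 OK"}
    print(delivery_targets("niet.com"))
    print(deliver("niet.com", replies.__getitem__))
    print(deliver("niet.com", lambda host: "513 relaying denied"))
```

The point of `deliver` is the asymmetry between the two failure classes: a 4yz reply from one MX moves on to the next preference and, if all are busy, the message is queued for a later attempt, whereas a single 5yz reply ends the attempt and the message is bounced once. A sender that queues a 5yz and retries it produces exactly the six-digit line counts the post describes.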
Generated at 07:01 on 24 Oct 2006 by mariachi 0.52