[Esd-l] DNSBL? (was: Re: Weird thing about the Swen worm)

Jeffrey H. Johnson jeff at cqasys.com
Sun Sep 21 12:21:09 PDT 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> OK, guys, this is weird. We, like most other ISPs, are getting deluged 
> with copies of the Swen worm. But for some reason, it appears that a 
> large percentage of the copies -- at least 60% -- are coming to ME, 
> personally. 
> [snip]  -- Brett Glass

> I concur. At work the first sign of Swen was a lot of attacks
> directed at my email address - not to others in my office and our
> clients, as I normally see with worms.
> [snip]  -- John Hardin 

It seems that some versions of Outlook Express or Outlook are configured
to add your e-mail address to the address book automatically when responding
to a message.

I've noticed a pattern between posting on Usenet and mailing lists and 
receiving copies of the virus.  The virus uses random e-mail addresses
and most of the attachments I'm getting back are bounces.  

What's probably happening is that your e-mail address was chosen by the
worm and a copy of it was sent to everyone in the address book, so broken
or misconfigured MTAs are sending the bounce, complete with attachment,
back to you, as the "Sender".  I even get bounces caused by virus scanners
that send back the virus infected attachment to me, as it was my e-mail
listed as the "From:" address.  

I've been getting lots of Swen here; 350 messages per day since yesterday.

I'm blocking all of these misconfigured sites here, and I wish there was
some sort of public DNSBL available.  It might be an interesting project
to create a DNSBL and an automated test suite using the EICAR test code.

A message could be sent to a non-existent address, with the EICAR string
attached as a .COM file, and sent using MIME/Base64 and UU encoding to
the MTA, using a different, but monitored, From: address header.  If the
EICAR "infected" attachment is returned intact, the MTA IP
should be added to the DNSBL.  A web interface could be provided to 
allow mail admins to schedule their servers for retesting.  

I wonder if this would be considered too intrusive by most admins - I 
wouldn't mind since the test strings are small, would use less bandwidth 
than most of the open relay testers, and the harmless EICAR code would
be destined to a non-existent mailbox.  I'd like some comments on this.

- -- 
Jeff Johnson
jeff at cqasys.com

Expect the worst, it's the least you can do.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.3-dev

iD8DBQE/bfol+kOlYvxmiZYRAszXAKCHTj0HoqxeUQECGZM0d4hny/3LDgCfdQI5
zV14WU+J6DDaIZRykO30c1Y=
=Z3mb
-----END PGP SIGNATURE-----
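The probe-and-check procedure proposed in the message above, written out as an added example; it is not part of the original post and not anyone's real test suite. Everything that is not in the post is an assumption: the monitored domain dnsbl-test.example, the probe-id scheme used to correlate bounces, the choice of the topmost Received: header (the one our own MX adds) as the source of the IP to list, and the locally constructed "bounce" that stands in for what a remote MTA would actually send back. Both encodings the post mentions are covered: EICAR as a MIME/Base64 .COM attachment, and EICAR uuencoded inline in the body.

```python
"""Added example, not from the original post: build an EICAR bounce probe for
one MTA and decide from the returned bounce whether the attachment came back
intact.  Domain names, probe ids and the simulated bounce are constructed
for illustration.  Runs offline; nothing is sent over SMTP."""
import binascii
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# The 68-byte EICAR anti-virus test string: harmless, but every scanner flags it.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

MONITORED_DOMAIN = "dnsbl-test.example"   # assumed: where the probe From: addresses land
IP_IN_RECEIVED = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def uuencode(data: bytes, name: str) -> str:
    """Classic uuencode: begin/end wrapper, 45 input bytes per line."""
    lines = [f"begin 644 {name}\n"]
    for i in range(0, len(data), 45):
        lines.append(binascii.b2a_uu(data[i:i + 45], backtick=True).decode("ascii"))
    lines.append("`\nend\n")
    return "".join(lines)


def uudecode_blocks(text: str) -> list:
    """Decoded payload of every begin/end uuencoded block found in text."""
    blocks, current = [], None
    for line in text.splitlines():
        if line.startswith("begin "):
            current = bytearray()
        elif current is not None and line == "end":
            blocks.append(bytes(current))
            current = None
        elif current is not None and line and line != "`":
            try:
                current += binascii.a2b_uu(line)
            except binascii.Error:
                pass  # corrupted line: the block simply will not match EICAR
    return blocks


def build_probe(target_host: str, probe_id: str, encoding: str = "base64") -> EmailMessage:
    """Probe for one MTA: EICAR as a .COM attachment, sent to a mailbox that does
    not exist, with a unique monitored From: so any bounce can be matched."""
    msg = EmailMessage()
    msg["From"] = f"probe-{probe_id}@{MONITORED_DOMAIN}"     # assumed address scheme
    msg["To"] = f"no-such-user-{probe_id}@{target_host}"
    msg["Subject"] = f"bounce probe {probe_id}"
    if encoding == "base64":
        msg.set_content("Bounce probe; this mailbox does not exist.")
        msg.add_attachment(EICAR, maintype="application", subtype="octet-stream",
                           filename="eicar.com")            # MIME/Base64 attachment
    elif encoding == "uuencode":
        msg.set_content("Bounce probe; this mailbox does not exist.\n\n"
                        + uuencode(EICAR, "eicar.com"))     # inline uuencoded attachment
    else:
        raise ValueError(encoding)
    return msg


def analyze_bounce(raw: bytes) -> dict:
    """Did the bounce return the EICAR payload intact?  Also recovers the probe id
    from the bounce recipient and the relay IP from the topmost Received: header,
    which is the one our own MX stamped on the bounce when it arrived."""
    bounce = BytesParser(policy=policy.default).parsebytes(raw)
    received = bounce.get_all("Received") or []
    ip = IP_IN_RECEIVED.search(received[0]) if received else None
    pid = re.search(r"probe-([^@]+)@", bounce.get("To", ""))
    intact = False
    for part in bounce.walk():
        if part.is_multipart():
            continue                                # walk() descends into message/rfc822
        payload = part.get_payload(decode=True) or b""
        if EICAR in payload:                        # base64/qp-decoded MIME part
            intact = True
        elif part.get_content_maintype() == "text":
            text = payload.decode("ascii", "replace")
            if any(EICAR in b for b in uudecode_blocks(text)):
                intact = True
    return {"probe_id": pid.group(1) if pid else None,
            "relay_ip": ip.group(1) if ip else None,
            "returned_intact": intact}


def simulated_bounce(probe: EmailMessage, relay_ip: str, keep_original: bool = True) -> bytes:
    """Constructed stand-in for a remote MTA's bounce: a DSN-style message that
    either returns the whole original (misconfigured) or strips it (well behaved)."""
    dsn = EmailMessage()
    dsn["Received"] = (f"from mail.target.example (mail.target.example [{relay_ip}]) "
                       f"by mx.{MONITORED_DOMAIN} with ESMTP; Sun, 21 Sep 2003 12:00:00 -0700")
    dsn["From"] = "MAILER-DAEMON@target.example"
    dsn["To"] = str(probe["From"])
    dsn["Subject"] = "Undelivered Mail Returned to Sender"
    dsn.set_content("The mail system: user unknown.")
    if keep_original:
        dsn.add_attachment(probe)                   # message/rfc822, attachment and all
    return dsn.as_bytes()


if __name__ == "__main__":
    for enc in ("base64", "uuencode"):
        probe = build_probe("target.example", f"a1b2-{enc}", enc)
        bad = analyze_bounce(simulated_bounce(probe, "192.0.2.10"))
        good = analyze_bounce(simulated_bounce(probe, "192.0.2.20", keep_original=False))
        print(enc, "list:", bad["relay_ip"] if bad["returned_intact"] else None,
              "| clean:", good["relay_ip"], good["returned_intact"])
```

In a real deployment the bounce arrives in the monitored mailbox rather than from simulated_bounce, and the listing decision would be the relay IP of any bounce whose returned_intact is true. The check deliberately decodes every leaf part and also scans text bodies for uuencoded blocks, because a bounce that quotes the original inline as text carries the payload just as well as one that wraps it in message/rfc822.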