[Esd-l] DNSBL? (was: Re: Weird thing about the Swen worm)
Jeffrey H. Johnson
jeff at cqasys.com
Sun Sep 21 12:21:09 PDT 2003
-----BEGIN PGP SIGNED MESSAGE-----
> OK, guys, this is weird. We, like most other ISPs, are getting deluged
> with copies of the Swen worm. But for some reason, it appears that a
> large percentage of the copies -- at least 60% -- are coming to ME,
> [snip] -- Brett Glass
> I councur. At work the first sign of Swen was a lot of attacks
> directed at my email address - not to others in my office and our
> clients, as I normally see with worms.
> [snip] -- John Hardin
It seems that some versions of Outlook Express or Outlook are configured
to add your e-mail address to the address book automaticly when responding
to a message.
I've noticed a pattern between posting on Usenet and mailing lists and
receiving copies of the virus. The viruses uses random e-mail addresses
and most of the attachments I'm getting back are bounces.
What's probably happening is that your e-mail address was chosen by the
worm and a copy of it was sent to everyone in the address book, so broken
or misconfigured MTA's are sending the bounce, complete with attachment,
back to you, as the "Sender". I even get bounces caused by virus scanners
that send back the virus infected attachment to me, as it was my e-mail
listed as the "From:" address.
I've been getting lots of Swen here; 350 messages per day since yesterday.
I'm blocking all of these misconfigured sites here, and I wish there was
some sort of public DNSBL available. It might be an interesting project
to create a DNSBL and an automated test suite using the EICAR test code.
A message could be sent to a non-existant address, with the EICAR string
attached as a .COM file, and sent using MIME/Base64 and UU encoding to
the MTA, using different, but monitored From: address header. If the
EICAR infected virus is returned with the attachment intact, the MTA IP
should be added to the DNSBL. A web interface could be provided to
allow mail admins to schedule their servers for retesting.
I wonder if this would be considered too intrusive by most admins - I
wouldn't mind since the test strings are small, would use less bandwidth
than most of the open relay testers, and the harmles EICAR code would
be destined to a non-existant mailbox. I'd like some comments on this.
jeff at cqasys.com
Expect the worst, it's the least you can do.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.3-dev
-----END PGP SIGNATURE-----
More information about the esd-l