Open Source and information security mailing list archives
From: ragdelaed at catholic.org (ragdelaed)
Subject: Partial protection against MyDoom

If you look at the source, it's not using MX records. It's guessing.

It gets the domain name, then prepends mx., mail., smtp., mx1., mxs.,
mail1., relay., ns., and gate. to the domain name and sends itself off.
Since most companies call their smtp outbounds relay or smtp or mail,
then it gets lucky. A lot.

Sux, but it's kinda smart.

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Tomasz Grabowski
Sent: Thursday, February 12, 2004 7:44 PM
To: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] Partial protection against MyDoom


Hello.

I have not been able to find similar information on the Internet, so I'm
posting it here. Maybe someone will find it a solution to the MyDoom
e-mail flood. But if it is already known, sorry for wasting your time.

* * *

It looks like MyDoom is not using the MX flag of a particular domain. Look
at the following example:

$ host -t ANY domain.example.com
[snip]
                        7200    ;retry refresh this often
                        3600000 ;expiration period
                        172800  ;minimum TTL
                        )
domain.example.com mail is handled (pri=0) by mail.domain.example.com

This is a common example of the configuration of a 'big' domain. You can see
that the MX for this domain is mail.domain.example.com.

There is in fact no such host as domain.example.com. If you try to
look up such a configured domain directly, you will end up with
"domain.example.com: Non-existent host".

If you have a similar situation and you are still suffering from an enormous
amount of MyDoom e-mails, you can configure your domain like this:

$ host -t ANY domain.example.com
[snip]
                        7200    ;retry refresh this often
                        3600000 ;expiration period
                        172800  ;minimum TTL
                        )
domain.example.com has address 127.0.0.1
domain.example.com mail is handled (pri=0) by mail.domain.example.com


It should not affect your domain (real SMTP servers will use the MX flag and
send e-mails to mail.domain.example.com) but MyDoom will use this
127.0.0.1 address instead, thus your domain will be protected.

Opinions are welcome.


Regards,

--
Tomasz Grabowski
Technical University of Szczecin,         +48 (91)4494234
Academic Centre of Computer Science   www.man.szczecin.pl


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
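An added audit script, not part of either post, that puts the two messages side by side: it compares where a domain's MX record sends mail with what a hostname-guessing sender (the prefix list from the reply) would actually resolve, and checks whether the bare domain is sinkholed to 127.0.0.1 as the original post proposes. The zone data is a constructed in-memory table and the resolver is injectable, so it runs offline; a real deployment would plug in a DNS library in place of make_resolver.

```python
GUESSED_PREFIXES = ("mx", "mail", "smtp", "mx1", "mxs", "mail1", "relay", "ns", "gate")

# Constructed sample zones (not real data): name -> {"A": [...], "MX": [(pri, host), ...]}.
ZONE_BEFORE = {
    "domain.example.com": {"MX": [(0, "mail.domain.example.com")]},
    "mail.domain.example.com": {"A": ["192.0.2.25"]},
    "relay.domain.example.com": {"A": ["192.0.2.26"]},
}
# The same zone after the change proposed in the post: bare domain gets A 127.0.0.1.
ZONE_AFTER = {
    **ZONE_BEFORE,
    "domain.example.com": {"A": ["127.0.0.1"], "MX": [(0, "mail.domain.example.com")]},
}


def make_resolver(zone):
    """Build a lookup function over an in-memory zone (assumed stand-in for real DNS)."""
    def resolve(name, rtype):
        return list(zone.get(name, {}).get(rtype, []))
    return resolve


def is_loopback(addr):
    return addr.startswith("127.")


def audit_domain(domain, resolve):
    """Compare where MX says mail goes with what a hostname-guessing sender would hit."""
    mx_hosts = sorted(resolve(domain, "MX"))
    mx_names = {host for _, host in mx_hosts}
    bare_a = resolve(domain, "A")
    guessed = {}
    for prefix in GUESSED_PREFIXES:
        name = f"{prefix}.{domain}"
        addrs = resolve(name, "A")
        if addrs:
            guessed[name] = addrs
    return {
        "mx": mx_hosts,
        "bare_domain_a": bare_a,
        # True only once the bare domain resolves exclusively to loopback (the post's mitigation).
        "bare_domain_sinkholed": bool(bare_a) and all(is_loopback(a) for a in bare_a),
        # Guessed names that resolve but are not MX hosts: extra targets a guessing sender reaches.
        "guessed_non_mx_hosts": sorted(n for n in guessed if n not in mx_names),
    }


if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        print(label, audit_domain("domain.example.com", make_resolver(zone)))
```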


