SMTP innovations for virii

It took a long time, but finally an email-borne virus has bypassed the MX records for a domain, where there is an anti-spam, anti-virus and anti-mail scanner, and delivered itself directly to the target server. This was a very obvious thing to do, but for some reason, it hasn’t happened before – presumably because virus writers have been busy reaping the low-hanging fruit, or just maybe because they didn’t realise just how many domains deliver mail to a server with an easily guessable name.

This is what the virus smelled like:

Subject: [virus Win32/Merond.O worm]
You have received A Hallmark E-Card!
Date: Wed, 17 Nov 2010 09:27:45 +0200

In the mail log, it looked like this:

2010-11-17 09:28:01 [15397] 1PIcQq-00040L-2X <= e-cards@hallmark.com H=(hallmark.com) [4.3.90.120]:61593 I=[19.3.40.91]:25 P=esmtp S=686941 T="You have received A Hallmark E-Card!" from for shaun@it.co.za

Avira has a nice rundown of the virus (http://www.avira.com/en/support-threats-description/tid/5101/worm_merond.o.html), though they don’t seem to have noticed this about the SMTP engine.
How do we work around this, and encourage our visiting viruses to send themselves via the well armoured front door, with its scanner, and avoid the back door which has no protections?

  • We could add some rules to accept SMTP only from the scanner (pretty complex rules those would be). That’s not going to happen.
  • We could firewall port 25, but there is enough mail that delivers directly to make this impractical.
  • We could drop the A-record for the domain, which might be what the SMTP engine used, but the www. and mail. records would work just as well.
  • We could move the mail server to a different address that is not as easy to guess.
  • We could put in a transparent proxy server of some sort to enforce the policy.

All of those ideas work well for one or two domains, but for a few thousand domains all of them are a stack of work, so none of them work. So what we will probably do is wait for all the Windows desktops in the world to catch viruses and die …<sigh/> Alternatively, it is just possible that the virus did an A-record lookup after failing the MX record lookup, and this posting serves only to let the cat out of the /bin.
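Short of blocking the back door, the thing that does scale to a few thousand domains is at least noticing when it is used. The following is an added example, not code from the original post: it parses Exim arrival ("<=") lines in the format quoted above and flags messages whose delivering host is not one of the scanner's addresses. The scanner network and the sample log lines are constructed for the example; substitute the real gateway addresses.

```python
import re
from ipaddress import ip_address, ip_network

# Exim "<=" (message arrival) line, modelled on the log line quoted in the post.
# Fields: timestamp, optional pid, message id, envelope sender, H= host/HELO/ip, I= local ip.
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?:\[\d+\] )?(?P<msgid>\S+) <= (?P<sender>\S+) "
    r"H=(?:(?P<host>[^\s(\[]+) )?(?:\((?P<helo>[^)]*)\) )?"   # host, then HELO in parens
    r"\[(?P<ip>[^\]]+)\](?::\d+)?"                           # remote [ip]:port
    r"(?: I=\[(?P<local_ip>[^\]]+)\](?::(?P<local_port>\d+))?)?"
)

# Addresses of the anti-spam/anti-virus gateway(s) that the MX records point at.
# Constructed placeholder for this example, not a real scanner address.
SCANNER_NETS = [ip_network("198.51.100.0/24")]


def parse_arrival(line):
    """Return the fields of an Exim '<=' line as a dict, or None for any other line."""
    m = ARRIVAL_RE.match(line)
    return m.groupdict() if m else None


def bypassed_scanner(fields, scanner_nets=SCANNER_NETS):
    """True when the delivering host is not inside any of the scanner networks."""
    src = ip_address(fields["ip"])
    return not any(src in net for net in scanner_nets)


def find_backdoor_deliveries(lines, scanner_nets=SCANNER_NETS):
    """Return (msgid, sender, helo, ip) for every message that skipped the MX scanner."""
    hits = []
    for line in lines:
        fields = parse_arrival(line)
        if fields and bypassed_scanner(fields, scanner_nets):
            hits.append((fields["msgid"], fields["sender"], fields["helo"], fields["ip"]))
    return hits


# Constructed sample log: the first line mirrors the post's entry (direct delivery),
# the second arrived via the scanner, the third is a delivery line the parser must ignore.
SAMPLE_LOG = [
    '2010-11-17 09:28:01 [15397] 1PIcQq-00040L-2X <= e-cards@hallmark.com H=(hallmark.com) '
    '[4.3.90.120]:61593 I=[19.3.40.91]:25 P=esmtp S=686941 T="You have received A Hallmark E-Card!"',
    '2010-11-17 09:30:12 [15402] 1PIcSx-00041Q-7A <= alice@example.org H=mx1.scanner.example '
    '[198.51.100.10]:40012 I=[19.3.40.91]:25 P=esmtps S=2048 T="Re: invoice"',
    '2010-11-17 09:31:00 [15410] 1PIcT8-00041Z-1B => shaun@it.co.za R=local T=maildir',
]

if __name__ == "__main__":
    for msgid, sender, helo, ip in find_backdoor_deliveries(SAMPLE_LOG):
        print(f"{msgid}: direct delivery from {ip} (HELO {helo}) claiming {sender}")
```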
