----- Original Message ----- From: "Russ Uhte (Lists)" <[EMAIL PROTECTED]>

> At 12:17 PM 6/15/2004, Matt wrote:
> >This domain was recently moved to our DNS and I suspect that someone at
> >their old DNS hosting provider is infected and using their old unremoved
> >DNS entries and that is why they are bypassing us. Note though that some
> >spammers are definitely caching old lookups in their spamware, which is why
> >I thought it might be possible that a virus was doing this as well.
>
> I just want to interject that I'm seeing this behavior a bunch, specifically
> with the Zafi worm. I moved to two postfix boxes to do my gatewaying many
> months ago, and I still occasionally get virii coming directly into my
> Imail box. I don't have the luxury of shutting off SMTP to my Imail box
> because I have some remote users that connect to it to send email.

I see this with Zafi as well. This is from another list regarding Zafi:

=====
This Hungarian-originated virus initiates a dictionary attack on domain names that it finds on the infected machine. It does not use DNS to find the MX records, but instead guesses the host name (such as 'mail' or 'mx'), prepends it to the domain name, and then proceeds with its dirty work using Hungarian-sounding names.
=====

Thus this particular virus will bypass gateway machines and send directly to the hostname's "A" record, which is typically pointed at the IMail server so that customers can reach the IMail server via their e-mail clients. That's one of the reasons why we do virus scanning on both our gateway machines and our IMail servers.

Bill

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
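The host-guessing behaviour the quoted Zafi note describes, worked through as an added example (this is not code from the thread, from Declude, or from any Zafi analysis). It models the two delivery paths side by side: what a standards-following MTA does (MX lookup, then the A records of the MX targets) versus what the worm does (prepend a guessed label such as 'mail' or 'mx' to the domain and connect to whatever A record answers), and reports every guessed host that would receive mail without passing through an MX gateway. The DNS zone is a constructed in-memory sample so it runs offline; the post names only 'mail' and 'mx', so the extra labels 'smtp', 'mx1' and 'mail1' are an assumed worm dictionary. The second sample domain, which has an A record but no MX at all, goes slightly beyond the post to show that a domain with no gateway in DNS is fully exposed.

```python
from dataclasses import dataclass

# Assumed worm dictionary: the post names only 'mail' and 'mx'; the rest
# are plausible guesses added for the example.
GUESSED_LABELS = ("mail", "mx", "smtp", "mx1", "mail1")


@dataclass(frozen=True)
class Zone:
    """Minimal in-memory DNS data: A records and MX records, keyed by lower-cased name."""
    a: dict
    mx: dict

    def resolve_a(self, name: str):
        return self.a.get(name.lower().rstrip("."))

    def mx_hosts(self, domain: str):
        # MX targets in preference order, as a real MTA would try them.
        return [host for _, host in sorted(self.mx.get(domain.lower(), []))]


def worm_targets(zone: Zone, domain: str, labels=GUESSED_LABELS):
    """Hosts a Zafi-style dictionary attack would actually connect to.

    No MX lookup at all: each label is prepended to the domain and the
    A record, if one exists, is used directly.  Returns [(host, ip), ...].
    """
    hits = []
    for label in labels:
        host = f"{label}.{domain}".lower()
        ip = zone.resolve_a(host)
        if ip is not None:
            hits.append((host, ip))
    return hits


def mta_targets(zone: Zone, domain: str):
    """IPs a standards-following MTA delivers to: the A records of the MX targets."""
    return {zone.resolve_a(h) for h in zone.mx_hosts(domain)} - {None}


def bypass_exposure(zone: Zone, domain: str, labels=GUESSED_LABELS):
    """Guessed hosts that accept direct delivery without touching an MX gateway.

    A guessed name that resolves to one of the gateway IPs is harmless (the
    gateway scans that traffic anyway).  Anything else is a box the gateway
    never sees, so it needs its own virus scanning or a firewall rule that
    limits inbound port 25 to the gateways plus authenticated submission.
    """
    gateway_ips = mta_targets(zone, domain)
    return {host: ip for host, ip in worm_targets(zone, domain, labels)
            if ip not in gateway_ips}


# Constructed sample zone (not real data): two postfix gateways in MX,
# the IMail box reachable as mail.example.com so customers' clients can
# find it, smtp.example.com as an alias for a gateway, and example.org
# with an A record but no MX record at all.
SAMPLE_ZONE = Zone(
    a={
        "gw1.example.com": "203.0.113.10",
        "gw2.example.com": "203.0.113.11",
        "mail.example.com": "203.0.113.20",   # IMail server, direct A record
        "smtp.example.com": "203.0.113.10",   # same box as gw1, so not exposed
        "mail.example.org": "198.51.100.5",   # no MX for this domain
    },
    mx={
        "example.com": [(10, "gw1.example.com"), (20, "gw2.example.com")],
    },
)


if __name__ == "__main__":
    for domain in ("example.com", "example.org"):
        print(domain, "MX delivery ->", sorted(mta_targets(SAMPLE_ZONE, domain)))
        print(domain, "worm would hit ->", worm_targets(SAMPLE_ZONE, domain))
        print(domain, "bypass exposure ->", bypass_exposure(SAMPLE_ZONE, domain))
```

Run against a real zone, the `Zone` stub would be replaced by live A and MX lookups; the logic stays the same. The useful output is `bypass_exposure`: for the sample it flags mail.example.com (the IMail box) but not smtp.example.com, because the latter lands on a gateway IP and is scanned regardless of how the sender found it.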
