There's a worm out there, a new one in the Win32/Stration family. You
can read about it here:
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=58375
There's no new hate in yet another Windows worm, of course.
This one mass-mails itself to e-mail addresses harvested from the
affected machine. It fakes the "from" address from a handful of domains.
One of these domains is mine. Still no new hate, because this domain
is a spam magnet. It is "niet.com", and "niet" is the Dutch
equivalent of "not", sort of. It is often used by the Dutch when
filling out web forms that require an e-mail address, and you end up
with addresses like "[email protected]" which means something like
"[email protected]". There are plenty of far more creative, in a not-
safe-for-work kinda way, expressions used in these made-up e-mail
addresses. There are two kinds of email coming in to the niet.com
mailserver: a small handful of confirmation messages ("click here to
confirm that this is indeed a valid email address so we can activate
your account") or far, far, far, far more frequently, email
newsletters by companies that don't believe in double-opt-in.
So now this mail server is swamped with non-delivery reports. As we
all know there is anti-virus out there that knows that this virus
fakes the from line, and still insists on sending a non-delivery to
the from address. Some of them helpfully include the full virus.
This, too, is an old, well-known hate.
What really gets my goat this time around is that some of these mail
servers attempting to deliver these non-delivery reports are so mind-
bogglingly stupid that:
1) they use the A record for "niet.com" from DNS to figure out where
to connect to, instead of the MX record.
2) they think the "513 relaying denied" they receive from the machine
pointed to by the A record is a temporary error, and will try again
and again and again. As in, giving me a six digit line count when I
grep for this error in my daily log files.
As to the idiots who wrote these mail servers, I'd like to get their
attention to the relevant RFCs, preferably by wrapping them around a
steel bar and applying it rectally.
I removed the A record for now, and the delivery attempts have died
down. I'll have to check the logs on the machine that is the MX to
see if these brain-dead mail servers use the MX record as a fall-back
attempt to deliver mail, but it would not surprise me. In the meantime,
the MX machine for the domain is so busy it gives "4xx too
busy" errors every now and then. Luckily it is serving only this
domain, and just accepts and stores everything. I'd hate to think
what it would go through if it also had to run spamassassin or a
virus check on each incoming message.
-John
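The two failures John lists (delivering to the A record instead of the MX, and treating a 5xx as a temporary error) and the backscatter from scanners that bounce a known worm to its forged sender all come down to three rules an MTA is supposed to follow. The following is an added example, not John's code and not taken from any real mail server: it shows the correct behaviour as RFC 5321 (which restates RFC 2821 on these points) describes it in sections 5.1 and 4.2.1, using a constructed in-memory DNS table and a constructed reply callback so it runs offline. All host names and addresses in it are made up; only "niet.com" comes from the post.

```python
"""Added example: RFC 5321 delivery-target selection, reply-code handling
and a no-backscatter bounce policy, with constructed data (not from the post)."""
from typing import Callable, Dict, List, Tuple

# Constructed DNS table (not real records): domain -> record sets.
# "niet.com" is the domain from the post; the MX hosts and IPs are made up.
FAKE_DNS: Dict[str, Dict[str, list]] = {
    "niet.com": {"MX": [(20, "mx2.example.net"), (10, "mx1.example.net")],
                 "A": ["192.0.2.10"]},   # the A record John removed
    "nomx.example": {"A": ["192.0.2.20"]},
    "mx1.example.net": {"A": ["192.0.2.1"]},
    "mx2.example.net": {"A": ["192.0.2.2"]},
}


def delivery_targets(domain: str, dns: Dict[str, Dict[str, list]] = FAKE_DNS) -> List[str]:
    """RFC 5321 section 5.1: use the MX records, lowest preference first.
    The domain's own address record is an "implicit MX" and is used ONLY
    when the domain has no MX record at all. An existing A record never
    overrides an MX record, which is the first mistake John describes."""
    records = dns.get(domain, {})
    mx = records.get("MX")
    if mx:
        return [host for _, host in sorted(mx)]
    if records.get("A"):
        return [domain]
    return []


def retry_decision(code: int) -> str:
    """Classify an SMTP reply by its first digit (RFC 5321 section 4.2.1):
    2yz success, 4yz transient (queue and retry later), 5yz permanent
    (never retry; at most one DSN). Retrying a 5yz like the "513 relaying
    denied" in the post is the second mistake John describes."""
    if 200 <= code <= 299:
        return "delivered"
    if 400 <= code <= 499:
        return "retry"
    if 500 <= code <= 599:
        return "bounce"
    raise ValueError(f"not a valid SMTP reply code: {code}")


def simulate_delivery(domain: str, reply_for_host: Callable[[str], int]) -> Tuple[str, int]:
    """Walk the MX list once. A 2yz ends the attempt as delivered, a 5yz
    ends it as a permanent failure, a 4yz moves on to the next MX; if every
    MX answered 4yz the message goes back on the queue for a later retry.
    reply_for_host is a constructed stand-in for an SMTP session.
    Returns (outcome, number_of_connections_made)."""
    attempts = 0
    for host in delivery_targets(domain):
        attempts += 1
        outcome = retry_decision(reply_for_host(host))
        if outcome in ("delivered", "bounce"):
            return outcome, attempts
    return "retry", attempts


def should_send_bounce(envelope_from: str, malware_detected: bool) -> bool:
    """Scanner policy that avoids the backscatter John is receiving: a
    message identified as a worm has a forged sender (RFC 5321 section 6.2
    says not to generate notifications for such messages), and a null
    reverse-path (<>) must never be bounced to at all."""
    if envelope_from in ("", "<>"):
        return False
    return not malware_detected


if __name__ == "__main__":
    print(delivery_targets("niet.com"))        # MX hosts by preference, A ignored
    print(simulate_delivery("niet.com", lambda host: 513))   # ('bounce', 1): no retries
    print(should_send_bounce("someone@niet.com", malware_detected=True))   # False
```

The point of `simulate_delivery` is the single connection it makes on a 5xx: the six-digit grep count in the post is what you get when a sender classifies that reply as 4xx instead.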