Thursday, August 21, 2003

SoBig Worm (Why RMX is Useful)


Yet another reason why the RMX (reverse-MX) records need to be added to the DNS system and SMTP servers need to be rewritten so that they do some level of verification that the SMTP server that sends e-mail is authorized to send mail for the domain in the purported sender address. The way SoBig spreads is that it has its own built-in SMTP engine, which it uses to spread itself to other systems (hence the originating IP is that of the infected system). In addition, it forges the return e-mail address in order to make it more difficult to track down the exact PC that is infected.

If the RMX system were in place, my mail server would look at that inbound bit of e-mail, which has a forged return address, check the RMX records for the forged domain and conclude that the inbound e-mail is not valid for delivery. That would put a good dent in the ability of e-mail worms to spread themselves without leaving tracks in a company's outbound SMTP logs.
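As an added illustration (not code from the original post), here is the decision a receiving SMTP server would make under the RMX scheme described above: take the domain from the envelope return address, look up which networks are authorized to send for it, and compare against the IP that actually connected. The RMX table is a constructed stand-in for the DNS records, since the post does not give the record format, and the domains and addresses are made up for the example.

```python
import ipaddress
from typing import Optional

# Constructed stand-in for an RMX lookup: domain -> networks authorized to
# send mail for that domain. Real RMX records would live in DNS; these
# values are made up for the example.
RMX_TABLE = {
    "example.com": ["192.0.2.0/24", "198.51.100.25/32"],
    "example.net": ["203.0.113.0/26"],
}

def lookup_rmx(domain: str) -> Optional[list]:
    """Return the authorized networks for domain, or None if it publishes none."""
    return RMX_TABLE.get(domain.lower())

def sender_domain(return_path: str) -> str:
    """Extract the domain from an envelope sender such as '<user@example.com>'."""
    addr = return_path.strip().strip("<>")
    if "@" not in addr:
        raise ValueError("malformed return path: %r" % return_path)
    return addr.rsplit("@", 1)[1].lower()

def rmx_verdict(return_path: str, client_ip: str) -> str:
    """Decide what to do with an inbound message at SMTP time.

    'reject'  - the domain publishes RMX and the client IP is not listed,
                so the return address is forged (SoBig's pattern).
    'pass'    - the client IP is authorized for the domain.
    'unknown' - the domain publishes no RMX record; nothing can be concluded.
    """
    domain = sender_domain(return_path)
    networks = lookup_rmx(domain)
    if networks is None:
        return "unknown"
    ip = ipaddress.ip_address(client_ip)
    for net in networks:
        if ip in ipaddress.ip_network(net):
            return "pass"
    return "reject"

if __name__ == "__main__":
    # Constructed SoBig-style delivery: forged example.com return address
    # handed over directly by an infected PC, not by example.com's own relay.
    print(rmx_verdict("<victim@example.com>", "203.0.113.77"))      # reject
    print(rmx_verdict("<victim@example.com>", "192.0.2.10"))        # pass
    print(rmx_verdict("<someone@nothing.invalid>", "203.0.113.77"))  # unknown
```

Rejecting at SMTP time, rather than accepting and bouncing, is what prevents the bounces to forged addresses the post describes below; the 'unknown' case matters because domains that have not published RMX records cannot be treated as forged.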

I've already gotten a few hundred messages in my bulk mail folder as a result, as well as some mail bounces where the virus forged my e-mail address in the return address field. Interestingly, all of the ones that I checked came to me from the same IP address. Even more interesting is that when I plugged that particular IP address into both Google and Yahoo! I found multiple web sites over in Germany that listed that IP address in their publicly readable and indexed usage statistics pages. (The sort of pages that should be excluded from the search engine, not to mention put behind a password - unless they don't care that their competitors are able to monitor their site statistics.)

BTW, here's an excellent explanation of mail routing.


posted by Wuphon's at 4:54 PM
