Klez bypasses MX records

Kevin Darcy kcd at daimlerchrysler.com
Thu Oct 3 23:31:48 UTC 2002


Joseph S D Yao wrote:

> On Thu, Oct 03, 2002 at 10:28:16AM -0700, Roger Smith wrote:
> >
> > If this is not the right place to post this, please forgive me.
> >
> > In our escapades with the Klez virus, it appears that its client connects
> > directly to the destination SMTP server.  Since we use MX records to redirect
> > our email to our anti-virus SMTP processing server, the Klez effectively
> > bypasses that server.
> >
> > Is there a way to make sure it does not bypass our MX records or rewrite the
> > DNS to have it hit the AV server first?
>
> I would suggest not having "tcoe.org" have an A record.  Then, with
> your MX records just as they are, most mail should go directly to your
> AV server as long as it is up.
>
> If you must have "tcoe.org" point to your Web server, as it does now,
> then make sure that your mail server is not also on that machine.
> Linux boxes are inexpensive, as you know.  ;-)

I agree with the suggestion that web servers should be separated from mail
servers, but in addition to that, I think it might behoove you to actually block
port 25 to the mail server and/or configure the mail server to only accept mail
from the anti-virus scanner. Removing the A record for tcoe.org is effectively
only Security Through Obscurity, since your extranet can be scanned for port 25...


- Kevin
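An added example, not part of the thread: a small Python model of the two delivery paths discussed above (an RFC-conforming MTA following MX records versus a Klez-style client connecting straight to the domain's A record) and of the two proposed fixes. The domain, hostnames, addresses and zone data are constructed for illustration.

```python
# Added example (not from the bind-users thread). Models why an allow-list on
# the mail server's tcp/25 holds up where removing the A record does not.
# All zone data and addresses are constructed (RFC 5737 documentation ranges).

def rfc_mta_target(domain, zone):
    """Standards-conforming MTA: lowest-preference MX first; the domain's own
    A record is used only when the domain has no MX records at all."""
    mx = zone.get("mx", [])
    host = min(mx)[1] if mx else domain
    return zone["a"].get(host)

def klez_target(domain, zone):
    """Klez-style client: resolve the domain's A record and connect to it
    directly, ignoring MX records entirely."""
    return zone["a"].get(domain)

def smtp_accepts(policy, dst_ip, src_ip):
    """policy maps listener IP -> set of allowed source IPs (None = anyone).
    IPs absent from the policy have tcp/25 filtered."""
    if dst_ip is None or dst_ip not in policy:
        return False
    allowed = policy[dst_ip]
    return allowed is None or src_ip in allowed

WORM, AV, MAIL = "203.0.113.9", "192.0.2.10", "192.0.2.20"  # constructed

ZONE = {  # example.org: MX prefers the AV relay, bare A record hits the mail server
    "mx": [(10, "av.example.org"), (20, "mail.example.org")],
    "a": {"av.example.org": AV, "mail.example.org": MAIL, "example.org": MAIL},
}
OPEN_POLICY = {AV: None, MAIL: None}       # before: both accept from anyone
ALLOWLIST_POLICY = {AV: None, MAIL: {AV}}  # after: mail server trusts only the AV relay

def worm_bypasses_av(domain, zone, policy, src_ip=WORM):
    """True if a direct-to-A sender reaches a listener other than the AV relay."""
    target = klez_target(domain, zone)
    return target != AV and smtp_accepts(policy, target, src_ip)

def scanned_bypass(policy, src_ip=WORM):
    """The 'security through obscurity' case: no A record to resolve, but the
    sender learned the mail server's address by probing tcp/25, not via DNS."""
    return smtp_accepts(policy, MAIL, src_ip)
```

With the open policy the direct-to-A path lands on the mail server unscanned; with the allow-list it is refused, and it stays refused even when the address is found without DNS.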
