Klez bypasses MX records

Kevin Darcy kcd at daimlerchrysler.com
Thu Oct 3 23:37:19 UTC 2002

Kevin Darcy wrote:

> Joseph S D Yao wrote:
> > On Thu, Oct 03, 2002 at 10:28:16AM -0700, Roger Smith wrote:
> > >
> > > If this is not the right place to post this, please forgive me.
> > >
> > > In our escapades with the Klez virus, it appears that its client connects
> > > directly to the destination SMTP server.  Since we use MX records to redirect
> > > our email to our anti-virus SMTP processing server, the Klez effectively
> > > bypasses that server.
> > >
> > > Is there a way to make sure it does not bypass our MX records or rewrite the
> > > DNS to have it hit the AV server first?
> >
> > I would suggest not having "tcoe.org" have an A record.  Then, with
> > your MX records just as they are, most mail should go directly to your
> > AV server as long as it is up.
> >
> > If you must have "tcoe.org" point to your Web server, as it does now,
> > then make sure that your mail server is not also on that machine.
> > Linux boxes are inexpensive, as you know.  ;-)
> I agree with the suggestion that web servers should be separated from mail
> servers, but in addition to that, I think it might behoove you to actually block
> port 25 to the mail server and/or configure the mail server to only accept mail
> from the anti-virus scanner. Removing the A record for tcoe.org is effectively
> only Security Through Obscurity, since your extranet can be scanned for port 25...

I meant "restrict" rather than "block" of course; an SMTP server with port 25
completely blocked wouldn't be very useful...

- Kevin

More information about the bind-users mailing list