Security Basics mailing list archives
RE: Worm.SCO.A (W32/Mydoom@MM)
From: "Dan Bartley" <bartleyd () corp netcarrier com>
Date: Tue, 27 Jan 2004 21:47:13 -0500
No, NDR = Non Delivery Report. That has nothing to do with anti-virus, it is a normal function of RFC compliant email systems. Anti-virus notification means an email it believes you sent was infected. Most anti-virus software delivers the email anyway with the attachment stripped off and replaced by a notice. So NDR does not even remotely come into the picture with most anti-virus because the email is still delivered.

Turning off NDR on SMTP is contrary to RFC if I'm not mistaken, at the very least not considered a properly configured email system. While annoying in this case, it is not the proper action to turn off all NDR, which is what you would be doing by turning it off at the SMTP or MTA.

Anti-virus software is not the SMTP or MTA, it is usually a gateway software in front of or behind your transport system. Some are also a mail store scanner. They are 2 completely separate pieces of software and functions. NDR applies to SMTP, notification applies to anti-virus.

Best Regards,
Dan Bartley

-----Original Message-----
From: Shawn Jackson [mailto:sjackson () horizonusa com]
Sent: Tuesday, January 27, 2004 21:09
To: Dan Bartley; security-basics () securityfocus com
Subject: RE: Worm.SCO.A (W32/Mydoom@MM)

I assume you mean anti-virus notification, not an NDR. The NDRs are
generated because the Trojan is using a list of common names for every
domain it picks up on. You can't disable NDRs, that would be bad
practice.

AV NDRs = Anti-Virus Notifications. The majority of the time you get an
AV notification you are basically getting an NDR from the server describing
why it was unable to deliver the message, in this case because of a
virus.

Turning off SMTP/MTA NDRs != GOOD.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
(800) 325-1199 x338
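
The distinction argued in this thread, as an added example that is not part of the original messages: a standards-based NDR (RFC 3464) is a `multipart/report` message with a machine-readable `message/delivery-status` part, while an anti-virus gateway notice is assumed here to be ordinary mail. Both sample messages, their addresses and the `classify` helper are constructed for illustration.

```python
import email

# Constructed sample: an RFC 3464 delivery status notification (a true NDR).
NDR = """\
From: MAILER-DAEMON@mx.example.net
To: alice@example.com
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The address below does not exist.

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; john@example.org
Action: failed
Status: 5.1.1

--b1--
"""

# Constructed sample: ordinary mail generated by an anti-virus gateway
# (assumed format; real products differ).
AV_NOTICE = """\
From: antivirus@gw.example.net
To: alice@example.com
Subject: Virus found in message you sent
Content-Type: text/plain

The attachment was removed and replaced with this notice.
"""

def classify(raw):
    """Return ('ndr', [(recipient, action, status), ...]) or ('other', [])."""
    msg = email.message_from_string(raw)
    report_type = (msg.get_param("report-type") or "").lower()
    if msg.get_content_type() != "multipart/report" or report_type != "delivery-status":
        return "other", []
    failures = []
    for part in msg.walk():
        if part.get_content_type() == "message/delivery-status":
            # The parser exposes each header block (per-message, then per-recipient)
            # as its own Message object; keep only the per-recipient blocks.
            for block in part.get_payload():
                if block.get("Final-Recipient"):
                    failures.append((block["Final-Recipient"], block.get("Action", ""), block.get("Status", "")))
    return "ndr", failures
```

Filtering on this structure lets a mail administrator count or rate-limit worm-induced bounces separately from gateway notices without disabling NDRs at the MTA.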
