MyDoom Quirk?


John Coutts

While examining the Black List log, I made an interesting observation; all the
legitimate names (current or expired) had a single space between the RCPT TO:
and the mail address.

RCPT TO: <[email protected]>

All the MyDoom virus messages sent to fictitious names (and some legitimate
names) had no space.

RCPT TO:<[email protected]>

Has anyone else noticed this or does anyone have an explanation?

J.A. Coutts
 
John Coutts said:
While examining the Black List log, I made an interesting observation; all the
legitimate names (current or expired) had a single space between the RCPT TO:
and the mail address.

RCPT TO: <[email protected]>

All the MyDoom virus messages sent to fictitious names (and some legitimate
names) had no space.

RCPT TO:<[email protected]>

Has anyone else noticed this or does anyone have an explanation?

I suggest that, in your quest to understand this, you should start by reading
the SMTP RFC (2821), paying careful attention to its definitions of, and
requirements for, "white space" and the "<SP>". According to the RFC a <SP> is
required after "RCPT TO:", but in practice, too many sending implementations have
been written at various points in time that do not send such, and most SMTP
servers effectively treat the ":" as the command terminator.

I'd be hesitant to filter incoming mail based solely on the absence of this
(required) space character, at least not with a straight "reject" action. Setting
up a "quarantine" queue and moving all such mail there may not be a bad idea to
check that you don't get some "valid" Emails delivered from some other similarly
faulty implementation (of course, this means if you don't have some _other_
mechanism for filtering out Mydoom "inline" during delivery you have to accept all
its Email -- not a very desirable solution I suspect).
 
Thanks for the response Nick. I was not contemplating rejecting email based on
this quirk, but it certainly has made separating Spam from virus in the Black
List log file fairly easy.
 