Greg Hewgill (ghewgill) wrote,

beating back the demons

I've noticed a significant increase in worm-related email traffic over the last couple of days, apparently related to the "netsky" variant this time (though it's getting harder to tell all the different variants apart). Overnight last night I received nearly 400 new worm-related email messages, all of which successfully passed through qgreylist, SpamAssassin, and some custom filters that worked for mydoom.

In looking at the incoming messages, I noticed something odd about the HELO command that was used. Normally in an SMTP transaction, the first command that the sending mail server sends to the receiver is something like "HELO", which means the sender is responsible for sending messages from This HELO name isn't actually used during the delivery of the messages, but is just sort of a polite introduction.

What I noticed was that in most of these worm messages, the sender was using the command "HELO". This is backwards: it should use the domain name of the sender, not the recipient. So I can be sure that if the sender uses my domain name in HELO, then it is not a legitimate message. By using the following procmail rule:

* ^Received:.*(HELO

a huge number of worm messages have been caught. In just the last 2.5 hours, 181 messages have been blocked and 33 got through. Of those that got through, virtually all of them are bounce messages from other mail servers, where a message to with my name forged in the From field, was returned to me as undeliverable. These types of messages, since they are sent by legitimate functional mail servers, have correct HELO commands and are not recognized by this filter.
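As an added illustration of the same check (example code, not from the post): a Python version of the HELO test run over constructed sample headers. It assumes example.org is the receiving domain and that the receiving MTA records the HELO name in the Received: line it adds, in qmail's "(HELO name)" or Postfix's "(helo=name)" form; it also shows why only the topmost Received: header should be consulted.

```python
import email
import re

# Our own receiving domain (assumed placeholder; the post does not name it).
OUR_DOMAIN = "example.org"

# HELO name as the receiving MTA records it: qmail writes "(HELO name)",
# Postfix and Exim write "(helo=name)". Match both, case-insensitively.
HELO_RE = re.compile(r"\((?:HELO\s+|helo=)([^\s()]+)\)", re.IGNORECASE)

def helo_name(received: str):
    """Extract the HELO name from one Received: header value, or None."""
    m = HELO_RE.search(received)
    return m.group(1).lower() if m else None

def forged_helo(received: str, our_domain: str = OUR_DOMAIN) -> bool:
    """True when the connecting host introduced itself with *our* domain,
    which is what the post's procmail rule keys on. Exact match only."""
    return helo_name(received) == our_domain.lower()

def classify(raw_message: str, our_domain: str = OUR_DOMAIN) -> str:
    """'worm-helo' if the hop our own server recorded carries a forged HELO.
    Only the topmost Received: header (the one our MTA wrote) is trusted;
    lower ones were supplied by the sender and can say anything."""
    received = email.message_from_string(raw_message).get_all("Received", [])
    if not received:
        return "pass"
    return "worm-helo" if forged_helo(received[0], our_domain) else "pass"

# Constructed sample messages, not real traffic. Worm case: the HELO name is
# the recipient's own domain, the backwards pattern the post describes.
WORM_MSG = """Received: from unknown (HELO example.org) (203.0.113.7)
  by mail.example.org with SMTP; 5 Mar 2004 03:12:44 -0000
From: greg@example.org
Subject: hi

"""
# Bounce from a legitimate MTA elsewhere: it HELOs with its own name, so it
# passes this filter (the case the post reports getting through).
BOUNCE_MSG = """Received: from mx1.example.net (HELO mx1.example.net) (198.51.100.4)
  by mail.example.org with SMTP; 5 Mar 2004 03:15:02 -0000
From: MAILER-DAEMON@example.net
Subject: Undelivered Mail Returned to Sender

"""

if __name__ == "__main__":
    for label, raw in (("worm", WORM_MSG), ("bounce", BOUNCE_MSG)):
        print(label, "->", classify(raw))
```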

Unfortunately, the latest variants of these email worms no longer seem to have automatic built-in expiration dates (as reported by McAfee or Symantec), like the Sobig family did. We can therefore expect to be plagued by these for some time to come.

Finally, this would be a good time to remind everybody who is responsible for any email operations to adopt the Sender Policy Framework (SPF) and publish SPF records. Doing so will help reduce worms' ability to forge email addresses from your domain, and applying SPF checks to incoming messages will help you reject messages with forged From addresses.

Tags: spam
