Greg Hewgill (ghewgill) wrote,
Greg Hewgill

beating back the demons

I've noticed a significant increase in worm related email traffic over the last couple of days, apparently related to the "netsky" variant this time (though it's getting harder to tell all the different variants apart). Overnight last night I received nearly 400 new worm-related email messages, all of which successfully passed through qgreylist, spamassassin, and some custom filters that worked for mydoom.

In looking at the incoming messages, I noticed something odd about the HELO command that was used. Normally in an SMTP transaction, the first command that the sending mail server sends to the receiver is something like "HELO", which means the sender is responsible for sending messages from This HELO name isn't actually used during the delivery of the messages, but is just sort of a polite introduction.

What I noticed was that in most of these worm messages, the sender was using the command "HELO". This is backwards, it should be using the domain name of the sender, not the recipient. So I can be sure that if the sender uses my domain name in HELO, then it is not a legitimate message. By using the following procmail rule:

* ^Received:.*(HELO

a huge number of worm messages have been caught. In just the last 2.5 hours, 181 messages have been blocked and 33 got through. Of those that got through, virtually all of them are bounce messages from other mail servers, where a message to with my name forged in the From field, was returned to me as undeliverable. These types of messages, since they are sent by legitimate functional mail servers, have correct HELO commands and are not recognized by this filter.

Unfortunately, the latest variants of these email worms no longer seem to have automatic built-in expiration dates (as reported by mcafee or symantec), like the sobig family did. We can therefore expect to be plagued by these for some time to come.

Finally, this would be a good time to remind everybody who is responsible for any email operations to adopt Sender Policy Framework and publish SPF records. Doing so will help reduce the ability for worms to forge email addresses from your domain, and using SPF filtering against incoming messages will help you reject messages with forged From addresses.

Tags: spam

  • 2013 in review

    2013 is the year when everything changed. The biggest event was the birth of our daughter Lily. She was born prematurely in Shanghai while we…

  • 2012 in review

    2012 has been fairly quiet. Maybe it just seems that way because I haven't actually written anything new in this blog since last year's annual…

  • new photo galleries

    I've been busy processing photo galleries from the last year (or two) and putting them online for your perusal. Vancouver 2010 Northland…

  • Post a new comment


    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded