Re: [Exim] What to do with messages that seem to be virus-in…

Author: Fred Viles
Date:  
To: exim-users
Subject: Re: [Exim] What to do with messages that seem to be virus-infected?
On 7 Mar 2004 at 7:38, Suresh Ramasubramanian wrote about
    "Re: [Exim] What to do with messages":


| On Sat, Mar 06, 2004 at 10:41:52PM +0000, Alan J. Flavell wrote:
| > On Sat, 6 Mar 2004, Fred Viles wrote:

|...
| > > How does the virus figure out the smarthost's address?

|...
| The other way is far simpler. Find the domain name of the IP of the infected
| host (say if the infected host is on ip-10-0-0-5.cablemodem.example.com,
| parse out example.com from there). Then do "nslookup -q=mx example.com" and
| try to send out all its payloads through example.com's mx servers.


Hum. Well maybe, but I would not think that would work often enough
to be worthwhile. Do you *know* this is a technique the worms use,
or are you speculating how they *might* do it?

- Fred