[Exim] Viruses, and HELOs without dots

Author: Alan J. Flavell
Date:  
To: Exim users list
Subject: [Exim] Viruses, and HELOs without dots
A lot of earlier viruses which contained their own SMTP engine were
presenting HELO/EHLO domains without dots (typically, it was the
Windows host name).

I've been noticing in the last few days that there must now be viruses
around which randomly append .org, .com, .net to the host name to
produce their HELO domain. I'm not sure which virus they are, because
we reject them on the basis of appearing to be Windows executables
before they would get as far as being actually virus-checked.

I just thought it might be worth posting a heads-up, in case anyone's
putting too much reliance on a test for an unqualified name in the
HELO. Seems the virus writers got wise to that...

I don't at the moment see any other pattern than this one:
component.(org|net|com) - i.e. just a single dot, and one of just those
three TLDs. Examples P3.org, P3.com, DELL600-WJS.net,
DELL600-WJS.org, hpcomputer.com, hpcomputer.net and so on.

(I'm sure the writers will soon change that detail, though.)

all the best
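As an added illustration of the pattern described above (not part of the original post), the following Python scan runs over constructed Exim-style mainlog lines and classifies each HELO name as unqualified, single-label-plus-generic-TLD, or other. The `H=host (helo) [ip]` layout of the sample lines and the sample lines themselves are assumptions; the classification is meant for spotting the trend in logs, not as a rejection rule on its own.

```python
import re
from collections import Counter

# Constructed Exim-style mainlog lines (assumed format, not from the post):
# "H=<reverse-dns> (<helo>) [<ip>]"; the "(<helo>)" part appears only when the
# HELO name differs from the reverse-DNS name, and the reverse-DNS name is
# absent when the lookup failed.
SAMPLE_LOG = """\
2004-03-01 10:00:01 1B0aaa-0001AA-00 <= a@example.org H=pc12.example.org (P3) [192.0.2.10] P=esmtp S=2048
2004-03-01 10:00:02 1B0aab-0001AB-00 <= b@example.org H=(P3.org) [192.0.2.11] P=esmtp S=4096
2004-03-01 10:00:03 1B0aac-0001AC-00 <= c@example.org H=(DELL600-WJS.net) [192.0.2.12] P=esmtp S=4096
2004-03-01 10:00:04 1B0aad-0001AD-00 <= d@example.org H=mail.example.com [192.0.2.13] P=esmtp S=512
2004-03-01 10:00:05 1B0aae-0001AE-00 <= e@example.org H=(hpcomputer.com) [192.0.2.14] P=esmtp S=4096
"""

# Pull the reverse-DNS name (optional), HELO name (optional) and IP out of H=.
HELO_FIELD = re.compile(
    r"H=(?:(?P<host>[^\s(\[]+) )?(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\]"
)
# A bare host name: one DNS label, no dot at all.
UNQUALIFIED = re.compile(r"^[A-Za-z0-9-]+$")
# One label plus exactly one of the three TLDs named in the post.
LABEL_PLUS_TLD = re.compile(r"^[A-Za-z0-9-]+\.(?:org|net|com)$", re.IGNORECASE)


def classify_helo(helo):
    """Return 'unqualified', 'label-plus-tld' or 'other' for a HELO name."""
    if UNQUALIFIED.match(helo):
        return "unqualified"
    if LABEL_PLUS_TLD.match(helo):
        return "label-plus-tld"
    return "other"


def scan_log(text):
    """Yield (helo, ip, class) for every log line carrying an H= field."""
    results = []
    for line in text.splitlines():
        m = HELO_FIELD.search(line)
        if not m:
            continue
        # With no "(helo)" part the HELO equalled the reverse-DNS name.
        helo = m.group("helo") or m.group("host") or ""
        results.append((helo, m.group("ip"), classify_helo(helo)))
    return results


def summarize(text):
    """Count how many lines fall into each HELO class."""
    return Counter(cls for _, _, cls in scan_log(text))


if __name__ == "__main__":
    for helo, ip, cls in scan_log(SAMPLE_LOG):
        print(f"{ip:<14} {helo:<20} {cls}")
    print(dict(summarize(SAMPLE_LOG)))
```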