[Greylist-users] greylisting side-effect: mail worm delay

Deke Clinger dclinger at qualcomm.com
Sat Aug 2 03:24:16 PDT 2003


Greetings,

I think I've found an interesting side effect of the greylisting
package. Looking at mail logs after the arrival of WORM_MIMAIL.A today I
noticed that although the first attempted deliveries of this malware reached
our greylist-equipped Internet gateways shortly before 5 am today, the first
example did not reach the next hop for inbound mail for over three and a half
hours, until about 8:40 am.

This may not seem like much, but this delay happened during the lag between
the new worm being introduced and other countermeasures being deployed (virus
pattern updates, mail rule additions). This could mean the difference between
an internal outbreak and a non-event.

I believe this is happening because the SMTP engine used by the worm to spread
itself does not retry delivery after a temporary error like those generated by
the greylist engine. This will delay delivery at least until a given instance
of the worm (relay_ip) retries a previously attacked email address, probably
not a high priority until all available addresses have been tried once.

Obviously, a greylist is not a virus defense by itself, but the time it buys
could make a lot of difference if the admins and AV vendors are on the ball.

Here's more about MIMAIL:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.A

-Deke
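The mechanism Deke describes, as an added example that is not from the post or from the greylisting package: a minimal greylist keyed on the (relay_ip, sender, recipient) triplet that answers 4xx until the triplet has aged, a conforming MTA that queues and retries after a 4xx, and a model of a mass-mailer SMTP engine that never retries and only comes back to an address on its next pass through its harvested list. The 300-second minimum age, the retry interval, the addresses and the timings are all assumed values chosen for the simulation.

```python
"""Greylist triplet simulator: why a non-retrying mailer is delayed more
than the greylist's nominal minimum. Added illustration; the delay and
timings below are constructed, not taken from any real deployment."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Triplet = Tuple[str, str, str]  # (relay_ip, envelope sender, envelope recipient)


@dataclass
class Greylist:
    """Minimal greylist: a triplet is recorded on first sight and rejected
    with a temporary error until it is at least `delay` seconds old.
    Real implementations also expire entries and whitelist known-good
    relays; both are omitted here."""
    delay: int = 300  # assumed minimum age (seconds) before acceptance
    first_seen: Dict[Triplet, int] = field(default_factory=dict)

    def check(self, relay_ip: str, sender: str, recipient: str, now: int) -> str:
        key = (relay_ip, sender.lower(), recipient.lower())
        seen = self.first_seen.setdefault(key, now)  # record first sighting
        if now - seen < self.delay:
            # A 4xx reply tells a conforming MTA: queue it and try again later.
            return "451 4.7.1 Greylisted, please try again later"
        return "250 2.0.0 OK"


def conforming_mta(gl: Greylist, relay_ip: str, sender: str, recipient: str,
                   start: int, retry_every: int, max_attempts: int = 10) -> Optional[int]:
    """A normal MTA keeps the message queued on 4xx and retries on a schedule.
    Returns the time at which the greylist finally accepts the message."""
    t = start
    for _ in range(max_attempts):
        if gl.check(relay_ip, sender, recipient, t).startswith("250"):
            return t
        t += retry_every
    return None


def worm_engine(gl: Greylist, relay_ip: str, sender: str, address_book: List[str],
                start: int, per_message: int, passes: int) -> Dict[str, int]:
    """Model of a mass-mailer's built-in SMTP engine as described in the post:
    one attempt per harvested address, no retry on a temporary error, and the
    next attempt at a given address only when the whole list is walked again.
    Returns recipient -> time of the first accepted delivery."""
    accepted: Dict[str, int] = {}
    t = start
    for _ in range(passes):
        for rcpt in address_book:
            if rcpt not in accepted and gl.check(relay_ip, sender, rcpt, t).startswith("250"):
                accepted[rcpt] = t
            t += per_message
    return accepted


def simulate() -> Dict[str, object]:
    """Run both senders against fresh greylists and return the outcomes."""
    # Constructed sample: a legitimate relay retrying every 300 s.
    legit = conforming_mta(Greylist(delay=300), "192.0.2.10",
                           "alice@example.org", "bob@example.com",
                           start=0, retry_every=300)
    # Constructed sample: an infected host cycling through four harvested
    # addresses, one message per minute, three passes over the list.
    book = [f"user{i}@example.com" for i in range(1, 5)]
    one_pass = worm_engine(Greylist(delay=300), "198.51.100.7",
                           "spoofed@example.net", book, start=0,
                           per_message=60, passes=1)
    three_passes = worm_engine(Greylist(delay=300), "198.51.100.7",
                               "spoofed@example.net", book, start=0,
                               per_message=60, passes=3)
    return {"legit_accepted_at": legit,
            "worm_single_pass": one_pass,
            "worm_three_passes": three_passes}


if __name__ == "__main__":
    for name, result in simulate().items():
        print(f"{name}: {result}")
```

With these assumed numbers the retrying MTA is accepted on its second attempt at t=300, exactly the greylist's minimum age, while the non-retrying engine delivers nothing on its first pass and only gets a message through on its third pass at t=480, because its second pass arrives before the triplets have aged. Widen the address book or the per-message time and the gap grows, which is the window the post describes for pattern updates and mail rules to land first.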
