2 MX Servers not Receiving Same Viruses

mikea mikea at MIKEA.ATH.CX
Thu Mar 18 22:48:07 GMT 2004


On Thu, Mar 18, 2004 at 03:32:33PM -0700, Daniel Straka wrote:
> Hello List,
>
>   I'm Dan Straka, I work at Casper College in Casper, WY (USA),
> www.caspercollege.edu. I've got my first question for the list.
>
> I've got 2 MX servers (with different cost values in DNS) and the viruses
> being intercepted by Sophos on these machines are not the same. For
> instance, one is receiving Netsky and Bagle variations but the other one
> is not. On the opposite machine, it's receiving Mymail and Sefex
> variations but the other does not. I thought this is a bit strange.
>
> Question, does this have to do with the MX cost value being different in
> DNS, or are the machines being targeted differently by the virused email?

Some ratware deliberately targets the highest-value MX, other ratware
just goes for the lowest. I suspect that the thinking behind going for
the most expensive is that it probably is a fallback server not under
the direct control of the mailadmin, but configured and maintained for
him/her by someone else -- not uncommonly in another organization --
and hence may not have all the filters, up-to-date access list or
equivalent, and so on.

--
Mike Andrews
mikea at mikea.ath.cx
Tired old sysadmin
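
A way to check the split described in this thread on your own hosts, as an added example that is not part of the original messages: it groups detected virus families by which MX logged them and compares the lowest-preference host with the highest-preference one. The hostnames, the syslog-style line layout and the variant suffixes are constructed assumptions; adjust the regular expression to your scanner's real log format.

```python
import re
from collections import defaultdict

# Constructed MX records (preference, host); hostnames are placeholders.
MX_RECORDS = [(10, "mx1.example.edu"), (20, "mx2.example.edu")]

# Constructed sample log lines; the layout is an assumption, not a
# guaranteed MailScanner/Sophos format.
SAMPLE_LOG = """\
Mar 18 15:01:02 mx1 MailScanner[2211]: >>> Virus 'W32/Netsky-D' found in file ./a1/msg.zip
Mar 18 15:03:40 mx1 MailScanner[2211]: >>> Virus 'W32/Bagle-J' found in file ./a2/doc.exe
Mar 18 15:04:10 mx2 MailScanner[1980]: >>> Virus 'W32/Mymail-A' found in file ./b1/photo.scr
Mar 18 15:09:55 mx1 MailScanner[2211]: >>> Virus 'W32/Netsky-B' found in file ./a3/msg.pif
Mar 18 15:12:31 mx2 MailScanner[1980]: >>> Virus 'W32/Sefex-A' found in file ./b2/x.exe
Mar 18 15:20:00 mx2 MailScanner[1980]: >>> Virus 'W32/Netsky-D' found in file ./b3/y.zip
Mar 18 15:21:00 mx2 MailScanner[1980]: Message i2IM1x from 192.0.2.7 is clean
"""

# Captures the short syslog hostname and the family name (text before "-variant").
LINE_RE = re.compile(
    r"^\S+\s+\d+\s+[\d:]+\s+(\S+)\s.*Virus '(?:[^/']+/)?([A-Za-z0-9]+)"
)

def families_by_host(log_text):
    """Return {short_hostname: set of lower-cased virus families seen there}."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines without a detection (e.g. "is clean") are skipped
            seen[m.group(1)].add(m.group(2).lower())
    return seen

def split_by_mx(mx_records, log_text):
    """Compare families seen at the lowest- and highest-preference MX."""
    ordered = sorted(mx_records)              # lowest preference value first
    primary = ordered[0][1].split(".")[0]     # short name as it appears in syslog
    backup = ordered[-1][1].split(".")[0]
    seen = families_by_host(log_text)
    p, b = seen.get(primary, set()), seen.get(backup, set())
    return {
        "lowest_pref_only": sorted(p - b),
        "highest_pref_only": sorted(b - p),
        "both": sorted(p & b),
    }

if __name__ == "__main__":
    for bucket, families in split_by_mx(MX_RECORDS, SAMPLE_LOG).items():
        print(f"{bucket}: {', '.join(families) or '-'}")
```

Families that show up only under `highest_pref_only` are the ones worth checking against the backup MX's filter and access-list configuration.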



More information about the MailScanner mailing list