
Microsoft Exchange servers dodge worm

by James Middleton

31 Jan 2002


In the somewhat calm wake of the MyParty virus, security experts have considered the possibility that, for once, users of Microsoft Exchange servers may have been better off.

A discussion thread on the Virus Focus mailing list suggested that the MyParty virus and its subsequent variant did not spread widely because they could not propagate via Exchange servers.

According to research, the virus uses SMTP commands like 'HELO' and 'RCPT TO' to propagate itself, but Exchange doesn't use these commands when communicating with an Outlook email client.

Also, MyParty uses non-RFC (request for comments) compliant control characters to end its lines, which Exchange doesn't support either.

Although there is some argument that the worm's built-in SMTP engine could still allow it to mail itself out via Exchange, the second point still cripples its propagation ability.
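The second point turns on how a receiving server treats line endings: SMTP requires every line to end in CRLF. The following added example (not code from the article, the mailing-list thread or Exchange) shows a strict receiver-side check that rejects a stream containing a bare CR or bare LF. The sample streams are constructed, the 500 reply text is an assumption, and the article does not say which characters MyParty actually emits.

```python
from typing import List, Tuple

CR, LF = 0x0D, 0x0A

def find_bad_line_endings(stream: bytes) -> List[Tuple[int, str]]:
    """Return (offset, kind) for every CR or LF that is not part of a CRLF pair."""
    problems = []
    i = 0
    while i < len(stream):
        b = stream[i]
        if b == CR:
            if i + 1 < len(stream) and stream[i + 1] == LF:
                i += 2          # well-formed CRLF, skip both bytes
                continue
            problems.append((i, "bare CR"))
        elif b == LF:
            problems.append((i, "bare LF"))
        i += 1
    return problems

def accept_stream(stream: bytes) -> Tuple[bool, str]:
    """Strict receiver policy: refuse the whole stream on the first malformed ending.

    The reply strings are illustrative assumptions, not any product's output.
    """
    problems = find_bad_line_endings(stream)
    if problems:
        offset, kind = problems[0]
        return False, f"500 malformed line ending ({kind} at byte {offset})"
    if not stream.endswith(b"\r\n"):
        return False, "500 unterminated line"
    return True, "250 OK"

# Constructed sample streams (not captured traffic).
GOOD = (b"HELO client.example\r\n"
        b"MAIL FROM:<a@example.com>\r\n"
        b"RCPT TO:<b@example.com>\r\n")
BAD_LF = b"HELO client.example\nRCPT TO:<b@example.com>\n"
BAD_CR = b"HELO client.example\rRCPT TO:<b@example.com>\r\n"

if __name__ == "__main__":
    for name, data in (("GOOD", GOOD), ("BAD_LF", BAD_LF), ("BAD_CR", BAD_CR)):
        print(name, accept_stream(data))
```

A lenient receiver would instead normalise the stray characters and carry on, which is the behaviour difference the thread attributes to non-Exchange servers.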

"If this is true, then every copy of MyParty is being sent out from non-Exchange servers. It seems hard to believe that we have the first major email worm in the last three years where Exchange users were actually better off than everybody else," read one posting to the newsgroup from IT director Roger Grimes.

Another security watcher supported these claims. Nick FitzGerald, of Computer Virus Consulting, wrote: "I have seen reports from people who have tested that Exchange will not accept such 'malformed' SMTP data streams," otherwise known as non-RFC compliant end of line characters.

"Thus victims 'behind' Exchange servers cannot actually spread it via email."

Do you agree?

 
