[Esd-l] Curious KLEZ immunity (from DELIVERY!) (fwd)
John D. Hardin
jhardin at impsec.org
Wed Jul 17 10:20:01 PDT 2002
An interesting bug in klez...
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin at impsec.org pgpk -a jhardin at impsec.org
768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76
1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...the Fates notice those who buy chainsaws...
-- www.darwinawards.com
-----------------------------------------------------------------------
310 days until The Matrix Reloaded
---------- Forwarded message ----------
Date: Fri, 12 Jul 2002 20:48:28 -0700
From: Professional Software Engineering <PSE-L at mail.professional.org>
Reply-To: procmail-users at procmail.org
To: procmail-users at procmail.org
Subject: Curious KLEZ immunity (from DELIVERY!)
I recently discovered why I hadn't been receiving many KLEZ messages.
My server has been bouncing them as "User unknown". Why? Because the
addresses I use the most (at least on forums where the average member is
more likely to be a clueless user who'd get infected in the first place)
are plussed.
Seems that KLEZ is parsing the address after the plus (or parsing
"outwards" from the @). So, where an address might be
"username+plusportion at domain.tld", KLEZ is snapping it up as
"plusportion at domain.tld", which in my case, doesn't resolve to valid
usernames on my systems.
I went back and checked, and sure enough, there were a buttload of "unknown
user" errors in archived maillogs. Besides not having to filter them out
in the first place, I'm also not taking the delivery hit for the circa
120KB attachment...
I figure this insight might be of interest to someone. Let's see everyone
switching to plussed aliases... <g>
---
Sean B. Straw / Professional Software Engineering
Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
Please DO NOT carbon me on list replies. I'll get my copy from the list.
_______________________________________________
procmail mailing list
procmail at lists.RWTH-Aachen.DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
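
The log check described in the forwarded message, as an added example that is not part of the original post: it counts "User unknown" rejections whose recipient equals the plus portion of a known plussed address. The addresses, the log lines and the sendmail-like log layout are constructed assumptions; adapt `REJECT_RE` to your MTA's format.

```python
import re
from collections import Counter

# Constructed sample: plussed addresses given out to forums (hypothetical names).
PLUSSED = ["sean+procmail@example.org", "sean+forum@example.org",
           "sean+lists@example.org"]

# Constructed log lines in an assumed sendmail-like layout.
SAMPLE_LOG = """\
Jul 12 20:41:07 mx sendmail[2211]: g6D3f7x02211: <procmail@example.org>... User unknown
Jul 12 20:44:19 mx sendmail[2230]: g6D3iJx02230: <forum@example.org>... User unknown
Jul 12 20:45:02 mx sendmail[2241]: g6D3j2x02241: <PROCMAIL@example.org>... User unknown
Jul 12 20:46:40 mx sendmail[2250]: g6D3kex02250: <nosuchuser@example.org>... User unknown
Jul 12 20:47:11 mx sendmail[2252]: g6D3lBx02252: from=<a@example.net>, size=123904, nrcpts=1
"""

# Recipient address followed by the rejection text (assumed log wording).
REJECT_RE = re.compile(r"<([^<>@\s]+)@([^<>\s]+)>\.\.\. User unknown", re.I)

def truncated_forms(plussed):
    """Map 'plusportion@domain' -> full 'user+plusportion@domain' address."""
    forms = {}
    for addr in plussed:
        local, _, domain = addr.rpartition("@")
        # Assumption: the text after the last '+' is what survives the parsing.
        _user, plus, detail = local.rpartition("+")
        if plus and detail:
            forms[f"{detail}@{domain}".lower()] = addr
    return forms

def attribute_rejections(log_text, plussed):
    """Split 'User unknown' rejections into plus-truncation hits and the rest."""
    forms = truncated_forms(plussed)
    hits, other = Counter(), Counter()
    for m in REJECT_RE.finditer(log_text):
        rcpt = f"{m.group(1)}@{m.group(2)}".lower()
        if rcpt in forms:
            hits[forms[rcpt]] += 1      # credited to the plussed alias
        else:
            other[rcpt] += 1            # ordinary unknown-user rejection
    return hits, other

if __name__ == "__main__":
    hits, other = attribute_rejections(SAMPLE_LOG, PLUSSED)
    for addr, n in hits.most_common():
        print(f"{n:4d}  {addr}")
    print("unattributed:", dict(other))
```

A plus portion that happens to match a real local user would be delivered rather than rejected, so it will not appear in these counts.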