[Esd-l] Spoofed email addresses
paul at ferwerda.net
Fri Jun 14 04:15:04 PDT 2002
As a newbie to this list I apologize if I'm asking something that has been covered before. I checked the subject of posts in the archives for the last two years for "spoof" but didn't find anything. The sanitizer sent out a notification message and I received the following message back. From looking at the headers it looks like the Return-Path was forged. Is there any way to deal with this short of not notifying?
>X-Sent-via: StarNet http://www.azstarnet.com/
>Date: Thu, 13 Jun 2002 22:18:05 -0700
>From: John Sartin <culsart at azstarnet.com>
>Reply-To: culsart at azstarnet.com
>X-Mailer: Mozilla 4.79 (Macintosh; U; PPC)
>To: Procmail Security daemon <postmaster@www.mxtabs.net>
>Subject: Re: Language
>I have sent you no email prior to this one! I am running Mac OS9.2 and have the latest Norton virus definitions and scan shows no trace of virus or worm. I have no
>idea what you want me to do!
>Procmail Security daemon wrote:
>> Regarding your message to
>> <webmaster at mxtabs.net>
>> ***** SECURITY NOTICE *****
>> Our site security policy rejects most executables and all .EXE files
>> received as email attachments. If you need to send us an .EXE file for
>> some reason, please reply to this message to make arrangements.
>> If it's a publicly-available program, please send a URL where the
>> recipient can download the program directly from the vendor rather
>> than sending us a copy of the program via email. This will avoid the
>> possibility of your sending us a copy that has been infected by a
>> If your attachment was not an .EXE file, the following applies:
>> Our email gateway has detected that your message MAY contain
>> hazardous attachments or embedded scripting, and may have
>> prevented its delivery to the intended recipient (see below for
>> details). Our mail administrator has been notified.
>> It is possible that your computer has been infected by a virus,
>> or you have been the target of an email worm which is now attacking
>> other computers on its own, without your knowledge or consent. This
>> is particularly possible if you don't recall sending the message that
>> caused this notice to be sent to you.
>> Please contact your system administrator by phone immediately.
>> You should not send out any email attachments until you have updated
>> your antivirus scanner's virus signature list and re-scanned your
>> If the Macro Scanner score is large, suspicious macro code has
>> been detected within the document attachment. Some antivirus
>> software disables macro viruses but does not remove all traces of
>> the macro virus program, and the email gateway may be detecting the
>> parts that remain. To ensure your document contains no traces of
>> a macro virus, save it in a format that does not support macros
>> (for example, Rich Text - RTF), reload from that file, and re-save in
>> the original format. This will strip all macros from the document.
>> Simply re-sending the same attachment again will not work. The
>> message was not rejected due to some temporary problem such as
>> the recipient's mailbox being full. The message has been refused
>> due to security concerns about the content. If you do not alter
>> the content, the message will be refused again for the same
>> We apologize for any inconvenience, and thank you for your
>> understanding. If you have any questions, please reply to this
>> message. Do not include any attachments in your reply.
>> REPORT: Trapped possible Klez worm - see http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html
>> REPORT: Not a document, or already poisoned by filename. Not scanned for macros.
>> STATUS: Message discarded, not delivered to recipient.
>> Headers from message:
>> > From Culsart at azstarnet.com Thu Jun 13 17:38:58 2002
>> > Return-Path: <Culsart at azstarnet.com>
>> > Received: from cepheus.azstarnet.com (cepheus.azstarnet.com [22.214.171.124])
>> > by www.mxtabs.net (8.10.2/8.10.2) with ESMTP id g5DMcvr14663
>> > for <webmaster at mxtabs.net>; Thu, 13 Jun 2002 17:38:58 -0500
>> > Received: from Txkzxn (dhcp825.mc01.dsl.fastucson.net [126.96.36.199])
>> > by cepheus.azstarnet.com (8.9.3/8.9.3) with SMTP id PAA14156
>> > for <webmaster at mxtabs.net>; Thu, 13 Jun 2002 15:38:45 -0700 (MST)
>> > Date: Thu, 13 Jun 2002 15:38:45 -0700 (MST)
>> > Message-Id: <200206132238.PAA14156 at cepheus.azstarnet.com>
>> > X-Sent-via: StarNet http://www.azstarnet.com/
>> > From: kisielkids <kisielkids at aol.com>
>> > To: webmaster at mxtabs.net
>> > Subject: Language
>> > MIME-Version: 1.0
>> > Content-Type: multipart/alternative;
>> > boundary=S9772l75J45233Tf3zVn
>> > X-Content-Security: [www.mxtabs.net] NONOTIFY
>> > X-Content-Security: [www.mxtabs.net] DISCARD
>> > X-Content-Security: [www.mxtabs.net] REPORT: Trapped possible Klez worm - see http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html
>> Message sanitized on www.mxtabs.net
>> See http://www.impsec.org/email-tools/sanitizer-intro.html for details.
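
One heuristic for the question raised in this post, as an added example (not part of the original message and not the sanitizer's own code): before notifying, compare the envelope sender in Return-Path with the From header, and skip the notice when they disagree, when the envelope sender is empty, or when the report names a worm that forges senders. The function name, the keyword list and the sample message are assumptions; the sample is constructed from the quoted headers with the archive's " at " obfuscation undone.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the post.
SAMPLE = """\
Return-Path: <Culsart@azstarnet.com>
From: kisielkids <kisielkids@aol.com>
To: webmaster@mxtabs.net
Subject: Language
X-Content-Security: [www.mxtabs.net] REPORT: Trapped possible Klez worm

"""

# Assumption: keywords in REPORT lines for malware that forges sender addresses.
FORGING_WORMS = ("klez",)


def notify_decision(raw):
    """Return (should_notify, reason) for a trapped message (hypothetical helper)."""
    msg = message_from_string(raw)
    # parseaddr() yields ('', '') for a missing header or the null sender "<>".
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    reports = " ".join(msg.get_all("X-Content-Security", [])).lower()

    if not envelope:
        # Bounces and DSNs carry no envelope sender; replying risks a mail loop.
        return False, "null or missing envelope sender"
    if any(worm in reports for worm in FORGING_WORMS):
        # The address is probably a bystander's, so a notice only confuses them.
        return False, "report names a sender-forging worm"
    if envelope != header_from:
        return False, "Return-Path and From disagree"
    return True, "envelope sender matches From"


if __name__ == "__main__":
    print(notify_decision(SAMPLE))
```

A mismatch alone is a coarse signal, since mailing lists and forwarders legitimately rewrite the envelope sender, so this trades some missed notifications for fewer notices sent to uninvolved addresses.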