[Esd-l] Spoofed email addresses

Paul Ferwerda paul at ferwerda.net
Fri Jun 14 04:15:04 PDT 2002

        As a newbie to this list I apologize if I'm asking something that has been covered before. I checked the subject of posts in the archives for the last two years for "spoolf" but didn't find anything.  The sanitizer sent out a notification message and I received the following message back.  From looking at the headers it looks like the Return-Path was forged.  Is there any way to deal with this short of not notifying?


>X-Sent-via: StarNet http://www.azstarnet.com/ 
>Date: Thu, 13 Jun 2002 22:18:05 -0700 
>From: John Sartin <culsart at azstarnet.com> 
>Reply-To: culsart at azstarnet.com 
>X-Mailer: Mozilla 4.79 (Macintosh; U; PPC) 
>X-Accept-Language: en,pdf 
>To: Procmail Security daemon <postmaster@/" EUDORA="AUTOURL"www.mxtabs.net> 
>Subject: Re: Language 
>I have sent you no email prior to this one! I am running Mac OS9.2 and have the latest Norton virus definitions and scan shows no trace of virus or worm. I have no 
>idea what you want me to do!
>Procmail Security daemon wrote:
>> Regarding your message to 
>> <webmaster at mxtabs.net> 
>> ***** SECURITY NOTICE ***** 
>> Our site security policy rejects most executables and all .EXE files 
>> received as email attachments. If you need to send us an .EXE file for 
>> some reason, please reply to this message to make arrangements. 
>> If it's a publicly-available program, please send a URL where the 
>> recipient can download the program directly from the vendor rather 
>> than sending us a copy of the program via email. This will avoid the 
>> possibility of your sending us a copy that has been infected by a 
>> virus. 
>> If your attachment was not an .EXE file, the following applies: 
>> Our email gateway has detected that your message MAY contain 
>> hazardous attachments or embedded scripting, and may have 
>> prevented its delivery to the intended recipient (see below for 
>> details). Our mail administrator has been notified. 
>> It is possible that your computer has been infected by a virus, 
>> or you have been the target of an email worm which is now attacking 
>> other computers on its own, without your knowledge or consent. This 
>> is particularly possible if you don't recall sending the message that 
>> caused this notice to be sent to you. 
>> Please contact your system administrator by phone immediately. 
>> You should not send out any email attachments until you have updated 
>> your antivirus scanner's virus signature list and re-scanned your 
>> computer. 
>> If the Macro Scanner score is large, suspicious macro code has 
>> been detected within the document attachment. Some antivirus 
>> software disables macro viruses but does not remove all traces of 
>> the macro virus program, and the email gateway may be detecting the 
>> parts that remain. To ensure your document contains no traces of 
>> a macro virus, save it in a format that does not support macros 
>> (for example, Rich Text - RTF), reload from that file, and re-save in 
>> the original format. This will strip all macros from the document. 
>> Simply re-sending the same attachment again will not work. The 
>> message was not rejected due to some temporary problem such as 
>> the recipient's mailbox being full. The message has been refused 
>> due to security concerns about the content. If you do not alter 
>> the content, the message will be refused again for the same 
>> reason. 
>> We apologize for any inconvenience, and thank you for your 
>> understanding. If you have any questions, please reply to this 
>> message. Do not include any attachments in your reply. 
>> REPORT: Trapped possible Klez worm - see http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html 
>> REPORT: Not a document, or already poisoned by filename. Not scanned for macros. 
>> STATUS: Message discarded, not delivered to recipient. 
>> Headers from message: 
>> > From Culsart at azstarnet.com Thu Jun 13 17:38:58 2002 
>> > Return-Path: <Culsart at azstarnet.com> 
>> > Received: from cepheus.azstarnet.com (cepheus.azstarnet.com []) 
>> > by www.mxtabs.net (8.10.2/8.10.2) with ESMTP id g5DMcvr14663 
>> > for <webmaster at mxtabs.net>; Thu, 13 Jun 2002 17:38:58 -0500 
>> > Received: from Txkzxn (dhcp825.mc01.dsl.fastucson.net []) 
>> > by cepheus.azstarnet.com (8.9.3/8.9.3) with SMTP id PAA14156 
>> > for <webmaster at mxtabs.net>; Thu, 13 Jun 2002 15:38:45 -0700 (MST) 
>> > Date: Thu, 13 Jun 2002 15:38:45 -0700 (MST) 
>> > Message-Id: <200206132238.PAA14156 at cepheus.azstarnet.com> 
>> > X-Sent-via: StarNet http://www.azstarnet.com/ 
>> > From: kisielkids <kisielkids at aol.com> 
>> > To: webmaster at mxtabs.net 
>> > Subject: Language 
>> > MIME-Version: 1.0 
>> > Content-Type: multipart/alternative; 
>> > boundary=S9772l75J45233Tf3zVn 
>> > X-Content-Security: [www.mxtabs.net] NONOTIFY 
>> > X-Content-Security: [www.mxtabs.net] DISCARD 
>> > X-Content-Security: [www.mxtabs.net] REPORT: Trapped possible Klez worm - see http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html 
>> -- 
>> Message sanitized on www.mxtabs.net 
>> See http://www.impsec.org/email-tools/sanitizer-intro.html for details.

More information about the esd-l mailing list