[Esd-l] Spoofed email addresses

Paul Ferwerda paul at ferwerda.net
Fri Jun 14 07:51:01 PDT 2002


John,

Yep, that is what I figured. We've got an originating IP address but no user at that address.  I've received a bunch of emails claiming that the website has sent them viruses but the From is forged.  For now I think I won't bother notifying the sender if it is Klez.

Paul

PS.  I think the sanitizer is a wonderful tool. We have been getting 100 or so copies of Klez each day, which fill up mailboxes and are in general a big nuisance. The sanitizer has made a world of difference. Thanks!

At 07:06 AM 6/14/2002 -0700, John D. Hardin wrote:
>On Fri, 14 Jun 2002, Paul Ferwerda wrote:
>
>> From looking at the headers it looks like the Return-Path was
>> forged.  Is there any way to deal with this short of not
>> notifying?
>
>There's a limit to how smart the sanitizer can be made, and you can
>only really catch forgery of invalid addresses. If a worm running at
>ferwerda.net forges the sender address as <paul at ferwerda.net>, how can
>you (even manually) tell that's not valid?
>
>> >> > From Culsart at azstarnet.com Thu Jun 13 17:38:58 2002 
>> >> > Return-Path: <Culsart at azstarnet.com> 
>
>> >> > Received: from Txkzxn (dhcp825.mc01.dsl.fastucson.net [169.197.11.57]) 
>> >> > by cepheus.azstarnet.com (8.9.3/8.9.3) with SMTP id PAA14156 
>> >> > for <webmaster at mxtabs.net>; Thu, 13 Jun 2002 15:38:45 -0700 (MST) 
>
>This one is the original delivery. If there was some automated way to
>query the ISP for which of their clients had 169.197.11.57 at that
>time, then we might be able to notify something close to the correct
>user.
>
>Klez is a serious pain in the butt.
>
>--
> John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
> jhardin at impsec.org                        pgpk -a jhardin at impsec.org
>  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76 
> 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
>-----------------------------------------------------------------------
> "To disable the Internet to save EMI and Disney is the moral
>  equivalent of burning down the library of Alexandria to ensure the
>  livelihood of monastic scribes."
>                                    -- John Ippolito of the Guggenheim
>-----------------------------------------------------------------------
>   343 days until The Matrix Reloaded
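
The point John makes above, that the earliest Received line (not the Return-Path or From) is the part of a Klez message you can actually act on, as an added example that is not code from the Email Sanitizer or from either poster. It rebuilds the headers quoted in the thread as a constructed sample (archive "at" obfuscation replaced by "@", body omitted), walks the Received chain to the injecting host, and reports who a notification could plausibly go to. Assumptions: the abuse@ mailbox convention of RFC 2142 for the originating network, a naive "last two labels" guess at the registrable domain, and a HELO-versus-reverse-DNS heuristic; none of these are from the original page.

```python
"""Locate the originating hop of a forged (Klez-style) message.

Only the standard library is used.  SAMPLE is a constructed message built
from the headers John quoted in the thread; it is not a captured file.
"""
import re
from email import message_from_string
from email.utils import parseaddr

SAMPLE = """Return-Path: <Culsart@azstarnet.com>
Received: from Txkzxn (dhcp825.mc01.dsl.fastucson.net [169.197.11.57])
\tby cepheus.azstarnet.com (8.9.3/8.9.3) with SMTP id PAA14156
\tfor <webmaster@mxtabs.net>; Thu, 13 Jun 2002 15:38:45 -0700 (MST)
To: webmaster@mxtabs.net

(body omitted in this constructed sample)
"""

# "from HELO (rdns [ip]) by MTA": the sendmail trace format seen above.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9.]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)"
)


def parse_received(value):
    """Return {helo, rdns, ip, by} for one Received header, or None."""
    value = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED_RE.search(value)
    return {k: m.group(k) for k in ("helo", "rdns", "ip", "by")} if m else None


def originating_hop(msg):
    """Each MTA prepends its own Received line, so the last one in the
    message is the first hop: the machine that injected the mail."""
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    return hops[-1] if hops else None


def registrable_domain(host):
    """Naive guess (last two labels). Assumption for the example; real
    code would consult the public suffix list."""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess(raw):
    """Summarise what in the message can be trusted and whom to notify."""
    msg = message_from_string(raw)
    sender = (parseaddr(msg.get("Return-Path", ""))[1]
              or parseaddr(msg.get("From", ""))[1])
    sender_domain = sender.rpartition("@")[2].lower()
    hop = originating_hop(msg)
    if hop is None:
        return {"sender": sender, "origin_ip": None, "notify": None}

    origin_net = registrable_domain(hop["rdns"]) if hop["rdns"] else None
    # A HELO that is not the host's real name is typical of a mailer the
    # worm carries itself rather than a configured client (heuristic).
    helo_ok = bool(hop["rdns"]) and hop["helo"].lower() == hop["rdns"].lower()
    return {
        "sender": sender,
        "sender_domain": sender_domain,
        "origin_ip": hop["ip"],
        "origin_rdns": hop["rdns"],
        "origin_network": origin_net,
        "relay": hop["by"],
        "helo_matches_rdns": helo_ok,
        "sender_network_matches_origin": origin_net == sender_domain,
        # RFC 2142 abuse@ mailbox of the originating network; the sender
        # address is forged and gets nothing.
        "notify": f"abuse@{origin_net}" if origin_net else None,
    }


if __name__ == "__main__":
    for key, val in assess(SAMPLE).items():
        print(f"{key:32} {val}")
```

For the quoted headers the script puts the injecting host at 169.197.11.57 (dhcp825.mc01.dsl.fastucson.net), a network that does not match the azstarnet.com sender domain, and the HELO name Txkzxn matches nothing, so the only useful recipient of a notice is the originating network's abuse desk, which is the "something close to the correct user" John refers to.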


