Simon Matthews simon at paxonet.com
Thu May 16 20:09:01 PDT 2002


Plausible, yes: 80-90%. Correct (i.e. not forged): about 50%. I know this 
because many of the trapped emails have local addresses (i.e. from my 
company's US office), yet the source is an IP address that is in India (we 
have many contacts in India).

Since Klez has its own SMTP engine and contacts remote mailservers itself, 
clearly it can put anything it wants in the "MAIL FROM:" statement.


At 07:19 PM 5/16/02 -0700, John Hardin wrote:
>On Thu, 2002-05-16 at 18:42, Simon Matthews wrote:
> > Actually, I don't think Klez always puts the correct reply address
> > anywhere.
>My bounces are running 80% to 90% plausible Return-Path: headers. Is
>anybody seeing something lower than this?
>I don't know whether Klez would be able to forge the Return-Path: and if
>so, whether any variants are doing so. Maybe I should pull something out
>of quarantine and run it through "strings"...
>  John Hardin KA7OHZ    ICQ#15735746
>  jhardin at impsec.org                        pgpk -a jhardin at impsec.org
>   768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76
>  1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
>  "To disable the Internet to save EMI and Disney is the moral
>   equivalent of burning down the library of Alexandria to ensure the
>   livelihood of monastic scribes."
>                                     -- John Ippolito of the Guggenheim
>    909 days until the Presidential Election
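The heuristic Simon describes above, a locally addressed Return-Path arriving from an outside IP, as an added example that is not part of the original thread. It checks the envelope sender domain against the connecting host recorded in the topmost Received: header; the domain, netblock and sample message are constructed assumptions.

```python
import email
import ipaddress
import re

# Constructed sample: envelope sender claims our domain, but the host that
# handed the message to our MX (topmost Received:) is outside our netblocks.
SAMPLE_MSG = """Return-Path: <alice@example.com>
Received: from mail.example.com (unknown [203.0.113.45])
\tby mx.example.com (Postfix) with ESMTP id 1234
\tfor <bob@example.com>; Thu, 16 May 2002 20:00:00 -0700
From: alice@example.com
To: bob@example.com
Subject: constructed sample

body
"""

LOCAL_DOMAINS = {"example.com"}                      # assumption: our mail domains
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumption: our own address space

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(msg):
    """IP in the topmost Received: header, i.e. the host that connected to our MX."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = IP_RE.search(received[0])
    return ipaddress.ip_address(m.group(1)) if m else None


def return_path_domain(msg):
    """Domain part of the envelope sender as recorded in Return-Path:."""
    rp = msg.get("Return-Path", "")
    m = re.search(r"<([^>]*)>", rp)
    addr = m.group(1) if m else rp.strip()
    return addr.rpartition("@")[2].lower() or None


def is_suspect_envelope(raw):
    """True when a message claiming one of our domains came from a foreign IP."""
    msg = email.message_from_string(raw)
    domain = return_path_domain(msg)
    ip = connecting_ip(msg)
    if domain not in LOCAL_DOMAINS or ip is None:
        return False
    return not any(ip in net for net in LOCAL_NETS)


if __name__ == "__main__":
    print("suspect" if is_suspect_envelope(SAMPLE_MSG) else "ok")
```

The same message delivered from inside the listed netblock is not flagged, so the check only reacts to the forged-local-sender pattern and stays quiet for ordinary internal mail.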

