[Esd-l] SECURITY_NOTIFY_SENDER="YES"
Simon Matthews
simon at paxonet.com
Thu May 16 20:09:01 PDT 2002
John,
Plausible, yes: 80-90%. Correct (i.e. not forged): about 50%. I know this
because many of the trapped emails have local addresses (i.e. from my
company's US office), yet the source is an IP address that is in India (we
have many contacts in India).

Since Klez has its own SMTP engine and contacts remote mailservers itself,
clearly it can put anything it wants in the "MAIL FROM:" statement.
Simon
At 07:19 PM 5/16/02 -0700, John Hardin wrote:
>On Thu, 2002-05-16 at 18:42, Simon Matthews wrote:
>
> > Actually, I don't think Klez always puts the correct reply address
> > anywhere.
>
>My bounces are running 80% to 90% plausible Return-Path: headers. Is
>anybody seeing something lower than this?
>
>I don't know whether Klez would be able to forge the Return-Path: and if
>so, whether any variants are doing so. Maybe I should pull something out
>of quarantine and run it through "strings"...
>
>--
> John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
> jhardin at impsec.org pgpk -a jhardin at impsec.org
> 768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76
> 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
>-----------------------------------------------------------------------
> "To disable the Internet to save EMI and Disney is the moral
> equivalent of burning down the library of Alexandria to ensure the
> livelihood of monastic scribes."
> -- John Ippolito of the Guggenheim
>-----------------------------------------------------------------------
> 909 days until the Presidential Election
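The check Simon describes by hand (envelope sender claims a local address, but the connecting host is somewhere else) can be automated on the headers our own MTA writes. This is an added example, not code from the list or its participants; the domain, netblock and Received: lines are constructed placeholders, and it assumes our MX is the only hop, so the topmost Received: header is the one our MTA wrote.

```python
import ipaddress
import re
from email import message_from_string

# Assumed values (not from the thread): our own domain and netblock.
LOCAL_DOMAIN = "example.com"
LOCAL_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def originating_ip(msg):
    """Client IP recorded by our MTA in the topmost Received: header.

    Received: headers are prepended at each hop, so received[0] is the one
    our MX wrote. Older headers (and MAIL FROM itself) can be forged by a
    sender running its own SMTP engine, so only that hop is trusted here.
    """
    received = msg.get_all("Received") or []
    match = IP_RE.search(received[0]) if received else None
    return ipaddress.ip_address(match.group(1)) if match else None


def envelope_domain(msg):
    """Domain of Return-Path:, i.e. the SMTP MAIL FROM as our MTA recorded it."""
    match = re.search(r"@([\w.-]+)>?\s*$", msg.get("Return-Path", ""))
    return match.group(1).lower() if match else None


def claims_local_but_remote(raw):
    """True when MAIL FROM claims our domain but the client IP is not ours."""
    msg = message_from_string(raw)
    ip = originating_ip(msg)
    if envelope_domain(msg) != LOCAL_DOMAIN or ip is None:
        return False
    return not any(ip in net for net in LOCAL_NETWORKS)


# Constructed samples: a forged local sender arriving from outside, and a
# genuine local sender arriving from our own netblock.
FORGED = """Return-Path: <bob@example.com>
Received: from pc123 (unknown [198.51.100.7])
    by mx.example.com (Postfix) with SMTP id ABC123
    for <alice@example.com>; Thu, 16 May 2002 19:30:00 -0700
From: bob@example.com

hi
"""
LEGIT = FORGED.replace("[198.51.100.7]", "[203.0.113.45]")
```

Roaming users who submit mail from outside the netblock will also trip this check, so it is a triage signal for the quarantine, not a standalone reject rule.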