[Esd-l] SECURITY_NOTIFY_SENDER="YES"

Philip Choy plchoy at income.com.sg
Fri May 17 00:55:01 PDT 2002


I had had problems with what you had been experiencing.. until I upgraded
sendmail 8.9.3 to sendmail 8.11.6, which recognises the envelope sender header,
though I had had procmail v3.15 and eventually moved up to procmail v3.22.

Thereafter, the filter responded nicely.. and pocketed an avg of 21k mails/mth
.. skyscraping up from normally 5k mails/mth.

So, maybe the solution to your problem may lie in your upgrading of sendmail
and procmail.

Phil.
----- Original Message -----
From: "C.S. Kumar" <kumar at mech.iitkgp.ernet.in>
To: "Simon Matthews" <simon at paxonet.com>; "John Hardin"
<jhardin at impsec.org>; "Email Security Discussion list" <esd-l at spconnect.com>
Sent: Friday, May 17, 2002 1:38 PM
Subject: Re: [Esd-l] SECURITY_NOTIFY_SENDER="YES"


> Hi all,
>
> I am using the procmail filter on our SMTP server and have
> been monitoring the response to Klez virus.
>
> I also found that Klez forges nearly all the mails it sends.
>
> If one observes the headers of the mails from a Klez-affected
> source, the address in the "From " line is different from that in
> the "From: " line.
>
> I noticed that the sanitizer sends notification to the
> address in the "From: " field. This address may not be of the
> real sender / affected PC.
>
> Can we selectively disable SECURITY_NOTIFY_SENDER for a specific
> signature like that of Klez?
>
> Regards
> -Kumar
> C.S.Kumar, Ph.D.
> Mechanical Engineering Department
> Indian Institute of Technology Kharagpur, India
>
> > John,
> >
> > Plausible, yes: 80-90%. Correct (ie. not forged): about 50%. I know this
> > because many of the trapped emails have local addresses (ie. from my
> > company's US office), yet the source is an IP address that is in India (we
> > have many contacts in India).
> >
> > Since klez has its own smtp engine and contacts remote mailservers itself,
> > clearly it can put anything it wants in the "mail from:" statement.
> >
> > Simon
> >
> > At 07:19 PM 5/16/02 -0700, John Hardin wrote:
> > >On Thu, 2002-05-16 at 18:42, Simon Matthews wrote:
> > >
> > > > Actually, I don't think Klez always puts the correct reply address
> > > > anywhere.
> > >
> > >My bounces are running 80% to 90% plausible Return-Path: headers. Is
> > >anybody seeing something lower than this?
> > >
> > >I don't know whether Klez would be able to forge the Return-Path: and if
> > >so, whether any variants are doing so. Maybe I should pull something out
> > >of quarantine and run it through "strings"...
> > >
> > >--
> > >  John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
> > >  jhardin at impsec.org                        pgpk -a jhardin at impsec.org
> > >   768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76
> > >  1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> > >-----------------------------------------------------------------------
> > >  "To disable the Internet to save EMI and Disney is the moral
> > >   equivalent of burning down the library of Alexandria to ensure the
> > >   livelihood of monastic scribes."
> > >                                     -- John Ippolito of the Guggenheim
> > >-----------------------------------------------------------------------
> > >    909 days until the Presidential Election
> > _______________________________________________
> > Esd-l mailing list
> > Esd-l at spconnect.com
> > http://www.spconnect.com/mailman/listinfo/esd-l
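The check Kumar is asking about, written out as an added example (not code from the sanitizer, procmail, or anyone in this thread): compare the envelope sender recorded in the mbox "From " line (or, failing that, Return-Path:) with the From: header, and skip the sender notification when the two disagree. All messages and addresses below are constructed.

```python
from typing import Optional, Tuple
import email
from email.message import Message
from email.utils import parseaddr

# Constructed samples, not real traffic. The first mimics the Klez pattern from the
# thread: the MTA-written envelope "From " line names the infected host's mailbox,
# while the From: header carries a forged address harvested from that host.
FORGED_MBOX_MESSAGE = """From worm-host@example.net Fri May 17 00:55:01 2002
Return-Path: <worm-host@example.net>
From: "Trusted Colleague" <colleague@example.org>
To: victim@example.com
Subject: Hi

body
"""

HONEST_MBOX_MESSAGE = """From colleague@example.org Fri May 17 01:00:00 2002
Return-Path: <colleague@example.org>
From: "Trusted Colleague" <colleague@example.org>
To: victim@example.com
Subject: Hi

body
"""

def split_envelope(raw: str) -> Tuple[Optional[str], Message]:
    """Separate the mbox 'From <addr> <date>' envelope line (not an RFC 2822 header)
    from the message proper and return (envelope_sender, parsed_message)."""
    first, _, rest = raw.partition("\n")
    envelope = None
    if first.startswith("From "):
        parts = first.split()
        envelope = parts[1].lower() if len(parts) >= 2 else None
        raw = rest
    return envelope, email.message_from_string(raw)

def header_sender(msg: Message) -> Optional[str]:
    """Address from the From: header, or None when it is missing or unparsable."""
    return parseaddr(msg.get("From", ""))[1].lower() or None

def should_notify_sender(raw: str) -> bool:
    """Notify the From: address only when it agrees with the envelope sender.
    A mismatch is the forgery pattern described in the thread; notifying the From:
    address then reaches an uninvolved third party rather than the infected machine."""
    envelope, msg = split_envelope(raw)
    if envelope is None:  # no mbox line: fall back to the Return-Path: the MTA stamps
        envelope = parseaddr(msg.get("Return-Path", ""))[1].lower() or None
    hdr = header_sender(msg)
    return envelope is not None and hdr is not None and envelope == hdr
```

In a procmail setting the same comparison would gate the recipe that sets SECURITY_NOTIFY_SENDER, so that the notification still goes out for honest senders but not for a forged From:.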