[Esd-l] SECURITY_NOTIFY_SENDER="YES"

C.S. Kumar kumar at mech.iitkgp.ernet.in
Sat May 18 07:24:01 PDT 2002


Hi Philip,
Upgrading sendmail to 8.11.6 helped in getting the From and From: line
correctly. Thanks for the suggestion.
-CSKumar

> I had had problems with what you had been experiencing.. until i upgraded
> sendmail 8.9.3 to sendmail 8.11.6 that recognise envelope sender header,
> though i had had procmail v.3.15 and eventually moved up to procmail v3.22.
> 
> Thereafter, the filter responded nicely.. and pocketed avg of 21k mails/ mth
> .. skyscraping up from normally 5k mails/mth
> 
> So, maybe the solution to your problem may lie in your upgrading of sendmail
> and procmail.
> 
> Phil.
> ----- Original Message -----
> From: "C.S. Kumar" <kumar at mech.iitkgp.ernet.in>
> To: "Simon Matthews" <simon at paxonet.com>; "John Hardin"
> <jhardin at impsec.org>; "Email Security Discussion list" <esd-l at spconnect.com>
> Sent: Friday, May 17, 2002 1:38 PM
> Subject: Re: [Esd-l] SECURITY_NOTIFY_SENDER="YES"
> 
> 
> > Hi all,
> >
> > I am using the procmail filter on our SMTP server and have
> > been monitoring the response to Klez virus.
> >
> > I also found that Klez forges nearly all the mails it sends.
> >
> > If one observes the headers of the mails from a Klez affected
> > source, the address in the "From " line is different from that in
> > the "From: " line.
> >
> > I noticed that the sanitizer sends notification to the
> > address in the "From: " field. This address may not be of the
> > real sender / affected PC.
> >
> > Can we selectively disable SECURITY_NOTIFY_SENDER for a specific
> > signature like that of Klez?
> >
> > Regards
> > -Kumar
> > C.S.Kumar, Ph.D.
> > Mechanical Engineering Department
> > Indian Institute of Technology Kharagpur, India
> >
> > > John,
> > >
> > > Plausible, yes: 80-90%. Correct (ie. not forged): about 50%. I know this
> > > because many of the trapped emails have local addresses (ie. from my
> > > company's US office), yet the source is an IP address that is in India (we
> > > have many contacts in India).
> > >
> > > Since klez has its own smtp engine and contacts remote mailservers itself,
> > > clearly it can put anything it wants in the "mail from:" statement.
> > >
> > > Simon
> > >
> > > At 07:19 PM 5/16/02 -0700, John Hardin wrote:
> > > >On Thu, 2002-05-16 at 18:42, Simon Matthews wrote:
> > > >
> > > > > Actually, I don't think Klez always puts the correct reply address
> > > > > anywhere.
> > > >
> > > >My bounces are running 80% to 90% plausible Return-Path: headers. Is
> > > >anybody seeing something lower than this?
> > > >
> > > >I don't know whether Klez would be able to forge the Return-Path: and if
> > > >so, whether any variants are doing so. Maybe I should pull something out
> > > >of quarantine and run it through "strings"...
> > > >
> > > >--
> > > >  John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
> > > >  jhardin at impsec.org                        pgpk -a jhardin at impsec.org
> > > >   768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76
> > > >  1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> > > >-----------------------------------------------------------------------
> > > >  "To disable the Internet to save EMI and Disney is the moral
> > > >   equivalent of burning down the library of Alexandria to ensure the
> > > >   livelihood of monastic scribes."
> > > >                                     -- John Ippolito of the Guggenheim
> > > >-----------------------------------------------------------------------
> > > >    909 days until the Presidential Election
> > > _______________________________________________
> > > Esd-l mailing list
> > > Esd-l at spconnect.com
> > > http://www.spconnect.com/mailman/listinfo/esd-l
> > _______________________________________________
> > Esd-l mailing list
> > Esd-l at spconnect.com
> > http://www.spconnect.com/mailman/listinfo/esd-l
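The thread turns on the difference between the envelope sender (the mbox "From " separator line / SMTP "MAIL FROM", usually echoed in Return-Path:) and the From: header, and on whether a notification should go to the From: address when the two disagree. The script below is an added illustration written for this archive page; it is not part of the procmail sanitizer, does not read its SECURITY_NOTIFY_SENDER setting, and the sample messages and addresses in it are constructed. It parses a single mbox-format message, pulls out the three sender values, and applies one possible policy: only notify the From: address when it agrees with the envelope sender. As Simon and John note above, a worm running its own SMTP engine can forge the envelope sender and Return-Path: as well, so a match is not proof of a real sender; a mismatch is only a reason to suppress the notification.

```python
"""Compare a mail's envelope sender with its From: header.

Added example for the esd-l thread; not the sanitizer's own code.
Assumes mbox format: the first line is "From <envelope-sender> <date>",
followed by the RFC 822 headers and body.
"""
import email
from email.utils import parseaddr

# Constructed sample 1: envelope sender and From: header disagree, the
# pattern Kumar describes for mail sent by Klez. All addresses are made up.
SAMPLE_MISMATCH = """\
From bounce-origin@host-a.example Sat May 18 07:24:01 2002
Return-Path: <bounce-origin@host-a.example>
From: "Trusted Colleague" <colleague@company.example>
To: victim@company.example
Subject: a funny game

body
"""

# Constructed sample 2: a normal message where all three values agree.
SAMPLE_MATCH = """\
From alice@company.example Sat May 18 07:24:01 2002
Return-Path: <alice@company.example>
From: Alice <alice@company.example>
To: bob@company.example
Subject: hello

body
"""


def split_mbox_message(text):
    """Return (envelope_sender, parsed_message) for one mbox-format message."""
    first, _, rest = text.partition("\n")
    if not first.startswith("From "):
        raise ValueError("not an mbox message: missing 'From ' separator line")
    parts = first.split()
    envelope = parts[1] if len(parts) > 1 else ""
    return envelope, email.message_from_string(rest)


def sender_addresses(text):
    """Extract envelope sender, Return-Path: and From: as lower-cased addresses."""
    envelope, msg = split_mbox_message(text)
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    header_from = parseaddr(msg.get("From", ""))[1]
    return {
        "envelope": envelope.lower(),
        "return_path": return_path.lower(),
        "header_from": header_from.lower(),
    }


def should_notify_sender(text):
    """Policy: notify the From: address only if it matches the envelope sender.

    A mismatch means the From: header is not the address the mail was
    actually submitted under, so a notification would likely go to a
    third party whose address was merely borrowed.
    """
    addrs = sender_addresses(text)
    return addrs["header_from"] != "" and addrs["header_from"] == addrs["envelope"]


if __name__ == "__main__":
    for label, sample in (("mismatch", SAMPLE_MISMATCH), ("match", SAMPLE_MATCH)):
        print(label, sender_addresses(sample), "notify:", should_notify_sender(sample))
```

Run on a real sanitizer quarantine, the same check can be applied to each stored message to see how often From: and the envelope sender differ, which is the figure Simon estimates above from his own trapped mail.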