[Esd-l] Spoofed email addresses

Mark_Saunders Mark_Saunders at piucorp.com
Fri Jun 14 07:33:00 PDT 2002


You may already be aware of this, but the Klez worm falsifies the "From" address, so the traditional notification methods don't apply.

Paul Ferwerda wrote:

>         As a newbie to this list I apologize if I'm asking something that has been covered before. I checked the subject of posts in the archives for the last two years for "spoof" but didn't find anything.  The sanitizer sent out a notification message and I received the following message back.  From looking at the headers it looks like the Return-Path was forged.  Is there any way to deal with this short of not notifying?
>
> Thanks,
> Paul
>
> >X-Sent-via: StarNet http://www.azstarnet.com/
> >Date: Thu, 13 Jun 2002 22:18:05 -0700
> >From: John Sartin <culsart at azstarnet.com>
> >Reply-To: culsart at azstarnet.com
> >X-Mailer: Mozilla 4.79 (Macintosh; U; PPC)
> >X-Accept-Language: en,pdf
> >To: Procmail Security daemon <postmaster at www.mxtabs.net>
> >Subject: Re: Language
> >
> >I have sent you no email prior to this one! I am running Mac OS9.2 and have the latest Norton virus definitions and scan shows no trace of virus or worm. I have no
> >idea what you want me to do!
> >Procmail Security daemon wrote:
> >> Regarding your message to
> >> <webmaster at mxtabs.net>
> >>
> >> ***** SECURITY NOTICE *****
> >>
> >> Our site security policy rejects most executables and all .EXE files
> >> received as email attachments. If you need to send us an .EXE file for
> >> some reason, please reply to this message to make arrangements.
> >>
> >> If it's a publicly-available program, please send a URL where the
> >> recipient can download the program directly from the vendor rather
> >> than sending us a copy of the program via email. This will avoid the
> >> possibility of your sending us a copy that has been infected by a
> >> virus.
> >>
> >> If your attachment was not an .EXE file, the following applies:
> >>
> >> Our email gateway has detected that your message MAY contain
> >> hazardous attachments or embedded scripting, and may have
> >> prevented its delivery to the intended recipient (see below for
> >> details). Our mail administrator has been notified.
> >>
> >> It is possible that your computer has been infected by a virus,
> >> or you have been the target of an email worm which is now attacking
> >> other computers on its own, without your knowledge or consent. This
> >> is particularly possible if you don't recall sending the message that
> >> caused this notice to be sent to you.
> >>
> >> Please contact your system administrator by phone immediately.
> >> You should not send out any email attachments until you have updated
> >> your antivirus scanner's virus signature list and re-scanned your
> >> computer.
> >>
> >> If the Macro Scanner score is large, suspicious macro code has
> >> been detected within the document attachment. Some antivirus
> >> software disables macro viruses but does not remove all traces of
> >> the macro virus program, and the email gateway may be detecting the
> >> parts that remain. To ensure your document contains no traces of
> >> a macro virus, save it in a format that does not support macros
> >> (for example, Rich Text - RTF), reload from that file, and re-save in
> >> the original format. This will strip all macros from the document.
> >>
> >> Simply re-sending the same attachment again will not work. The
> >> message was not rejected due to some temporary problem such as
> >> the recipient's mailbox being full. The message has been refused
> >> due to security concerns about the content. If you do not alter
> >> the content, the message will be refused again for the same
> >> reason.
> >>
> >> We apologize for any inconvenience, and thank you for your
> >> understanding. If you have any questions, please reply to this
> >> message. Do not include any attachments in your reply.
> >>
> >> REPORT: Trapped possible Klez worm - see http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html
> >> REPORT: Not a document, or already poisoned by filename. Not scanned for macros.
> >> STATUS: Message discarded, not delivered to recipient.
> >>
> >> Headers from message:
> >>
> >> > From Culsart at azstarnet.com Thu Jun 13 17:38:58 2002
> >> > Return-Path: <Culsart at azstarnet.com>
> >> > Received: from cepheus.azstarnet.com (cepheus.azstarnet.com [169.197.56.195])
> >> > by www.mxtabs.net (8.10.2/8.10.2) with ESMTP id g5DMcvr14663
> >> > for <webmaster at mxtabs.net>; Thu, 13 Jun 2002 17:38:58 -0500
> >> > Received: from Txkzxn (dhcp825.mc01.dsl.fastucson.net [169.197.11.57])
> >> > by cepheus.azstarnet.com (8.9.3/8.9.3) with SMTP id PAA14156
> >> > for <webmaster at mxtabs.net>; Thu, 13 Jun 2002 15:38:45 -0700 (MST)
> >> > Date: Thu, 13 Jun 2002 15:38:45 -0700 (MST)
> >> > Message-Id: <200206132238.PAA14156 at cepheus.azstarnet.com>
> >> > X-Sent-via: StarNet http://www.azstarnet.com/
> >> > From: kisielkids <kisielkids at aol.com>
> >> > To: webmaster at mxtabs.net
> >> > Subject: Language
> >> > MIME-Version: 1.0
> >> > Content-Type: multipart/alternative;
> >> > boundary=S9772l75J45233Tf3zVn
> >> > X-Content-Security: [www.mxtabs.net] NONOTIFY
> >> > X-Content-Security: [www.mxtabs.net] DISCARD
> >> > X-Content-Security: [www.mxtabs.net] REPORT: Trapped possible Klez worm - see http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html
> >>
> >> --
> >> Message sanitized on www.mxtabs.net
> >> See http://www.impsec.org/email-tools/sanitizer-intro.html for details.
> _______________________________________________
> Esd-l mailing list
> Esd-l at spconnect.com
> http://www.spconnect.com/mailman/listinfo/esd-l

--
mv $win /dev/null
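The point made above, that Klez forges the From (and here the Return-Path) so a bounce-style notice reaches an innocent third party, can be checked mechanically before a notice goes out. The following is an added example, not code from the thread or from the sanitizer, that walks the Received chain of the quoted headers and compares the originating relay against the From and Return-Path domains. It assumes a crude "last two DNS labels" notion of domain (no public-suffix list), and the second header block (example.org, 192.0.2.10) is constructed to show the non-suspicious path.

```python
import email
import re
from email.utils import parseaddr

# Header block taken from the quoted sanitizer report, with the archive's
# " at " obfuscation reversed so that the addresses parse.
KLEZ_HEADERS = """\
Return-Path: <Culsart@azstarnet.com>
Received: from cepheus.azstarnet.com (cepheus.azstarnet.com [169.197.56.195])
 by www.mxtabs.net (8.10.2/8.10.2) with ESMTP id g5DMcvr14663
 for <webmaster@mxtabs.net>; Thu, 13 Jun 2002 17:38:58 -0500
Received: from Txkzxn (dhcp825.mc01.dsl.fastucson.net [169.197.11.57])
 by cepheus.azstarnet.com (8.9.3/8.9.3) with SMTP id PAA14156
 for <webmaster@mxtabs.net>; Thu, 13 Jun 2002 15:38:45 -0700 (MST)
Date: Thu, 13 Jun 2002 15:38:45 -0700 (MST)
Message-Id: <200206132238.PAA14156@cepheus.azstarnet.com>
From: kisielkids <kisielkids@aol.com>
To: webmaster@mxtabs.net
Subject: Language
MIME-Version: 1.0

"""

# Constructed, consistent message (example.org, TEST-NET address) for contrast.
CLEAN_HEADERS = """\
Return-Path: <alice@example.org>
Received: from mail.example.org (mail.example.org [192.0.2.10])
 by www.mxtabs.net (8.10.2/8.10.2) with ESMTP id g5DAAAA00001
 for <webmaster@mxtabs.net>; Fri, 14 Jun 2002 09:00:00 -0500
From: Alice <alice@example.org>
To: webmaster@mxtabs.net
Subject: test

"""

# "from <HELO name> (<reverse DNS> [<ip>])" as sendmail writes it.
RECEIVED_FROM = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[\d.]+)\]\)",
    re.IGNORECASE,
)


def registrable_domain(host):
    """Crude organisational domain: last two labels (assumption, no PSL)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def address_domain(header_value):
    """Domain part of the address in a From/Return-Path header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def originating_hop(msg):
    """Earliest hop is the LAST Received header, since each relay prepends."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    text = re.sub(r"\s+", " ", str(received[-1]))  # unfold continuation lines
    m = RECEIVED_FROM.search(text)
    return m.groupdict() if m else None


def analyse(raw):
    """Collect sender identities and the reasons a notice may be misdirected."""
    msg = email.message_from_string(raw)
    hop = originating_hop(msg) or {}
    result = {
        "from_domain": address_domain(msg.get("From")),
        "return_path_domain": address_domain(msg.get("Return-Path")),
        "origin_helo": hop.get("helo"),
        "origin_rdns": hop.get("rdns"),
        "origin_ip": hop.get("ip"),
        "reasons": [],
    }
    if result["from_domain"] != result["return_path_domain"]:
        result["reasons"].append("From and Return-Path domains differ")
    if hop.get("rdns") and result["from_domain"] != registrable_domain(hop["rdns"]):
        result["reasons"].append("From domain does not match originating host")
    if hop.get("helo") and "." not in hop["helo"]:
        result["reasons"].append("bare (unqualified) HELO name at origin")
    return result


def notify_sender(raw):
    """True only when nothing suggests the sender identity is forged."""
    return not analyse(raw)["reasons"]


if __name__ == "__main__":
    for label, raw in (("klez", KLEZ_HEADERS), ("clean", CLEAN_HEADERS)):
        r = analyse(raw)
        print(label, "notify" if notify_sender(raw) else "suppress", r["reasons"])
```

On the quoted Klez message this yields three reasons (aol.com From versus azstarnet.com Return-Path, a fastucson.net dial-up origin, and the bare HELO name "Txkzxn"), so the notice would be suppressed, which is what the sanitizer's NONOTIFY marker expresses; the constructed example.org message passes. Any one of these signals on its own is weak, so the policy is "suppress when in doubt" rather than "reject".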
