[Esd-l] Re: [Esa-l] ANN: Sanitizer update - 1.135 released
scott at dctchambers.com
Mon May 27 09:03:01 PDT 2002
Hello John et al,
At 10:05 PM 26/05/2002, John D. Hardin wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>The procmail sanitizer has been updated. The current version is 1.135
>- From the changelog:
>Smarten $SECURITY_NOTIFY_SENDER up to reduce spoofing by forged
> headers; disable this by setting $SECURITY_DISABLE_SMART_REPLY to
> any value; side-effect is the sender address is now taken from the
> Return-Path: header instead of the From: header.
That's a great idea, however, I've noticed that one worm rebuilds the
headers with one minor change in the Return-Path line, i.e. Return-Path:
<kqroski@ but the From line has the correct email address:
kproski@ (notice the second character is one away).
In another case both From: and Return-Path: are spoofed as
<"nh today.doc"@...> with the domain as the recipient domain. This one
really bothers me, because the recipient's domain may allow certain file
types from within its own domain. This may have just been a fluke where
the virus parsed some document for email addresses and something got messed
up. I've only seen it the one time, but then with the huge flow of email
worms today... and neither the user "nh today.doc" nor an alias by that name exists on that domain.
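The two forgery patterns described in this message (a Return-Path: that is one character off the From: address, and a quoted filename-like local part at the recipient's own domain) can be checked before a notification is sent. The following is an added example and is not the sanitizer's own code; the function names (`check_sender_headers`, `choose_notify_sender`), the edit-distance threshold of 2, the list of suspicious suffixes and the sample messages are all assumptions constructed for illustration. Address extraction is deliberately minimal rather than a full RFC 5322 parser.

```python
"""Added example (not the procmail sanitizer's code): flag forged sender
headers before choosing where to send a security notification.

Assumed names and thresholds; sample messages are constructed."""
import email

# Constructed sample messages; addresses and domains are placeholders.
MSG_ONE_OFF = """Return-Path: <kqroski@example.net>
From: kproski@example.net
To: user@example.org
Subject: hi

body
"""

MSG_LOCAL_FILENAME = """Return-Path: <"nh today.doc"@example.org>
From: "nh today.doc"@example.org
To: user@example.org
Subject: hi

body
"""

MSG_CLEAN = """Return-Path: <alice@example.net>
From: Alice <alice@example.net>
To: user@example.org
Subject: hi

body
"""

# Assumed list of extensions a worm-generated local part tends to carry.
SUSPICIOUS_SUFFIXES = (".doc", ".exe", ".scr", ".pif", ".bat", ".com", ".vbs")
# Assumed threshold: addresses this close are treated as one forged from the other.
NEAR_DUPLICATE_DISTANCE = 2


def extract_addr(value):
    """Pull the addr-spec out of a header value: the part in <...> if present,
    otherwise the whole stripped value. Not a full RFC 5322 parser."""
    value = value.strip()
    if "<" in value and value.endswith(">"):
        value = value[value.rfind("<") + 1:-1]
    return value.strip()


def levenshtein(a, b):
    """Edit distance, used to catch kqroski@ vs kproski@ style forgeries."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_filename(local_part):
    """A local part with whitespace or a document/executable suffix is
    far more likely to be a harvested filename than a real mailbox."""
    s = local_part.strip('"')
    return (" " in s) or s.lower().endswith(SUSPICIOUS_SUFFIXES)


def check_sender_headers(raw, local_domain):
    """Return a list of finding labels for the message's sender headers.
    local_domain is the domain this host delivers for (the recipient domain)."""
    msg = email.message_from_string(raw)
    rp = extract_addr(msg.get("Return-Path", ""))
    frm = extract_addr(msg.get("From", ""))
    findings = []
    if rp and frm and rp.lower() != frm.lower():
        if levenshtein(rp.lower(), frm.lower()) <= NEAR_DUPLICATE_DISTANCE:
            findings.append("near_duplicate_return_path")
        else:
            findings.append("return_path_mismatch")
    for label, addr in (("return_path", rp), ("from", frm)):
        if not addr:
            continue
        local, _, domain = addr.rpartition("@")
        if domain.lower() == local_domain.lower() and looks_like_filename(local):
            findings.append(f"{label}_local_domain_filename")
    return findings


def choose_notify_sender(raw, local_domain):
    """One possible policy (assumed, not the sanitizer's): notify the
    Return-Path address only when none of the forgery checks fire."""
    if check_sender_headers(raw, local_domain):
        return None
    return extract_addr(email.message_from_string(raw).get("Return-Path", ""))


if __name__ == "__main__":
    for name, raw in (("one-off", MSG_ONE_OFF), ("filename", MSG_LOCAL_FILENAME), ("clean", MSG_CLEAN)):
        print(name, check_sender_headers(raw, "example.org"), choose_notify_sender(raw, "example.org"))
```

Suppressing the notification when either check fires is only one choice; another is to notify postmaster at the Return-Path domain instead of the mailbox itself, which avoids bouncing mail at a near-miss address like kqroski@ that probably does not exist.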