[Esd-l] SECURITY_NOTIFY_SENDER="YES"

C.S. Kumar kumar at mech.iitkgp.ernet.in
Thu May 16 22:48:01 PDT 2002


Hi all,

I am using the procmail filter on our SMTP server and have
been monitoring the response to the Klez virus.

I also found that Klez forges nearly all the mails it sends.

If one observes the headers of the mails from a Klez-affected
source, the address in the "From " line is different from that in
the "From: " line.

I noticed that the sanitizer sends notification to the
address in the "From: " field. This address may not be of the
real sender / affected PC.
 
Can we selectively disable SECURITY_NOTIFY_SENDER for a specific
signature like that of Klez?

Regards
-Kumar
C.S.Kumar, Ph.D.
Mechanical Engineering Department 
Indian Institute of Technology Kharagpur, India

> John,
> 
> Plausible, yes: 80-90%. Correct (ie. not forged): about 50%. I know this
> because many of the trapped emails have local addresses (ie. from my
> company's US office), yet the source is an IP address that is in India (we
> have many contacts in India).
> 
> Since klez has its own smtp engine and contacts remote mailservers itself,
> clearly it can put anything it wants in the "mail from:" statement.
> 
> Simon
> 
> At 07:19 PM 5/16/02 -0700, John Hardin wrote:
> >On Thu, 2002-05-16 at 18:42, Simon Matthews wrote:
> >
> > > Actually, I don't think Klez always puts the correct reply address
> > > anywhere.
> >
> >My bounces are running 80% to 90% plausible Return-Path: headers. Is
> >anybody seeing something lower than this?
> >
> >I don't know whether Klez would be able to forge the Return-Path: and if
> >so, whether any variants are doing so. Maybe I should pull something out
> >of quarantine and run it through "strings"...
> >
> >--
> >  John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
> >  jhardin at impsec.org                        pgpk -a jhardin at impsec.org
> >   768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76
> >  1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> >-----------------------------------------------------------------------
> >  "To disable the Internet to save EMI and Disney is the moral
> >   equivalent of burning down the library of Alexandria to ensure the
> >   livelihood of monastic scribes."
> >                                     -- John Ippolito of the Guggenheim
> >-----------------------------------------------------------------------
> >    909 days until the Presidential Election
> _______________________________________________
> Esd-l mailing list
> Esd-l at spconnect.com
> http://www.spconnect.com/mailman/listinfo/esd-l
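The distinction Kumar draws between the envelope "From " line (the SMTP MAIL FROM address, as procmail records it at the top of an mbox message) and the "From: " header (whatever the worm chose to display) can be checked mechanically before a notification is sent. The following is an added example, not code from the sanitizer, the list, or any of the posters: it parses a constructed mbox-format message, compares the envelope sender with the From: header, and refuses to notify when they disagree or when the detected signature belongs to a family known to forge its sender. The sample message, the `X-Virus-Signature` header name, the `FORGING_SIGNATURES` set and all function names are assumptions made for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: an mbox-format message as procmail would hand it to a
# filter. The first line ("From " with no colon) carries the envelope sender
# from SMTP MAIL FROM; the "From:" header is what the sending program chose
# to display. Addresses, IP and signature header are all made up.
SAMPLE_MBOX = """From bounce-source@example.net Thu May 16 22:48:01 2002
Return-Path: <bounce-source@example.net>
Received: from [192.0.2.10] by mx.example.org with SMTP; Thu, 16 May 2002 22:48:00 -0700
From: "Trusted Colleague" <colleague@example.org>
To: victim@example.org
Subject: a special new website
X-Virus-Signature: Klez
MIME-Version: 1.0
Content-Type: text/plain

(body omitted)
"""

# Hypothetical policy table: signature names (lower-cased) of families known to
# forge the From: header, for which sender notification is never useful.
FORGING_SIGNATURES = {"klez"}


def split_envelope(raw: str):
    """Return (envelope_sender, message_text) for an mbox-style message.

    The envelope sender is the second word of the leading "From " line; if
    the message has no such line, None is returned and the text is unchanged.
    """
    first, _, rest = raw.partition("\n")
    if not first.startswith("From "):
        return None, raw
    parts = first.split()
    return (parts[1] if len(parts) > 1 else None), rest


def sender_addresses(raw: str) -> dict:
    """Collect every claim the message makes about who sent it."""
    envelope, text = split_envelope(raw)
    msg = email.message_from_string(text, policy=policy.default)
    _, header_from = parseaddr(str(msg.get("From", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    return {
        "envelope": envelope,
        "header_from": header_from or None,
        "return_path": return_path or None,
        "signature": msg.get("X-Virus-Signature"),  # assumed header name
    }


def should_notify_sender(raw: str, forging_signatures=FORGING_SIGNATURES):
    """Decide whether a sender notification would reach anyone responsible.

    Returns (notify, reason). Notification is suppressed when the matched
    signature is a known forger, or when the envelope sender and the From:
    header name different mailboxes.
    """
    info = sender_addresses(raw)
    sig = (info["signature"] or "").lower()
    if sig in forging_signatures:
        return False, f"signature {info['signature']!r} is known to forge From:"
    env, hdr = info["envelope"], info["header_from"]
    if env and hdr and env.lower() != hdr.lower():
        return False, "envelope sender and From: header disagree"
    return True, "sender headers are consistent"


if __name__ == "__main__":
    print(sender_addresses(SAMPLE_MBOX))
    print(should_notify_sender(SAMPLE_MBOX))
```

Run against the sample, the check reports that the envelope sender (`bounce-source@example.net`) and the From: header (`colleague@example.org`) disagree and that the signature is a known forger, so no notification goes out; a message whose envelope and From: header match, with no forging signature, is allowed through. The envelope comparison is the more general rule and catches forgery even for a signature not yet listed, at the cost of also suppressing notices for legitimate mail relayed through a forwarder, which is why the reason string is returned alongside the decision.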
