[Esd-l] SECURITY_NOTIFY_SENDER="YES"
C.S. Kumar
kumar at mech.iitkgp.ernet.in
Sat May 18 07:24:01 PDT 2002
Hi Philip,
Upgrading sendmail to 8.11.6 helped in getting the From and From: line
correctly. Thanks for the suggestion.
-CSKumar
> I had had problems with what you had been experiencing.. until I upgraded
> sendmail 8.9.3 to sendmail 8.11.6 that recognises the envelope sender header,
> though I had had procmail v.3.15 and eventually moved up to procmail v3.22.
>
> Thereafter, the filter responded nicely.. and pocketed an avg of 21k mails/mth
> .. skyscraping up from normally 5k mails/mth
>
> So, maybe the solution to your problem may lie in your upgrading of sendmail
> and procmail.
>
> Phil.
> ----- Original Message -----
> From: "C.S. Kumar" <kumar at mech.iitkgp.ernet.in>
> To: "Simon Matthews" <simon at paxonet.com>; "John Hardin"
> <jhardin at impsec.org>; "Email Security Discussion list" <esd-l at spconnect.com>
> Sent: Friday, May 17, 2002 1:38 PM
> Subject: Re: [Esd-l] SECURITY_NOTIFY_SENDER="YES"
>
>
> > Hi all,
> >
> > I am using the procmail filter on our SMTP server and have
> > been monitoring the response to Klez virus.
> >
> > I also found that Klez forges nearly all the mails it sends.
> >
> > If one observes the headers of the mails from a Klez affected
> > source, the address in the "From " line is different from that in
> > the "From: " line.
> >
> > I noticed that the sanitizer sends notification to the
> > address in the "From: " field. This address may not be of the
> > real sender / affected PC.
> >
> > Can we selectively disable SECURITY_NOTIFY_SENDER for a specific
> > signature like that of Klez?
> >
> > Regards
> > -Kumar
> > C.S.Kumar, Ph.D.
> > Mechanical Engineering Department
> > Indian Institute of Technology Kharagpur, India
> >
> > > John,
> > >
> > > Plausible, yes: 80-90%. Correct (ie. not forged): about 50%. I know this
> > > because many of the trapped emails have local addresses (ie. from my
> > > company's US office), yet the source is an IP address that is in India (we
> > > have many contacts in India).
> > >
> > > Since klez has its own smtp engine and contacts remote mailservers itself,
> > > clearly it can put anything it wants in the "mail from:" statement.
> > >
> > > Simon
> > >
> > > At 07:19 PM 5/16/02 -0700, John Hardin wrote:
> > > >On Thu, 2002-05-16 at 18:42, Simon Matthews wrote:
> > > >
> > > > > Actually, I don't think Klez always puts the correct reply address
> > > > > anywhere.
> > > >
> > > >My bounces are running 80% to 90% plausible Return-Path: headers. Is
> > > >anybody seeing something lower than this?
> > > >
> > > >I don't know whether Klez would be able to forge the Return-Path: and if
> > > >so, whether any variants are doing so. Maybe I should pull something out
> > > >of quarantine and run it through "strings"...
> > > >
> > > >--
> > > > John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
> > > > jhardin at impsec.org pgpk -a jhardin at impsec.org
> > > > 768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76
> > > > 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> > > >-----------------------------------------------------------------------
> > > > "To disable the Internet to save EMI and Disney is the moral
> > > > equivalent of burning down the library of Alexandria to ensure the
> > > > livelihood of monastic scribes."
> > > > -- John Ippolito of the Guggenheim
> > > >-----------------------------------------------------------------------
> > > > 909 days until the Presidential Election
> > > _______________________________________________
> > > Esd-l mailing list
> > > Esd-l at spconnect.com
> > > http://www.spconnect.com/mailman/listinfo/esd-l
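The check Kumar describes, comparing the envelope sender in the mbox "From " line (and Return-Path:) with the address in the From: header before deciding whether the apparent sender should be notified, as an added example. This is not code from the procmail sanitizer, from sendmail or from any poster in the thread; the function names are hypothetical, the two sample messages are constructed for the example, and the policy it applies (notify only when an envelope identity is present and agrees with From:) is a suggested pre-filter, not the sanitizer's own SECURITY_NOTIFY_SENDER logic.

```python
"""Added example: suppress sender notification when the envelope sender and the
From: header disagree, the pattern Kumar observed in Klez-generated mail.
Not part of the procmail sanitizer; function names are hypothetical."""
import email
from email.utils import parseaddr


def split_envelope(raw):
    """Split an mbox-style message into the envelope sender taken from the
    leading 'From <sender> <date>' separator line (None if there is none)
    and the RFC 822 message text that follows it."""
    first, _, rest = raw.partition("\n")
    if first.startswith("From "):
        parts = first.split()
        envelope = parts[1] if len(parts) > 1 else None
        return envelope, rest
    return None, raw


def sender_addresses(raw):
    """Return (envelope_sender, return_path, header_from) as lowercase bare
    addresses, with None for any identity the message does not carry."""
    envelope, body = split_envelope(raw)
    msg = email.message_from_string(body)
    return_path_hdr = msg.get("Return-Path")
    return_path = parseaddr(return_path_hdr)[1].lower() if return_path_hdr else None
    header_from = parseaddr(msg.get("From", ""))[1].lower() or None
    return (envelope.lower() if envelope else None, return_path, header_from)


def should_notify_sender(raw):
    """Notify the From: address only when at least one envelope identity
    (mbox 'From ' line or Return-Path:) is present and every one that is
    present matches it.  A message whose envelope names a different address
    than From: is treated as forged, so the From: mailbox, which is probably
    a bystander's, gets no notification."""
    envelope, return_path, header_from = sender_addresses(raw)
    if header_from is None:
        return False
    candidates = [c for c in (envelope, return_path) if c is not None]
    if not candidates:
        return False  # nothing to corroborate the From: header against
    return all(c == header_from for c in candidates)


# Constructed sample: envelope line, Return-Path: and From: all agree.
CONSISTENT = """From alice@example.org Thu May 16 18:42:00 2002
Return-Path: <alice@example.org>
From: Alice <alice@example.org>
To: bob@example.net
Subject: hello

plain text body
"""

# Constructed sample in the shape the thread describes: the envelope sender
# used by the worm's own SMTP engine differs from the From: header.
FORGED = """From someone@example.com Thu May 16 18:42:00 2002
Return-Path: <someone@example.com>
From: "Colleague" <colleague@example.org>
To: bob@example.net
Subject: a funny game

message body
"""

if __name__ == "__main__":
    for label, sample in (("consistent", CONSISTENT), ("forged", FORGED)):
        print(label, sender_addresses(sample), "notify" if should_notify_sender(sample) else "no notification")
```

In a procmail setup this would run as a filter ahead of the sanitizer recipe, so that a message flagged as forged is quarantined without the notification step; the sanitizer's own options are left untouched.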