[Dshield] Klez any one

Dave security at morgansouthern.com
Fri Aug 23 02:53:32 GMT 2002


We've had a whole bunch of Klez bounce off our gateway scanner, and the 
vast majority of them seem to be coming from verizon.net.  In fact, the 
header posted is very similar to ones that I have pulled locally.  Maybe we 
can get Verizon to shut down the open-relay servers they are 
running..?  The virus seems to be using them at an abnormally high rate...

For the more knowledgeable virus types out there:  Can the Klez virus forge 
the IP in this line:
 >>Received: from Pgcdjo ([205.152.62.117]) by out003.verizon.net
The name is obviously bogus, but if that IP is logged by the Verizon SMTP 
server, then we have the IP of the infected machine.  It sounds too good to 
be true.

Dave

>Return-Path: <adoptapet2 at verizon.net>
>Received: from  rly-xg02.mx.aol.com (rly-xg02.mail.aol.com 
>[172.20.115.199]) by air-xg01.mail.aol.com (v87.22) with ESMTP id 
>MAILINXG13-0818213610; Sun, 18 Aug 2002 21:36:10 -0400
>Received: from  out003.verizon.net (out003pub.verizon.net 
>[206.46.170.103]) by rly-xg02.mx.aol.com (v87.22) with ESMTP id 
>MAILRELAYINXG25-0818213515; Sun, 18 Aug 2002 21:35:15 -0400
>Received: from Pgcdjo ([205.152.62.117]) by out003.verizon.net
>           (InterMail vM.5.01.05.09 201-253-122-126-109-20020611) with SMTP
>           id <20020819013544.XWIF13272.out003.verizon.net at Pgcdjo>
>           for <Wolves5149 at aol.com>; Sun, 18 Aug 2002 20:35:44 -0500
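Editor's note and added example (not part of Dave's post, and not DShield code): the bracketed address in a Received line is the peer address of the TCP connection as seen by the MTA that wrote the line, so a client that merely speaks SMTP to out003.verizon.net cannot choose what goes in those brackets; what it can choose is the HELO name in front of them (here "Pgcdjo") and any Received lines it writes itself, which would appear below the Verizon line. The practical question is therefore which relays you believe. The script below re-types the chain quoted above with normal header folding, appends one constructed, deliberately forged hop at the bottom (10.1.2.3, "mail.example.org", both made up) to show it is ignored, and walks the chain newest-first, stopping at the first line where a trusted MTA recorded a client that is not itself a trusted relay. The trusted-domain sets are assumptions an operator would set for their own environment; the trace only says which machine connected to the relay, not whether that machine is the infected host or another hop such as a NAT gateway.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample: the Received chain quoted in the post above, re-typed
# with standard header folding, plus ONE FORGED hop appended at the bottom
# (10.1.2.3 / mail.example.org are made up) to show that lines below the
# last trusted relay carry no weight.
SAMPLE_HEADERS = """\
Received: from rly-xg02.mx.aol.com (rly-xg02.mail.aol.com [172.20.115.199])
    by air-xg01.mail.aol.com (v87.22) with ESMTP id MAILINXG13-0818213610;
    Sun, 18 Aug 2002 21:36:10 -0400
Received: from out003.verizon.net (out003pub.verizon.net [206.46.170.103])
    by rly-xg02.mx.aol.com (v87.22) with ESMTP id MAILRELAYINXG25-0818213515;
    Sun, 18 Aug 2002 21:35:15 -0400
Received: from Pgcdjo ([205.152.62.117]) by out003.verizon.net
    (InterMail vM.5.01.05.09 201-253-122-126-109-20020611) with SMTP
    id <20020819013544.XWIF13272.out003.verizon.net@Pgcdjo>
    for <Wolves5149@aol.com>; Sun, 18 Aug 2002 20:35:44 -0500
Received: from mail.example.org ([10.1.2.3]) by Pgcdjo with SMTP;
    Sun, 18 Aug 2002 20:00:00 -0500
From: adoptapet2@verizon.net
"""

# "from <helo> (<rdns> [<ip>]) by <host>"; rdns is optional, as in the Verizon line.
RECEIVED_RE = re.compile(
    r"^Received:\s*from\s+(?P<helo>\S+)"
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]()]+)\s*)?\[(?P<ip>[0-9.]+)\]\))?"
    r"\s+by\s+(?P<by>[^\s(;]+)",
    re.I,
)


@dataclass
class Hop:
    helo: str             # name the client sent in HELO/EHLO: client-supplied, forgeable
    rdns: Optional[str]   # reverse lookup done by the receiving MTA, if it recorded one
    ip: Optional[str]     # peer address of the TCP connection as seen by the receiver
    by: str               # the MTA that wrote this line


def unfold(raw: str) -> List[str]:
    """Join folded continuation lines (leading whitespace) back onto their header."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_received(raw: str) -> List[Hop]:
    """Return Received hops in header order: newest (closest to us) first."""
    hops: List[Hop] = []
    for line in unfold(raw):
        m = RECEIVED_RE.match(line)
        if m:
            hops.append(Hop(m["helo"], m["rdns"], m["ip"], m["by"]))
    return hops


def in_domains(host: Optional[str], domains: Iterable[str]) -> bool:
    if not host:
        return False
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def find_origin(raw: str, trusted_domains: Iterable[str]) -> Optional[Hop]:
    """Walk the chain newest-first and return the hop whose recorded IP is the
    best evidence of the sending machine.

    A line is believed only if a trusted MTA wrote it.  If that MTA says it got
    the message from another trusted relay, that relay's own line is next, so
    keep descending.  The first line where a trusted MTA recorded an untrusted
    client is the answer; everything below it could have been typed by the
    sender and is never looked at.  None means the chain never passed through
    a trusted relay, so nothing in it can be believed.
    """
    trusted = {d.lower() for d in trusted_domains}
    for hop in parse_received(raw):
        if not in_domains(hop.by, trusted):
            return None
        if in_domains(hop.rdns, trusted):
            continue
        return hop
    return None


if __name__ == "__main__":
    for trusted in ({"aol.com", "verizon.net"}, {"aol.com"}):
        hop = find_origin(SAMPLE_HEADERS, trusted)
        print(f"trusting {sorted(trusted)}: recorded by {hop.by}, "
              f"client IP {hop.ip}, client said HELO {hop.helo!r}")
```

Run stand-alone it prints two answers for the same headers: trusting both AOL and Verizon, the trace ends at 205.152.62.117 as logged by out003.verizon.net, with the obviously bogus HELO "Pgcdjo" beside it; trusting only AOL, it stops one hop earlier at the Verizon relay's own address 206.46.170.103, because from AOL's side nothing below that line can be verified. The forged bottom hop never influences either result.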
