[Dshield] Re: Klez header question

John Hardin johnh at aproposretail.com
Fri Aug 30 15:53:47 GMT 2002


On Thu, 2002-08-29 at 16:18, Ed Truitt wrote:
> >
> > > Received: from Molh (AC8DA130.ipt.aol.com [172.141.161.48])
> > >  by logs-wb.proxy.aol.com (8.10.0/8.10.0) with SMTP id g7TCi77201651
> > >  for <XXX at XXX.XXX>; Thu, 29 Aug 2002 08:44:08 -0400 (EDT)
> >
> > The "Molh" name is likely a forgery. 
> 
> Actually, the name "Molh" is more than likely what the originating system
> identified itself to the SMTP server as.

...in other words, whatever Klez's SMTP client says it is.

> For many of the PCs using
> dial-up, this is what the user chooses to name the machine.

...except if Klez decides to ignore that and use something else to
obscure the origin of the message - hence, "forged headers". 

Klez also ignores what the user has configured as their "from" address -
it does all it can to lie about and obscure the true source of the
message.

The only data in the headers that you can trust is the data put there by
the SMTP server, which is pretty much just the IP address of the client
and (maybe) the reverse DNS.

Unfortunately, not all SMTP servers give you that data.

-- 
John Hardin                                   <johnh at aproposretail.com>
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
-----------------------------------------------------------------------
 "To disable the Internet to save EMI and Disney is the moral
  equivalent of burning down the library of Alexandria to ensure the
  livelihood of monastic scribes."
                                    -- John Ippolito of the Guggenheim
-----------------------------------------------------------------------
 110 days until The Two Towers
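A small parser illustrating the point made in the reply above: added here as an example, not code from the thread or from either poster. It splits a Received: header into the fields the receiving SMTP server wrote itself (the bracketed peer IP and, optionally, its reverse DNS) and the one field the connecting client merely claimed (the HELO name), using the header quoted in the thread plus two constructed variants for servers that record less. The hex-label check uses the naming scheme visible in that header (AC8DA130 is 172.141.161.48 in hex); that is an assumption about that provider's dial-up pool, not a general rule.

```python
import re
from typing import Dict, List, Optional

# The header quoted in the thread above (recipient obfuscated as on the page).
KLEZ_HEADER = """Received: from Molh (AC8DA130.ipt.aol.com [172.141.161.48])
 by logs-wb.proxy.aol.com (8.10.0/8.10.0) with SMTP id g7TCi77201651
 for <XXX at XXX.XXX>; Thu, 29 Aug 2002 08:44:08 -0400 (EDT)"""

# Constructed headers (not from the thread): a server that records only the
# peer IP, and one that records nothing at all about the connecting client.
IP_ONLY_HEADER = "Received: from Molh ([172.141.161.48]) by relay.example.invalid with SMTP"
NO_PEER_HEADER = "Received: from Molh by relay.example.invalid with SMTP; Thu, 29 Aug 2002 08:44:08 -0400"

# Server-written clause: "(<reverse-dns> [<ip>])" or just "([<ip>])".  The IP in
# square brackets comes from the TCP connection and the name before it from the
# server's own reverse lookup; neither is chosen by the sending client.
_PEER_RE = re.compile(r"\(\s*(?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]\s*\)")


def unfold(header: str) -> str:
    """Join RFC 822 folded continuation lines into a single line."""
    return re.sub(r"\r?\n[ \t]+", " ", header.strip())


def parse_received(header: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one Received: header into client-claimed and server-recorded fields."""
    text = unfold(header)
    m = re.match(r"Received:\s*from\s+(?P<helo>\S+)", text, re.IGNORECASE)
    if not m:
        return None
    rest = text[m.end():]
    by_m = re.search(r"\s+by\s+(?P<by>\S+)", rest, re.IGNORECASE)
    scope = rest[: by_m.start()] if by_m else rest   # text between HELO name and "by"
    peer = _PEER_RE.search(scope)
    return {
        "helo": m.group("helo"),                       # client-supplied, forgeable
        "rdns": peer.group("rdns") if peer else None,  # server-supplied
        "ip": peer.group("ip") if peer else None,      # server-supplied
        "by": by_m.group("by") if by_m else None,      # the server that wrote this line
    }


def rdns_encodes_ip(rdns: Optional[str], ip: Optional[str]) -> bool:
    """Some dial-up pools (the one in the header above, by assumption) name hosts
    by the hex of their IPv4 address: AC8DA130 -> 172.141.161.48.  True means
    the server-recorded name and address agree, a cheap consistency check."""
    if not rdns or not ip:
        return False
    label = rdns.split(".")[0]
    if not re.fullmatch(r"[0-9A-Fa-f]{8}", label):
        return False
    decoded = ".".join(str(int(label[i:i + 2], 16)) for i in range(0, 8, 2))
    return decoded == ip


def assess(header: str) -> Dict[str, object]:
    """Report what this hop lets you attribute, and what it does not."""
    fields = parse_received(header)
    if fields is None:
        return {"source_ip": None, "notes": ["not a parseable Received: header"]}
    notes: List[str] = []
    if fields["ip"]:
        notes.append(f"origin IP recorded by {fields['by']}: {fields['ip']}")
    else:
        notes.append(f"server {fields['by']} recorded no client IP; this hop cannot establish the origin")
    if fields["rdns"]:
        agree = "consistent with" if rdns_encodes_ip(fields["rdns"], fields["ip"]) else "not checkable against"
        notes.append(f"reverse DNS {fields['rdns']} is {agree} the recorded IP")
    # The HELO name (like the From: header, which Klez also fakes) is the
    # client's own claim and is worthless for attribution.
    notes.append(f"HELO name {fields['helo']!r} is client-supplied; ignore it for attribution")
    return {
        "source_ip": fields["ip"],
        "rdns": fields["rdns"],
        "helo": fields["helo"],
        "by": fields["by"],
        "notes": notes,
    }


if __name__ == "__main__":
    for h in (KLEZ_HEADER, IP_ONLY_HEADER, NO_PEER_HEADER):
        for note in assess(h)["notes"]:
            print(note)
        print()
```

Only the bottom-most Received: line written by a server you control is worth this treatment; every line above it in the header block can have been fabricated by the same client that chose the HELO name.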
