[Dshield] Klez

John Hardin johnh at aproposretail.com
Tue Jun 25 21:14:50 GMT 2002

On Tue, 2002-06-25 at 11:59, Paul Marsh wrote:
> I just want to take a quick poll, is everyone/anyone else still seeing Klez
> attachments? 

Hell yes! :)

> It's just getting annoying, is there any way to truly
> locate the infected machine? 

The only way to reliably identify the attacking machine is by the sender
IP address reported in the earliest Received: header. This is the one
nearest the bottom of the headers.

John Hardin                                   <johnh at aproposretail.com>
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
 Any time that PR dominates the information stream, you can't trust
 the information.
                                               - CRYPTO-GRAM 01/2002
 5 days until First Class postage goes up to 37 cents
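
The header check described in the reply above, as an added example that is not part of the original post: it reads the bottom-most Received: header and returns the peer IP address the receiving server recorded there. The sample message, the function name and the fallback to the next header up when the bottom one records no IP are assumptions made for illustration.

```python
import email
import ipaddress
import re

# Constructed sample message (not from the original post); hosts use
# example domains and addresses from the RFC 5737 documentation ranges.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby mail.example.org with ESMTP id ABC123
\tfor <user@example.org>; Tue, 25 Jun 2002 11:40:02 -0700
Received: from Qwkhzp (dialup-42.example.net [203.0.113.42])
\tby mx.example.net with SMTP id XYZ789;
\tTue, 25 Jun 2002 11:39:55 -0700
From: "someone" <spoofed@example.com>
To: user@example.org
Subject: A very funny website

body
"""

# IPv4 literal in brackets or parentheses, as MTAs record the peer address.
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")


def earliest_received_ip(raw_message):
    """Return (ip, unfolded_header) for the earliest Received: header
    that records a peer IP, or None if no header does."""
    msg = email.message_from_string(raw_message)
    received = msg.get_all("Received") or []
    # Each hop prepends its header, so the last one listed is the earliest.
    for header in reversed(received):
        text = " ".join(header.split())  # unfold continuation lines
        # Keep only the "from ..." clause; the "by ..." clause names the
        # receiving server itself, not the connecting machine.
        from_part = re.split(r"\sby\s", text, maxsplit=1)[0]
        for candidate in IP_RE.findall(from_part):
            try:
                return str(ipaddress.ip_address(candidate)), text
            except ValueError:
                continue  # looked like an IP but has an out-of-range octet
    return None


if __name__ == "__main__":
    print(earliest_received_ip(SAMPLE))
```

The address returned is only as trustworthy as the server that wrote that header, so check that the "by" host in the returned header is one you recognise before reporting the IP to its network owner.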
