[Dshield] Klez

John Hardin johnh at aproposretail.com
Tue Jun 25 21:19:50 GMT 2002

On Tue, 2002-06-25 at 13:21, Stuart Whelan wrote:
> If I understand correctly it does not rewrite the reply-to header, if it
> exists.
> In every Klez I have received (which is only abot 5 in total) I have
> been able to sucessfully clean up the source machine or notify the user
> by looking at the reply-to header line.

That would be news to me.

The Return-Path: header *may* be usable, or Klez may have started
forging that, too. The only *reliably* way to find the infected machine
is the IP address in the Received: header. *No* worm will be able to
alter the IP information added to the headers by the SMTP server it's
sending the message to.

John Hardin                                   <johnh at aproposretail.com>
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
 Any time that PR dominates the information stream, you can't trust
 the information.
                                               - CRYPTO-GRAM 01/2002
 5 days until First Class postage goes up to 37 cents

More information about the list mailing list