[Dshield] Klez

Clint Byrum cbyrum at spamaps.org
Wed Jun 26 02:47:04 GMT 2002

On Tue, 2002-06-25 at 14:19, John Hardin wrote:
> The Return-Path: header *may* be usable, or Klez may have started
> forging that, too. The only *reliable* way to find the infected machine
> is the IP address in the Received: header. *No* worm will be able to
> alter the IP information added to the headers by the SMTP server it's
> sending the message to.

That might not be entirely true. I have received spam that was sent
through an open SOCKS proxy, that had 3 or 4 fake received headers,
presumably to avoid being blocked as an open relay/proxy. So a worm
could insert some random received headers, possibly taken from the very
messages it is forwarding.

That said, it couldn't forge the whole path, so one could trace back to
the originator eventually, but it might not be easy.
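The point both posters are making is that Received: headers are prepended by each MTA, so only the ones written by servers you control are trustworthy; everything below them is whatever the connecting machine chose to send. The script below is an added example, not code from this thread or from DShield: it walks the headers newest-first, keeps trusting a hop only while the "by" host is one of your own MTAs and the hop above it came from one of your own MTA addresses, and reports the peer IP recorded by your edge server as the last reliable origin. The hostnames, addresses and the trusted-MTA sets are made-up values for illustration.

```python
import re
from email import message_from_string

# Constructed sample: the first two Received lines were written by our own
# MTAs (mail.example.net and its edge mx1.example.net); the remaining two
# were supplied by the sending machine itself and cannot be verified.
SAMPLE_MESSAGE = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby mail.example.net (Postfix) with ESMTP id 1A2B3C
\tfor <user@example.net>; Tue, 25 Jun 2002 14:19:01 -0700
Received: from pc-sender.example.org (unknown [203.0.113.77])
\tby mx1.example.net (Postfix) with SMTP id 9Z8Y7X;
\tTue, 25 Jun 2002 14:18:58 -0700
Received: from relay.isp.example (relay.isp.example [198.51.100.5])
\tby pc-sender.example.org with ESMTP id FAKE01;
\tTue, 25 Jun 2002 14:18:50 -0700
Received: from innocent.example.com ([198.51.100.200])
\tby relay.isp.example with SMTP id FAKE02;
\tTue, 25 Jun 2002 14:18:40 -0700
From: someone@innocent.example.com
Subject: test

body
"""

# Assumed inventory of our own mail servers: names they write in "by", and
# the addresses they connect from when relaying to each other internally.
TRUSTED_HOSTS = {"mail.example.net", "mx1.example.net"}
TRUSTED_IPS = {"192.0.2.10"}

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?P<rest>.*?)\s+by\s+(?P<by>\S+)", re.IGNORECASE
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Return helo name, bracketed peer IP and 'by' host from one Received line."""
    flat = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    ip = IP_RE.search(m.group("rest"))
    return {"helo": m.group("helo"), "ip": ip.group(1) if ip else None,
            "by": m.group("by")}


def trace_origin(raw_message, trusted_hosts, trusted_ips):
    """Split hops into those our MTAs wrote and those the sender merely claims.

    Hops are in message order, i.e. newest first.  A hop is trusted only if
    its 'by' host is ours AND the hop directly above it recorded a peer IP
    that is also ours, so a forged line that merely says 'by mx1.example.net'
    further down is not mistaken for one we wrote.
    """
    msg = message_from_string(raw_message)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    trusted, claimed = [], []
    for i, hop in enumerate(hops):
        came_from_us = i == 0 or hops[i - 1]["ip"] in trusted_ips
        if not claimed and hop["by"] in trusted_hosts and came_from_us:
            trusted.append(hop)
        else:
            claimed.append(hop)
    origin_ip = trusted[-1]["ip"] if trusted else None
    return {"trusted": trusted, "claimed": claimed, "origin_ip": origin_ip}


if __name__ == "__main__":
    result = trace_origin(SAMPLE_MESSAGE, TRUSTED_HOSTS, TRUSTED_IPS)
    for hop in result["trusted"]:
        print("trusted :", hop)
    for hop in result["claimed"]:
        print("claimed :", hop)
    print("last reliable peer IP:", result["origin_ip"])
```

With the sample above the reliable origin is 203.0.113.77, the address mx1.example.net actually accepted the connection from; the two hops naming relay.isp.example and innocent.example.com are exactly the kind of inserted lines Clint describes, and the script lists them as claims rather than evidence. Note that a forged chain can be made internally consistent (each "from" matching the next "by"), so continuity checks on the claimed portion prove nothing; only the boundary between your own servers' lines and the rest matters.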

