[Dshield] Klez

David Sentelle David.Sentelle at cnbcbank.com
Wed Jun 26 16:58:41 GMT 2002

Klez....  We still get at least 2 a day.  InoculateIT, with current signatures, has caught one workstation where someone's web-based email managed to get the virus on their PC.

On the subject of fake headers....

I get at least one spam a day that does not have my email address ANYWHERE in it.

A lot of people come back and say 'Oh, they probably BCCed you'.  I realize that BCC doesn't show the list of addressees, but it SHOULD show a 'for <spamvictim at poorlyrunisp.com>'.  The purpose of a BCC is NOT to hide the recipient's email address from the recipient, it is to hide ALL the recipients' addresses from each other.

When I get home, I'm going to dig into anti-spam mailing lists and see if anyone there has answers.

David Sentelle
Network Operations Specialist
Commerce National Bank
614.334.6282 Voice    614.848.8830 Fax

>>> list-request at dshield.org 06/26/02 11:33AM >>>
Message: 3
Subject: RE: [Dshield] Klez
From: Clint Byrum <cbyrum at spamaps.org>
To: list at dshield.org 
Date: 25 Jun 2002 19:47:04 -0700
Reply-To: list at dshield.org 

On Tue, 2002-06-25 at 14:19, John Hardin wrote:
> The Return-Path: header *may* be usable, or Klez may have started
> forging that, too. The only *reliable* way to find the infected machine
> is the IP address in the Received: header. *No* worm will be able to
> alter the IP information added to the headers by the SMTP server it's
> sending the message to.

That might not be entirely true. I have received spam that was sent
through an open SOCKS proxy, that had 3 or 4 fake received headers..
presumably to avoid being blocked as an open relay/proxy. So a worm
could insert some random received headers, possibly taken from the very
messages it is forwarding.

That said, it couldn't forge the whole path, so one could trace back to
the originator eventually, but it might not be easy.

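The header-tracing point discussed in this thread, as an added example that is not part of the original posts: walk the Received: lines newest-first, trust only those stamped by your own servers, and report the peer address recorded at the first handoff from outside. The TRUSTED map, the sample message and the function name are assumptions made for illustration.

```python
import re
from email import message_from_string

# Assumption: hostnames and IPs of the mail servers you operate (documentation values).
TRUSTED = {"mail.example.org": "192.0.2.20", "mx1.example.org": "192.0.2.10"}

# Constructed sample: two genuine hops on top, one forged Received line underneath.
SAMPLE = """\
Received: from mx1.example.org (mx1.example.org [192.0.2.10])
    by mail.example.org with ESMTP id A1; Wed, 26 Jun 2002 11:00:03 -0400
Received: from unknown (HELO smtp.fake.example) (198.51.100.77)
    by mx1.example.org with SMTP id B2; Wed, 26 Jun 2002 11:00:01 -0400
Received: from relay.invalid (relay.invalid [203.0.113.5])
    by smtp.fake.example with ESMTP id C3; Wed, 26 Jun 2002 10:59:00 -0400
From: someone@example.net
Subject: constructed sample

body
"""

BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def external_handoff(raw, trusted=TRUSTED):
    """Walk Received headers newest-first and return (ip, stamped_by, unverified).

    ip is the address that connected to the first of our own servers;
    unverified counts the older Received lines the sender could have forged.
    """
    hops = message_from_string(raw).get_all("Received", [])
    for i, hop in enumerate(hops):
        hop = " ".join(hop.split())              # unfold continuation lines
        by = BY_RE.search(hop)
        if not by or by.group(1).lower() not in trusted:
            return None, None, len(hops) - i     # not stamped by us: nothing to trust
        # The HELO name is sender-supplied and may itself be an address literal,
        # so take the last bracketed IP: the peer address our server recorded.
        ips = IP_RE.findall(hop[:by.start()])
        if not ips:
            return None, by.group(1), len(hops) - i - 1
        if ips[-1] not in trusted.values():
            return ips[-1], by.group(1), len(hops) - i - 1
    return None, None, 0                         # message never left our own servers

if __name__ == "__main__":
    print(external_handoff(SAMPLE))
```
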
