[Dshield] Klez

Lauro, John jlauro at umflint.edu
Wed Jun 26 18:46:07 GMT 2002

Sendmail is the only transport (there might be others that do, but I
know lots that do not) that I know of that will add a "for" line.
Even when sendmail adds a for line, it will generally only do that if
delivering locally...  otherwise you could get the bcc information
from the for headers, and the purpose of BCC is to hide the other
recipient's address...  Most people know their own address, so why
tell them...

What I find annoying is when an autoforwarder does not add headers for
what address they are autoforwarding for...  then you don't know the
address, which can be a pain for postmasters who get to deal with the

-----Original Message-----
From: David Sentelle [mailto:David.Sentelle at cnbcbank.com] 
Sent: Wednesday, June 26, 2002 12:59 PM
To: list at dshield.org
Subject: RE: [Dshield] Klez

Klez....  We still get at least 2 a day.  InoculateIT, with current
signatures, has caught one workstation where someone's web-based email
managed to get the virus on their PC.

On the subject of fake headers....

I get at least one spam a day that does not have my email address

A lot of people come back and say 'Oh, they probably BCCed you'.  I
realize that BCC doesn't show the list of addressees, but it SHOULD
show a 'for <spamvictim at poorlyrunisp.com>'.  The purpose of a BCC is
NOT to hide the recipient's email address from the recipient, it is to
hide ALL the recipients' addresses from each other.

When I get home, I'm going to dig into anti-spam mailing lists and see
if anyone there has answers.

David Sentelle
Network Operations Specialist
Commerce National Bank
614.334.6282 Voice    614.848.8830 Fax

>>> list-request at dshield.org 06/26/02 11:33AM >>>
Message: 3
Subject: RE: [Dshield] Klez
From: Clint Byrum <cbyrum at spamaps.org>
To: list at dshield.org 
Date: 25 Jun 2002 19:47:04 -0700
Reply-To: list at dshield.org 

On Tue, 2002-06-25 at 14:19, John Hardin wrote:
> The Return-Path: header *may* be usable, or Klez may have started
> forging that, too. The only *reliable* way to find the infected
> is the IP address in the Received: header. *No* worm will be able to
> alter the IP information added to the headers by the SMTP server
> sending the message to.

That might not be entirely true. I have received spam that was sent
through an open SOCKS proxy, that had 3 or 4 fake received headers..
presumably to avoid being blocked as an open relay/proxy. So a worm
could insert some random received headers, possibly taken from the
messages it is forwarding.

That said, it couldn't forge the whole path, so one could trace back
the originator eventually, but it might not be easy.

This e-mail and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to which 
they are addressed. If you have received this e-mail in error, 
please notify admin at cnbcbank.com and delete it from your system.
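
The point debated above (only the IP address stamped by a receiving SMTP server you control can be relied on, and Received: lines below it may be forged) can be checked mechanically. The following is an added example, not part of the original thread; the host names, networks and sample message are constructed, and TRUSTED_NETS and TRUSTED_BY are assumptions standing in for your own relays.

```python
import email
import ipaddress
import re

# Constructed sample: the top two Received lines were stamped by our own
# relays; the lower two were supplied by the sender and cannot be verified.
SAMPLE = """\
Received: from mx1.example.org (mx1.example.org [192.0.2.10])
\tby mailstore.example.org with ESMTP id A1; Wed, 26 Jun 2002 12:00:03 -0400
Received: from unknown (HELO mail.example.net) ([203.0.113.77])
\tby mx1.example.org with SMTP id B2; Wed, 26 Jun 2002 12:00:01 -0400
Received: from relay.example.com ([198.51.100.5])
\tby mail.example.net with SMTP id C3; Wed, 26 Jun 2002 11:59:00 -0400
Received: from localhost ([127.0.0.1]) by relay.example.com; Wed, 26 Jun 2002 11:58:00 -0400
From: someone@example.com
Subject: constructed test message

body
"""

TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]      # assumption: our relays
TRUSTED_BY = {"mailstore.example.org", "mx1.example.org"}  # assumption: our MTA names

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.I)

def trace_origin(raw):
    """Return (handoff_ip, unverified_headers).

    Received headers are prepended, so the top one is the newest. Walk down
    while the stamping host ("by") is ours; the first peer IP outside our
    networks is the last address recorded by a server we control. Everything
    below that header is sender-supplied and may be forged."""
    msg = email.message_from_string(raw)
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    for i, hop in enumerate(hops):
        by = BY_RE.search(hop)
        if not by or by.group(1).lower() not in TRUSTED_BY:
            return None, hops[i:]          # chain left our servers, no handoff seen
        ip = IP_RE.search(hop)
        if ip is None:
            continue                       # our MTA logged no peer address here
        addr = ipaddress.ip_address(ip.group(1))
        if not any(addr in net for net in TRUSTED_NETS):
            return str(addr), hops[i + 1:]
    return None, []
```
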

Dshield mailing list
Dshield at dshield.org