[Dshield] Klez

Micheal Patterson micheal at cancercare.net
Wed Jun 26 19:22:31 GMT 2002

You will very rarely find your address in any header once it's passed
through your MTA. Reason is that the To: address is usually a bogus address
with all the targets listed in the BCC: entry. The MTA will strip out all
BCC header information and deliver to you with just the To: header
displayed. You can check this by simply looking at your MTA logs on it's
delivery status. You say that you should  show a 'for
<spamvictim at poorlyrunisp.com>' when in fact, you won't. The BCC header is
never passed on to the recipient. It's not allowed otherwise it violates


Micheal Patterson
Network Administration
Cancer Care Network

----- Original Message -----
From: "David Sentelle" <David.Sentelle at cnbcbank.com>
To: <list at dshield.org>
Sent: Wednesday, June 26, 2002 11:58 AM
Subject: RE: [Dshield] Klez

> Klez....  We still get at least 2 a day.  InnoculateIT, with current
signatures, has caught one workstation where someone's web-based email
managed to get the virus on their PC.
> On the subject of fake headers....
> I get at least one spam a day that does not have my email address ANYWHERE
in it.
> A lot of people come back and say 'Oh, they probably BCCed you'.  I
realize that BCC doesn't show the list of addressees, but it SHOULD show a
'for <spamvictim at poorlyrunisp.com>'.  The purpose of a BCC is NOT to hide
the recipient's email address from the recipient, it is to hide ALL the
recipients address from each other.
> When I get home, I'm going to dig into anti-spam mailing lists and see if
anyone there has answers.
> ----------------------------------------
> David Sentelle
> Network Operations Specialist
> Commerce National Bank
> 614.334.6282 Voice    614.848.8830 Fax
> >>> list-request at dshield.org 06/26/02 11:33AM >>>
> Message: 3
> Subject: RE: [Dshield] Klez
> From: Clint Byrum <cbyrum at spamaps.org>
> To: list at dshield.org
> Date: 25 Jun 2002 19:47:04 -0700
> Reply-To: list at dshield.org
> On Tue, 2002-06-25 at 14:19, John Hardin wrote:
> >
> > The Return-Path: header *may* be usable, or Klez may have started
> > forging that, too. The only *reliably* way to find the infected machine
> > is the IP address in the Received: header. *No* worm will be able to
> > alter the IP information added to the headers by the SMTP server it's
> > sending the message to.
> >
> That might not be entirely true. I have received spam that was sent
> through an open SOCKS proxy, that had 3 or 4 fake received headers..
> presumably to avoid being blocked as an open relay/proxy. So a worm
> could insert some random received headers, possibly taken from the very
> messages it is forwarding.
> That said, it couldn't forge the whole path, so one could trace back to
> the originator eventually, but it might not be easy.
> This e-mail and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to which
> they are addressed. If you have received this e-mail in error,
> please notify admin at cnbcbank.com and delete it from your system.
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:

More information about the list mailing list