[Dshield] Suejdz & Kleze anyone

John Hardin johnh at aproposretail.com
Thu Oct 24 16:25:17 GMT 2002

On Wed, 2002-10-23 at 22:33, KeithTarrant at spamcop.net wrote:
> > On Tue, 2002-10-22 at 18:35, KeithTarrant at spamcop.net wrote:
> > > So with Klez email actually from AOL you would see an x-apparently
> line
> > > with the actual AOL account (at least until some hacker thinks to fake
> > > that too).
> >
> > A spammer/wormer adding a forged X-Apparently-From: header won't confuse
> > things much, as the mail server will still add its own, and hopefully
> > the mail server is smart enough to discard any preexisting
> > X-Apparently-From: header.
> You're not thinking deviously enough ;) ... you add the AOL headers to
> email from non-AOL machines, that way they are the only AOL headers.  So
> you just have "X-Apparently-From: BillNovak at aol.com" or anyone else with
> an AOL account that you hate.  Then do the usual bounce of the open mail
> server.

...and then you ignore the bogus X-Apparently-From: header because none
of the Received: headers was generated by a server at AOL...

Granted, this might work to confuse things if the AOL mail servers are
open to relay from non-AOL client IP addresses.

John Hardin                                   <johnh at aproposretail.com>
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
 ...people confuse "security" and "Trustworthy Computing."
                                 - Craig Mundie, MS Senior VP and CTO
 3 days until Daylight Savings Time ends
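
The check described in the reply above, as an added example that is not part of the original post: trust an X-Apparently-From: header only if the Received: chain shows the message actually came through the provider's servers. It assumes aol.com as the provider domain, a hypothetical receiving MTA mx.victim.example that writes the outermost Received: line, and three constructed messages with invented hostnames (documentation IP ranges). It also shows why checking for "any Received: line stamped by an aol.com host" is not enough: the loose check is fooled by a forged inner Received: line, while the strict check looks only at the hop our own MTA recorded.

```python
import re
from email import message_from_string
from typing import List, Optional

# Constructed sample messages (hostnames and addresses are invented; the
# 198.51.100.0/24 and 192.0.2.0/24 ranges are documentation addresses).
# Assumption: our own MTA is mx.victim.example and writes the outermost
# Received: line; every line beneath it arrived with the message.

# 1. Sent via a non-AOL relay with only a forged X-Apparently-From: added.
FORGED_HEADER_ONLY = "\n".join([
    "Received: from mail.example.net (mail.example.net [192.0.2.10])",
    "\tby mx.victim.example with SMTP id 111; Thu, 24 Oct 2002 09:00:00 -0700",
    "X-Apparently-From: BillNovak@aol.com",
    "From: BillNovak@aol.com",
    "To: someone@victim.example",
    "Subject: forged header only",
    "",
    "body",
])

# 2. Same, but the sender also prepends a fake "by ...aol.com" Received: line.
FORGED_WITH_RECEIVED = "\n".join([
    "Received: from mail.example.net (mail.example.net [192.0.2.10])",
    "\tby mx.victim.example with SMTP id 222; Thu, 24 Oct 2002 09:00:00 -0700",
    "Received: from BillNovak@aol.com",
    "\tby imo-r05.mx.aol.com (mail_out) id 4.abc; Thu, 24 Oct 2002 11:59:00 -0400",
    "X-Apparently-From: BillNovak@aol.com",
    "From: BillNovak@aol.com",
    "To: someone@victim.example",
    "Subject: forged received line too",
    "",
    "body",
])

# 3. Message genuinely handed to our MTA by an aol.com server.
GENUINE_AOL = "\n".join([
    "Received: from imo-r05.mx.aol.com (imo-r05.mx.aol.com [198.51.100.5])",
    "\tby mx.victim.example with SMTP id 333; Thu, 24 Oct 2002 09:00:00 -0700",
    "Received: from BillNovak@aol.com",
    "\tby imo-r05.mx.aol.com (mail_out) id 4.def; Thu, 24 Oct 2002 11:59:00 -0400",
    "X-Apparently-From: BillNovak@aol.com",
    "From: BillNovak@aol.com",
    "To: someone@victim.example",
    "Subject: genuine",
    "",
    "body",
])

BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)
# "from <helo-name> (<rdns-name> [ip])": the parenthesised part is what the
# receiving MTA recorded itself; the bare HELO name is whatever the client said.
FROM_RE = re.compile(r"^from\s+(\S+)(?:\s+\(([A-Za-z0-9.-]+))?", re.IGNORECASE)


def in_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def received_by_hosts(raw: str) -> List[str]:
    """Hosts that claim to have written each Received: line, outermost first."""
    hosts = []
    for value in message_from_string(raw).get_all("Received", []):
        m = BY_RE.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def first_hop_host(raw: str) -> Optional[str]:
    """Host that handed the message to our MTA, from the outermost Received: line."""
    received = message_from_string(raw).get_all("Received", [])
    if not received:
        return None
    m = FROM_RE.match(" ".join(received[0].split()))
    if not m:
        return None
    return (m.group(2) or m.group(1)).lower()


def loose_apparently_from(raw: str, provider: str = "aol.com") -> Optional[str]:
    """Trust X-Apparently-From: if any Received: line claims to be from the provider.
    Fooled by message 2, where the inner Received: line is forged."""
    value = message_from_string(raw).get("X-Apparently-From")
    if value and any(in_domain(h, provider) for h in received_by_hosts(raw)):
        return value.strip()
    return None


def strict_apparently_from(raw: str, provider: str = "aol.com") -> Optional[str]:
    """Trust X-Apparently-From: only if our own MTA took the message from the provider."""
    value = message_from_string(raw).get("X-Apparently-From")
    host = first_hop_host(raw)
    if value and host and in_domain(host, provider):
        return value.strip()
    return None
```

Even the strict check proves only that the last hop was a provider server, not that the named account sent the message; as the reply notes, if the provider's servers relay for non-customer IPs the header is still not evidence of the account holder.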
