[Dshield] e-mail etiquette

John Hardin johnh at aproposretail.com
Wed Aug 20 21:09:11 GMT 2003


On Wed, 2003-08-20 at 13:51, Jon R. Kibler wrote:
> With SOBIG, does it forge both the 'From' and the 'envelope-sender'? I
> thought that most viruses only forged the 'From'. If they were forging
> the envelope-sender, and the MTA was sendmail, and they were not root,
> a properly configured sendmail should gag -- it may still send it, but
> the originator would be clearly labeled as 'forged'. I think most
> other MTAs would do the same.

I think you're assuming a *nix environment on the sending end. If
sendmail is receiving a message via 25/tcp, how does it know whether the
submitter is root, and thus whether the envelope sender address is
trustworthy?

Remember, these viruses are their own SMTP clients, running on Windows.

--
John Hardin  KA7OHZ                           
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
-----------------------------------------------------------------------
 "...in retrospect, we probably should have turned it on by default."
     - Craig Mundie, Microsoft CTO, on shipping Windows XP with the
       much-hyped "Internet Connection Firewall" turned off by default
-----------------------------------------------------------------------
 Tomorrow: company picnic and AquaSox game
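
The distinction John is drawing, as an added example that is not part of the original thread or of sendmail or any other software it mentions: the envelope sender (MAIL FROM) and the header From: line are two separate strings set by whatever program speaks SMTP, and a server receiving the dialogue over 25/tcp gets nothing that identifies the submitting user. The host name and all addresses below are constructed; the session builder stands in for any program that acts as its own SMTP client, and the receiving side is a deliberately minimal parser, not an MTA.

```python
from email import message_from_string
from email.utils import parseaddr


def build_client_session(envelope_from, header_from, rcpt_to, subject, body):
    """Return the client-side lines of a minimal SMTP submission.

    This is what a program acting as its own SMTP client sends to port 25.
    The envelope sender (MAIL FROM) and the header From: line are set
    independently; neither is checked against who is running the client.
    The DATA block is kept as one list element for simplicity.
    """
    message = (
        f"From: {header_from}\r\n"
        f"To: {rcpt_to}\r\n"
        f"Subject: {subject}\r\n"
        "\r\n"
        f"{body}\r\n"
    )
    return [
        "HELO pc-123.example.net",      # hypothetical client host name
        f"MAIL FROM:<{envelope_from}>",
        f"RCPT TO:<{rcpt_to}>",
        "DATA",
        message + ".",                  # message text, ended by a lone dot
        "QUIT",
    ]


def receive_session(lines):
    """Parse the dialogue the way a receiving MTA sees it.

    Over a TCP connection the server gets only these strings plus the peer's
    IP address. No field carries the submitting user or uid, so the envelope
    sender cannot be checked the way a local submission from a non-root
    user can.
    """
    envelope_from = None
    data = None
    for line in lines:
        if line.upper().startswith("MAIL FROM:"):
            envelope_from = line.split(":", 1)[1].strip().strip("<>")
        elif line.endswith("\r\n."):
            data = line[:-1]            # drop the terminating dot
    msg = message_from_string(data)
    header_from = parseaddr(msg.get("From", ""))[1]
    return {
        "envelope_from": envelope_from,
        "header_from": header_from,
        "message": msg,
    }


def sender_mismatch(received):
    """Return True when the envelope sender and header From: disagree.

    A null envelope sender (MAIL FROM:<>) is the normal form for bounces and
    is not treated as a mismatch. A mismatch is a hint, not proof: mailing
    lists and forwarders legitimately differ too.
    """
    env = received["envelope_from"]
    if env == "":
        return False
    return env.lower() != received["header_from"].lower()


if __name__ == "__main__":
    # Constructed sample addresses; the domains are reserved example names.
    session = build_client_session(
        envelope_from="bogus@forged.example",
        header_from="Some User <someone@else.example>",
        rcpt_to="victim@target.example",
        subject="Re: Thank you!",
        body="Please see the attached file.",
    )
    received = receive_session(session)
    print("envelope sender:", received["envelope_from"])
    print("header From:   ", received["header_from"])
    print("mismatch:", sender_mismatch(received))
```

Running it shows both addresses arriving as plain strings with nothing tying either to the connecting host's user; the mismatch check is a filtering hint a receiving site can apply, not a forgery proof, since legitimate mailing-list and forwarded mail also carries an envelope sender that differs from the From: header.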