[Dshield] e-mail etiquette

John Hardin johnh at aproposretail.com
Wed Aug 20 21:09:11 GMT 2003

On Wed, 2003-08-20 at 13:51, Jon R. Kibler wrote:
> With SOBIG, does it forge both the 'From' and the 'envelope-sender'? I
> thought that most viruses only forged the 'From'. If they were forging
> the envelope-sender, and the MTA was sendmail, and they were not root,
> a properly configured sendmail should gag -- it may still send it, but
> the originator would be clearly labeled as 'forged'. I think most
> other MTAs would do the same.

I think you're assuming a *nix environment on the sending end. If
sendmail is receiving a message via 25/tcp, how does it know whether the
submitter is root, and thus whether the envelope sender address is

Remember, these viruses are their own SMTP clients, running on Windows.

John Hardin  KA7OHZ                           
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
 "...in retrospect, we probably should have turned it on by default."
     - Craig Mundie, Microsoft CTO, on shipping Windows XP with the
       much-hyped "Internet Connection Firewall" turned off by default
 Tomorrow: company picnic and AquaSox game
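
Added example (not part of the original message): the difference between a message received over 25/tcp and one submitted locally with "sendmail -f", seen from the receiving side. The sample messages, hostnames, addresses and the sender_evidence helper are constructed for illustration; only the X-Authentication-Warning wording follows sendmail's local-submission warning.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a message as stored after arriving over 25/tcp.
VIA_SMTP = (
    "Return-Path: <alice@example.org>\n"
    "Received: from workstation (unknown [192.0.2.77])\n"
    "\tby mx.example.net with SMTP id h7KL9BxX012345;\n"
    "\tWed, 20 Aug 2003 21:09:11 GMT\n"
    "From: Alice <alice@example.org>\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# Constructed sample: local submission by an untrusted user with "sendmail -f".
VIA_LOCAL = (
    "Return-Path: <alice@example.org>\n"
    "Received: (from jdoe@localhost)\n"
    "\tby mx.example.net id h7KL9BxX012346;\n"
    "\tWed, 20 Aug 2003 21:09:12 GMT\n"
    "X-Authentication-Warning: mx.example.net: jdoe set sender to"
    " alice@example.org using -f\n"
    "From: Alice <alice@example.org>\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

def sender_evidence(raw):
    """Separate what the client asserted from what the receiving MTA observed."""
    msg = message_from_string(raw)
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    # The topmost Received header is the one written by our own MTA.
    top = (msg.get_all("Received") or [""])[0]
    peer = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", top)
    warning = msg.get("X-Authentication-Warning")
    return {
        "claimed_envelope": envelope,      # client-supplied MAIL FROM
        "claimed_from": header_from,       # client-supplied header
        "claims_agree": envelope == header_from,
        "observed_peer_ip": peer.group(1) if peer else None,
        "local_sender_override": bool(warning and " set sender to " in warning),
    }
```

In the SMTP case both sender addresses agree and no warning is present; the only field the receiving MTA observed for itself is the peer IP.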
