gabriel rosenkoetter on Mon, 30 Sep 2002 10:26:05 -0400

Re: [PLUG] spoofing


On Mon, Sep 30, 2002 at 08:11:16AM -0400, Arthur S. Alexion wrote:
> This leads me to believe that this is not a klez virus thing, but 
> rather, a Russian spammer who is using my address.  I'm just concerned 
> about whether I should be concerned (if that makes sense).

There's precious little you can do about it, so not much reason to
be concerned.

I can't recall whether I've gotten these before, but I just got one
today. Here're the full headers:

From MAILER-DAEMON  Mon Sep 30 10:04:13 2002
Return-Path: <>
Delivered-To: gr@eclipsed.net
Received: from mail.eclipsed.net (sdu129-197.ppp.algonet.se [195.163.197.129])
        by uriel.eclipsed.net (Postfix) with SMTP id 16EDD49701
        for <gr@eclipsed.net>; Mon, 30 Sep 2002 10:04:00 -0400 (EDT)
From: Mail Delivery System <MAILER-DAEMON@eclipsed.net>
To: gr@eclipsed.net  
Subject: Undelivered Mail Returned to Sender -PAK PROVISIONSUNDERLAG
Date: Mon,30 Sep 2002 14:39:33 PM
X-Mailer: Microsoft Outlook Express 5.50.4133.2400 
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary=mntwdoi
Message-Id: <20020930140401.16EDD49701@uriel.eclipsed.net>
Status: RO
Content-Length: 41616
Lines: 564

(Incidentally, the message I got looks like it was, in fact, Klez or
something related. Or, at least, there's an attached file pretending
to be a midi file--pretending by way of MIME type--but appears to
actually be a DOS executable. I don't keep up with this stuff since
it doesn't affect me.)

Unfortunately, I don't have (nor did you) the full headers on the
original message, which would be far more telling. In both cases,
the original sender has remapped not just the "From:" line, as Martin
DiViaio suggests, but more importantly the envelope sender, the line
which probably displays as "From <foo>" in your MUA. The lack of a
colon is important, as a line matched by /^From / separates messages
in mbox format, which is why anything matched by that string internal
to a message stream will be prefixed with a '>' by responsible MTAs.

Someone who actually cared about the Klez virus (I just dump those
messages in my spam mbox without really being conscious that they
aren't) would know whether or not it does this. (It's not complicated,
but most MUAs don't let you. For instance, the Perl module MIME::Lite
won't, but Net::SMTP will.)

More importantly, what's missing on the original message is the
return path. That's what you'd really want to be able to track down
the source, Arthur. (That is, the lines that /^Received: / matches.)
Without that, there's totally nothing you can do (besides tossing
the messages into whatever spam blocking software you use).

-- 
gabriel rosenkoetter
gr@eclipsed.net

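Added example, not part of the post or of any project it mentions: a small Python script that does what the reply describes by hand. It takes the bounce headers quoted above (embedded here as a constructed sample with a made-up body), separates the envelope sender (Return-Path) from the header From:, walks the Received: lines, and flags the discrepancies a forged bounce shows: a HELO name in the recipient's own domain coming from a host whose reverse DNS (recorded by the receiving MTA itself) is elsewhere, and a "local mailer" bounce that entered from an outside host. It also shows the mbox ">From " escaping the reply mentions. Assumptions: "eclipsed.net" is taken as the local domain, the Received: pattern targets Postfix's "from HELO (rdns [ip]) by host" layout only, and the function names are this example's own.

```python
import json
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the bounce headers quoted in the post, wrapped into a
# minimal message with a made-up body so the block runs offline.
SAMPLE = """Return-Path: <>
Delivered-To: gr@eclipsed.net
Received: from mail.eclipsed.net (sdu129-197.ppp.algonet.se [195.163.197.129])
        by uriel.eclipsed.net (Postfix) with SMTP id 16EDD49701
        for <gr@eclipsed.net>; Mon, 30 Sep 2002 10:04:00 -0400 (EDT)
From: Mail Delivery System <MAILER-DAEMON@eclipsed.net>
To: gr@eclipsed.net
Subject: Undelivered Mail Returned to Sender -PAK PROVISIONSUNDERLAG
Message-Id: <20020930140401.16EDD49701@uriel.eclipsed.net>

(constructed body)
From here the text would be mistaken for an mbox separator.
"""

# Postfix-style Received clause: "from HELO (rdns [ip]) by host ...".
# Other MTAs lay this out differently; the pattern is an assumption that
# only covers the Postfix form seen in the quoted headers.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def in_domain(name, domain):
    """True if a host name or mail address belongs to `domain` (case-insensitive)."""
    name = name.lower().rstrip(".")
    domain = domain.lower()
    return name == domain or name.endswith("." + domain) or name.endswith("@" + domain)


def parse_received(msg):
    """One dict per Received: header, in header order: the first entry is the
    hop nearest the recipient, the last is the hop nearest the origin."""
    hops = []
    for raw in msg.get_all("Received", []):
        flat = " ".join(raw.split())          # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if m:
            hops.append({k: (v or "") for k, v in m.groupdict().items()})
    return hops


def analyze(raw_message, local_domain):
    """Compare envelope sender, header From: and the Received: chain, and list
    the discrepancies a forged bounce typically shows."""
    msg = message_from_string(raw_message)
    rp = msg.get("Return-Path", "").strip()
    envelope = rp[1:-1] if rp.startswith("<") and rp.endswith(">") else rp
    header_from = parseaddr(msg.get("From", ""))[1]
    hops = parse_received(msg)
    findings = []
    for h in hops:
        # The sender announced a name in our domain, but the reverse DNS our
        # own MTA recorded for the connection says otherwise.
        if in_domain(h["helo"], local_domain) and not in_domain(h["rdns"], local_domain):
            findings.append(
                f"HELO {h['helo']} claims {local_domain} but the connecting host "
                f"is {h['rdns'] or 'unknown'} [{h['ip']}]"
            )
    # A genuine bounce from our own mailer never arrives from an outside host.
    if hops and envelope == "" and in_domain(header_from, local_domain) \
            and not in_domain(hops[-1]["rdns"], local_domain):
        findings.append(
            f"null envelope sender with From: {header_from}, yet the message "
            f"entered from external host {hops[-1]['ip']}"
        )
    return {
        "envelope_sender": envelope,
        "header_from": header_from,
        "hops": hops,
        "findings": findings,
    }


FROM_LINE_RE = re.compile(r"^>*From ")


def mbox_escape(body):
    """Prefix '>' to any body line an mbox reader would take as a message
    separator (mboxrd rule: 'From ' and already-escaped '>From ' lines).
    'From:' with a colon is a header field and is left alone."""
    return "\n".join(
        (">" + line) if FROM_LINE_RE.match(line) else line
        for line in body.split("\n")
    )


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE, "eclipsed.net"), indent=2))
    print(mbox_escape(message_from_string(SAMPLE).get_payload()))
```

Run on the sample, `analyze` reports two findings: the HELO name mail.eclipsed.net arrived from sdu129-197.ppp.algonet.se, and the null-sender bounce claiming MAILER-DAEMON@eclipsed.net entered from that external address. Only the topmost Received: line, written by your own MTA, is trustworthy; earlier hops can be forged just like the From: line, which is why the trace stops at the first hop you control.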