At 20:21 2002-05-24 -0500, David W. Tamkin did say:
> this evening I got a copy of Klez with postmaster(_at_)[my(_dot_)site] forged
> sender and even some opening text that
> <someaddressIhaveneverheardofmuchlesswrittento(_at_)famousbig(_dot_)domain> is an
> unknown user and "Returned mail" as the subject.
That's part of the payload delivery trick with KLEZ - the From: and the
ENVELOPE sender are separate - if the delivery fails to the intended
recipient, the mail system will route it back to the envelope sender --
thereby providing the infected payload to yet someone else.
I dealt with a KLEZ message yesterday which appeared addressed to an
address which only five other people had (and one of them is dead). I
loaded the originating IP address into a web browser and found an unsecured
WebRamp network sharing box, which had the user's ISP account address (for
internet login, and typically for email as well), and as HTML password
fields, their login password (view source, and there it is in
plaintext). Sent them an email telling them to contact me about their
various security issues.
In all the Klez crap I've seen, this is the first time I managed a positive
ID on the infected user. The rest have been through mailing lists where
there are MANY lurkers, so you can't match the originating IP netblock
against recent messages, because they haven't POSTED anything...
Sean B. Straw / Professional Software Engineering
Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
Please DO NOT carbon me on list replies. I'll get my copy from the list.
procmail mailing list
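The From:/envelope-sender split and the originating-IP trace described in the message above, as an added example (not code from the post, the list or procmail): a Python triage of a Klez-style "Returned mail". All hosts, addresses and IPs in the two constructed samples are made up, and the `trusted_hosts` argument is an assumed list of the reader's own mail hosts.

```python
"""Triage a Klez-style forged "Returned mail" (added example, not code from
the original post or from procmail). Separates the envelope sender
(Return-Path:, stamped by the local MTA) from the header From:, spots bounce
dressing and executable attachments, and reads the client IP from the
earliest Received: line added by a host we trust. Samples are constructed."""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Attachment extensions commonly carried by mass-mailing worms of the period.
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".bat", ".com")
BOUNCE_SUBJECT = re.compile(r"returned mail|undeliverable|delivery (failure|status)", re.I)
BOUNCE_BODY = re.compile(r"unknown user|user unknown", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")

# Constructed: what lands at the address the worm put in From:. The envelope
# sender is a third party, the text mimics a bounce, and the "bounce" carries
# an executable (the base64 is only an MZ header stub, not a real binary).
KLEZ_SAMPLE = b"""\
Return-Path: <lurker@list-member.example.net>
Received: from mx.example.org (mx.example.org [192.0.2.10])
    by mail.example.org with ESMTP id 1A2B3C; Fri, 24 May 2002 20:21:03 -0500
Received: from ppp45.dialup.example.net (ppp45.dialup.example.net [203.0.113.45])
    by mx.example.org with SMTP id 4D5E6F; Fri, 24 May 2002 20:20:58 -0500
From: postmaster@example.org
To: dwt@example.org
Subject: Returned mail
Content-Type: multipart/mixed; boundary="klezbound"

--klezbound
Content-Type: text/plain; charset=us-ascii

<nobody@famousbig.example.com> is an unknown user.

--klezbound
Content-Type: application/octet-stream; name="setup.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="setup.exe"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--klezbound--
"""

# Constructed: a genuine DSN has a null reverse-path and no executable.
REAL_BOUNCE_SAMPLE = b"""\
Return-Path: <>
Received: from mx.example.org (mx.example.org [192.0.2.10])
    by mail.example.org with ESMTP id 7G8H9I; Fri, 24 May 2002 21:00:00 -0500
From: MAILER-DAEMON@mx.example.org
Subject: Returned mail: User unknown

<nobody@famousbig.example.com>: user unknown
"""

def envelope_sender(msg):
    """Envelope sender as recorded in Return-Path:; '' means null reverse-path."""
    return parseaddr(msg.get("Return-Path", "<>"))[1]

def sender_mismatch(msg):
    """True when a non-null envelope sender differs from the header From:."""
    env = envelope_sender(msg)
    return env != "" and env.lower() != parseaddr(msg.get("From", ""))[1].lower()

def looks_like_bounce(msg):
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    return bool(BOUNCE_SUBJECT.search(msg.get("Subject", "")) or BOUNCE_BODY.search(text))

def executable_attachments(msg):
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    return [n for n in names if n.lower().endswith(EXECUTABLE_EXT)]

def originating_ip(msg, trusted_hosts):
    """Client IP from the earliest Received: stamped by one of our own hosts;
    Received: lines below that point may have been forged by the sender."""
    origin = None
    for received in msg.get_all("Received", []):  # newest first
        text = " ".join(str(received).split())
        by, ip = BY_RE.search(text), IP_RE.search(text)
        if by and ip and by.group(1).lower() in trusted_hosts:
            origin = ip.group(1)  # keep the last, i.e. earliest, trusted hop
    return origin

def triage(raw, trusted_hosts=("mx.example.org", "mail.example.org")):
    """trusted_hosts is an assumed list of the reader's own MX names."""
    msg = message_from_bytes(raw, policy=policy.default)
    r = {
        "envelope_sender": envelope_sender(msg),
        "header_from": parseaddr(msg.get("From", ""))[1],
        "sender_mismatch": sender_mismatch(msg),
        "looks_like_bounce": looks_like_bounce(msg),
        "executables": executable_attachments(msg),
        "origin_ip": originating_ip(msg, {h.lower() for h in trusted_hosts}),
    }
    worm = r["looks_like_bounce"] and (r["executables"] or r["sender_mismatch"])
    r["verdict"] = "klez-style forged bounce" if worm else "no worm indicators"
    return r
```

`triage(KLEZ_SAMPLE)` returns a dict whose `verdict` is "klez-style forged bounce" and whose `origin_ip` is the dial-up client's address, the one you would then look up; `triage(REAL_BOUNCE_SAMPLE)` comes back with no worm indicators because a genuine DSN is sent with a null reverse-path, which is the one bounce property a worm cannot fake while still getting its payload bounced on to a third party. The same envelope sender is typically visible to a procmail recipe in the Return-Path: header the local MTA stamps at delivery, so the envelope/From: comparison can be done there as well.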