
RE: [Asrg] "worm spam" and SPF]

2004-11-27 12:22:13
Here was the specific context to which I was responding:
    they might even send out email using the user's own email
    account and/or email client.
Swen does that. Really. 

No, it doesn't. 

Different versions of Swen do different things to get an SMTP server to
use, but they all use a built-in SMTP engine and none of them use SMTP
AUTH account information. 

In some circumstances Swen will put up a fake MAPI32 exception handler
that asks you for your email account server, username and password (see
a copy at http://www.trendmicro.com/vinfo/images/worm_swen_a_img2.gif).
According to Symantec
(http://securityresponse.symantec.com/avcenter/venc/data/w32(_dot_)swen(_dot_)a(_at_)mm(_dot_)html)
Swen uses the username and password to check the POP3 account for
copies of itself. So Swen might use the default SMTP server (harvested
from the registry), but that's as close as it gets to using the user's
own e-mail account.

How would a worm work if everyone had SMTP AUTH? It would either have to
use a social engineering trick like Swen does with the MAPI32 dialog -
and there's no evidence that there's a big problem with people filling
out that form - or it would have to find the cached account credentials
in the registry and use them. 

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
larryseltzer(_at_)ziffdavis(_dot_)com 


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
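Larry's point that Swen carries its own SMTP engine rather than using the user's account has a defensive corollary: an infected client speaks SMTP directly to many remote mail servers instead of handing mail to the site's submission relay, which is visible in connection logs. The following is an added example, not part of this thread, that flags such hosts from a constructed connection log; the internal address ranges and the relay address 10.0.0.25 are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample connection log (not from the thread): "timestamp src_ip dst_ip dst_port".
SAMPLE_LOG = """\
2004-11-27T12:01:03 192.168.1.10 10.0.0.25 25
2004-11-27T12:01:04 192.168.1.10 10.0.0.25 25
2004-11-27T12:01:09 192.168.1.22 203.0.113.7 25
2004-11-27T12:01:10 192.168.1.22 198.51.100.9 25
2004-11-27T12:01:11 192.168.1.22 192.0.2.14 25
2004-11-27T12:01:12 192.168.1.22 203.0.113.40 25
2004-11-27T12:01:15 192.168.1.31 10.0.0.25 587
2004-11-27T12:01:20 192.168.1.22 203.0.113.70 80
"""

# Hypothetical site layout: internal ranges and the one relay clients are allowed to use.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]
AUTHORIZED_RELAYS = {ipaddress.ip_address("10.0.0.25")}


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def parse_log(text):
    """Yield (timestamp, src, dst, port) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield parts[0], ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2]), int(parts[3])
        except ValueError:
            continue


def direct_smtp_senders(text, threshold=3):
    """Map each internal host that opened port-25 connections to at least `threshold`
    distinct non-relay destinations onto the sorted list of those destinations.
    A client talking straight to many remote MXs, bypassing the site's submission
    relay, behaves like a built-in SMTP engine rather than a configured mail client."""
    seen = defaultdict(set)
    for _ts, src, dst, port in parse_log(text):
        if port != 25 or not is_internal(src) or dst in AUTHORIZED_RELAYS:
            continue
        seen[src].add(dst)
    return {str(src): [str(d) for d in sorted(dsts)]
            for src, dsts in seen.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    for host, targets in direct_smtp_senders(SAMPLE_LOG).items():
        print(f"{host}: direct SMTP to {len(targets)} hosts, e.g. {targets[0]}")
```

Hosts that only use the relay (192.168.1.10) or submit on port 587 (192.168.1.31) are not flagged; the same rule is what an egress filter on port 25 enforces rather than merely observes.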

