ietf

RE: FW: Virus alert

2003-08-29 22:24:43
On Fri, 29 Aug 2003, Christian Huitema wrote:

Can't we just hack the mailman configs to dump mails with X-sender value
of outlook or outlook express?  That would solve the problem, no;)

Well, the only problem with that idea is that we explicitly do *NOT*
have a "Your clue must be ->THIS<- tall to ride the IETF list"
policy... ;)

The Sobig worm includes its own SMTP code, and places arbitrary values
in the header fields.

You mean to say that there is a full MTA tucked away in there?


The source address is forged, and so are various
other fields, including X-Mailer.

Perhaps you misunderstood my intentions.  My intentions associated with
this post had nothing to do with the worm.


The worm finds target source and
destination addresses by reading files on the user's disk, not by using
a specific Outlook or OE API. It propagates by "social engineering",
when users open some executable attachments.

Since when is social engineering a desktop activity?  The last time I
checked, social engineering was along the lines of thank you for the shiny
new job, now I'm going to hide a rogue server on your network.

Users can click on
attachments with many mailers, not just Outlook and OE. In fact, the
latest versions of Outlook automatically strip such attachments.


I'm glad I don't have to click on my mail.


-- Christian Huitema




sleekfreak pirate broadcast
world tour 2002-3
live from the pirate hideout
http://sleekfreak.ath.cx:81/



