
RE: FW: Virus alert

2003-08-30 10:02:08

Can't we just hack the mailman configs to dump mails with X-sender value of outlook or outlook express? That would solve the problem, no;)

Well, the only problem with that idea is that we explicitly do *NOT* have a "Your clue must be ->THIS<- tall to ride the IETF list" policy... ;)

The Sobig worm includes its own SMTP code, and places arbitrary values in the header fields.

You mean to say that there is a full MTA tucked away in there?

Yes. Maybe not a full MTA, but definitely enough to format messages and
execute SMTP. The common assumption is that Sobig was written by one or
several criminals, with the purpose of installing a network of mail
relay "zombies", and then selling the services of this network of
zombies to spammers. The same SMTP agent is probably also used to send
spam from the zombies. If you compare the headers of mail generated by
the worm with those of random spam, you will find that they are very
similar.

There is another link between Sobig and spam. It appears that these
networks of zombies are used in denial of service attacks against
anti-spam services.

By the way, the worm does not only include its own SMTP service. It
seems to also include its own DNS code, probably in order to get the MX
records of its targets. This DNS agent is parameterized to start any
look-up at the A-root, with the side effect of overloading this root
server.

-- Christian Huitema
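The point Huitema makes against the "drop anything with an Outlook X-Sender" idea is that a worm with its own SMTP engine writes every header itself, so a header-based filter only catches mail whose author chose to be caught. The following is an added illustration, not code from the thread or from Mailman: it models the proposed filter on the X-Mailer header and runs it over constructed messages (the addresses, mailer strings and message bodies are invented for the example, not real Sobig samples). A genuine subscriber's client reports itself honestly and is dropped; a worm-style engine can claim any mailer, or none, and sails through.

```python
"""Why filtering list mail on a client-supplied mailer header cannot stop
a worm that carries its own SMTP code.

Added example for the thread above; the messages, addresses and header
values below are constructed for illustration and are not real samples.
"""
from email import message_from_string
from email.message import EmailMessage
from typing import Optional

# The proposal from the thread: drop anything whose mailer header names
# Outlook or Outlook Express (substring match, case-insensitive).
BLOCKED_MAILERS = ("microsoft outlook", "outlook express")


def mailer_filter(raw: str, blocked=BLOCKED_MAILERS) -> str:
    """Return 'drop' if X-Mailer names a blocked client, else 'accept'."""
    msg = message_from_string(raw)
    mailer = (msg.get("X-Mailer") or "").lower()
    return "drop" if any(b in mailer for b in blocked) else "accept"


def mua_message(x_mailer: str) -> str:
    """A message built by a real mail client, which identifies itself."""
    msg = EmailMessage()
    msg["From"] = "alice@example.net"       # hypothetical subscriber
    msg["To"] = "ietf@ietf.org"
    msg["Subject"] = "RE: FW: Virus alert"
    msg["X-Mailer"] = x_mailer
    msg.set_content("Plain text from a legitimate subscriber.")
    return msg.as_string()


def worm_style_message(x_mailer: Optional[str]) -> str:
    """A message assembled by a worm's own SMTP engine.

    The engine formats the headers itself, so every field is whatever its
    author chose. The only worm behaviour modelled here is that it picks
    the X-Mailer value freely, or leaves the header out altogether.
    """
    lines = [
        "From: bob@example.org",            # forged sender, hypothetical
        "To: ietf@ietf.org",
        "Subject: Re: Details",
    ]
    if x_mailer is not None:
        lines.append(f"X-Mailer: {x_mailer}")
    lines += ["", "See the attached file for details."]
    return "\r\n".join(lines) + "\r\n"


def filter_outcomes() -> dict:
    """Run the proposed filter over the four cases that matter."""
    oe = "Microsoft Outlook Express 6.00.2800.1106"   # constructed value
    return {
        # Honest client, honest header: dropped (collateral damage).
        "subscriber_with_outlook": mailer_filter(mua_message(oe)),
        # Worm that happens to imitate Outlook: dropped, but only by luck.
        "worm_claiming_outlook": mailer_filter(worm_style_message(oe)),
        # Worm that claims a different client: accepted.
        "worm_claiming_mutt": mailer_filter(worm_style_message("Mutt/1.4i")),
        # Worm that omits the header entirely: accepted.
        "worm_without_header": mailer_filter(worm_style_message(None)),
    }


if __name__ == "__main__":
    for case, verdict in filter_outcomes().items():
        print(f"{case:26s} -> {verdict}")
```

The filter's decision depends entirely on a value the sender controls, which is exactly what "places arbitrary values in the header fields" means in practice: the worm's author need only choose a different string, or none, and the rule stops matching while the legitimate Outlook users on the list remain blocked.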
