On Thu, 2002-05-16 at 13:37, Philip Guenther wrote:
> Paul Thomas <cueman(_at_)cuenet(_dot_)com> writes:
> > Heh, Charlie seems to be hitting his stride today. Have another
> > cup of coffee Charlie!;)
> You might not like how he says it, but did you pay attention to the
> _content_? He is correct: sending a bounce message to the header
> sender is a Bad Thing. Use "formail -r", "formail -rt" when generating
> bounces.
The sanitizer does this, and always has.
I've been checking the Klez bounces from my domain and I'm seeing 80% to
90% correlation between Return-Path: and the domains in the Received:
headers.
Some comments and questions:
(1) I haven't seen the headers on the messages claiming to be from Mr.
Summers so I don't know if the attack message contained a Return-Path:
header. I have seen a few messages (not necessarily from Klez) that do
not. I've asked Paul if he still has the administrator notifications
from those messages so I can see them.
(2) Is it possible to forge a Return-Path: header? Or do the MTAs
override this one?
(3) If it is possible to forge the Return-Path: header, does anyone know
whether any Klez variants do so?
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin(_at_)impsec(_dot_)org pgpk -a
jhardin(_at_)impsec(_dot_)org
768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76
1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
"To disable the Internet to save EMI and Disney is the moral
equivalent of burning down the library of Alexandria to ensure the
livelihood of monastic scribes."
-- John Ippolito of the Guggenheim
-----------------------------------------------------------------------
909 days until the Presidential Election
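The policy Philip recommends (bounce to the envelope sender in Return-Path:, never to the header From: that Klez forges) and the Return-Path:/Received: correlation John describes can be written out as a small script. This is an added example for illustration, not the sanitizer's or formail's own code; the three sample messages are constructed, and the "does the Return-Path: domain appear in the Received: trail" test is a suffix-match heuristic assumed here, not anything the list post specifies.

```python
"""Pick a bounce recipient from the envelope sender (Return-Path:) rather
than the header From:, and check whether the Return-Path: domain agrees
with the hosts named in the Received: trail.  Added example; the messages
below are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample 1: header From: forged, Return-Path: agrees with the
# host that handed the message to our MTA.
MSG_CONSISTENT = """\
Return-Path: <victim@example.net>
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.org (8.12.3/8.12.3) with ESMTP id g4GKb0Xa012345
\tfor <user@example.org>; Thu, 16 May 2002 13:37:00 -0700
From: "Forged Sender" <forged@example.com>
To: user@example.org
Subject: constructed test message

body
"""

# Constructed sample 2: Return-Path: names a domain that never appears in
# the Received: trail (the kind of message outside John's 80-90%).
MSG_MISMATCH = """\
Return-Path: <someone@example.com>
Received: from dialup-42.example.net (dialup-42.example.net [192.0.2.42])
\tby mx.example.org (8.12.3/8.12.3) with ESMTP id g4GKb0Xa012346
\tfor <user@example.org>; Thu, 16 May 2002 13:38:00 -0700
From: "Forged Sender" <forged@example.com>
To: user@example.org
Subject: constructed test message

body
"""

# Constructed sample 3: no Return-Path: header at all (John's question 1).
MSG_NO_RETURN_PATH = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.org (8.12.3/8.12.3) with ESMTP id g4GKb0Xa012347
\tfor <user@example.org>; Thu, 16 May 2002 13:39:00 -0700
From: "Forged Sender" <forged@example.com>
To: user@example.org
Subject: constructed test message

body
"""

# Host name in the "from" clause of a Received: header.
RECEIVED_FROM = re.compile(r"^from\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def bounce_recipient(raw):
    """Envelope sender from Return-Path:, or None when it is absent or the
    null sender "<>".  The header From: is deliberately never used as a
    fallback: that is the field a forging worm controls, so None means
    'do not bounce at all'."""
    rp = message_from_string(raw).get("Return-Path")
    if rp is None:
        return None
    addr = parseaddr(rp)[1]
    return addr or None


def received_hosts(raw):
    """Host names claimed in the 'from' clause of each Received: header,
    topmost (closest to us) first."""
    hosts = []
    for hdr in message_from_string(raw).get_all("Received", []):
        m = RECEIVED_FROM.match(hdr.strip())
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def return_path_agrees_with_received(raw):
    """Correlation check: is the Return-Path: domain the domain (or a parent
    domain) of some host in the Received: trail?  Suffix match is an
    assumption of this example, not a rule from the list discussion."""
    addr = bounce_recipient(raw)
    if not addr or "@" not in addr:
        return False
    dom = addr.rsplit("@", 1)[1].lower()
    return any(h == dom or h.endswith("." + dom) for h in received_hosts(raw))


def decide(raw):
    """(recipient or None, Return-Path-agrees-with-Received) for a message."""
    return bounce_recipient(raw), return_path_agrees_with_received(raw)


if __name__ == "__main__":
    for name, msg in (("consistent", MSG_CONSISTENT),
                      ("mismatch", MSG_MISMATCH),
                      ("no-return-path", MSG_NO_RETURN_PATH)):
        rcpt, agrees = decide(msg)
        print("%-15s bounce to %s, Return-Path matches Received: %s"
              % (name, rcpt, agrees))
```

Note that the Return-Path: header this script reads is whatever the delivering MTA left at the top of the message; a sender-supplied one lower down is ignored because `get()` returns the first occurrence, which is the one the local MTA prepended. Messages with no usable envelope sender get no bounce at all, which is the safe default when the only remaining address is a forged From:.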