Klez-G obscuring From addresses?

Todd Martin todd at DECAGON.COM
Thu Apr 25 19:06:30 IST 2002

We've received a relatively high number of Klez-G attempts over the
last few days.

I noticed this particular virus appears to hide the name of the
sender by forging the from address. MailScanner knows who really sent
it because the postmaster notification shows the right sender.

I think it would be helpful if the message my users get either had
the from address corrected or a notice in the message who the real
sender was.

I've also seen a positive correlation between the forged from address
and the to address. Several of the incoming viruses look to be from
users in our domain. This brought on a little finger-pointing and

After thinking about this for a few minutes, forged from addresses
(and envelope-from) seem easy enough for a virus with its own SMTP
engine to obfuscate at will (like Klez-G). Perhaps this is a moot
point. Any opinions out there?


P.S. Several Klez-G viruses slipped by my MailScanner 3.12 and Sophos
354 (causing some modest havoc). Upgrading to Sophos 356n seems to do
the trick.

