Klez-G obscuring From addresses?

Rose, Bobby brose at MED.WAYNE.EDU
Thu Apr 25 19:22:55 IST 2002


The only thing you could do is send the warning message to the
postmaster at the sending domain.  There isn't any way to determine the
true sender but maybe the postmaster would know by looking at the IP of
the sending system.

-----Original Message-----
From: Todd Martin [mailto:todd at DECAGON.COM] 
Sent: Thursday, April 25, 2002 2:07 PM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Klez-G obscuring From addresses?


We've received a relatively high number of Klez-G attempts over the last
few days.

I noticed this particular virus appears to hide the name of the sender
by forging the from address. MailScanner knows who really sent it
because the postmaster notification shows the right sender
(envelope-from?).

I think it would be helpful if the message my users get either had the
from address corrected or a notice in the message who the real sender
was.

I've also seen a positive correlation between the forged from address
and the to address. Several of the incoming viruses look to be from users
in our domain. This brought on a little finger-pointing and panic.

After thinking about this for a few minutes, forged from addresses (and
envelope-from) seem easy enough for a virus with its own SMTP engine to
obfuscate at will (like Klez-G). Perhaps this is a moot point. Any
opinions out there?

~Todd

P.S. Several Klez-G viruses slipped by my mailscanner 3.12 and Sophos
354 (causing some modest havoc). Upgrading to Sophos 356n seems to do
the trick.
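The header From versus envelope-from distinction discussed in this thread, worked through as an added example (not MailScanner's code and not from either poster): it compares the two addresses, notes when a From address claims a local user while the envelope sender is external, and records the connecting IP, which is the detail a sending domain's postmaster can act on. The Return-Path convention, the LOCAL_DOMAINS set and the sample message are assumptions.

```python
"""Compare the header From with the envelope sender of an incoming message.

Added example, not MailScanner's own code. Assumes the receiving MTA stores
the SMTP MAIL FROM in Return-Path and that the topmost Received header, written
by our MTA, names the connecting host. Message and domain list are constructed.
"""
import email
import re
from email.utils import parseaddr

LOCAL_DOMAINS = {"example.org"}  # assumption: domains we receive mail for

# Constructed sample: an external dial-up host sending a message whose
# header From is forged to look like a user in the recipient's own domain.
SAMPLE = """\
Return-Path: <someone@dialup.example.net>
Received: from pc45.dialup.example.net (pc45.dialup.example.net [192.0.2.45])
\tby mail.example.org with SMTP; Thu, 25 Apr 2002 14:01:02 -0400
From: "A Colleague" <colleague@example.org>
To: victim@example.org
Subject: Hi

Body text.
"""

def analyse_sender(raw):
    """Return (header_from, envelope_from, relay_ip, warnings)."""
    msg = email.message_from_string(raw)
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    envelope_from = parseaddr(msg.get("Return-Path", ""))[1].lower()
    received = msg.get_all("Received") or [""]
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0])
    relay_ip = m.group(1) if m else None
    hdr_dom, env_dom = header_from.rpartition("@")[2], envelope_from.rpartition("@")[2]
    warnings = []
    if hdr_dom != env_dom:
        warnings.append("header From domain differs from envelope sender")
    if hdr_dom in LOCAL_DOMAINS and env_dom not in LOCAL_DOMAINS:
        warnings.append("From claims a local user but envelope sender is external")
    return header_from, envelope_from, relay_ip, warnings

def sender_notice(raw):
    """Notice to prepend to the delivered copy when a mismatch is found, else None.
    A worm's own SMTP engine can forge both addresses, so the connecting IP is
    the detail worth reporting to the sending domain's postmaster."""
    header_from, envelope_from, relay_ip, warnings = analyse_sender(raw)
    if not warnings:
        return None
    return "Notice: header From was <%s>, envelope sender was <%s>, connecting host %s (%s)." % (
        header_from, envelope_from, relay_ip, "; ".join(warnings))
```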


