Klez-G obscuring From addresses?

Julian Field jkf at ecs.soton.ac.uk
Fri Apr 26 12:01:39 IST 2002


It's not safe to assume that any address given in a message is genuine.

At 19:06 25/04/2002, you wrote:
>We've received a relatively high number of Klez-G attempts over the
>last few days.
>
>I noticed this particular virus appears to hide the name of the
>sender by forging the from address. MailScanner knows who really sent
>it because the postmaster notification shows the right sender
>(envelope-from?).
>
>I think it would be helpful if the message my users get either had
>the from address corrected or a notice in the message who the real
>sender was.
>
>I've also seen a positive correlation between the forged from address
>and the to address. Several of the incoming viruses look to be from
>users in our domain. This brought on a little finger-pointing and
>panic.
>
>After thinking about this for a few minutes, forged from addresses
>(and envelope-from) seem easy enough for a virus with its own SMTP
>engine to obfuscate at will (like Klez-G). Perhaps this is a moot
>point. Any opinions out there?
>
>~Todd
>
>P.S. Several Klez-G viruses slipped by my mailscanner 3.12 and Sophos
>354 (causing some modest havoc). Upgrading to Sophos 356n seems to do
>the trick.

--
Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ
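The thread turns on the difference between the visible From: header and the envelope sender the MTA records in Return-Path, and on the fact that neither can be trusted when a worm drives its own SMTP engine. The script below is an added illustration, not MailScanner code: it parses a constructed message whose From: names a user in the receiving domain while Return-Path names someone else, flags the mismatch, pulls the connecting IP out of the topmost Received: line (the one piece of data the receiving MTA observed itself rather than was told), and adds an X-Envelope-From header plus a body note so the recipient sees what was actually claimed. All addresses, hostnames and IPs are invented; the header names X-Envelope-From and the notice wording are this example's own choices.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed sample message (not a real capture). The From: header names a
# user in the receiving domain example.org, while the envelope sender recorded
# by the receiving MTA in Return-Path is a different address entirely.
SAMPLE_RAW = b"""\
Return-Path: <someone@example.net>
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.org with SMTP; Thu, 25 Apr 2002 18:55:01 +0100
From: Colleague <colleague@example.org>
To: todd@example.org
Subject: Hi
Message-ID: <constructed-001@example.net>

Please see the attached file.
"""

# Matches a bracketed IPv4 literal such as "[192.0.2.10]" in a Received: line.
_IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _parse(raw: bytes) -> EmailMessage:
    return email.message_from_bytes(raw, policy=policy.default)


def header_from(msg: EmailMessage) -> str:
    """Address part of the visible From: header, lower-cased ('' if absent)."""
    return parseaddr(str(msg.get("From", "")))[1].lower()


def envelope_sender(msg: EmailMessage) -> str:
    """Envelope sender as the receiving MTA recorded it in Return-Path.

    This is what the sending SMTP engine *claimed* in MAIL FROM; a mass
    mailer can set it to anything, so it is evidence, not proof.
    """
    return parseaddr(str(msg.get("Return-Path", "")))[1].lower()


def connecting_ip(raw: bytes) -> str:
    """IP from the topmost Received: header, i.e. the host that connected to
    our MTA. Unlike From: and Return-Path this was observed, not asserted,
    though only the topmost line (added by our own server) can be trusted."""
    msg = _parse(raw)
    received = msg.get_all("Received", [])
    if not received:
        return ""
    match = _IP_IN_BRACKETS.search(str(received[0]))
    return match.group(1) if match else ""


def sender_mismatch(raw: bytes) -> dict:
    """Compare header From: against the envelope sender and report both."""
    msg = _parse(raw)
    hdr, env = header_from(msg), envelope_sender(msg)
    return {
        "header_from": hdr,
        "envelope_from": env,
        "mismatch": bool(hdr and env and hdr != env),
    }


def annotate(raw: bytes) -> bytes:
    """Return the message with the envelope sender surfaced for the reader.

    Adds an X-Envelope-From header (name chosen for this example) and, when
    From: and the envelope sender disagree, prepends a plain-text note so the
    recipient does not blame the colleague named in From:.
    """
    msg = _parse(raw)
    report = sender_mismatch(raw)
    msg["X-Envelope-From"] = report["envelope_from"] or "unknown"
    if report["mismatch"]:
        note = (
            "NOTE: the From: header of this message ({hdr}) does not match the\n"
            "envelope sender ({env}) that delivered it from {ip}. Both can be\n"
            "forged by a mass-mailing virus; do not assume the From: user sent it.\n\n"
        ).format(hdr=report["header_from"], env=report["envelope_from"],
                 ip=connecting_ip(raw) or "an unknown host")
        msg.set_content(note + msg.get_content())
    return msg.as_bytes()


if __name__ == "__main__":
    print(sender_mismatch(SAMPLE_RAW))
    print(annotate(SAMPLE_RAW).decode())
```

Run against a message whose From: and Return-Path agree, the note is not added and only the informational header appears; the mismatch case is the one the thread describes, where a recipient otherwise sees a colleague's name and starts finger-pointing.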


