Klez-G obscuring From addresses?
Martin Sapsed
m.sapsed at BANGOR.AC.UK
Tue Apr 30 10:06:22 IST 2002
Todd Martin wrote:
> We've received a relatively high number of Klez-G attempts over the
> last few days.
>
> I noticed this particular virus appears to hide the name of the
> sender by forging the from address. MailScanner knows who really sent
> it because the postmaster notification shows the right sender
> (envelope-from?).
>
> I've also seen a positive correlation between the forged from address
> and the to address. Several of the incoming viruses look to be from
> users in our domain. This brought on a little finger-pointing and
> panic.
I think you'll find Klez picks both the From: and To: addresses from the
address book on the victim's machine. I had a case yesterday where
boyfriend suggested that girlfriend's PC was infected. Closer examination
of the headers revealed that actually it's boyfriend's PC that's infected!
Oh dear!
Cheers,
Martin
--
Martin Sapsed To have no errors
Information Services Would be life without meaning
University of Wales, Bangor, LL57 2UX No struggle, no joy.
Fax: +44 (0)1248 383826
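
The header check discussed in this thread, as an added example that is not part of the original posts: it compares the From: header with the envelope sender and walks the Received: chain back to the last hop written by a relay you trust. The sample message, addresses, host names and the `analyse` helper are constructed for illustration; it assumes the delivering MTA stored the envelope sender in Return-Path and writes Received lines in the common `from helo (rdns [ip]) by host` form.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (hypothetical hosts and addresses).
SAMPLE = """\
Return-Path: <bob@example.net>
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby mail.example.edu with ESMTP; Tue, 30 Apr 2002 09:58:01 +0100
Received: from bobs-pc (dialup-17.example.net [198.51.100.17])
\tby mx.example.org with SMTP; Tue, 30 Apr 2002 09:57:40 +0100
From: alice@example.edu
To: carol@example.edu
Subject: sample

body
"""

# Assumed Received layout: "from HELO (RDNS [IP]) by HOST ..."
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)

def analyse(raw, trusted_relays):
    """Compare header From with envelope sender and find the real origin."""
    msg = message_from_string(raw)
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    envelope_from = parseaddr(msg.get("Return-Path", ""))[1].lower()
    origin = None
    # Received headers are newest-first. Only lines written by our own
    # relays can be believed, so stop at the first hop we do not trust.
    for hop in msg.get_all("Received", []):
        m = RECEIVED_RE.search(hop)
        if not m or m.group("by").lower() not in trusted_relays:
            break
        origin = (m.group("helo"), m.group("ip"))
    return {
        "header_from": header_from,
        "envelope_from": envelope_from,
        "mismatch": header_from != envelope_from,
        "origin": origin,
    }

if __name__ == "__main__":
    print(analyse(SAMPLE, {"mail.example.edu", "mx.example.org"}))
```

The `origin` pair is the connecting host as seen by the earliest trusted relay, which is the machine to examine rather than the address shown in From:.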