Why the from and the sender are not the same thing?

Gillis, Mark Mark.Gillis at HTCINC.NET
Tue Aug 20 16:02:03 IST 2002


> -----Original Message-----
> From: Jonathan Arcand [mailto:jonathan.arcand at CEGEPTR.QC.CA]
> Sent: Tuesday, August 20, 2002 10:36 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Why the from and the sender are not the same thing?

Simplest answer:  The KLEZ virus is a dirty lying stinking scoundrel.  It
reads the victim's address book, snags at random a few addresses, and uses
those as the From and To.  It has its own built-in SMTP engine, which it
uses to deliver its nastiness.

You cannot trust the From and To in a Klez message, unfortunately.  However,
if you have access to the syslogd mail logs, you should be able to grep for
the message number and get a bit better picture.

I wish this helped, but Klez is just an intensely uncomfortable sensation
in the nethermost regions.  MailScanner and Sophos deal with it quite
handily, however.

Mark



> 
> 
> Hi,
> 
> I received some messages like this:
> 
> 
> > The following e-mail messages were found to have viruses in them:
> >
> >    Sender: <Webmaster at cegeptr.qc.ca >
> > Recipient: <infoprog at cegeptr.qc.ca>
> >   Subject: Scrolling
> > MessageID: g7KE78FF002666
> >    Report: /g7KE78FF002666/Yzdsr.scr        Found the W32/Klez.h at MM virus !!!
> > Windows Screensavers often hide viruses in email in Yzdsr.scr
> >
> > Full headers are:
> >  Return-Path: <g>
> >  Received: from Jcdyf (hurricane-ppp29.sorel.cognicase.net [64.254.11.35])
> >   by courrier.cegeptr.qc.ca (8.12.5/8.12.5) with SMTP id g7KE78FF002666
> >   for <infoprog at cegeptr.qc.ca>; Tue, 20 Aug 2002 10:07:09 -0400
> >  Date: Tue, 20 Aug 2002 10:07:08 -0400
> >  Message-Id: <200208201407.g7KE78FF002666 at courrier.cegeptr.qc.ca>
> >  From: webmaster <webmaster at johnabbott.qc.ca>
> >  To: infoprog at cegeptr.qc.ca
> >  Subject: Scrolling
> >  MIME-Version: 1.0
> >  Content-Type: multipart/alternative;
> >   boundary=BBowx3aO8i4OBHwS930B5Us0800A2M03
> >
> > --
> > MailScanner
> > Email Virus Scanner
> 
> I don't understand why the sender is webmaster at my.domain and in the
> header is webmaster at johnabbott.qc.ca
> 
> The user's auto-response goes to webmaster at cegeptr.qc.ca
> 
> I'm using MailScanner 3.20-7 with no spam detection and McAfee
> 
> Does someone know what my problem is?
> Thanks!
> 
> Jonathan
> 
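
The log check suggested in the reply above (grep the mail log for the message number), as an added example that is not part of the original thread: it pulls the envelope sender and connecting relay the MTA recorded for one queue ID and compares them with the From: header. The log lines are constructed in sendmail's syslog layout from the values in the quoted headers, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample log (sendmail syslog layout). Queue ID, relay and
# envelope sender <g> are taken from the quoted headers; PIDs, sizes and
# the second message are made up for illustration.
sample_maillog() {
cat <<'EOF'
Aug 20 10:07:09 courrier sendmail[2666]: g7KE78FF002666: from=<g>, size=123456, class=0, nrcpts=1, msgid=<200208201407.g7KE78FF002666@courrier.cegeptr.qc.ca>, proto=SMTP, daemon=MTA, relay=hurricane-ppp29.sorel.cognicase.net [64.254.11.35]
Aug 20 10:07:10 courrier sendmail[2667]: g7KE79FF002670: from=<someone@example.org>, size=2048, class=0, nrcpts=1, msgid=<constructed@example.org>, proto=ESMTP, daemon=MTA, relay=mail.example.org [192.0.2.10]
Aug 20 10:07:11 courrier sendmail[2666]: g7KE78FF002666: to=<infoprog@cegeptr.qc.ca>, delay=00:00:02, mailer=local, pri=30000, stat=queued
EOF
}

# Print every log line for one queue ID (the "MessageID" in the report).
# $1 = queue ID, stdin = mail log
lines_for_id() {
    grep -F " $1: "
}

# Extract the first value of one key=value field (from, relay, ...).
# $1 = field name, stdin = log lines
log_field() {
    sed -n "s/.*[ ,]$1=\([^,]*\).*/\1/p" | head -n 1
}

# Compare what the MTA logged at SMTP time with the From: header, which
# the sending program is free to forge.
# $1 = queue ID, $2 = From: header address, stdin = mail log
envelope_vs_header() {
    entries=$(lines_for_id "$1" || true)
    env_from=$(printf '%s\n' "$entries" | log_field from | tr -d '<>' | tr 'A-Z' 'a-z')
    relay=$(printf '%s\n' "$entries" | log_field relay)
    hdr=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if [ "$env_from" = "$hdr" ]; then verdict=match; else verdict=MISMATCH; fi
    printf 'envelope-from=%s header-from=%s relay=%s verdict=%s\n' \
        "$env_from" "$hdr" "$relay" "$verdict"
}

sample_maillog | envelope_vs_header g7KE78FF002666 webmaster@johnabbott.qc.ca
```

The relay hostname and IP come from the TCP connection itself, so they identify the machine that actually delivered the message regardless of what the From: header claims.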

