Why the from and the sender are not the same thing?

Julian Field mailscanner at ecs.soton.ac.uk
Tue Aug 20 19:00:46 IST 2002


At 16:02 20/08/2002, you wrote:
> > -----Original Message-----
> > From: Jonathan Arcand [mailto:jonathan.arcand at CEGEPTR.QC.CA]
> > Sent: Tuesday, August 20, 2002 10:36 AM
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: Why the from and the sender are not the same thing?
>
>Simplest answer:  The KLEZ virus is a dirty lying stinking scoundrel.  It
>reads the victim's address book, snags at-random a few addresses, and uses
>those as the From and To.  It has its own built-in SMTP engine, which it
>uses to deliver its nastiness.
>
>You cannot trust the From and To in a Klez message, unfortunately.  However,
>if you have access to the syslogd mail logs, you should be able to grep for
>the message number and get a bit better picture.
>
>I wish this helped, but Klez is just an intensely uncomfortable sensation
>in the nethermost regions.  MailScanner and Sophos deal with it quite
>handily, however.

Indeed. Look for the
Viruses To Quietly Delete = /usr/local/MailScanner/etc/viruses.to.delete.conf
line in your mailscanner.conf file and make sure it isn't commented out. 
You can use the option after that one to stop them being delivered to the 
recipients as well as to the senders.
Just ensure you have the right strings in the viruses.to.delete.conf file, 
as these will depend on what your virus scanner calls them.

> > Hi,
> >
> > I received some messages like this:
> >
> >
> > > The following e-mail messages were found to have viruses in them:
> > >
> > >    Sender: <Webmaster at cegeptr.qc.ca >
> > > Recipient: <infoprog at cegeptr.qc.ca>
> > >   Subject: Scrolling
> > > MessageID: g7KE78FF002666
> > >    Report: /g7KE78FF002666/Yzdsr.scr        Found the
> > W32/Klez.h at MM virus
> > !!!
> > > Windows Screensavers often hide viruses in email in Yzdsr.scr
> > >
> > > Full headers are:
> > >  Return-Path: <g>
> > >  Received: from Jcdyf (hurricane-ppp29.sorel.cognicase.net
> > [64.254.11.35])
> > >   by courrier.cegeptr.qc.ca (8.12.5/8.12.5) with SMTP id
> > g7KE78FF002666
> > >   for <infoprog at cegeptr.qc.ca>; Tue, 20 Aug 2002 10:07:09 -0400
> > >  Date: Tue, 20 Aug 2002 10:07:08 -0400
> > >  Message-Id: <200208201407.g7KE78FF002666 at courrier.cegeptr.qc.ca>
> > >  From: webmaster <webmaster at johnabbott.qc.ca>
> > >  To: infoprog at cegeptr.qc.ca
> > >  Subject: Scrolling
> > >  MIME-Version: 1.0
> > >  Content-Type: multipart/alternative;
> > >   boundary=BBowx3aO8i4OBHwS930B5Us0800A2M03
> > >
> > > --
> > > MailScanner
> > > Email Virus Scanner
> >
> > I don't understand why the sender is webmaster at my.domain and
> > in the header
> > is webmaster at johnabbott.qc.ca
> >
> > The user's auto-response goes to webmaster at cegeptr.qc.ca
> >
> > I'm using MailScanner 3.20-7 with no spam detection and McAfee
> >
> > Does someone know what my problem is?
> > Thanks!
> >
> > Jonathan
> >
>
>

--
Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ
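
The log check suggested in the quoted reply (grep the syslog mail log for the message number), as an added example that is not part of the original thread. It assumes sendmail-style log lines; the sample log, its hosts and addresses, and the helper names log_field and trace_qid are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample in sendmail's syslog layout. Hosts, addresses and PIDs are
# made up; only the queue ID is the one shown in the report quoted above.
sample_log() {
cat <<'EOF'
Aug 20 10:07:09 mx sendmail[2666]: g7KE78FF002666: from=<Webmaster@victim.example>, size=121034, class=0, nrcpts=1, msgid=<200208201407.g7KE78FF002666@mx.victim.example>, proto=SMTP, daemon=MTA, relay=dialup29.isp.example [192.0.2.35]
Aug 20 10:07:10 mx sendmail[2671]: g7KE79FF002670: from=<alice@other.example>, size=2210, class=0, nrcpts=1, msgid=<abc@other.example>, proto=ESMTP, daemon=MTA, relay=mail.other.example [198.51.100.7]
Aug 20 10:07:12 mx sendmail[2668]: g7KE78FF002666: to=<infoprog@victim.example>, delay=00:00:03, xdelay=00:00:00, mailer=local, pri=151034, dsn=2.0.0, stat=Sent
EOF
}

# log_field QID KEY < maillog
# Print the value of KEY (from, to, relay, stat, ...) on every line logged for QID.
log_field() {
    awk -v qid="$1" -v key="$2" '
        index($0, "]: " qid ": ") {
            rec = substr($0, index($0, qid ": ") + length(qid) + 2)
            n = split(rec, kv, ", ")
            for (i = 1; i <= n; i++)
                if (index(kv[i], key "=") == 1)
                    print substr(kv[i], length(key) + 2)
        }'
}

# trace_qid QID HEADER_FROM < maillog
# relay= is what the MTA observed on the connection; from= is only what the
# client claimed in MAIL FROM, and HEADER_FROM is only what the message claims.
trace_qid() {
    log=$(cat)
    env_from=$(printf '%s\n' "$log" | log_field "$1" from | tr -d '<>')
    echo "relay=$(printf '%s\n' "$log" | log_field "$1" relay)"
    echo "envelope-from=$env_from"
    echo "header-from=$2"
    echo "rcpt=$(printf '%s\n' "$log" | log_field "$1" to | tr -d '<>')"
    a=$(printf '%s' "$env_from" | tr 'A-Z' 'a-z')
    b=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if [ "$a" = "$b" ]; then echo "verdict=match"; else echo "verdict=MISMATCH"; fi
}

# Header From: value is constructed, standing in for the one in the report.
sample_log | trace_qid g7KE78FF002666 "webmaster@neighbour.example"
```

Against a real log, feed the file on stdin in place of sample_log; the relay line identifies the connecting host even when both sender addresses are forged.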



