Klez-G

Rose, Bobby brose at MED.WAYNE.EDU
Thu May 9 15:42:12 IST 2002


But how can the host/ip in the received from header be forged since it's
being put there by the recipient system?  Also the Message-ID is
constructed by the recipient system so it would be hard for that to be
forged as well.  The only problem with the message-id is that it's
replaced by whatever system picks it up so if it's a relayed message,
the Message-ID would be for the relayed domain.

As for nagging the remote postmaster, who here are postmasters and get
nagged anyway?  Probably everyone.  The problem doesn't get resolved
unless someone on the remote end gets involved.  At least they would
know the actual sender and contact them.  That's what we've had to do
here for people dialing into the University dialin pool.  Send it to the
dialin pool people to look to see who was connected at the time the
virus was sent so that they can be contacted.  I would assume it should
be the same process for Comcast or Verizon.


-----Original Message-----
From: Julian Field [mailto:jkf at ECS.SOTON.AC.UK] 
Sent: Thursday, May 09, 2002 7:23 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: Klez-G


Parsing out the domain and then guessing at the relevant postmaster
address is almost impossible to do automatically. For example, if you
sent it to "postmaster at xxx.yyy" as you suggest, and the message claims
to have come from us, you would miss us completely as I am
postmaster at vvv.xxx.yyy.zzz. Mailing postmaster at xxx.yyy would get you
nowhere, apart from annoying the administrators for the entire UK
academic community.

And sending it to "postmaster at 130.85.253.53" will only work if they
either have wildcard MX records (a very bad thing) or an MX record for
every host in their domain (unnecessary). In our case, all mail leaves
as foobar at ecs.soton.ac.uk and we just have MX records for
ecs.soton.ac.uk, not every host.ecs.soton.ac.uk.

So you see my problem...

At 11:52 09/05/2002, you wrote:
>Julian,
>    I too would like to see something going back to the remote 
>postmaster. Since I turned on the "Postmaster Gets Full Mail Headers" 
>option, I can see the domain that Klez came from, not just the phony 
>"From:".  What I have been doing (by hand), is looking at the topmost 
>Received line in the header, eg:
>
>  Received: from mx3out.umbc.edu (mx3out.umbc.edu [130.85.253.53])
>
>then bouncing the entire mailscanner message to "postmaster at xxx.yyy" 
>the last two components of the domain.  In this case, it would go to 
>postmaster at umbc.edu.  Maybe even postmaster at 130.85.253.53 in a pinch. 
>This logic could be automated via perl.
>
>** Jeff A. Earickson, Ph.D                         PHONE: 207-872-3659
>** Senior UNIX Sysadmin, Information Technology    EMAIL: jaearick at colby.edu
>** Colby College, 4214 Mayflower Hill,               FAX: 207-872-3076
>** Waterville ME, 04901-8842
>----------------------------------------------------------------------------
>
>On Thu, 9 May 2002, Julian Field wrote:
>
> > Date: Thu, 9 May 2002 10:25:38 +0100
> > From: Julian Field <jkf at ECS.SOTON.AC.UK>
> > Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: Re: Klez-G
> >
> > At 00:23 09/05/2002, you wrote:
> > >Has anyone made any modifications to Mailscanner yet forward a copy
> > >of the postmaster warning message to the postmaster in the domain 
> > >of the sending machine?  Or is this a bad idea of attempting?
> > >
> > >Just getting annoying seeing all these Klez's coming from Comcast, 
> > >Verizon and broadband provider domains.
> >
> > Oh, and another problem: what happens when the sender address is 
> > fake (like it is in most spam)? Then you are just going to harass 
> > completely the wrong person, which is a good way to get blocked by 
> > them.
> >
> > There is absolutely no way of guaranteeing the domain name from 
> > where the email message originated.
> > --
> > Julian Field                Teaching Systems Manager
> > jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> > Tel. 023 8059 2817          University of Southampton
> >                              Southampton SO17 1BJ
> >

--
Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ
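The point raised at the top of this message, that the host and address in the topmost Received line were written by the receiving system itself while the From: is whatever the virus chose, is what makes abuse triage possible at all. As an added example (not code from the thread or from MailScanner), this Python parses the Received chain of a constructed message, keeps only the hop written by our own MTA (assumed here to be mail.example.edu), and contrasts it with the claimed From: domain:

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a message from the thread): the From: is forged the
# way Klez forges it, while the Received: lines record the real delivery path.
# mx3out.umbc.edu [130.85.253.53] is the host quoted in the thread; the lower
# hop uses a documentation address (192.0.2.10) as a placeholder.
SAMPLE = """\
Received: from mx3out.umbc.edu (mx3out.umbc.edu [130.85.253.53])
\tby mail.example.edu (8.12.3/8.12.3) with ESMTP id g49FK2Ab012345
\tfor <someone@example.edu>; Thu, 9 May 2002 11:20:02 -0400
Received: from pc-home (dialup-10.isp.example [192.0.2.10])
\tby mx3out.umbc.edu (8.12.3/8.12.3) with SMTP id g49FJx1j023456;
\tThu, 9 May 2002 11:19:59 -0400
From: "A. Friend" <friend@verizon.net>
To: someone@example.edu
Subject: W32.Klez.removal.tools

body
"""

# "from <helo> (<reverse-dns> [<ip>]) by <host>", as sendmail writes it
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[\d.]+)\]\)"
                    r"\s+by\s+(?P<by>\S+)")

def received_hops(raw):
    """Parse every Received: header, most recent (topmost) first."""
    msg = message_from_string(raw)
    hops = [HOP_RE.search(h) for h in msg.get_all("Received", [])]
    return [m.groupdict() for m in hops if m]

def trusted_origin(raw, our_hosts):
    """Walk down the chain while the 'by' host is one of our own MTAs and keep
    the last such hop: it records the peer that really connected to us.  Any
    hop below it was written by someone else (possibly the virus) and is hearsay."""
    origin = None
    for hop in received_hops(raw):
        if hop["by"].lower() not in our_hosts:
            break
        origin = hop
    return origin

def triage(raw, our_hosts):
    """Contrast the claimed From: domain with the host our MTA actually spoke to."""
    origin = trusted_origin(raw, our_hosts)
    if origin is None:
        return None
    from_domain = parseaddr(message_from_string(raw)["From"])[1].split("@")[-1].lower()
    return {"from_domain": from_domain, "connecting_host": origin["rdns"],
            "connecting_ip": origin["ip"],
            "from_matches_origin": origin["rdns"].lower().endswith("." + from_domain)}
```

The connecting host is the only name worth reporting; as the thread notes, turning it into a postmaster address is a separate and unreliable guess.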