Klez-G

Julian Field jkf at ecs.soton.ac.uk
Thu May 9 16:19:11 IST 2002


At 15:42 09/05/2002, you wrote:
>But how can the host/ip in the received from header be forged since it's
>being put there by the recipient system?

Never seen packets with forged IP addresses? Lucky you!

>As for nagging the remote postmaster, who here are postmasters and get
>nagged anyway.  Probably everyone.  The problem doesn't get resolved
>unless someone on the remote end gets involved.  At least they would
>know the actual sender and contact them.  That's what we've had to do
>here for people dialing into the University dialin pool.  Send it to the
>dialin pool people to look to see who was connected at the time the
>virus was sent so that they can be contacted.  I would assume it should
>be the same process for Comcast or Verizon.

Fair enough, what would you like implementing? A customisable anti-virus
message sent to some customisable-address at sender-domain.com?

>-----Original Message-----
>From: Julian Field [mailto:jkf at ECS.SOTON.AC.UK]
>Sent: Thursday, May 09, 2002 7:23 AM
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: Re: Klez-G
>
>
>Parsing out the domain and then guessing at the relevant postmaster
>address is almost impossible to do automatically. For example, if you
>sent it to "postmaster at xxx.yyy" as you suggest, and the message claims
>to have come from us, you would miss us completely as I am
>postmaster at vvv.xxx.yyy.zzz. Mailing postmaster at xxx.yyy would get you
>nowhere, apart from annoying the administrators for the entire UK
>academic community.
>
>And sending it to "postmaster at 130.85.253.53" will only work if they
>either have wildcard MX records (a very bad thing) or an MX record for
>every host in their domain (unnecessary). In our case, all mail leaves
>as foobar at ecs.soton.ac.uk and we just have MX records for
>ecs.soton.ac.uk, not every host.ecs.soton.ac.uk.
>
>So you see my problem...
>
>At 11:52 09/05/2002, you wrote:
> >Julian,
> >    I too would like to see something going back to the remote
> >postmaster. Since I turned on the "Postmaster Gets Full Mail Headers"
> >option, I can see the domain that Klez came from, not just the phony
> >"From:".  What I have been doing (by hand), is looking at the topmost
> >Received line in the header, eg:
> >
> >  Received: from mx3out.umbc.edu (mx3out.umbc.edu [130.85.253.53])
> >
> >then bouncing the entire mailscanner message to "postmaster at xxx.yyy"
> >the last two components of the domain.  In this case, it would go to
> >postmaster at umbc.edu.  Maybe even postmaster at 130.85.253.53 in a pinch.
> >This logic could be automated via perl.
> >
> >** Jeff A. Earickson, Ph.D                         PHONE: 207-872-3659
> >** Senior UNIX Sysadmin, Information Technology    EMAIL: jaearick at colby.edu
> >** Colby College, 4214 Mayflower Hill,               FAX: 207-872-3076
> >** Waterville ME, 04901-8842
> >----------------------------------------------------------------------------
> >
> >On Thu, 9 May 2002, Julian Field wrote:
> >
> > > Date: Thu, 9 May 2002 10:25:38 +0100
> > > From: Julian Field <jkf at ECS.SOTON.AC.UK>
> > > Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
> > > To: MAILSCANNER at JISCMAIL.AC.UK
> > > Subject: Re: Klez-G
> > >
> > > At 00:23 09/05/2002, you wrote:
> > > >Has anyone made any modifications to Mailscanner yet to forward a copy
> > > >of the postmaster warning message to the postmaster in the domain
> > > >of the sending machine?  Or is this a bad idea of attempting?
> > > >
> > > >Just getting annoying seeing all these Klez's coming from Comcast,
> > > >Verizon and broadband provider domains.
> > >
> > > Oh, and another problem: what happens when the sender address is
> > > fake (like it is in most spam)? Then you are just going to harass
> > > completely the wrong person, which is a good way to get blocked by
> > > them.
> > >
> > > There is absolutely no way of guaranteeing the domain name from
> > > where the email message originated.
> > > --
> > > Julian Field                Teaching Systems Manager
> > > jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> > > Tel. 023 8059 2817          University of Southampton
> > >                              Southampton SO17 1BJ
> > >
>
>--
>Julian Field                Teaching Systems Manager
>jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
>Tel. 023 8059 2817          University of Southampton
>                              Southampton SO17 1BJ

--
Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ
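As an added illustration of the Received-line heuristic Jeff describes and the failure Julian points out (example code written for this archive page, not MailScanner's own): it parses the topmost Received line, applies the "last two components" rule, and shows that for a multi-label suffix such as ac.uk the rule lands on postmaster at ac.uk, while even a suffix-aware variant only reaches soton.ac.uk, not the ecs.soton.ac.uk admin. The sample lines, the 192.0.2.10 address and the tiny suffix set are constructed stand-ins.

```python
import re

# Shape of the line quoted in the thread: "from <helo> (<reverse-dns> [<ip>])".
# The HELO name is supplied by the connecting client; the reverse name and the
# bracketed address are what the receiving MTA itself recorded.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9.]+)\]\)"
)

# Constructed sample lines, modelled on the one quoted in the thread.
# 192.0.2.10 is a documentation (TEST-NET) address, not a real relay.
SAMPLES = [
    "Received: from mx3out.umbc.edu (mx3out.umbc.edu [130.85.253.53])",
    "Received: from mail.ecs.soton.ac.uk (mail.ecs.soton.ac.uk [192.0.2.10])",
]

# Hypothetical stand-in for a real public-suffix list; only what this example needs.
MULTI_LABEL_SUFFIXES = {"ac.uk", "co.uk"}


def parse_received(line):
    """Return (helo, rdns, ip) from a Received header, or None if the line
    does not have the shape above (many legitimate Received lines do not)."""
    m = RECEIVED_RE.match(line)
    return (m["helo"], m["rdns"], m["ip"]) if m else None


def naive_postmaster(host):
    """The heuristic proposed in the thread: last two labels of the host."""
    return "postmaster@" + ".".join(host.split(".")[-2:])


def suffix_aware_postmaster(host):
    """Same idea, but keep one extra label above a known multi-label suffix.
    Still only guesses the registrable domain, not the actual admin host."""
    labels = host.split(".")
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return "postmaster@" + ".".join(labels[-3:])
    return naive_postmaster(host)


if __name__ == "__main__":
    for line in SAMPLES:
        helo, rdns, ip = parse_received(line)
        print(rdns, ip, naive_postmaster(rdns), suffix_aware_postmaster(rdns))
```

Neither guess verifies that the reported domain actually sent the message, which is the point Julian makes about forged senders.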