OT: W32/Klez.H@mm

Matt Kettler mkettler at EVI-INC.COM
Tue Sep 17 00:50:30 IST 2002


In most cases, the senders don't know, because Klez works hard to make it
difficult to figure out who is infected and sent the virus. Certainly
automated MailScanner notices are NOT going to the correct sender.

People who detect the virus incoming have to do a lot of detective work
to tell the person sending the virus that they are infected. All of the
Froms are forged, including the envelope, so you can only reduce the set
based on the MX that transferred it, and look for other people who email
you that use that same MX. If it's the MX of a large ISP, this becomes
difficult. You can track it back to the originating IP, but if it's a
dial-in, you've really only limited yourself to one dialing area for one ISP.

If you have 20 friends or mailing list members in one town who all use the
same local ISP, it's very tough to narrow it down. Often you might not even
normally get email from that person via that ISP because they may only
email you via Yahoo webmail, etc.

At 06:24 PM 9/16/2002 -0500, Matt wrote:
>Does this thing ever go away?  I am tempted to set up MailScanner to quietly
>delete this one.  What is the deal, why does it just keep floating around?
>Don't the senders care they have a virus on their PC?
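
The narrowing step described in this message, as an added example that is not part of the original post: it ignores the forged From and envelope, reads the Received chain to find the relay that handed the message to the receiving MX and the originating IP, then lists known correspondents whose legitimate mail arrived through that same relay. All hostnames, IP addresses and messages are constructed, and `mx.ourdomain.example` is an assumed name for the receiving MX.

```python
import re
from email import message_from_string

# Constructed sample (not real traffic); IPs are from documentation ranges.
SUSPECT = """\
Received: from smtp.isp.example (smtp.isp.example [192.0.2.25])
\tby mx.ourdomain.example with ESMTP; Mon, 16 Sep 2002 18:01:00 -0500
Received: from Xyz (dialup-17.isp.example [198.51.100.17])
\tby smtp.isp.example with SMTP; Mon, 16 Sep 2002 18:00:50 -0500
From: forged@victim.example
Subject: hello

body
"""

def sample(relay, ip, sender):
    """Build a constructed legitimate message delivered to our MX via `relay`."""
    return (f"Received: from {relay} ({relay} [{ip}])\n"
            f"\tby mx.ourdomain.example with ESMTP\n"
            f"From: {sender}\n\nhi\n")

KNOWN = {  # correspondent -> one legitimate message they sent us earlier
    "alice": sample("smtp.isp.example", "192.0.2.25", "alice@isp.example"),
    "bob": sample("smtp.isp.example", "192.0.2.25", "bob@isp.example"),
    "carol": sample("mail.other.example", "203.0.113.9", "carol@other.example"),
}

# "from <HELO name> (<reverse DNS name> [<peer IP>])" as many MTAs record it.
HOP = re.compile(r"from\s+\S+\s+\((\S+)\s+\[([0-9.]+)\]\)")

def hops(raw):
    """Return [(rdns_name, peer_ip), ...] from Received headers, newest first."""
    found = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(value)
        if m:
            found.append((m.group(1), m.group(2)))
    return found

def relay_and_origin(raw):
    """First hop is written by our own MX and can be trusted; the last hop is
    only as reliable as the upstream server that recorded it."""
    chain = hops(raw)
    return chain[0], chain[-1]

def candidates(suspect, known):
    """Correspondents whose known-good mail reached us via the same relay IP."""
    relay_ip = relay_and_origin(suspect)[0][1]
    return sorted(name for name, raw in known.items()
                  if hops(raw) and hops(raw)[0][1] == relay_ip)
```

As the message notes, this only reduces the set: two correspondents remain behind the same ISP relay here, and the dial-in address identifies a pool, not a person.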


