Silent virus list
Antony Stone
Antony at SOFT-SOLUTIONS.CO.UK
Fri Sep 19 12:32:06 IST 2003
On Friday 19 September 2003 12:23 pm, Raymond Dijkxhoorn wrote:
> > Are you sure this should be on the silent list? From what I can see of
> > the copies we've caught, the envelope From address is related to the
> > first mail server that the message goes through. Earlier flavours of
> > Gibe haven't forged the envelope address either as far as I can see...?
>
> You can assure that I won't post this just like that...
>
> Examples:
>
> From: Microsoft Corporation Technical Assistance <cxrdnriunp at technet.com>
> From: Microsoft Network Message Storage System <webrobot at netmail.net>
>
> Did you read the announcement on the page I posted? I think not.
>
> From that page:
>
> The attachment name, subject and part of the infected message is randomly
> composed from text strings hardcoded in the worm's body.

All this is indeed true, however these refer to the "From: " field in the
headers of the email.

I can see emails being caught on my MailScanner system with completely
unrelated SMTP envelope From fields, and therefore I think the question asked
by Martin is valid.

We know that the header From field is forged, but is the SMTP envelope
address also forged?

I suspect not (and I'm investigating the apparent senders of some of the
viruses I've had to try and find out).

Regards,

Antony.
--
"John Major" and "Cher" are as much abstractions as "the national debt" or
"the state of Welsh rugby".
- Guy Claxton, Hare Brain, Tortoise Mind
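
The header-versus-envelope comparison discussed in this message, as an added example that is not part of the original post or of MailScanner: it reads a caught message and reports whether the envelope sender's domain matches the header From and whether it matches the first mail server in the Received chain. It assumes the envelope sender was recorded in a Return-Path header at delivery; the sample message and all function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed sample, not a captured message: header From on an unrelated
# domain, envelope sender on the domain of the first relay.
SAMPLE = """\
Return-Path: <user@isp.example>
Received: from smtp.isp.example (smtp.isp.example [198.51.100.7])
\tby mx.recipient.example; Fri, 19 Sep 2003 12:00:05 +0100
Received: from pc (dsl-5.isp.example [203.0.113.5])
\tby smtp.isp.example; Fri, 19 Sep 2003 12:00:01 +0100
From: Example Technical Assistance <randomlocal@vendor.example>
Subject: constructed sample

body
"""

def domain_of(header_value):
    """Domain part of an address header; '' for a null sender (<>)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def first_server(msg):
    """Host in the 'by' clause of the oldest Received header (the last one
    listed). Hops added before your own MTA are unauthenticated input."""
    received = msg.get_all("Received") or []
    if not received:
        return ""
    m = re.search(r"\bby\s+([A-Za-z0-9.-]+)", received[-1])
    return m.group(1).lower().rstrip(".") if m else ""

def related(host, domain):
    """True when host is the domain itself or a name underneath it."""
    return bool(domain) and (host == domain or host.endswith("." + domain))

def compare_senders(raw):
    msg = message_from_string(raw)
    env = domain_of(msg.get("Return-Path"))
    hdr = domain_of(msg.get("From"))
    hop = first_server(msg)
    return {
        "envelope_domain": env,
        "header_domain": hdr,
        "first_server": hop,
        "header_matches_envelope": bool(env) and env == hdr,
        "envelope_matches_first_server": related(hop, env),
    }
```
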