Silent virus list

Martin Sapsed m.sapsed at BANGOR.AC.UK
Fri Sep 19 12:41:24 IST 2003


Raymond Dijkxhoorn wrote:
>>Are you sure this should be on the silent list? From what I can see of
>>the copies we've caught, the envelope From address is related to the
>>first mail server that the message goes through. Earlier flavours of
>>Gibe haven't forged the envelope address either as far as I can see...?
>
> You can assure that I won't post this just like that...

With respect, Raymond, you can be sure I wouldn't question your
suggestion without good reason...

> Examples:
>
> From: Microsoft Corporation Technical Assistance <cxrdnriunp at technet.com>
> From: Microsoft Network Message Storage System <webrobot at netmail.net>
>
> We have gotten 5179 of W32/Swen.A at mm today so far.
>
> Did you read the announcement on the page I posted? I think not.
>
> From that page:
>
> The attachment name, subject and part of the infected message is randomly
> composed from text strings hardcoded in the worm's body.
>
> The fake sender's address is selected from the following parts:

I see that, but those are the "From: " address in the message headers.
My experience is that the envelope From address bears a strong
resemblance to the server the mail is routed through and is not the same
as the "From: " address. Since (Julian will correct me if I'm wrong)
it's the Sender: address rather than the From: address which is used for
the alerts, I see no need to treat this as Silent and would rather alert
the victims when I can.

> It's your pick to put it on the Silent list, I would not hesitate...

Indeed, and you are free to do so. I'm just not convinced myself.

Cheers,

Martin

--
Martin Sapsed
Information Services               "Who do you say I am?"
University of Wales, Bangor             Jesus of Nazareth
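
The envelope sender versus "From:" header distinction argued in the message above, as an added example that is not part of the original post and is not MailScanner code. It assumes the receiving MTA records the SMTP MAIL FROM value in Return-Path and that sender alerts go to that address, as the post supposes; the function names and the sample addresses are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: header From: composed by the worm, envelope sender
# recorded by the receiving MTA in Return-Path (addresses are made up).
SAMPLE = (
    "Return-Path: <user17@dialup.isp.example>\n"
    "Received: from dialup.isp.example by mx.site.example\n"
    "From: Microsoft Corporation Technical Assistance <cxrdnriunp@technet.example>\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)
# Constructed bounce: null envelope sender, which must never receive an alert.
BOUNCE = SAMPLE.replace("<user17@dialup.isp.example>", "<>")


def sender_addresses(raw):
    """Return (envelope_sender, header_from) for a delivered message."""
    msg = message_from_string(raw)
    envelope = msg.get("Return-Path", "").strip().strip("<>").lower()
    header = parseaddr(msg.get("From", ""))[1].lower()
    return envelope, header


def domains_differ(raw):
    """True when the header From: domain is not the envelope sender's domain."""
    envelope, header = sender_addresses(raw)
    return envelope.rpartition("@")[2] != header.rpartition("@")[2]


def alert_target(raw, silent):
    """Address a sender alert would go to, or None when no alert is sent.

    silent=True models a virus placed on the silent list because its
    envelope sender is believed to be forged as well.
    """
    envelope, _header = sender_addresses(raw)
    if silent or not envelope:
        return None
    # The header From: is never used: the worm composes it from fixed strings.
    return envelope


if __name__ == "__main__":
    print(sender_addresses(SAMPLE), domains_differ(SAMPLE))
    print(alert_target(SAMPLE, silent=False), alert_target(BOUNCE, silent=False))
```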
