Actually Scott - DECLUDE is much smarter than you give it credit for.
In ALL of my many daily KLEZ encounters I have found the following to be
true:
a) the Message Header "FROM:" is false
b) the Envelope "FROM:" always uses an email address that matches the host
in the first RECEIVED line.
Here is a sample from a few minutes ago:
Header From: [EMAIL PROTECTED]
Envelope From: [EMAIL PROTECTED]
Their Server: hbci.com [206.230.105.5] for hbci.com
Message ID: <[EMAIL PROTECTED]>
I have YET to receive ONE complaint about one of the KLEZ notifications. So
I'm pretty confident that the Envelope From may contain the TRUE email
address of the infected user.
-----Original KLEZ Message Headers-----
Received: from mailserv.hbci.com [206.230.105.5] by hm-software.com with
ESMTP
(SMTPD32-7.07) id A21C3B000C0; Thu, 02 May 2002 11:58:20 -0400
Received: from Zoun (m-0-242.docsis.hbci.com [64.213.219.242] (may be
forged))
by mailserv.hbci.com (Switch-2.1.1/Switch-2.1.0) with SMTP id g42FqMi00603
for <[EMAIL PROTECTED]>; Thu, 2 May 2002 10:52:23 -0500 (CDT)
Date: Thu, 2 May 2002 10:52:23 -0500 (CDT)
Message-Id: <[EMAIL PROTECTED]>
From: jnban <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Worm Klez.E immunity
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=A8IV6z39Y8a42788G4e5
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of R. Scott Perry
Sent: Thursday, May 02, 2002 12:00 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Klez.h
>Hi, how do I tell where the Klez.h is really coming from? Thanks.
The only way to know for sure is to check the first Received: header to see
the IP address that it was sent from. To find the user it came from, you
would need to find someone responsible for the IP address it came from, and
hope that they can track down the user.
-Scott
---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". You can E-mail
[EMAIL PROTECTED] for assistance. You can visit our web
site at http://www.declude.com .
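As an added example (not code from the thread or from Declude), here is a small Python header walk that applies Scott's advice and the poster's observation to the headers quoted above: it reads the Received: chain from the bottom up to find the IP the worm was sent from, and checks whether the envelope sender's domain matches the host that handed the message to our server. The envelope sender is a constructed placeholder because the post redacts it, and the folding whitespace on the continuation lines is restored.

```python
import re
from email import message_from_string

# Headers quoted in the thread above, with the folding whitespace on the
# continuation lines restored (redacted addresses left as on the page).
KLEZ_HEADERS = """\
Received: from mailserv.hbci.com [206.230.105.5] by hm-software.com with
 ESMTP
 (SMTPD32-7.07) id A21C3B000C0; Thu, 02 May 2002 11:58:20 -0400
Received: from Zoun (m-0-242.docsis.hbci.com [64.213.219.242] (may be
 forged))
 by mailserv.hbci.com (Switch-2.1.1/Switch-2.1.0) with SMTP id g42FqMi00603
 for <[EMAIL PROTECTED]>; Thu, 2 May 2002 10:52:23 -0500 (CDT)
From: jnban <[EMAIL PROTECTED]>
Subject: Worm Klez.E immunity
"""
# Constructed placeholder: the post redacts the real envelope sender.
ENVELOPE_FROM = "someone@hbci.com"

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"^from\s+([\w.-]+)", re.I)
BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.I)

def parse_received(raw_headers):
    """Return the Received: hops in transit order (sending machine first).
    Each relay prepends its own Received: line, so the bottom-most line was
    written by the first server to see the message; the bracketed IP there
    is what Scott says to trust, not the forged From: header."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())  # unfold continuation lines
        ip, frm, by = IP_RE.search(text), FROM_RE.match(text), BY_RE.search(text)
        hops.append({
            "from_host": frm.group(1) if frm else None,
            "ip": ip.group(1) if ip else None,
            "by_host": by.group(1) if by else None,
            # sendmail adds this when reverse DNS does not confirm the HELO name
            "forged_hint": "may be forged" in text,
        })
    return hops

def envelope_matches_relay(envelope_from, raw_headers):
    """The poster's heuristic: the envelope sender's domain should match the
    host that handed the message to our server (the top Received: line)."""
    handoff = parse_received(raw_headers)[-1]
    domain = envelope_from.rsplit("@", 1)[-1].lower()
    return (handoff["from_host"] or "").lower().endswith(domain)
```

For the quoted headers, `parse_received(KLEZ_HEADERS)[0]` yields the cable-modem host 64.213.219.242 flagged "may be forged", and the envelope domain check returns True for an hbci.com sender.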