So what good does that do when Klez has its own SMTP engine and always tries to connect to the "sender's" mail server address?

Say if I got infected and Klez would spoof your address [EMAIL PROTECTED], then Klez on my machine would connect to the MX server for knl.cc and try to send out the message through that server (if the server is configured as it should be, then it will deny the delivery attempt since it's a relay attempt). That way it really would look like it came from you. :( However, if it does fail to connect to the MX servers for knl.cc, then it's my understanding it falls back to the SMTP server configured in Outlook.

Also, the from address in the SMTP envelope and in the message body do not have to be the same, and from my experience they rarely are the same.

For a long time we had our mail server configured to relay for local users only, and we kept an eye on it and didn't see any problems for almost a year, but then Klez came out and the amount of viruses that tried to send through our server got rampant, so we had to turn on "relay mail for addresses", which immediately killed off 98% of all Klez viruses. Today we see occasional Klez viruses where the to address is a customer of ours, but so far we have never seen a single Klez where any of our domains is the from address or the remote IP is one that belongs to us or our customers.

One good thing with Klez is that it forces many admins to actually start doing things "right".

Tuesday, August 20, 2002, 12:55:45 PM, you wrote:

RB> We're stopping tons with the same sender address too. After the first
RB> couple dozen I decided the user must actually have the virus. We knew them,
RB> contacted them by phone and explained the problem. They were/are totally
RB> clueless and have no idea how to go about getting virus software and
RB> scanning for Klez. <sigh> I contacted their ISP and they said they will be
RB> shutting down their e-mail account until they get the problem solved.
RB>
RB> - Rodney
RB>
RB> -----Original Message-----
RB> From: [EMAIL PROTECTED]
RB> [mailto:[EMAIL PROTECTED]]On Behalf Of Heimir Eidskrem
RB> Sent: Tuesday, August 20, 2002 1:44 PM
RB> To: [EMAIL PROTECTED]
RB> Subject: [Declude.Virus] Klez and IP
RB>
RB> We are stopping tons of Klez infected mail using the same sender address.
RB> My question is regarding the reported remote IP address - the IP address
RB> reported using the %remoteip% is that the actual IP address of the
RB> computer sending the virus or is that also forged by the virus?
RB> So far I have logged 25 different IP addresses using the same sender
RB> address.
RB>
RB> Thanks,
RB> H.

Best regards,
Eje Gustafsson                          mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network        http://www.fament.com
Phone : 620-231-7777                    Fax : 620-231-4066
eBay UserID : macahan
- Your Full Time Professionals -
---
[This E-mail scanned for viruses by Declude Virus]
---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
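The three signals the thread turns on (the TCP peer address, the envelope MAIL FROM, and the From: header inside the message body, which need not agree) can be checked mechanically. The following is an added example written for this page; it is not code from the post, from Declude, or from any MTA. It assumes two constructed policy tables: LOCAL_DOMAINS (domains the server accepts mail for) and AUTHORIZED_SENDERS (networks from which each known domain's mail is expected, standing in for an MX/netblock or SPF-style list). The sample delivery attempts are constructed to mirror the situations the post describes.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed policy tables standing in for the server's own configuration:
# the domains it accepts mail for, and the networks its own users and
# customers send from. All names and addresses here are hypothetical.
LOCAL_DOMAINS = {"example.net"}
AUTHORIZED_SENDERS = {
    "example.net": [ipaddress.ip_network("192.0.2.0/24")],
    "customer.example": [ipaddress.ip_network("198.51.100.0/24")],
}


def domain_of(addr):
    """Domain part of an e-mail address, lower-cased."""
    return addr.rpartition("@")[2].lower()


def header_from(raw_message):
    """Address in the message body's From: header (distinct from MAIL FROM)."""
    msg = message_from_string(raw_message)
    return parseaddr(msg.get("From", ""))[1].lower()


def ip_authorized_for(ip, domain):
    """True if the connecting IP is one the domain's mail is expected from."""
    return any(ip in net for net in AUTHORIZED_SENDERS.get(domain, []))


def triage(remote_ip, envelope_from, rcpt_to, raw_message):
    """Classify one delivery attempt and return a list of findings.

    remote_ip is the TCP peer address: a worm can forge both the envelope
    sender and the header From, but not the address it connected from.
    """
    ip = ipaddress.ip_address(remote_ip)
    env_dom = domain_of(envelope_from)
    findings = []

    # Recipient outside our domains means a relay request. Decide on the
    # connecting IP only ("relay mail for addresses"), never on the claimed sender.
    if domain_of(rcpt_to) not in LOCAL_DOMAINS and not ip_authorized_for(ip, env_dom):
        findings.append("relay-denied")

    # Envelope sender claims a domain we know, from an IP that domain never
    # sends from: the sender address is spoofed.
    if env_dom in AUTHORIZED_SENDERS and not ip_authorized_for(ip, env_dom):
        findings.append("sender-domain-spoofed")

    # Envelope and header sender need not agree; a mismatch is worth logging.
    hdr = header_from(raw_message)
    if hdr and hdr != envelope_from.lower():
        findings.append("header-from-mismatch")
    return findings


# Constructed sample attempts (remote_ip, MAIL FROM, RCPT TO, message).
KLEZ_RELAY_ATTEMPT = (
    "203.0.113.7", "alice@example.net", "bob@elsewhere.example",
    "From: Alice <alice@example.net>\nTo: bob@elsewhere.example\nSubject: hello\n\nbody\n",
)
LOCAL_USER_RELAY = (
    "192.0.2.10", "alice@example.net", "carol@elsewhere.example",
    "From: alice@example.net\nTo: carol@elsewhere.example\nSubject: report\n\nbody\n",
)
KLEZ_TO_LOCAL_USER = (
    "203.0.113.9", "someone@unknown.example", "dave@example.net",
    "From: Eve <eve@other.example>\nTo: dave@example.net\nSubject: hello\n\nbody\n",
)

if __name__ == "__main__":
    for sample in (KLEZ_RELAY_ATTEMPT, LOCAL_USER_RELAY, KLEZ_TO_LOCAL_USER):
        print(sample[0], sample[1], "->", sample[2], triage(*sample) or ["accepted"])
```

The relay decision deliberately ignores the sender address and looks only at the connecting IP, which is the point of switching from "relay for local users" (sender-based) to "relay mail for addresses" (IP-based): a worm that borrows a local user's address from an address book gains nothing. The header/envelope mismatch is logged rather than rejected on its own, since legitimate mailing lists and forwarders produce it too.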
