On Tuesday 23 September 2003 10:49 pm, Jason Coombs wrote: > and using the "From" address rather than the "From:" > address for the filter doesn't work, either, because the "From" > address appears to be a different non-randomized e-mail address, > possibly the real e-mail address of the infected victim (? haven't > read any forensic analysis on this point yet...)
The "From" or Return-Path address specified by the MAIL FROM: transaction in the SMTP session is the real email address of the infected user, or at least is what they entered on the fake MAPI dialog that Swen uses to get that information. -Joe -- Joe Stewart, GCIH Senior Security Researcher LURHQ Corporation http://www.lurhq.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
