> -----Original Message-----
> From: Joe Stewart [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, September 24, 2003 7:50 AM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] Swen Really Sucks
>
> The "From" or Return-Path address specified by the MAIL FROM:
> transaction in the SMTP session is the real email address of the
> infected user, or at least is what they entered on the fake MAPI dialog
> that Swen uses to get that information.

Please tell me you don't believe this is true. If you know anything about SMTP you know that the MAIL FROM: can be anything you want it to be. And Swen certainly forges the sender, as the hundreds of bounces I get will testify. There is *nothing* in an SMTP transaction that you can rely on except the headers *if* you know how to read headers. If you don't, even those will fool you.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
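
Added example, not part of the original post: a sketch of reading the Received chain on a received or bounced message, treating Return-Path (the MAIL FROM value) as unverified and trusting only hops stamped by your own MTA. The function name `trace`, the host names and the addresses are assumptions; the sample message is constructed from documentation domains and IP ranges.

```python
import re
from email import message_from_string

# Constructed sample. The second Received line is sender-supplied and
# falsely claims to have been stamped by our own MTA.
SAMPLE = """\
Return-Path: <victim@example.org>
Received: from mail.example.org (unknown [203.0.113.45])
\tby mx1.example.net (Postfix) with ESMTP id ABC123
\tfor <me@example.net>; Wed, 24 Sep 2003 07:41:02 -0500
Received: from relay.example.com ([198.51.100.7])
\tby mx1.example.net with SMTP; Wed, 24 Sep 2003 07:40:00 -0500
From: victim@example.org
Subject: constructed sample

body
"""

# "from <HELO name> (<what the receiving MTA saw>) ... by <stamping host>"
HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<peer>[^)]*)\).*?\bby\s+(?P<by>\S+)", re.S)
IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def trace(raw, my_mtas, internal_ips=frozenset()):
    """Walk Received headers newest-first and find where mail entered our MTAs.

    A hop is trusted only if it was stamped by one of my_mtas AND every hop
    above it was handed over by one of internal_ips. Everything below the
    first external peer could have been written by the sender.
    """
    msg = message_from_string(raw)
    out = {"return_path": msg.get("Return-Path"),  # envelope sender, unverified
           "helo": None, "peer_ip": None, "untrusted_hops": 0}
    trusting = True
    for hdr in msg.get_all("Received", []):
        m = HOP.search(hdr)
        if trusting and m and m.group("by").lower() in my_mtas:
            ip = IP.search(m.group("peer"))
            out["helo"] = m.group("helo")          # client-supplied name
            out["peer_ip"] = ip.group(1) if ip else None  # seen by our MTA
            trusting = out["peer_ip"] in internal_ips
        else:
            trusting = False
            out["untrusted_hops"] += 1
    return out

if __name__ == "__main__":
    print(trace(SAMPLE, {"mx1.example.net"}))
```
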
