Paul Schmehl <[EMAIL PROTECTED]> wrote:

> In deference to the experts, Joe and Nick, rather than argue about what
> Swen does, I'll just post some headers and ask for a *brief* explanation of
> them.
>
> 1st header is a "bounce" to my work account. Unfortunately the bouncing
> party didn't bother to include the original message headers, but it's
> evident that they *thought* that I sent them the virus. Since the "From"
> address was "Microsoft Security Support"
> <[EMAIL PROTECTED]>, how does this get back to me
> unless the "MAIL FROM" command was "[EMAIL PROTECTED]"?

<<snip headers Paul has correctly deciphered>>

As well as what Joe and I have already said about Swen's grabbing the "SMTP Email Address" value from the default IAM account in the registry and its use of this as the MAIL FROM: argument, don't forget that as well as mass-sending itself as an apparent MS security patch, Swen also sends itself as an attachment to Emails faked as bounce messages. This seems to be what the first example message you posted is.

Note that it has an Incorrect MIME Type exploit in the body _of the bounce message_. If it were really a bounce of a Swen message, that exploit would be in the body of the bounced message rather than in the message part telling you it was unable to deliver some other message.

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
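Nick's distinction (the mismatched-MIME-type attachment sits in the bounce notice itself, versus inside the quoted bounced message) can be checked mechanically. The following is an added example, not code from the thread or from any product mentioned in it. It uses only Python's standard `email` package: two constructed sample messages are built (all addresses are invented `example.*` addresses and the "executable" is a placeholder byte string, not a real program), then the parsed MIME tree is walked while tracking whether the walker has descended into a `message/rfc822` part. An attachment whose filename has an executable extension but whose declared Content-Type is something innocuous such as `audio/x-wav` is treated as the incorrect-MIME-type pattern the post refers to; where it is found decides the verdict. The walk is general and works on any message, not just the two samples.

```python
# Added example (not from the thread): classify a bounce notice by *where*
# a mismatched-MIME executable attachment appears in its MIME tree.
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute when the attachment is opened.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")
# Major types that never legitimately carry a Windows executable.
INNOCUOUS_MAJOR_TYPES = ("audio", "image", "video", "text")
# Constructed placeholder standing in for an executable payload.
FAKE_EXE_BYTES = b"MZ-constructed-placeholder-not-a-real-program"


def build_fake_bounce() -> bytes:
    """Constructed sample: a worm-generated 'bounce'. The suspicious attachment
    is part of the notice itself; no bounced message is quoted at all."""
    msg = EmailMessage()
    msg["From"] = "postmaster@example.net"      # constructed
    msg["To"] = "recipient@example.org"         # constructed
    msg["Subject"] = "Undeliverable mail"
    msg.set_content("Your message could not be delivered.")
    # Declared as audio/x-wav, named as an executable: the mismatch.
    msg.add_attachment(FAKE_EXE_BYTES, maintype="audio", subtype="x-wav",
                       filename="install.exe")
    return msg.as_bytes()


def build_real_bounce() -> bytes:
    """Constructed sample: a genuine delivery-failure notice that quotes the
    infected original as a message/rfc822 part. The mismatched attachment
    lives inside that quoted original, as Nick says it would."""
    original = EmailMessage()
    original["From"] = "Security Support <forged@example.com>"   # forged From:, constructed
    original["To"] = "nobody@example.net"
    original["Subject"] = "Latest Security Patch"
    original.set_content("Please install the attached patch.")
    original.add_attachment(FAKE_EXE_BYTES, maintype="audio", subtype="x-wav",
                            filename="patch.exe")

    bounce = EmailMessage()
    bounce["From"] = "MAILER-DAEMON@example.net"
    # A real DSN goes to the envelope sender (MAIL FROM), not the From: header.
    bounce["To"] = "recipient@example.org"
    bounce["Subject"] = "Returned mail: User unknown"
    bounce.set_content("The following message could not be delivered.")
    bounce.add_attachment(original)             # attached as message/rfc822
    return bounce.as_bytes()


def find_mime_mismatches(part, inside_original=False, found=None):
    """Recursively walk a parsed message and record every attachment with an
    executable filename but an innocuous declared type, tagged with whether it
    was found in the bounce body or inside the quoted original message."""
    if found is None:
        found = []
    ctype = part.get_content_type()
    if ctype == "message/rfc822":
        # Everything below this node belongs to the *bounced* message.
        for inner in part.get_payload():
            find_mime_mismatches(inner, True, found)
    elif part.is_multipart():
        for sub in part.iter_parts():
            find_mime_mismatches(sub, inside_original, found)
    else:
        name = (part.get_filename() or "").lower()
        if name.endswith(EXECUTABLE_EXTENSIONS) and \
                part.get_content_maintype() in INNOCUOUS_MAJOR_TYPES:
            found.append(("original" if inside_original else "bounce-body",
                          ctype, name))
    return found


def mismatches_in(raw: bytes):
    """Parse raw message bytes and return the list of (location, type, name)."""
    return find_mime_mismatches(email.message_from_bytes(raw, policy=policy.default))


def classify_bounce(raw: bytes) -> str:
    locations = {loc for loc, _, _ in mismatches_in(raw)}
    if "bounce-body" in locations:
        return "fake-bounce"                    # the notice itself carries the exploit
    if "original" in locations:
        return "bounce-of-infected-original"    # exploit only in the quoted message
    return "no-mime-mismatch"


if __name__ == "__main__":
    for label, builder in (("fake", build_fake_bounce), ("real", build_real_bounce)):
        print(label, "->", classify_bounce(builder()))
```

Running the script prints `fake -> fake-bounce` and `real -> bounce-of-infected-original`. On a mail gateway the same walk can be applied to any inbound message: a "bounce" whose top-level parts carry an executable-named attachment under a non-application type was never produced by a mail server, whatever its From: and Subject: say.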
