>> On Fri, 3 Jan 2003 [EMAIL PROTECTED] wrote:
>>
> >The scenario turned up when a person I know received spam with the
> >sender being spoofed showing [EMAIL PROTECTED] and recipient being
> >[EMAIL PROTECTED] After inspecting the mail headers, we
> >discovered that the source IP was definitely external. We've scoured
> >sendmail.org, arachnoid.com, cauce.org and all the books we have and
> >could not find this scenario specifically mentioned.
> >

Just to answer the above .. it is just a mass mailer virus. 

Current versions have their own SMTP and attempt to "guess" at smtp 
engines from addresses found. IE: address found in doc = 
[EMAIL PROTECTED], virus tries to send by smtp.someschool.edu .

It scans local and net attached drives for addresses in address 
book[s], IRC applications, .doc, .hta, .html, .xls + other file 
types. It disables various virus checker applications, 
inserts/attaches random docs, random subject lines, etc.

Just means you can get email from yourself or a dead person .. 
depending on the documentation data available on the infected unit.

Not sure you should deal with this at the sendmail point .. 

regards,
/don



_______________________________________________________
Don Voss

"Jazz music is an intensified feeling of nonchalance."
 -- Francoise Sagan
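
The header inspection described in the quoted question (sender in the local domain, source IP external), as an added example that is not part of the original thread. The domain, MX host name, internal address range and both sample messages are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed site values (constructed, not from the thread).
LOCAL_DOMAIN = "example.edu"
OUR_MX = "mx.example.edu"
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def handoff_ip(msg):
    """IP of the host that connected to our MX.

    Only the topmost Received header written by our own MX is trusted;
    everything below it was supplied by the sender and can be forged.
    """
    for received in msg.get_all("Received", []):
        flat = " ".join(received.split())  # undo header folding
        if f" by {OUR_MX} " in f" {flat} ":
            match = BRACKETED_IP.search(flat.split(" by ")[0])
            return ipaddress.ip_address(match.group(1)) if match else None
    return None

def classify(raw):
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain != LOCAL_DOMAIN:
        return "not-local-sender"
    ip = handoff_ip(msg)
    if ip is None:
        return "unknown-origin"
    internal = any(ip in net for net in INTERNAL_NETS)
    return "local-sender-internal-origin" if internal else "local-sender-external-origin"

# Constructed samples. SPOOFED carries a forged lower Received line
# that claims an internal hop; the MX-written line shows the real peer.
SPOOFED = (
    "Received: from pc7.example.net (pc7.example.net [203.0.113.45])\n"
    "\tby mx.example.edu with SMTP; Fri, 3 Jan 2003 10:00:00 -0500\n"
    "Received: from staffpc (staffpc [192.0.2.10]) by mail.example.edu;\n"
    "\tFri, 3 Jan 2003 09:59:00 -0500\n"
    "From: alice@example.edu\nTo: bob@example.edu\nSubject: hi\n\nbody\n"
)
INTERNAL = (
    "Received: from staffpc.example.edu (staffpc.example.edu [192.0.2.10])\n"
    "\tby mx.example.edu with ESMTP; Fri, 3 Jan 2003 10:05:00 -0500\n"
    "From: alice@example.edu\nTo: bob@example.edu\nSubject: hi\n\nbody\n"
)
```
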
