> -----Original Message-----
> From: Kai Schaetzl
>
> Larry Gilson wrote on Sun, 21 Sep 2003 17:13:35 -0400:
>
> > I agree with what you are saying about the MAIL FROM command.
> > It is easy enough to forge. However, I have only seen the header
> > From change and leave the MAIL FROM command as that configured in
> > the user's profile.
>
> What "user's profile" do you mean? The virus isn't interested in
> any user profiles. It creates its own email and sends it out with
> its own SMTP client and uses the same mail from from envelope and
> header. Not to mention that many of the mails seem to come from
> original spreaders instead of "just" infected machines.

The messages I have seen from known sources indicate to me that the MAIL FROM variable obtains the information from the user's defined Email address in the default Email client. The same is true for the SMTP relay server. So I was just indicating that this information would be available from the users' profile. This profile information is stored in the registry. At any rate, the MAIL FROM and SMTP server are real and so is the first Received line.

> > This is consistent with the virus documentation I have read also.
>
> I don't know any such documentation which says this. Really,
> you can't rely on this. Even if it were true in this very limited
> case it's never true on a broader scale. One would want to use such
> a program in the longer run and block future viruses and spam
> spreaders as well.

The virus libraries only indicate that the virus has a small SMTP client that pulls its SMTP information from the registry. This registry information is specific to the profile being used. The virus library documentation and all the messages I have seen indicate that the From and To are grabbed from multiple locations on the computer and the Subject is dynamic from hard-coded lists. It says nothing about the MAIL FROM, but all the known sources I have seen messages come from indicate that this information is also pulled from the users' profile.
If any of these viruses actually do forge the MAIL FROM, I have not seen it. For any grouping of messages, the MAIL FROM, SMTP server, and first Received line have always been consistent. However, the From, To, and Subject have all been variable. I would not want to rely on any of this in the long run either. I personally would rather block/quarantine bad attachments on the gateway for further inspection and also run an AV product internally. I was just answering the original question as it was asked.

--Larry

_______________________________________________
Spamassassin-talk mailing list
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
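An added example, not part of the thread or of SpamAssassin: a small Python check that applies the grouping Larry describes (envelope MAIL FROM and first Received hop constant, header From/To/Subject varying) to constructed sample messages. The hostnames and addresses are made up, and it assumes the topmost Received line is the one our own gateway wrote.

```python
import re
from collections import defaultdict
from email import message_from_string

# Constructed sample messages (not real traffic). The first two share one envelope
# sender and connecting host but differ in header From/To/Subject; the third does not.
SAMPLES = [
"""Return-Path: <alice@example.net>
Received: from pc-alice.example.net ([192.0.2.10]) by mx.example.org; Sun, 21 Sep 2003 17:00:01 -0400
From: "MS Security" <support@example.com>
To: bob@example.org
Subject: Latest Net Security Upgrade
""",
"""Return-Path: <alice@example.net>
Received: from pc-alice.example.net ([192.0.2.10]) by mx.example.org; Sun, 21 Sep 2003 17:02:44 -0400
From: "Network Admin" <admin@example.com>
To: carol@example.org
Subject: Undeliverable Mail
""",
"""Return-Path: <dave@example.com>
Received: from mail.example.com ([198.51.100.5]) by mx.example.org; Sun, 21 Sep 2003 17:05:10 -0400
From: Dave <dave@example.com>
To: bob@example.org
Subject: lunch?
""",
]

# Assumption: the topmost Received line is the one our own gateway wrote, so the
# "from <host> ([<ip>])" it records is the real connecting client, not a forgeable header.
RECEIVED_FROM = re.compile(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.I | re.S)

def first_hop(msg):
    """(host, ip) from the topmost Received header, or None if missing/unparsable."""
    received = msg.get_all("Received") or []
    m = RECEIVED_FROM.search(received[0]) if received else None
    return (m.group(1), m.group(2)) if m else None

def group_by_envelope(raw_messages):
    """Group by (envelope sender from Return-Path, first hop); keep the fields that vary."""
    groups = defaultdict(list)
    for raw in raw_messages:
        msg = message_from_string(raw)
        sender = msg.get("Return-Path", "").strip().strip("<>").lower()
        groups[(sender, first_hop(msg))].append(
            {"from": msg["From"], "to": msg["To"], "subject": msg["Subject"]})
    return dict(groups)

def distinct_header_from(groups):
    """Per key, how many header From values were seen; >1 is the pattern worth quarantining for review."""
    return {key: len({m["from"] for m in msgs}) for key, msgs in groups.items()}
```

A count above one flags a sender/host pair for inspection; it is a triage signal, not proof of infection on its own.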