On Tue, 13 Aug 2002 09:13:23 -0400 Alan Kim <[EMAIL PROTECTED]> wrote:
> Someone probably explained how the other part of this virus works but
> it's
> all beyond me - when you start receiving mail under your own address.
> Also, you start receiving undeliverable message under your e-mail
> address.
> This part of the bug is not operating out of my computer, so how does it
> work ?

what follows has a lot of technical detail, and an actual example which i
ran on a un*x computer system. i would be surprised if everyone actually
wanted to know all this. feel free to skip it entirely.

the mechanisms by which email is transported on the internet are described
in a pair of documents, RFC 2821 (which supersedes the traditional RFC 821)
and RFC 2822 (which supersedes RFC 822). these documents (which are full of
mind numbing technical detail) may be viewed at

http://www.ietf.org/rfc/rfc2821.txt
http://www.ietf.org/rfc/rfc2822.txt

at no point in this history of SMTP ("Simple Mail Transport Protocol",
described in 821/2821) has there ever been much attention paid to security.
the result is that mail forgery is fairly easy to commit, which both
spammers and virus authors take advantage of. having been a mail admin on
numerous un*x boxes over the years, i've personally committed many
forgeries, as it's normal practice when testing a mail server which isn't
behaving correctly to connect directly instead of through a mail client in
order to probe its behavior.

in essence, when you formulate an email message with your client (MUA, Mail
User Agent in mail admin speak), it will engage in an SMTP dialog with the
mail server (which is running a program called an MTA, Mail Transport
Agent.) the SMTP dialog is normally called an envelope, and information
about the sender and the recipient is exchanged. these are entirely
separate from the ones you normally see in the mail header in your MUA.

an example -- i'm using telnet to connect directly to the MUA on my server
in colocation, and forging an email message to myself. before reading the
example, some things you need to know. all the stuff i type in starts with
smtp commands: helo, mail from:, rcpt to:, data, and quit. all the stuff
that the MTA replies with starts with 3 digit error codes; 2xx means "ok so
far but not done", 4xx means "temp error", 5xx means "permanent error", and
3xx means "keep going".

note also that the From and To addresses in the body (which runs from "354
Enter message" until the . by itself on the line) have nothing to do with
the envelope sender and recipient; the MTA never looks at the body of the
message, but just pushes Received lines onto it and passes it on (which
means that you can forge received lines as well if you want, something
that spammers do.)

---------
$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 krusty1.krusty-motorsports.com ESMTP Exim 4.05 Tue, 13 Aug 2002 13:27:57 +0000 [ 
NO UCE NO UBE C=US,ST=New York ]
helo localhost
250 krusty1.krusty-motorsports.com Hello root at localhost [127.0.0.1]
mail from:<[EMAIL PROTECTED]>
250 OK
rcpt to:<[EMAIL PROTECTED]>
250 Accepted
data
354 Enter message, ending with "." on a line by itself
Date: Tue, 13 Aug 2002 14:30 +0000
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Bwahahahahaha

you'll never catch me.

a friend

-- 
SuperMacs list info:    <http://lowendmac.com/supermacs/list.shtml>
Archive: <http://www.mail-archive.com/supermacs%40mail.maclaunch.com/>
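Added example (not part of the original post, and not the poster's code): a small Python script that looks at a forged message the way a receiving mail admin would, using the two facts the post explains, that the envelope MAIL FROM (recorded by the last MTA as Return-Path:) is independent of the header From:, and that each MTA pushes its own Received: line onto the top of the message, so anything below the line your own server wrote could have been typed into the DATA body by the sender. The raw message, the hostnames (mx.example.test, relay.example.invalid, mail.bigbank.example.invalid) and the addresses are all constructed for the example.

```python
"""Added example: check a received message against what the MTA knows.

The post explains that the envelope sender and the header From: are
separate, and that the MTA only pushes Received: lines onto the top of
the message. This script parses a constructed raw message (not real
mail) and reports which parts a receiving admin can actually trust.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed sample (not a real message): what a message forged in a
# telnet dialog like the one in the post looks like once the receiving
# MTA has prepended its own Received: line and recorded the envelope
# MAIL FROM in Return-Path:. The second Received: line was typed into
# the DATA body by the sender, which is the forgery the post mentions.
RAW_MESSAGE = """\
Return-Path: <nobody@example.invalid>
Received: from localhost ([127.0.0.1] helo=localhost)
    by mx.example.test with esmtp (Exim 4.05)
    for <victim@example.test>; Tue, 13 Aug 2002 13:28:40 +0000
Received: from mail.bigbank.example.invalid (mail.bigbank.example.invalid [192.0.2.10])
    by relay.example.invalid; Tue, 13 Aug 2002 13:00:00 +0000
Date: Tue, 13 Aug 2002 14:30 +0000
From: <victim@example.test>
To: <victim@example.test>
Subject: Bwahahahahaha

you'll never catch me.

a friend
"""

# Hostnames of our own MTAs (assumed value for the example). Only Received:
# lines stamped "by" one of these were written by software we control.
OWN_MTAS = {"mx.example.test"}

_FROM_RE = re.compile(r"\bfrom\s+([^\s;()]+)")
_BY_RE = re.compile(r"\bby\s+([^\s;()]+)")


def parse(raw: str) -> Message:
    return message_from_string(raw)


def envelope_sender(msg: Message) -> str:
    """Envelope MAIL FROM as recorded by the final MTA in Return-Path:."""
    return parseaddr(msg.get("Return-Path", ""))[1]


def header_from(msg: Message) -> str:
    """The From: address the MUA displays; the MTA never looked at it."""
    return parseaddr(msg.get("From", ""))[1]


def sender_mismatch(msg: Message) -> bool:
    """True when envelope sender and header From: disagree.

    Not proof of forgery on its own (mailing lists and forwarders do this
    legitimately), but it is exactly the gap the post describes.
    """
    return envelope_sender(msg).lower() != header_from(msg).lower()


def received_chain(msg: Message) -> list:
    """Received: lines top to bottom, i.e. newest hop first.

    Each MTA pushes its line on top, so index 0 is the line our own MTA
    wrote and later entries are increasingly unverifiable claims.
    """
    hops = []
    for value in msg.get_all("Received", []):
        from_m = _FROM_RE.search(value)
        by_m = _BY_RE.search(value)
        hops.append({
            "from": from_m.group(1) if from_m else None,
            "by": by_m.group(1) if by_m else None,
        })
    return hops


def trusted_hops(msg: Message, own_mtas=OWN_MTAS) -> list:
    """Leading Received: lines stamped by our own MTAs.

    Everything below the first foreign hop arrived inside the DATA body
    and could have been typed by the sender, like the mail.bigbank line
    in the sample.
    """
    trusted = []
    for hop in received_chain(msg):
        if hop["by"] not in own_mtas:
            break
        trusted.append(hop)
    return trusted


def report(raw: str) -> dict:
    msg = parse(raw)
    trusted = trusted_hops(msg)
    return {
        "envelope_sender": envelope_sender(msg),
        "header_from": header_from(msg),
        "sender_mismatch": sender_mismatch(msg),
        "hops": len(received_chain(msg)),
        "trusted_hops": len(trusted),
        # The last trusted hop's "from" is the host that really connected
        # to us: localhost/127.0.0.1 in the post's telnet example.
        "connecting_host": trusted[-1]["from"] if trusted else None,
    }


if __name__ == "__main__":
    for key, val in report(RAW_MESSAGE).items():
        print(f"{key:>16}: {val}")
```

The only two things the script treats as fact are the Return-Path: and the Received: lines written by a host in OWN_MTAS; the header From:, the lower Received: line and the body are shown for what they are, claims made by whoever typed the DATA section.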