lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200309240850.01587.jstewart@lurhq.com>
From: jstewart at lurhq.com (Joe Stewart)
Subject: Swen Really Sucks

On Tuesday 23 September 2003 10:49 pm, Jason Coombs wrote:
> and using the "From" address rather than the "From:"
> address for the filter doesn't work, either, because the "From"
> address appears to be a different non-randomized e-mail address,
> possibly the real e-mail address of the infected victim (? haven't
> read any forensic analysis on this point yet...)

The "From" or Return-Path address specified by the MAIL FROM: 
transaction in the SMTP session is the real email address of the 
infected user, or at least is what they entered on the fake MAPI dialog 
that Swen uses to get that information.

-Joe

-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ Corporation
http://www.lurhq.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ