Message-ID: <200309251421.26903.jstewart@lurhq.com>
From: jstewart at lurhq.com (Joe Stewart)
Subject: Swen Really Sucks

On Thursday 25 September 2003 12:27 pm, Schmehl, Paul L wrote:
> > The "From" or Return-Path address specified by the MAIL FROM:
> > transaction in the SMTP session is the real email address of the
> > infected user, or at least is what they entered on the fake
> > MAPI dialog
> > that Swen uses to get that information.
>
> Please tell me you don't believe this is true.  If you know anything
> about SMTP you know that the MAIL FROM: can be anything you want it
> to be.  And Swen certainly forges the sender, as the hundreds of
> bounces I get will testify.  There is *nothing* in an SMTP
> transaction that you can rely on except the headers *if* you know how
> to read headers.  If you don't, even those will fool you.

I am speaking from direct knowledge gained by reverse-engineering Swen. 
It is true that anyone can forge SMTP headers, but Swen does not forge 
the address in the MAIL FROM: transaction. It sends the email address 
provided to it by the infected user.

The bounces you are getting may be actual first-generation Swen 
messages, as a phony bounce message is one of the many formats it 
generates.

-Joe

-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ Corporation
http://www.lurhq.com/
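The thread turns on the difference between the SMTP envelope sender (the MAIL FROM: value, recorded by the receiving MTA as Return-Path) and the header From:, and on which Received lines can be believed. The following is an added illustration, not code from either poster; the message it parses is constructed here and the host names and addresses are placeholders.

```python
"""Separate the envelope sender from the header From: and keep only the
Received hops stamped by MTAs we operate.  Constructed sample message."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: Return-Path holds the MAIL FROM: address as recorded by
# the receiving MTA; the From: header is an independent, sender-chosen value.
SAMPLE = """\
Return-Path: <victim@example.net>
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.com with ESMTP id ABC123; Thu, 25 Sep 2003 14:21:26 -0400
Received: from [198.51.100.7] (helo=smtp.example.com)
\tby mail.example.org with SMTP; Thu, 25 Sep 2003 14:20:00 -0400
From: "Example Security Center" <security@example.com>
To: someone@example.com
Subject: Undeliverable Mail

(body omitted)
"""

RE_BY = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)


def received_chain(msg):
    """Received headers, outermost (most recently added) first, unfolded."""
    return [" ".join(h.split()) for h in msg.get_all("Received", [])]


def trusted_hops(hops, own_hosts):
    """Keep Received lines stamped by our own MTAs, stopping at the first hop
    that is not ours: everything below it was supplied by the sending side."""
    out = []
    for hop in hops:
        m = RE_BY.search(hop)
        if not m or m.group(1).lower() not in own_hosts:
            break
        out.append(hop)
    return out


def analyze(raw, own_hosts=frozenset({"mx.example.com"})):
    """Report envelope sender, header From:, whether they differ, and the
    Received hops that can be attributed to our own infrastructure."""
    msg = message_from_string(raw)
    env = parseaddr(msg.get("Return-Path", ""))[1]
    frm = parseaddr(msg.get("From", ""))[1]
    hops = received_chain(msg)
    return {"envelope_sender": env, "header_from": frm,
            "sender_mismatch": env.lower() != frm.lower(),
            "hops": hops, "trusted_hops": trusted_hops(hops, own_hosts)}
```

Neither field proves who really sent the message; the point of the split is that a bounce or a "from Microsoft" notice can carry any From: while the envelope address goes somewhere else entirely.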
