Open Source and information security mailing list archives
 
From: kye at lewislan.id.au (Kye Lewis)
Subject: Swen Really Sucks

Yes, I know these also exist, my email has been full of them, it's been a
little hard not to notice.
I'm talking about the Return-Path header, and not the addresses in the
emails you describe.

- Kye Lewis
<kye -at- lewislan -dot- id -dot- au>


> Swen does not only compose email pretending to be a patch from Microsoft. It
> also composes email pretending to be a bounced message. There are various
> renditions of the false 'return to sender'. A couple of examples follow:
>
> -----------------------------------------
> Hi.
> I'm afraid I wasn't able to deliver your message to one or more
> destinations.
> Undeliverable mail to ykhytbgqcg@...foot.net
> ------------------------------------------
> I'm sorry to have to inform you that the message returned below could not be
> delivered to one or more destinations.
> Undeliverable message to sxlpvjk@...rica.net
> ------------------------------------------
> Undelivered mail to pdijepslaw@...mail.net
> Message follows:
> -----------------------------------------
>
> F-Secure has a complete list at:
> http://www.f-secure.com/v-descs/swen.shtml
>
> Regards,
> Mary Landesman
> Antivirus About.com Guide
> http://antivirus.about.com
>
>
> ----- Original Message ----- 
> From: "Kye Lewis" <kye@...islan.id.au>
> To: <full-disclosure@...ts.netsys.com>
> Cc: "Craig Pratt" <craig@...ong-box.net>
> Sent: Friday, September 26, 2003 10:03 AM
> Subject: Re: [Full-Disclosure] Swen Really Sucks
>
>
> [..]
>
> > So, has anyone actually sent mail to an envelope sender to see if
> > they're actually infected? Or is it possible this thing just likes to
> > fake the same sender for all outgoing messages?
>
> Seeing that I have a collection of around 2000 unique and believable
> return-paths from this virus, it seems quite likely that they're legitimate.
>
>

