Open Source and information security mailing list archives
From: kye at (Kye Lewis)
Subject: Swen Really Sucks

Yes, I know these also exist, my email has been full of them, it's been a
little hard not to notice.
I'm talking about the Return-Path header, and not the addresses in the
emails you describe.

- Kye Lewis
<kye -at- lewislan -dot- id -dot- au>

> Swen does not only compose email pretending to be a patch from Microsoft. It
> also composes email pretending to be a bounced message. There are various
> renditions of the false 'return to sender'. A couple of examples follow:
> -----------------------------------------
> Hi.
> I'm afraid I wasn't able to deliver your message to one or more
> destinations.
> Undeliverable mail to
> ------------------------------------------
> I'm sorry to have to inform you that the message returned below could not
> delivered to one or more destinations.
> Undeliverable message to
> ------------------------------------------
> Undelivered mail to
> Message follows:
> -----------------------------------------
> F-Secure has a complete list at:
> Regards,
> Mary Landesman
> Antivirus Guide
> ----- Original Message ----- 
> From: "Kye Lewis" <>
> To: <>
> Cc: "Craig Pratt" <>
> Sent: Friday, September 26, 2003 10:03 AM
> Subject: Re: [Full-Disclosure] Swen Really Sucks
> [..]
> > So, has anyone actually sent mail to an envelope sender to see if
> > they're actually infected? Or is it possible this thing just likes to
> > fake the same sender for all outgoing messages?
> Seeing that I have a collection of around 2000 unique and believable
> return-paths from this virus, it seems quite likely that they're
