Message-ID: <3F769947.6356.39BC89B@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Does Swen forge the sender? WARNING - LONG POST

Paul Schmehl <pauls@...allas.edu> wrote:

> In deference to the experts, Joe and Nick, rather than argue about what 
> Swen does, I'll just post some headers and ask for a *brief* explanation of 
> them.
> 
> 1st header is a "bounce" to my work account.  Unfortunately the bouncing 
> party didn't bother to include the original message headers, but it's 
> evident that they *thought* that I sent them the virus.  Since the "From" 
> address was "Microsoft Security Support" 
> <dyfotwrltwosb_whweemsf@...letin.msn.com>, how does this get back to me 
> unless the "MAIL FROM" command was "pauls@...allas.edu"?
<<snip headers Paul has correctly deciphered>>

As well as what Joe and I have already said about Swen's grabbing the 
"SMTP Email Address" value from the default IAM account in the registry 
and its use of this as the MAIL FROM: argument, don't forget that as 
well as mass-sending itself as an apparent MS security patch, Swen also 
sends itself as an attachment to Emails faked as bounce messages.

This seems to be what the first example message you posted is.  Note 
that it has an Incorrect MIME Type exploit in the body _of the bounce 
message_.  If it were really a bounce of a Swen message, that exploit 
would be in the body of the bounced message rather than in the message 
part telling you it was unable to deliver some other message.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
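The structural tell Nick describes (a real bounce of a worm mail carries the executable only inside the bounced original, a forged bounce carries it in the notice body itself) turned into a defender's triage check. This is an added example, not code from the thread; the bounce-subject keywords, the executable-extension list, the mismatched audio Content-Type and the sample messages are assumptions constructed for the demo.

```python
import email
from email import policy
from email.message import EmailMessage
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")
BOUNCE_WORDS = ("undeliverable", "returned mail", "delivery failure", "failure notice")
FAKE_EXE = b"MZ constructed placeholder bytes, not a real binary"   # constructed sample

def _scan(part, inside_rfc822, hits):
    """Collect executable attachments, recording whether each sits inside a
    message/rfc822 part (the bounced original) or in the notice body itself."""
    inside_rfc822 = inside_rfc822 or part.get_content_type() == "message/rfc822"
    if part.is_multipart():
        for sub in part.iter_parts():
            _scan(sub, inside_rfc822, hits)
        return
    fname = (part.get_filename() or "").lower()
    if fname.endswith(EXEC_EXTS):   # executable under any advertised Content-Type
        hits.append((fname, part.get_content_type(), inside_rfc822))

def classify_bounce(raw):
    """Return 'not-a-bounce', 'clean-bounce', 'bounce-of-worm' or 'fake-bounce'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").lower()
    if msg.get_content_type() != "multipart/report" and not any(w in subject for w in BOUNCE_WORDS):
        return "not-a-bounce"
    hits = []
    _scan(msg, False, hits)
    if not hits:
        return "clean-bounce"
    # A real bounce of a worm mail carries the executable only inside the bounced
    # copy; an executable in the notice itself is the forged-bounce pattern.
    return "bounce-of-worm" if all(inside for _, _, inside in hits) else "fake-bounce"

def build_fake_bounce():
    """Forged notice: executable (under a mismatched audio type) in the notice body."""
    msg = EmailMessage()
    msg["Subject"] = "Undeliverable Mail Returned to Sender"
    msg.set_content("Your message could not be delivered.")
    msg.add_attachment(FAKE_EXE, maintype="audio", subtype="x-wav", filename="patch.exe")
    return msg.as_bytes()

def build_genuine_bounce():
    """Real-style DSN: the executable sits only inside the attached original."""
    original = EmailMessage()
    original.set_content("Please install the attached update.")
    original.add_attachment(FAKE_EXE, maintype="audio", subtype="x-wav", filename="patch.exe")
    bounce = EmailMessage()
    bounce["Subject"] = "Returned mail: user unknown"
    bounce.set_content("Delivery to the following recipient failed permanently.")
    bounce.add_attachment(original)   # attached as message/rfc822
    return bounce.as_bytes()
```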

