Message-ID: <3F769947.6356.39BC89B@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Does Swen forge the sender? WARNING - LONG POST
Paul Schmehl <pauls@...allas.edu> wrote:
> In deference to the experts, Joe and Nick, rather than argue about what
> Swen does, I'll just post some headers and ask for a *brief* explanation of
> them.
>
> 1st header is a "bounce" to my work account. Unfortunately the bouncing
> party didn't bother to include the original message headers, but it's
> evident that they *thought* that I sent them the virus. Since the "From"
> address was "Microsoft Security Support"
> <dyfotwrltwosb_whweemsf@...letin.msn.com>, how does this get back to me
> unless the "MAIL FROM" command was "pauls@...allas.edu"?
<<snip headers Paul has correctly deciphered>>
As well as what Joe and I have already said about Swen's grabbing the
"SMTP Email Address" value from the default IAM account in the registry
and its use of this as the MAIL FROM: argument, don't forget that as
well as mass-sending itself as an apparent MS security patch, Swen also
sends itself as an attachment to Emails faked as bounce messages.
This seems to be what the first example message you posted is. Note
that it has an Incorrect MIME Type exploit in the body _of the bounce
message_. If it were really a bounce of a Swen message, that exploit
would be in the body of the bounced message rather than in the message
part telling you it was unable to deliver some other message.
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
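One way to apply the distinction Nick draws above (exploit in the bounce notice itself versus inside the bounced message), as an added example that is not part of the original post: the heuristic, the executable-extension list, and the sample messages with their addresses and filename are all assumptions.

```python
# Added example, not from the post. Assumed heuristic: a real non-delivery report
# encapsulates the original in message/rfc822, so an executable belongs there only.
from email import message_from_string
EXEC_EXTS = (".exe", ".scr", ".pif", ".bat", ".com")  # assumed extension list

def _leaves(msg, nested=False):
    """Yield (part, inside_rfc822) for every leaf part of the MIME tree."""
    if msg.is_multipart():  # also true for a message/rfc822 container
        nested = nested or msg.get_content_type() == "message/rfc822"
        for sub in msg.get_payload():
            yield from _leaves(sub, nested)
    else:
        yield msg, nested

def classify_bounce(raw):
    """'fake-bounce': executable in the notice itself; 'bounce-of-malware':
    executable only inside the encapsulated original; otherwise 'clean'."""
    where = {nested for part, nested in _leaves(message_from_string(raw))
             if (part.get_filename() or "").lower().endswith(EXEC_EXTS)}
    if False in where:
        return "fake-bounce"
    return "bounce-of-malware" if where else "clean"
# Constructed samples (placeholders). FAKE: executable declared as audio in the notice.
FAKE = """\
From: MAILER-DAEMON@example.net
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your message could not be delivered.
--b1
Content-Type: audio/x-wav; name="patch.exe"

TVqQAAMAAAAEAAAA
--b1--
"""
# REAL: the same executable appears only inside the bounced original.
REAL = """\
From: MAILER-DAEMON@example.net
Content-Type: multipart/report; boundary="b2"

--b2
Content-Type: message/rfc822

From: pauls@example.edu
Content-Type: audio/x-wav; name="patch.exe"

TVqQAAMAAAAEAAAA
--b2--
"""
```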