Re: [vox] Spam question
I really think that it is probably the Klez worm.
One of the best antivirus sites is run by Trend.
Link to the Klez virus
Look in the Tech Details tab for details.
The problem with the Klez virus is that the original
sender is only located in the Envelope From field.
There are some email systems that will strip this
information (Exchange) and use the forged header info,
so that you will not see it. The NDR will read the
forged name and bounce the email back to you. I am
fortunate in that I block executable-type attachments
and I have a front-end system before it gets to my
If the NDR has the original message then you can
compare it to the Tech Details description of possible
subject lines and see if it is Klez or one of its
I get 10-20 bounces a day at work and my counterpart at
the bigger division gets LOTS more.
The header info of the NDR will only have the path from
the postmaster of the system sending you the notice.
Klez harvests email addresses from
On Thu, 20 June 2002, Nicole Carlson wrote:
> Hi guys
> Thanks a bunch for the help.
> I looked up the info on the Klez worm and, much as I'd like to believe that that's what it is, it doesn't seem to match. So I must conclude that some bastard is using my e-mail as a return address. This pisses me off. :( I've alerted the guy who runs my alias, hopefully he won't yank it.
> Anyhoo. Here's one of the headers, per Rod's request; I did an nslookup on the origin IPs, and they match. If there's any other tricks, I'd love to hear them.
>
> Return-Path: <MAILER-DAEMON>
> Received: from millard.ucdavis.edu
>     by pop10.ucdavis.edu (8.11.4/8.11.0/IT4.6.0) with ESMTP id
>     for <email@example.com>; Wed, 19 Jun 2002 23:49:57 -0700
> Received: from ussenterprise.ufp.org
>     by millard.ucdavis.edu (8.11.4/8.11.0/IT4.6.1) with ESMTP id
>     for <firstname.lastname@example.org>; Wed, 19 Jun 2002 23:49:57 -0700 (PDT)
> Received: from hotmail.com (mc2-s5.law16.hotmail.com
>     by ussenterprise.ufp.org (8.11.1/8.11.1) with
>     for <email@example.com>; Thu, 20 Jun 2002 02:49:45 -0400 (EDT)
> From: firstname.lastname@example.org
> To: email@example.com
> Date: Wed, 19 Jun 2002 23:47:10 -0700
> MIME-Version: 1.0
> Content-Type: multipart/report;
> Message-ID: <GtS79AX7U000026b8@hotmail.com>
> Subject: Delivery Status Notification (Failure)
>
> FWIW: firstname.lastname@example.org is my alias; ussenterprise.ufp.org is the server that translates alias->real address
>
> --n twn
> "If you decided to sell your happiness, for how much would you sell it?"
> --Moxy Fruvous
> Visit Nicolopolis!
> email@example.com firstname.lastname@example.org
> vox mailing list
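The point made in the reply about the NDR headers is easy to see mechanically: the Received: chain of a bounce starts at the MTA that generated the bounce, so it can never reach back to the machine that sent the forged mail; the only lead is the earliest Received: line inside the attached copy of the original, if the reporting system included one. The script below is an added example, not code from this thread or from Trend. It parses a constructed bounce modelled on the one Nicole quoted: the host names follow her headers, while the IPs (documentation ranges), queue ids, message-id, addresses and the attached original message are made up for the example. It walks the bounce's Received: chain oldest-first, then does the same for the attached original and reports its From: and Subject: so they can be checked against the vendor's Tech Details list. The envelope sender and the From: header are both chosen by whoever submitted the message; the IP in the earliest Received: line was written by the receiving MTA, so it is the one worth chasing, to the extent that MTA is trusted.

```python
import email
import re
from email import policy

# Constructed sample bounce, modelled on the one quoted in the thread. The host
# names follow the quoted headers; the IPs (documentation ranges), queue ids,
# message-id, addresses and the attached original message are made up here.
SAMPLE_NDR = """\
Return-Path: <MAILER-DAEMON>
Received: from millard.ucdavis.edu (millard.ucdavis.edu [192.0.2.20])
    by pop10.ucdavis.edu (8.11.4/8.11.0/IT4.6.0) with ESMTP id g5K6nvX12345
    for <user@ucdavis.edu>; Wed, 19 Jun 2002 23:49:57 -0700
Received: from ussenterprise.ufp.org (ussenterprise.ufp.org [192.0.2.10])
    by millard.ucdavis.edu (8.11.4/8.11.0/IT4.6.1) with ESMTP id g5K6nvY54321
    for <user@ucdavis.edu>; Wed, 19 Jun 2002 23:49:57 -0700 (PDT)
Received: from hotmail.com (mc2-s5.law16.hotmail.com [198.51.100.5])
    by ussenterprise.ufp.org (8.11.1/8.11.1) with ESMTP id g5K6nj123456
    for <alias@ufp.org>; Thu, 20 Jun 2002 02:49:45 -0400 (EDT)
From: postmaster@hotmail.com
To: alias@ufp.org
Date: Wed, 19 Jun 2002 23:47:10 -0700
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="ndr-b1"
Message-ID: <example0001@hotmail.com>
Subject: Delivery Status Notification (Failure)

--ndr-b1
Content-Type: text/plain

Delivery to nobody@hotmail.com failed.

--ndr-b1
Content-Type: message/rfc822

Received: from infected-pc (dialup-77.isp.example.net [203.0.113.77])
    by mc2-s5.law16.hotmail.com with Microsoft SMTPSVC;
    Wed, 19 Jun 2002 23:46:58 -0700
From: alias@ufp.org
To: nobody@hotmail.com
Subject: Hi
Content-Type: text/plain

(body and attachment omitted)

--ndr-b1--
"""

# "from <helo> (<rdns> [<ip>]) ... by <host>": the parenthesised part is what
# the receiving MTA itself observed, which the submitting side cannot set.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<seen>[^)]*)\))?.*?\bby\s+(?P<by>\S+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """One Received: header -> {helo, rdns, ip, by_host}, or None if unparsable."""
    m = RECEIVED_RE.search(str(value))
    if not m:
        return None
    seen = m.group("seen") or ""
    ip = IP_RE.search(seen)
    return {"helo": m.group("helo"), "rdns": seen.split("[")[0].strip() or None,
            "ip": ip.group(1) if ip else None, "by_host": m.group("by").rstrip(";,")}


def hop_chain(msg):
    """Received: headers are prepended on the way in; reverse for oldest-first."""
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    return [h for h in hops if h]


def attached_original(ndr):
    """The bounced message itself, if the reporting MTA included a copy."""
    for part in ndr.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def analyze(raw):
    """Bounce path and origin of the bounced message, as two separate chains."""
    ndr = email.message_from_string(raw, policy=policy.default)
    ndr_hops = hop_chain(ndr)
    result = {"return_path": str(ndr.get("Return-Path", "")).strip(),
              "ndr_hops": ndr_hops, "ndr_first_hop": ndr_hops[0] if ndr_hops else None,
              "original": None}
    orig = attached_original(ndr)
    if orig is not None:
        orig_hops = hop_chain(orig)
        result["original"] = {"from": str(orig.get("From", "")),
                              "subject": str(orig.get("Subject", "")),
                              "first_hop": orig_hops[0] if orig_hops else None}
    return result


if __name__ == "__main__":
    r = analyze(SAMPLE_NDR)
    # The bounce chain begins at the reporting MTA, so it cannot name the origin.
    print("bounce chain, oldest first:", [h["by_host"] for h in r["ndr_hops"]])
    print("bounce written by:", r["ndr_first_hop"]["helo"], r["ndr_first_hop"]["ip"])
    if r["original"]:
        print("forged From:", r["original"]["from"], "| Subject:", r["original"]["subject"])
        print("origin recorded by", r["original"]["first_hop"]["by_host"], "->",
              r["original"]["first_hop"]["ip"])
```

Run it on a real bounce by reading the raw message into `analyze()` instead of `SAMPLE_NDR`. When the bounce carries no message/rfc822 part, `result["original"]` stays None, which is exactly the Exchange-style case the reply describes: nothing in the NDR identifies the sender, and the complaint has to go to the postmaster that wrote the earliest Received: line in the bounce.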