[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Swen Really Sucks

To: <jasonc@xxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxx>
Subject: Re: [Full-Disclosure] Swen Really Sucks
From: Joe Stewart <jstewart@xxxxxxxxx>
Date: Wed, 24 Sep 2003 08:50:01 -0400

On Tuesday 23 September 2003 10:49 pm, Jason Coombs wrote:
> and using the "From" address rather than the "From:"
> address for the filter doesn't work, either, because the "From"
> address appears to be a different non-randomized e-mail address,
> possibly the real e-mail address of the infected victim (? haven't
> read any forensic analysis on this point yet...)

The "From" or Return-Path address specified by the MAIL FROM: 
transaction in the SMTP session is the real email address of the 
infected user, or at least is what they entered on the fake MAPI dialog 
that Swen uses to get that information.

-Joe

-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ Corporation
http://www.lurhq.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- [Full-Disclosure] Swen Really Sucks
  - From: Jason Coombs

Prev by Date: Re: [Full-Disclosure] Swen Really Sucks
Next by Date: Re: [Full-Disclosure] BugTraq Speed
Previous by thread: Re: [Full-Disclosure] Swen Really Sucks
Next by thread: [Full-Disclosure] GLSA: openssh (200309-14)
Index(es):
- Date
- Thread