[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-Disclosure] Swen Really Sucks

To: <full-disclosure@xxxxxxxxxxxxxxxx>
Subject: RE: [Full-Disclosure] Swen Really Sucks
From: "Schmehl, Paul L" <pauls@xxxxxxxxxxxx>
Date: Thu, 25 Sep 2003 11:27:28 -0500

> -----Original Message-----
> From: Joe Stewart [mailto:jstewart@xxxxxxxxx] 
> Sent: Wednesday, September 24, 2003 7:50 AM
> To: jasonc@xxxxxxxxxxx; full-disclosure@xxxxxxxxxxxxxxxx
> Cc: secure@xxxxxxxxxxxxx
> Subject: Re: [Full-Disclosure] Swen Really Sucks
> 
> The "From" or Return-Path address specified by the MAIL FROM: 
> transaction in the SMTP session is the real email address of the 
> infected user, or at least is what they entered on the fake 
> MAPI dialog 
> that Swen uses to get that information.
> 
Please tell me you don't believe this is true.  If you know anything
about SMTP you know that the MAIL FROM: can be anything you want it to
be.  And Swen certainly forges the sender, as the hundreds of bounces I
get will testify.  There is *nothing* in an SMTP transaction that you
can rely on except the headers *if* you know how to read headers.  If
you don't, even those will fool you.

Paul Schmehl (pauls@xxxxxxxxxxxx)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- Re: [Full-Disclosure] Swen Really Sucks
  - From: Joe Stewart
- RE: [Full-Disclosure] Swen Really Sucks
  - From: Nick FitzGerald

Prev by Date: RE: [Full-Disclosure] An open question for Snort and Project Honeynet
Next by Date: RE: [Full-Disclosure] SAM Switch - Win2k/XP password-less login
Previous by thread: Re: [Full-Disclosure] Verisign Login Hijacking
Next by thread: Re: [Full-Disclosure] Swen Really Sucks
Index(es):
- Date
- Thread