Re: [Full-Disclosure] Swen Really Sucks
- To: "Schmehl, Paul L" <pauls@xxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxx>
- Subject: Re: [Full-Disclosure] Swen Really Sucks
- From: Joe Stewart <jstewart@xxxxxxxxx>
- Date: Thu, 25 Sep 2003 14:21:26 -0400
On Thursday 25 September 2003 12:27 pm, Schmehl, Paul L wrote:
> > The "From" or Return-Path address specified by the MAIL FROM:
> > transaction in the SMTP session is the real email address of the
> > infected user, or at least is what they entered on the fake
> > MAPI dialog
> > that Swen uses to get that information.
>
> Please tell me you don't believe this is true. If you know anything
> about SMTP you know that the MAIL FROM: can be anything you want it
> to be. And Swen certainly forges the sender, as the hundreds of
> bounces I get will testify. There is *nothing* in an SMTP
> transaction that you can rely on except the headers *if* you know how
> to read headers. If you don't, even those will fool you.
I am speaking from direct knowledge gained by reverse-engineering Swen.
It is true that anyone can forge SMTP headers, but Swen does not forge
the address in the MAIL FROM: transaction. It sends the email address
provided to it by the infected user.
The bounces you are getting may be actual first-generation Swen
messages, as a phony bounce message is one of the many formats it
generates.
-Joe
--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ Corporation
http://www.lurhq.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html