Re: [Full-Disclosure] Swen Really Sucks
- To: <full-disclosure@xxxxxxxxxxxxxxxx>
- Subject: Re: [Full-Disclosure] Swen Really Sucks
- From: "Kye Lewis" <kye@xxxxxxxxxxxxxx>
- Date: Sat, 27 Sep 2003 01:15:50 +1000
Yes, I know these also exist; my email has been full of them, and it's been a
little hard not to notice.
I'm talking about the Return-Path header, and not the addresses in the
emails you describe.
- Kye Lewis
<kye -at- lewislan -dot- id -dot- au>
> Swen does not only compose email pretending to be a patch from Microsoft. It
> also composes email pretending to be a bounced message. There are various
> renditions of the false 'return to sender'. A couple of examples follow:
>
> -----------------------------------------
> Hi.
> I'm afraid I wasn't able to deliver your message to one or more
> destinations.
> Undeliverable mail to ykhytbgqcg@xxxxxxxxxxx
> ------------------------------------------
> I'm sorry to have to inform you that the message returned below could not be
> delivered to one or more destinations.
> Undeliverable message to sxlpvjk@xxxxxxxxxxx
> ------------------------------------------
> Undelivered mail to pdijepslaw@xxxxxxxxxxx
> Message follows:
> -----------------------------------------
>
> F-Secure has a complete list at:
> http://www.f-secure.com/v-descs/swen.shtml
>
> Regards,
> Mary Landesman
> Antivirus About.com Guide
> http://antivirus.about.com
>
>
> ----- Original Message -----
> From: "Kye Lewis" <kye@xxxxxxxxxxxxxx>
> To: <full-disclosure@xxxxxxxxxxxxxxxx>
> Cc: "Craig Pratt" <craig@xxxxxxxxxxxxxx>
> Sent: Friday, September 26, 2003 10:03 AM
> Subject: Re: [Full-Disclosure] Swen Really Sucks
>
>
> [..]
>
> > So, has anyone actually sent mail to an envelope sender to see if
> > they're actually infected? Or is it possible this thing just likes to
> > fake the same sender for all outgoing messages?
>
> Seeing that I have a collection of around 2000 unique and believable
> return-paths from this virus, it seems quite likely that they're legitimate.
>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html