Full Disclosure mailing list archives
RE: Swen Really Sucks
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Thu, 25 Sep 2003 11:27:28 -0500
-----Original Message-----
From: Joe Stewart [mailto:jstewart () lurhq com]
Sent: Wednesday, September 24, 2003 7:50 AM
To: jasonc () science org; full-disclosure () lists netsys com
Cc: secure () microsoft com
Subject: Re: [Full-disclosure] Swen Really Sucks

The "From" or Return-Path address specified by the MAIL FROM: transaction in the SMTP session is the real email address of the infected user, or at least is what they entered on the fake MAPI dialog that Swen uses to get that information.

Please tell me you don't believe this is true. If you know anything about SMTP you know that the MAIL FROM: can be anything you want it to be. And Swen certainly forges the sender, as the hundreds of bounces I get will testify. There is *nothing* in an SMTP transaction that you can rely on except the headers *if* you know how to read headers. If you don't, even those will fool you.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
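
Added example, not part of the original message or written by anyone in the thread: a Python sketch of reading headers for abuse triage, which separates what the message claims (Return-Path, From, lower Received lines) from the one hop recorded by the receiving organisation's own MTA. The hostnames, the our_mtas/our_ips parameters and the Sendmail/Postfix-style Received layout are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not taken from the thread. Hosts and addresses use
# reserved documentation names and ranges. The lower Received line is the
# kind a sending client can write itself before connecting.
RAW = (
    "Return-Path: <someone@uni.example>\n"
    "Received: from mail.uni.example (dsl-17.isp.example [192.0.2.77])\n"
    "\tby mx.ourorg.example with ESMTP id ABC123;\n"
    "\tThu, 25 Sep 2003 11:02:10 -0500\n"
    "Received: from relay.uni.example (relay.uni.example [198.51.100.9])\n"
    "\tby mail.uni.example with SMTP; Thu, 25 Sep 2003 10:58:00 -0500\n"
    "From: \"Support\" <support@vendor.example>\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# Assumed Sendmail/Postfix-style layout: from HELO (rDNS [IP]) by HOST
HOP = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)")

def trace(raw, our_mtas, our_ips=frozenset()):
    """Return what the headers claim next to what our own MTA recorded."""
    msg = message_from_string(raw)
    hops = [m.groups() for m in map(HOP.search, msg.get_all("Received", [])) if m]
    boundary, trusted = None, 0
    for helo, rdns, ip, by in hops:            # newest hop first
        if by.lower().rstrip(";") not in our_mtas:
            break                              # not written by our server
        boundary, trusted = (helo, rdns, ip), trusted + 1
        if ip not in our_ips:
            break                              # first outside peer: stop here
    return {
        "envelope_sender": parseaddr(msg.get("Return-Path", ""))[1],  # MAIL FROM as given
        "header_from": parseaddr(msg.get("From", ""))[1],
        "peer_ip": boundary[2] if boundary else None,
        "helo_matches_rdns": bool(boundary) and boundary[0] == boundary[1],
        "unverified_hops": len(hops) - trusted,
    }

if __name__ == "__main__":
    print(trace(RAW, {"mx.ourorg.example"}))
```

Only peer_ip comes from a line written by a server the recipient controls; the other fields are reported as supplied by the sender.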
