Full Disclosure mailing list archives

RE: Swen Really Sucks


From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Thu, 25 Sep 2003 11:27:28 -0500

-----Original Message-----
From: Joe Stewart [mailto:jstewart () lurhq com] 
Sent: Wednesday, September 24, 2003 7:50 AM
To: jasonc () science org; full-disclosure () lists netsys com
Cc: secure () microsoft com
Subject: Re: [Full-disclosure] Swen Really Sucks

The "From" or Return-Path address specified by the MAIL FROM: transaction in
the SMTP session is the real email address of the infected user, or at least
is what they entered on the fake MAPI dialog that Swen uses to get that
information.

Please tell me you don't believe this is true.  If you know anything
about SMTP you know that the MAIL FROM: can be anything you want it to
be.  And Swen certainly forges the sender, as the hundreds of bounces I
get will testify.  There is *nothing* in an SMTP transaction that you
can rely on except the headers *if* you know how to read headers.  If
you don't, even those will fool you.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 
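As an added illustration of the point above (example code, not from the thread), a small Python check over a constructed message: it sets aside the forgeable Return-Path/From, walks the Received: chain to the host that first handed the mail to a relay, and compares that host with the domain the envelope sender claims. All hostnames and addresses are constructed placeholders.

```python
import email
import re
# Constructed sample (not from the thread): Return-Path and From: claim
# example.org, but the earliest Received: line shows an unrelated dial-up host.
SAMPLE = """\
Return-Path: <alice@example.org>
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.recipient.example (Postfix) with ESMTP id 1A2B3C; Thu, 25 Sep 2003 10:00:00 -0500
Received: from pc (dialup-45.isp.example [203.0.113.45])
\tby mx.example.net (Postfix) with SMTP id 4D5E6F; Thu, 25 Sep 2003 09:59:00 -0500
From: Alice <alice@example.org>
To: pauls@recipient.example
Subject: test
"""

# "from HELO (rDNS [IP])" as written by a relay for the peer that connected to it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\)",
    re.IGNORECASE,
)

def received_chain(raw):
    """Received: hops oldest-first as dicts (helo, rdns, ip). Only lines stamped
    by relays you control are trustworthy; anything below your own MTA's stamp
    could have been written by the sender, just like MAIL FROM."""
    msg = email.message_from_string(raw)
    hops = []
    # Each relay prepends its line, so the last Received: header is the first hop.
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(" ".join(value.split()))
        if m:
            hops.append(m.groupdict())
    return hops

def envelope_sender(raw):
    """Address the final relay recorded from MAIL FROM; it is whatever the
    sending software chose to say."""
    m = re.search(r"<([^>]+)>", email.message_from_string(raw).get("Return-Path", ""))
    return m.group(1) if m else None

def sender_consistent_with_origin(raw):
    """Does the host that first handed the message to a relay belong to the
    domain the envelope sender claims? False is a warning sign, not proof."""
    hops, sender = received_chain(raw), envelope_sender(raw)
    if not hops or not sender:
        return None
    domain = sender.rsplit("@", 1)[1].lower()
    names = [h.lower() for h in (hops[0]["helo"], hops[0]["rdns"])]
    return any(n == domain or n.endswith("." + domain) for n in names)
```

A legitimate user sending through an ISP relay will also fail this check, so treat the result as one input to triage, not a verdict.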

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
