Re: [Exim] Spammer or new virus?

Author: John W Baxter
Date:  
To: exim-users
Subject: Re: [Exim] Spammer or new virus?
At 13:09 -0700 5/28/2002, Marc MERLIN wrote:
>Are you saying that
>1) Klez forges the envelope From too? (not just header From)

A subset of the messages caught by our simple-minded filter show KLEZ (or
KLEZ-like-thing) forging the MAIL FROM:, yes. They're fairly obvious: one
or two "from" an address not otherwise suspect, and checking the login
records for the locally-originated ones shows that the login had no
relation to the Envelope from.


>2) Klez will look up the MX for the forged From and attempt to send the
> mail through there?

I haven't noticed it doing that. But perhaps it tries and we don't see it
because it's stopped earlier. And "I haven't noticed" doesn't even pretend
to be proof.

--John

--
John Baxter   jwblist@???      Port Ludlow, WA, USA