At 13:09 -0700 5/28/2002, Marc MERLIN wrote:
>Are you saying that
>1) Klez forges the envelope From too? (not just header From)

A subset of the messages caught by our simple-minded filter show KLEZ (or
KLEZ-like-thing) forging the MAIL FROM:, yes. They're fairly obvious: one
or two "from" an address not otherwise suspect, and checking the login
records for the locally-originated ones shows that the login had no
relation to the Envelope from.

>2) Klez will look up the MX for the forged From and attempt to send the
> mail through there?

I haven't noticed it doing that. But perhaps it tries and we don't see it
because it's stopped earlier. And "I haven't noticed" doesn't even pretend
to be proof.

--John
--
John Baxter jwblist@??? Port Ludlow, WA, USA