On Tue, May 28, 2002 at 04:25:42PM -0700, John W Baxter wrote:
> A subset of the messages caught by our simple-minded filter show KLEZ (or
It's not a simple-minded filter :-)
(it's regular relay protection)
> >2) Klez will look up the MX for the forged From and attempt to send the
> > mail through there?
>
> I haven't noticed it doing that. But perhaps it tries and we don't see it
> because it's stopped earlier. And "I haven't noticed" doesn't even pretend
> to be proof.
I've looked some more, and yes, there is at least some klez variant that
does that, it's clear now.
It's really stupid too, because it's trying to Email non-local users from
random IPs on the internet, so it gets rejected right away by the relay
check.
It seems as if the author had meant to look up the MX for the recipient of
the mail, but looked up the MX of the faked envelope from instead. How dumb!
Oh well, more crap in my logs I guess...
Marc
--
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@??? for PGP key
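
An added example, not part of the message above: one way to separate the rejections described in the thread (envelope sender in a domain this host is MX for, recipient elsewhere) from ordinary relay attempts. The log format, the `relay-denied` tag and `example.org` as the local domain are assumptions constructed for illustration, not any real MTA's output.

```python
import re
from collections import Counter

# Assumption: domains this host is the MX for (hypothetical value).
LOCAL_DOMAINS = {"example.org"}

# Constructed sample lines in a simplified, made-up rejection-log format.
SAMPLE_LOG = """\
2002-05-28 16:01:12 relay-denied H=[203.0.113.7] F=<alice@example.org> RCPT=<bob@elsewhere.test>
2002-05-28 16:01:40 relay-denied H=[203.0.113.7] F=<carol@EXAMPLE.ORG> RCPT=<dave@other.test>
2002-05-28 16:02:03 relay-denied H=[198.51.100.9] F=<bulk@sender.test> RCPT=<victim@third.test>
2002-05-28 16:02:30 relay-denied H=[192.0.2.44] F=<> RCPT=<x@elsewhere.test>
2002-05-28 16:03:00 accepted H=[192.0.2.10] F=<erin@peer.test> RCPT=<alice@example.org>
"""

LINE_RE = re.compile(
    r"relay-denied H=\[(?P<ip>[^\]]+)\] F=<(?P<sender>[^>]*)> RCPT=<(?P<rcpt>[^>]+)>"
)


def domain(addr):
    """Lower-cased domain part of an address ('' for the null sender <>)."""
    return addr.rpartition("@")[2].rstrip(".").lower() if "@" in addr else ""


def misdirected_relay_attempts(log_text, local_domains=LOCAL_DOMAINS):
    """Return (ip, sender, rcpt) for relay rejections where the envelope
    sender claims one of our domains and the recipient is not local, i.e.
    the client most likely found us via the MX of the forged sender."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a relay rejection
        if domain(m["sender"]) in local_domains and domain(m["rcpt"]) not in local_domains:
            hits.append((m["ip"], m["sender"], m["rcpt"]))
    return hits


def per_client(hits):
    """Count matching rejections per connecting IP."""
    return Counter(ip for ip, _, _ in hits)


if __name__ == "__main__":
    for ip, count in per_client(misdirected_relay_attempts(SAMPLE_LOG)).items():
        print(ip, count)
```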