On Mon, 24 Jun 2002, Leonardo Boselli wrote:
> On 24 Jun 2002, at 10:23, Dave C. wrote:
> > > A nontrivial proportion of the spam that gets past the other
> > > defences does indeed utilise the trick of counterfeiting a local
> > > user as the envelope sender.
> > Really? That is unusual. I get tons of spam, and very little of it has
> > an address in my domain as the sender.
>
> Four dais ago i received a complaint for a reception of a "virus
> delivery notice" .
> It turned that someone send a virus to an user in my domain using
> a forged return address, and the filter sent a "discard notice" to that
> user.
> The "original message [virus]" was sent FROM A MACHINE IN MY
> DOMAIN (that btw forged the helo address, but not the IP) USING
> AN OPEN RELAY IN ANOTHER DOMAIN !!!!!!!
This sounds like the Klez virus. It forges sender addresses when
propogating itself, and my logs suggest i tries to use that senders MX
host to relay through.
>
> Leonardo Boselli
> nucleo informatico e telematico
> Dipartimento Ingegneria Civile
> Universita` di Firenze
> V. S. Marta 3 - I-50139 Firenze
> tel +39()0554796431
> cel +39 3488605348
> fax +39()055495333
> http://www.dicea.unifi.it/~leo
>
--
