Full Disclosure mailing list archives
Re: Swen Really Sucks
From: Joe Stewart <jstewart () lurhq com>
Date: Thu, 25 Sep 2003 14:21:26 -0400
On Thursday 25 September 2003 12:27 pm, Schmehl, Paul L wrote:
> > The "From" or Return-Path address specified by the MAIL FROM: transaction in the SMTP session is the real email address of the infected user, or at least is what they entered on the fake MAPI dialog that Swen uses to get that information.
>
> Please tell me you don't believe this is true. If you know anything about SMTP you know that the MAIL FROM: can be anything you want it to be. And Swen certainly forges the sender, as the hundreds of bounces I get will testify. There is *nothing* in an SMTP transaction that you can rely on except the headers *if* you know how to read headers. If you don't, even those will fool you.
I am speaking from direct knowledge gained by reverse-engineering Swen. It is true that anyone can forge SMTP headers, but Swen does not forge the address in the MAIL FROM: transaction. It sends the email address provided to it by the infected user. The bounces you are getting may be actual first-generation Swen messages, as a phony bounce message is one of the many formats it generates.

-Joe

--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ Corporation
http://www.lurhq.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
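The disagreement above turns on which parts of a message a receiver can actually trust: the envelope sender (Return-Path), the From header and the HELO name are all supplied by the sending side, while the Received line written by the receiver's own MX records the IP that really connected. The following is an added example, not code from either poster or from LURHQ: it parses the Received chain of a constructed message (all hostnames, addresses, ids and timestamps are made up, and the `our_mtas` set naming the receiver's own servers is an assumption) and reports the entry-point IP alongside the cheap sender-side inconsistencies a triager checks before trusting either address in a worm or bounce message.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (every host, address, id and date is made up).
# The envelope sender and the From header name two different mailboxes, and
# the Received chain shows the message was handed to our MX by a dial-up host
# rather than by a mail server of the claimed domain.
SAMPLE = """\
Return-Path: <victim@example.org>
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mailstore.example.net with ESMTP id abc123
\tfor <me@example.net>; Thu, 25 Sep 2003 14:00:02 -0400
Received: from smtp.example.org (dialup-45.example.isp [203.0.113.45])
\tby mx.example.net with SMTP id def456
\tfor <me@example.net>; Thu, 25 Sep 2003 14:00:01 -0400
From: "Technical Support" <support@example.org>
To: me@example.net
Subject: constructed sample message

body
"""

# Matches the common "from HELO (rdns [ip]) by HOST" shape of a Received line.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(raw):
    """Return the Received hops of a raw message in delivery order, earliest first."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        # Collapse folded header lines before matching.
        m = HOP_RE.search(" ".join(value.split()))
        if m:
            hops.append(m.groupdict())
    # Each MTA prepends its own Received line, so the last header is the first hop.
    hops.reverse()
    return hops


def analyze(raw, our_mtas):
    """Summarise what a receiver can and cannot trust about a message's origin.

    our_mtas: hostnames of the receiver's own MTAs (assumed, supplied by the caller).
    Only the Received line written by the first of these is a fact the receiver
    recorded itself; everything before it was written by someone else.
    """
    msg = message_from_string(raw)
    hops = parse_received(raw)
    entry = next((h for h in hops if h["by"].lower() in our_mtas), None)
    result = {
        "envelope_sender": parseaddr(msg.get("Return-Path", ""))[1],
        "header_from": parseaddr(msg.get("From", ""))[1],
        "hop_count": len(hops),
        "entry_ip": entry["ip"] if entry else None,
        "entry_helo": entry["helo"] if entry else None,
        "entry_rdns": entry["rdns"] if entry else None,
    }
    # Both sender fields and the HELO name are chosen by the sending side and
    # cost nothing to forge; disagreement between them is a triage signal, not proof.
    result["sender_fields_agree"] = result["envelope_sender"] == result["header_from"]
    result["helo_matches_rdns"] = bool(entry) and entry["helo"].lower() == entry["rdns"].lower()
    return result


if __name__ == "__main__":
    for key, value in analyze(SAMPLE, {"mx.example.net", "mailstore.example.net"}).items():
        print(f"{key:20} {value}")
```

The only field here that the receiver can vouch for is `entry_ip`, because its own MX wrote it down; the Return-Path is whatever the sending software put in MAIL FROM:, which is exactly why the two posters can both be right about what it contains for a given worm and still disagree about whether it should ever be trusted.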
Current thread:
- RE: Swen Really Sucks Schmehl, Paul L (Sep 25)
- Re: Swen Really Sucks Joe Stewart (Sep 25)
- RE: Swen Really Sucks Nick FitzGerald (Sep 25)
- Re: Swen Really Sucks Craig Pratt (Sep 26)
- Re: Swen Really Sucks Kye Lewis (Sep 26)
- Re: Swen Really Sucks Mary Landesman (Sep 26)
- Re: Swen Really Sucks Kye Lewis (Sep 26)
- Re: Swen Really Sucks Craig Pratt (Sep 26)
- <Possible follow-ups>
- RE: Swen Really Sucks Schmehl, Paul L (Sep 25)
- RE: Swen Really Sucks Nick FitzGerald (Sep 25)