Security Basics mailing list archives
Re: SoBig and some info
From: Sebastian Schneider <ses () straightliners de>
Date: Fri, 22 Aug 2003 03:17:03 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There is no real need to use spam relay servers to send e-mails containing malware. As a matter of fact, Sobig.F acts as an SMTP client by itself. The procedure to fake the sender's address is kind of easy when you know where to send your e-mail to. I.e. when addressing a mail to ask@me.twice you can obtain the appropriate mail server by querying DNS for the MX records of the domain me.twice. Then you just connect to that server, doing the protocol stuff and transmitting the e-mail as is. That mail server usually has to accept that e-mail, for it is its local domain. Technically, filters and rules can be applied to reject that very e-mail anyway. For instance, if the sender's domain does not exist, or the host name transmitted in the HELO/EHLO phase is not a fully qualified domain name, or whatever, the e-mail might be rejected.

So a simple telnet can do it, i.e. telnet smtp.server.local 25 can look like that:

S: 220 smtp.server.local ESMTP welcomes you
C: HELO me.myself.andi
S: 250 smtp.server.local
C: mail from: <dude () sco com>
S: 250 OK
C: rcpt to: <user@server.local>
S: 250 OK
C: DATA
S: 354 end data with <CR><LF>.<CR><LF>
C: From: "Real dude" <dude () sco com>
C: To: "Funny User" <user@server.local>
C: Subject: This is so much a test
C:
C: test it
C: .
C:
S: 250 OK, message id is 12345
C: QUIT
S: 221 see ya later

In that case, the server accepted the mail even if you don't own the <dude () sco com> address.

Sebastian

On Friday 22 August 2003 00:56, Kevin Saenz wrote:
> This current strain of SoBig seems to be smarter than before. It seems to be grabbing real email addresses in people's Outlook and using those as spoof accounts. The other thing I have found is, if that is the case, there are thousands of email servers that are acting as open relays. Can anyone correct me if I am wrong? I am pretty sure this is open to some hot debate, as my question will be: if email servers are not relaying, then how can a virus transmit spoofed email addresses?
>
> I have seen emails bouncing back to me saying that an email from me is possibly infected and contains an executable .pif; the header of the email from me is Outlook version 6.x. The problem with that is, emails 100% of the time from me are sent by Evolution, a Linux email client. This has been since Wed night Australian time or Tuesday morning U.S. time.
- --
Sebastian Schneider
straightLiners IT Consulting & Services
Metzer Str. 12
13595 Berlin
Germany
Fon: +49-30-3510-6168
Fax: +49-30-3510-6169
www.straightliners.de

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/RW8PQ7mOWZBxbPcRAtH/AKCs10KFOxGys+f+8+HOhGjMBwWHPQCdEH/0
pHSg9ROYt5wVXojxOzq0DCo=
=b8Ut
-----END PGP SIGNATURE-----
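The following is an added example, not code from Sebastian's post or from any mail server. It models the receiving side of the exchange shown in the post as a small state machine and applies the two acceptance rules the post names (the HELO/EHLO argument must be a fully qualified host name, and the sender's domain must exist) plus the recipient-domain check that answers Kevin's open-relay question. DNS is replaced by a constructed in-memory table (`FAKE_DNS`); the class and function names, the local domain `server.local` and the reply wording are assumptions made for the example. Replaying the client lines from the post shows the point of the thread: both checks pass for a spoofed sender at a domain that really exists, so the message is accepted without any relay being involved, while a non-FQDN HELO, a non-existent sender domain, or a recipient outside the local domain is refused.

```python
import re

# Constructed stand-in for DNS (hypothetical data): a sender domain "exists"
# if it has an entry here; a real receiver would look up MX/A records.
FAKE_DNS = {
    "server.local": ["smtp.server.local"],
    "sco.com": ["mail.sco.com"],
}

# Two or more dot-separated labels of valid host-name characters.
FQDN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$", re.I)
ADDR_RE = re.compile(r"^<?([^<>@\s]+)@([^<>@\s]+?)>?$")

def is_fqdn(name):
    return bool(FQDN_RE.match(name))

def parse_address(arg):
    """(local_part, domain) from a MAIL FROM / RCPT TO argument, or None."""
    m = ADDR_RE.match(arg.strip())
    return (m.group(1), m.group(2).lower()) if m else None

class SmtpReceiver:
    """Server side of the exchange: feed() takes one client line and
    returns the reply, or None while collecting DATA lines."""

    def __init__(self, hostname="smtp.server.local",
                 local_domains=("server.local",), dns=FAKE_DNS):
        self.hostname, self.local_domains, self.dns = hostname, set(local_domains), dns
        self.helo, self.in_data, self.accepted = None, False, []
        self._reset_envelope()

    def _reset_envelope(self):
        self.mail_from, self.rcpts, self.body = None, [], []

    def greeting(self):
        return f"220 {self.hostname} ESMTP welcomes you"

    def feed(self, line):
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.accepted.append((self.mail_from, self.rcpts, "\n".join(self.body)))
                self._reset_envelope()
                return f"250 OK, message id is {len(self.accepted)}"
            self.body.append(line[1:] if line.startswith("..") else line)  # dot-unstuffing
            return None
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            if not is_fqdn(arg.strip()):
                return f"501 {verb} argument is not a fully qualified domain name"
            self.helo = arg.strip()
            return f"250 {self.hostname}"
        if verb == "MAIL":
            if self.helo is None:
                return "503 send HELO/EHLO first"
            addr = parse_address(arg.partition(":")[2])
            if addr is None:
                return "501 syntax: MAIL FROM:<address>"
            if addr[1] not in self.dns:                      # sender domain must resolve
                return f"550 sender domain {addr[1]} does not exist"
            self.mail_from = "@".join(addr)
            return "250 OK"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 send MAIL FROM first"
            addr = parse_address(arg.partition(":")[2])
            if addr is None:
                return "501 syntax: RCPT TO:<address>"
            if addr[1] not in self.local_domains:            # no open relaying
                return f"550 relaying to {addr[1]} denied"
            self.rcpts.append("@".join(addr))
            return "250 OK"
        if verb == "DATA":
            if not self.rcpts:
                return "503 no valid recipients"
            self.in_data = True
            return "354 end data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 see ya later"
        return f"500 unrecognised command {verb}"

def run_session(client_lines, **kw):
    """Drive a receiver with client lines; return (receiver, server replies)."""
    srv = SmtpReceiver(**kw)
    replies = [srv.greeting()]
    for line in client_lines:
        reply = srv.feed(line)
        if reply is not None:
            replies.append(reply)
    return srv, replies

# Client side of the post's transcript (address written out with '@').
SPOOFED_SESSION = ["HELO me.myself.andi", "mail from: <dude@sco.com>",
    "rcpt to: <user@server.local>", "DATA", 'From: "Real dude" <dude@sco.com>',
    'To: "Funny User" <user@server.local>', "Subject: This is so much a test",
    "", "test it", ".", "QUIT"]

if __name__ == "__main__":
    srv, replies = run_session(SPOOFED_SESSION)
    for reply in replies:
        print("S:", reply)
    print("accepted:", srv.accepted)
```

Running it reproduces the server lines of the post's transcript (with message id 1 instead of 12345) and leaves one accepted message from dude@sco.com in `srv.accepted`. Nothing the receiver checked proves the sending host is allowed to use that sender address; the existence and FQDN filters only raise the bar against sloppy senders, which is why the original post says the server "usually has to accept" such mail for its own domain. The same receiver refuses `HELO localhost`, `MAIL FROM:<x@no.such.invalid>` and a `RCPT TO` at a foreign domain, the last being the behaviour a properly configured (non-open-relay) server shows.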