Security Basics mailing list archives

Re: SoBig and some info


From: Sebastian Schneider <ses () straightliners de>
Date: Fri, 22 Aug 2003 03:17:03 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There is no real need to use spam relay servers to send e-mails containing 
malware. As a matter of fact, Sobig.F acts as an SMTP client by itself.

The procedure to fake the sender's address is kind of easy once you know where 
to send your e-mail. E.g. when addressing a mail to ask@me.twice you can 
obtain the appropriate mail server by querying DNS for the MX records of the 
domain me.twice. Then you just connect to that server, do the protocol 
stuff and transmit the e-mail as is. That mail server usually has to 
accept that e-mail, for it is its local domain.
Technically, filters and rules can be applied to reject that very e-mail 
anyway. For instance, if the sender's domain does not exist, or the host 
name transmitted in the HELO/EHLO phase is not a fully qualified domain name, 
or whatever, the e-mail might be rejected.

So a simple telnet can do it, i.e. telnet smtp.server.local 25 can look like 
this:
S: 220 smtp.server.local ESMTP welcomes you
C: HELO me.myself.andi
S: 250 smtp.server.local
C: mail from: <dude () sco com>
S: 250 OK
C: rcpt to: <user@server.local>
S: 250 OK
C: DATA
S: 354 end data with <CR><LF>.<CR><LF>
C: From: "Real dude" <dude () sco com>
C: To: "Funny User" <user@server.local>
C: Subject: This is so much a test
C:
C: test it
C: .
C:
S: 250 OK, message id is 12345
C: QUIT
S: 221 see ya later

In that case, the server accepted the mail even if you don't own the 
<dude () sco com> address.

Sebastian

On Friday 22 August 2003 00:56, Kevin Saenz wrote:
This current strain of SoBig seems to be smarter than before.
It seems to be grabbing real email addresses in people's Outlook
and using those as spoof accounts. The other thing I have found
is, if that is the case, there are thousands of email servers
that are acting as open relays. Can anyone correct me if I am
wrong? I am pretty sure this is open to some hot debate. My question
would be: if email servers are not relaying, then how can a virus transmit
spoofed email addresses?
I have seen emails bouncing back to me saying that an email from me is
possibly infected and contains an executable .pif; the header of the
email from me is Outlook version 6.x. The problem with that is, emails
100% of the time from me are sent by Evolution, a Linux email client.
This has been since Wed night Australian time or Tuesday morning U.S.
time.

- -- 

Sebastian Schneider
straightLiners IT Consulting & Services
Metzer Str. 12
13595 Berlin
Germany

Fon: +49-30-3510-6168
Fax: +49-30-3510-6169
www.straightliners.de
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/RW8PQ7mOWZBxbPcRAtH/AKCs10KFOxGys+f+8+HOhGjMBwWHPQCdEH/0
pHSg9ROYt5wVXojxOzq0DCo=
=b8Ut
-----END PGP SIGNATURE-----
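As an added example (not part of Sebastian's mail and not the code of any real MTA), the following Python applies the two server-side rejection rules he mentions, a HELO/EHLO name that is not a fully qualified domain name and a MAIL FROM domain that does not resolve, to the client half of a transcript in the shape shown above. DNS is replaced by a constructed table of "resolvable" domains so the script runs offline, and the addresses in the sample transcripts are constructed stand-ins. It also shows the limit of these checks: a forged sender whose domain does exist passes them, which is exactly why the forged mail in the thread was accepted.

```python
import re

# Constructed stand-in for DNS: domains a lookup would resolve. A real MTA
# would query the MX/A records of the MAIL FROM domain instead.
RESOLVABLE_DOMAINS = {"server.local", "me.myself.andi", "sco.example"}

# One DNS label: 1-63 chars of letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name):
    """A fully qualified name needs at least two syntactically valid labels."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def domain_resolves(domain):
    """Offline substitute for 'does the sender's domain exist?'."""
    return domain.lower() in RESOLVABLE_DOMAINS


def parse_envelope(transcript):
    """Pull the HELO/EHLO name and MAIL FROM address out of the 'C:' lines.

    Parsing stops at DATA so message headers are never mistaken for commands.
    """
    helo = mail_from = None
    for line in transcript.splitlines():
        if not line.startswith("C:"):
            continue
        verb, _, rest = line[2:].strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            helo = rest.strip()
        elif verb == "MAIL":
            # "mail from: <addr>" -> take the bracketed reverse-path if present
            match = re.search(r"<([^>]*)>", rest)
            mail_from = match.group(1) if match else rest.partition(":")[2].strip()
        elif verb == "DATA":
            break
    return helo, mail_from


def check_envelope(helo, mail_from):
    """Return the (code, text) reply the policy would give; 250 means accepted."""
    if helo is None or not is_fqdn(helo):
        return 501, "HELO/EHLO argument is not a fully qualified domain name"
    if mail_from is None:
        return 503, "MAIL FROM required before DATA"
    if mail_from == "":
        return 250, "OK"  # null reverse-path (bounces) must stay accepted
    _, at, domain = mail_from.rpartition("@")
    if not at or not domain_resolves(domain):
        return 550, "sender domain '%s' does not resolve" % (domain or mail_from)
    return 250, "OK"


def verdict(transcript):
    return check_envelope(*parse_envelope(transcript))


# Constructed transcripts in the shape of the session quoted in the thread.
FORGED_VALID_DOMAIN = """S: 220 smtp.server.local ESMTP welcomes you
C: HELO me.myself.andi
S: 250 smtp.server.local
C: mail from: <dude@sco.example>
S: 250 OK
C: rcpt to: <user@server.local>
S: 250 OK
C: DATA
S: 354 end data with <CR><LF>.<CR><LF>
C: From: "Real dude" <dude@sco.example>
C: .
"""

BARE_HELO = FORGED_VALID_DOMAIN.replace("HELO me.myself.andi", "HELO andi")
UNKNOWN_DOMAIN = FORGED_VALID_DOMAIN.replace("dude@sco.example", "dude@nowhere.invalid")

if __name__ == "__main__":
    for name, sample in [("forged, valid domain", FORGED_VALID_DOMAIN),
                         ("bare HELO", BARE_HELO),
                         ("unknown sender domain", UNKNOWN_DOMAIN)]:
        print("%-24s -> %d %s" % ((name,) + verdict(sample)))
```

The first sample is accepted with 250 even though the sender is forged: both checks look only at the envelope's syntax and at whether the domain exists, not at whether this client is entitled to use it. That is the gap Sebastian describes, and it is why sender-authorization mechanisms (which this mail predates) were added on top of such checks.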

