Security Incidents mailing list archives

Re: Headerless EMail


From: "Forrester, Mike" <mforrester () HSACORP NET>
Date: Mon, 22 Jan 2001 09:02:08 -0700

We see this sort of thing all the time.  Either the lack of headers or
headers containing forged information.  The tools that most spammers use do
not add header information to the messages that they send.  They use SMTP to
send the messages, but AFAIK it's up to the mailer/server to update the
header information.  Most of the time we get spam, the only reliable header
is the one generated by our mail server.

Mike Forrester - Systems Security Engineer
HSA Corp. - Denver, CO USA
mforrester () hsacorp net - +1 720 922 2545

"Only amateurs attack machines; professionals target people.
And any solutions will have to target the people problem,
not the math problem." - Bruce Schneier


-----Original Message-----
From: Attonbitus Deus [mailto:Thor () HAMMEROFGOD COM]
Sent: Friday, January 19, 2001 12:56 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: [INCIDENTS] Headerless EMail


What was the thread on the email with no headers?  I looked in the archives
but could not find anything.  The response was that the sender must have
sent the mail directly from the user's mail server... Anyone remember?

I ask because I just got sent one myself, with the following file attached:
MEPOJPME.EXE with no name and no headers other than this:

Received: from oemcomputer (uu212-190-4-90.unknown.uunet.be [212.190.4.90])
by hermod.hammerofgod.com with SMTP (Microsoft Exchange Internet Mail
Service Version 5.5.2650.21)
 id C3C6PG0J; Fri, 19 Jan 2001 13:55:40 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VEA381QJOHYZWDE7"


Of course my mail system blocked it, but it still pisses me off.  This was
sent directly to me, and the bad part is that they got the email address
from one of the SF lists that I participate in.  Nowhere else have I ever used
this email address.

Thanks!
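
An added example, not part of either message in this thread, of the triage described above: trust only the Received line stamped by your own mail server and record which sender-supplied headers are absent. The function name `triage`, the regex (matched to the Exchange-style Received line quoted above) and the body text are assumptions for illustration; the sample headers are the ones quoted above with their folding whitespace restored.

```python
import re
from email import message_from_string

# Headers as quoted in the message above; the body line is constructed.
SAMPLE = (
    "Received: from oemcomputer (uu212-190-4-90.unknown.uunet.be [212.190.4.90])\n"
    "\tby hermod.hammerofgod.com with SMTP (Microsoft Exchange Internet Mail\n"
    "\tService Version 5.5.2650.21)\n"
    "\tid C3C6PG0J; Fri, 19 Jan 2001 13:55:40 -0500\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="--VEA381QJOHYZWDE7"\n'
    "\n"
    "(constructed body)\n"
)

# RFC 5322 requires Date and From; Message-ID is a SHOULD but normally present.
EXPECTED = ("From", "Date", "Message-ID")

# Assumed layout: "from HELO (RDNS [IP]) ... by RECEIVER"; other MTAs differ.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)", re.S)

def triage(raw, our_mta):
    """Return the hop recorded by our own MTA and the headers the sender omitted."""
    msg = message_from_string(raw)
    trusted = None
    # Received lines are prepended, so the first one stamped by our MTA marks the
    # trust boundary; any Received lines below it came from the sending side.
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(hdr)
        if m and m.group("by").lower() == our_mta.lower():
            # The IP is what our server observed; the HELO name is sender-supplied.
            trusted = {"helo": m.group("helo"), "rdns": m.group("rdns"),
                       "ip": m.group("ip")}
            break
    missing = [h for h in EXPECTED if msg.get(h) is None]
    return {"trusted_hop": trusted, "missing": missing,
            "headerless": "From" in missing and "Date" in missing}

if __name__ == "__main__":
    print(triage(SAMPLE, "hermod.hammerofgod.com"))
```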
