In my shop it has been my experience that Klez infections can be tracked back
to the person who is sending it out. My shop machine was getting hit about 30
times a day. Viewing the in the headers always showed the same
name, but the From: was different every time.

Then it all stopped. For a few days we didn't get hit, and assumed the machine
had been cleaned.

That day, while working on a computer with a Klez infection, I found that the
Reply-To: in his Outlook setup was the same as the Return-Path in the mails I
was getting. We had called the ISP but they had no record of that email
address, because it had been misspelled and he wasn't receiving replies from
people, which was the reason the machine was in.

I kept track of other Return-Paths in messages and found all but a couple were
traceable and we got rid of them. A couple more must have been misspelled
again.

Return-Path:
Received: from localhost (localhost [127.0.0.1])
        by fallout.the-arcanum.org (8.12.4/8.12.4) with ESMTP id

The message I am replying to is from Victor Odhner, but the Return-Path is
plug-discuss-admin@lists.plug.phoenix.az.us

So far it's worked for me. And Klez seems to be on the rise again. At least in Payson.

nathan

On Thursday 21 November 2002 23:22, Victor Odhner wrote:
> Hi, Cliff.
>
> cliff rogers wrote:
> > The virus software on InterLogic Graphics & Marketing's (ILGM),
> > the server that manages mail for xxx@xxx.xxx
> > has reported that you sent an e-mail to
> > xxx@xxx.xxx , containing the :
> > W32/Klez.H@mm virus in the PCT.exe attachment. The subject of
> > the E-mail was "A very funny website".
>
> The Klez worm looks in the address books of machines it
> has invaded, and randomly selects addresses to use as
> the "From" address of the messages it sends out. This
> is done randomly, and it also varies the subject lines.
> So all you can know is that SOMEBODY who had you in their
> address book got hit by the Klez worm.
>
> Klez exploits a bug in IE5 whose fix has been available
> for a long time. Of course Klez can't infect a Linux box.
>
> In fact, I don't think it can hit you if you avoid using
> IE5 for browsing and are not using Microsoft mail clients
> (since these use IE if they receive an HTML e-mail
> message).
>
> I have gotten a million Klez messages on the Linux system
> where I have one of my e-mail accounts, and of course
> these worms are just data outside the Windows world.
> I think Cox.net must be filtering out Klez messages
> directed to the address I'm using for mailing lists,
> since I haven't seen any on this account (which I read
> with Mozilla on Win98).
>
> Vic
>
> http://members.cox.net/vodhner/
> -- or --
> http://www.newearth.org/~victor/resume.html
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

-- 
Nathan England
plug at the-arcanum.org
jabber id: linuxjunkie@jabber.earth.li

"A free society is one where it is safe to be unpopular."
--Adlai Stevenson
-----------------------------------------------------------------
Registered Linux User #189789, Machine #106603
www.sincerechoice.org
Spam related material will be forwarded to: uce@ftc.gov
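The tracing method described in the post above (group incoming worm mail by the stable Return-Path rather than the forged From: header) can be automated. The following is an added Python example, not code from the post or the mailing list; the message headers and addresses in it are constructed samples.

```python
# Added example: group worm-generated mail by Return-Path, the header the
# post above found stable, while the From: header varies per message.
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not from the original post). Three share a
# Return-Path but carry different forged From: addresses; one is a normal
# list message whose Return-Path is the list's admin address.
SAMPLE_MESSAGES = [
    "Return-Path: <user1@isp.example>\nFrom: alice@example.org\n"
    "Subject: A very funny website\n\nbody\n",
    "Return-Path: <user1@isp.example>\nFrom: carol@example.com\n"
    "Subject: Hi\n\nbody\n",
    "Return-Path: <user1@isp.example>\nFrom: dave@example.net\n"
    "Subject: Re: your password\n\nbody\n",
    "Return-Path: <list-admin@example.org>\nFrom: vic@example.org\n"
    "Subject: Re: klez\n\nbody\n",
]


def bare_address(header_value):
    """Strip display name and angle brackets: '<a@b>' -> 'a@b'."""
    return parseaddr(header_value or "")[1].lower()


def group_by_return_path(raw_messages):
    """Map each Return-Path to the set of From: addresses seen with it."""
    groups = defaultdict(set)
    for raw in raw_messages:
        msg = message_from_string(raw)
        rp = bare_address(msg.get("Return-Path"))
        groups[rp].add(bare_address(msg.get("From")))
    return dict(groups)


def likely_infected_origins(raw_messages, min_distinct_from=2):
    """Return-Paths seen with several different From: values.

    One envelope sender behind many forged From: headers is the pattern
    the post describes; treat the result as a lead to raise with the ISP,
    not proof, since Return-Path can itself be set to anything.
    """
    groups = group_by_return_path(raw_messages)
    return {rp: len(froms) for rp, froms in groups.items()
            if len(froms) >= min_distinct_from}


if __name__ == "__main__":
    for rp, n in likely_infected_origins(SAMPLE_MESSAGES).items():
        print(f"{rp}: {n} distinct forged From: addresses")
```

On a real mailbox, feed the function the raw text of each message (for example from an mbox split on "From " lines) instead of the constructed list.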