Virus or what?

Author: Nathan England
Date:  
Subject: Virus or what?

In my shop it has been my experience that Klez infections can be tracked back
to the person who is sending it out. My shop machine was getting hit about 30
times a day. Viewing the <return-path> in the headers always showed the same
name, but the From: was different every time.
Then it all stopped. For a few days we didn't get hit, and assumed the machine
had been cleaned.
That day, while working on a computer with a Klez infection, I found that the
Reply-To: in his Outlook setup was the same as the Return-Path in the mails I
was getting. We had called the ISP but they had no record of that email
address, because it had been misspelled and he wasn't receiving replies from
people, which was the reason the machine was in.

I kept track of other Return-Paths in messages and found all but a couple were
traceable and we got rid of them. A couple more must have been misspelled
again.

<snip clipping from source of this message>
Return-Path: <>
Received: from localhost (localhost [127.0.0.1])
	by fallout.the-arcanum.org (8.12.4/8.12.4) with ESMTP id
</snip>

The message I am replying to is from Victor Odhner, but the return path is


So far it's worked for me. And Klez seems to be on the rise again.
At least in Payson.

nathan


On Thursday 21 November 2002 23:22, Victor Odhner wrote:
> Hi, Cliff.
>
> cliff rogers wrote:
> > The virus software on InterLogic Graphics & Marketing's (ILGM),
> > the server that manages mail for <mailto:xxx@xxx.xxx>
> > has reported that you sent an e-mail to
> > <mailto:xxx@xxx.xxx>, containing the :
> > W32/Klez.H@mm virus in the PCT.exe attachment. The subject of
> > the E-mail was "A very funny website".
>
> The Klez worm looks in the address books of machines it
> has invaded, and randomly selects addresses to use as
> the "From" address of the messages it sends out. This
> is done randomly, and it also varies the subject lines.
> So all you can know is that SOMEBODY who had you in their
> address book got hit by the Klez worm.
>
> Klez exploits a bug in IE5 whose fix has been available
> for a long time. Of course Klez can't infect a Linux box.
>
> In fact, I don't think it can hit you if you avoid using
> IE5 for browsing and are not using Microsoft mail clients
> (since these use IE if they receive an HTML e-mail
> message).
>
> I have gotten a million Klez messages on the Linux system
> where I have one of my e-mail accounts, and of course
> these worms are just data outside the Windows world.
> I think Cox.net must be filtering out Klez messages
> directed to the address I'm using for mailing lists,
> since I haven't seen any on this account (which I read
> with Mozilla on Win98).
>
> Vic
>
> http://members.cox.net/vodhner/
>    -- or --
> http://www.newearth.org/~victor/resume.html

> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss


-- 
Nathan England

plug at the-arcanum.org
jabber id:

"A free society is one where it is safe to be unpopular."
--Adlai Stevenson


-----------------------------------------------------------------

Registered Linux User #189789, Machine #106603
www.sincerechoice.org

Spam related material will be forwarded to:
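The tracking approach Nathan describes, a Return-Path that stays the same while the forged From: changes with every message, can be automated over a mailbox. The script below is an added example, not code from the original post or the PLUG list; the messages it parses are constructed samples using reserved example and .invalid domains, and the function names are my own. It groups messages by envelope sender, ignores the null sender `<>` (a bounce, as in the snipped headers above, points at nobody), and reports envelope senders seen behind several different From: addresses.

```python
"""Group worm mail by its envelope sender (Return-Path) while From: varies.

Added example (not from the original post). Sample messages below are
constructed; addresses use reserved example/invalid domains.
"""
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

# Constructed raw messages: three carry the same Return-Path with a different
# forged From: each time, one is ordinary mail whose envelope and From: agree,
# and one is a bounce with the null Return-Path "<>".
SAMPLE_MESSAGES = [
    "Return-Path: <shopowner@example-isp.invalid>\n"
    "From: alice@example.org\n"
    "To: victim@example.net\n"
    "Subject: A very funny website\n\n"
    "body\n",
    "Return-Path: <shopowner@example-isp.invalid>\n"
    "From: Bob <bob@example.com>\n"
    "To: victim@example.net\n"
    "Subject: a special new game\n\n"
    "body\n",
    "Return-Path: <shopowner@example-isp.invalid>\n"
    "From: carol@example.net\n"
    "To: victim@example.net\n"
    "Subject: A very funny website\n\n"
    "body\n",
    "Return-Path: <friend@example.com>\n"
    "From: friend@example.com\n"
    "To: victim@example.net\n"
    "Subject: lunch?\n\n"
    "body\n",
    "Return-Path: <>\n"
    "From: MAILER-DAEMON@mail.example.net\n"
    "To: victim@example.net\n"
    "Subject: Undelivered Mail Returned to Sender\n\n"
    "body\n",
]


def _address(header_value):
    """Bare, lower-cased address from a header; '' for a missing header or '<>'."""
    _name, addr = parseaddr(header_value or "")
    return addr.strip("<>").lower()


def group_by_return_path(raw_messages):
    """Map each non-empty Return-Path to the set of From: addresses seen under it.

    The null sender '<>' marks a bounce rather than an origin, so those
    messages are skipped instead of being grouped under an empty key.
    """
    groups = defaultdict(set)
    for raw in raw_messages:
        msg = message_from_string(raw)
        return_path = _address(msg.get("Return-Path"))
        if not return_path:
            continue
        groups[return_path].add(_address(msg.get("From")))
    return dict(groups)


def suspected_origins(raw_messages, min_distinct_from=2):
    """Return-Paths seen with at least `min_distinct_from` different From: addresses.

    One fixed envelope sender behind many forged From: lines is the pattern
    the post describes; each hit is a candidate machine to inspect, not proof.
    """
    groups = group_by_return_path(raw_messages)
    return sorted(rp for rp, froms in groups.items()
                  if len(froms) >= min_distinct_from)


if __name__ == "__main__":
    for rp, froms in group_by_return_path(SAMPLE_MESSAGES).items():
        print(f"{rp}: {len(froms)} distinct From: address(es)")
    print("suspected origins:", suspected_origins(SAMPLE_MESSAGES))
```

Return-Path is only the envelope sender the last receiving MTA recorded, and it can be forged just as easily as From:, so a hit from this grouping is a lead to corroborate against the Received: chain (the connecting host in the earliest trustworthy Received: line) before contacting an ISP, exactly as the post does by matching the address against the infected machine's Reply-To setting.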