Re: [Full-Disclosure] Swen Really Sucks
From: Joe Stewart (jstewart_at_lurhq.com)
Date: 09/24/03
- Previous message: Nick Price: "Re: [Full-Disclosure] Swen Really Sucks"
- In reply to: Jason Coombs: "[Full-Disclosure] Swen Really Sucks"
- Next in thread: Schmehl, Paul L: "RE: [Full-Disclosure] Swen Really Sucks"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <jasonc@science.org>, <full-disclosure@lists.netsys.com> Date: Wed, 24 Sep 2003 08:50:01 -0400
On Tuesday 23 September 2003 10:49 pm, Jason Coombs wrote:
> and using the "From" address rather than the "From:"
> address for the filter doesn't work, either, because the "From"
> address appears to be a different non-randomized e-mail address,
> possibly the real e-mail address of the infected victim (? haven't
> read any forensic analysis on this point yet...)
The "From" or Return-Path address specified by the MAIL FROM:
transaction in the SMTP session is the real email address of the
infected user, or at least is what they entered on the fake MAPI dialog
that Swen uses to get that information.
-Joe
-- Joe Stewart, GCIH Senior Security Researcher LURHQ Corporation http://www.lurhq.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
- Previous message: Nick Price: "Re: [Full-Disclosure] Swen Really Sucks"
- In reply to: Jason Coombs: "[Full-Disclosure] Swen Really Sucks"
- Next in thread: Schmehl, Paul L: "RE: [Full-Disclosure] Swen Really Sucks"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
