RE: [Full-Disclosure] Swen Really Sucks

From: Schmehl, Paul L (pauls_at_utdallas.edu)
Date: 09/25/03

    To: <full-disclosure@lists.netsys.com>
    Date: Thu, 25 Sep 2003 11:27:28 -0500
    
    

    > -----Original Message-----
    > From: Joe Stewart [mailto:jstewart@lurhq.com]
    > Sent: Wednesday, September 24, 2003 7:50 AM
    > To: jasonc@science.org; full-disclosure@lists.netsys.com
    > Cc: secure@microsoft.com
    > Subject: Re: [Full-Disclosure] Swen Really Sucks
    >
    > The "From" or Return-Path address specified by the MAIL FROM:
    > transaction in the SMTP session is the real email address of the
    > infected user, or at least is what they entered on the fake
    > MAPI dialog that Swen uses to get that information.
    >
    Please tell me you don't believe this is true. If you know anything
    about SMTP you know that the MAIL FROM: can be anything you want it to
    be. And Swen certainly forges the sender, as the hundreds of bounces I
    get will testify. There is *nothing* in an SMTP transaction that you
    can rely on except the headers *if* you know how to read headers. If
    you don't, even those will fool you.

    Paul Schmehl (pauls@utdallas.edu)
    Adjunct Information Security Officer
    The University of Texas at Dallas
    AVIEN Founding Member
    http://www.utdallas.edu/~pauls/

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
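Paul's point is that the envelope sender is whatever the sending host chooses to say, and only the Received: headers written by relays you control tell you where a message really entered your infrastructure. As an added example that is not part of the original thread, the Python below walks the Received: chain of a constructed message (all hostnames and addresses are made up) from the newest hop backwards, trusts only the lines your own relays wrote, and reports the injecting host, which does not match the Return-Path at all.

```python
import email
import re
from typing import List, Optional, Tuple

# Constructed sample message (not from the original post). Return-Path and
# From: both claim victim@example.org, but the Received: chain shows the
# mail was handed to the first relay by 198.51.100.77.
SAMPLE = """Return-Path: <victim@example.org>
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.utdallas.example (Postfix) with ESMTP id ABC123
\tfor <pauls@utdallas.example>; Thu, 25 Sep 2003 11:20:01 -0500
Received: from dialup-host (unknown [198.51.100.77])
\tby mx.example.net (Postfix) with SMTP id XYZ789;
\tThu, 25 Sep 2003 11:19:55 -0500
From: <victim@example.org>
To: <pauls@utdallas.example>
Subject: test

body
"""

HOP = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)")
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def envelope_sender(raw: str) -> str:
    """The MAIL FROM address as recorded in Return-Path (sender-controlled)."""
    return email.message_from_string(raw).get("Return-Path", "").strip().strip("<>")


def received_hops(raw: str) -> List[Tuple[str, Optional[str], str]]:
    """(helo_name, peer_ip, receiving_host) per Received: header, oldest first.
    MTAs prepend Received: lines, so the message order is newest first."""
    hops = []
    for hdr in email.message_from_string(raw).get_all("Received", []):
        m = HOP.search(re.sub(r"\s+", " ", hdr))   # unfold continuation lines
        if not m:
            continue
        ip = IPV4.search(m.group(2))               # address the receiver saw
        hops.append((m.group(1), ip.group(1) if ip else None, m.group(3)))
    return list(reversed(hops))


def injection_point(raw: str, our_hosts: set, our_ips: set) -> Optional[str]:
    """Walk newest hop backwards; stop at the first hop not written by a
    relay we run. The peer IP of the last trusted hop is the real source."""
    for _helo, ip, by in reversed(received_hops(raw)):
        if by not in our_hosts:        # header forged or written by a stranger
            break
        if ip not in our_ips:          # first hop that came from outside
            return ip
    return None
```

The HELO name in each hop is also sender-supplied, which is why the trust decision above keys on the receiving host and the peer address the receiver recorded.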

