Linux Users' Group of Davis
Page last updated: 2002 Jun 20 21:09

The following is an archive of a post made to our 'vox mailing list' by one of its subscribers.


Re: [vox] Spam question

I really think that it is probably the Klez worm.
One of the best antivirus sites is run by Trend.

Link to the Klez virus
Look in the Tech Details tab for details.

The problem with the Klez virus is that the original
sender is only located in the Envelope From field.
There are some email systems that will strip this
information (Exchange) and use the forged header info,
so that you will not see it.  The NDR will read the
forged name and bounce the email back to you.  I am
fortunate in that I block executable type attachments
and I have a front end system before it gets to my
Exchange server.

If the NDR has the original message then you can
compare it to the Tech Details description of possible
subj lines and see if it is Klez or one of its

I get 10-20 bounces a day at work and my counterpart at
the bigger division gets LOTS more.

The header info of the NDR will only have the path from
the postmaster of the system sending you the notice.

Klez harvests email addresses from 

On Thu, 20 June 2002, Nicole Carlson wrote

> Hi guys
> Thanks a bunch for the help.
> I looked up the info on the Klez worm and, much as I'd like to believe
> that that's what it is, it doesn't seem to match.  So I must conclude that
> some bastard is using my e-mail as a return address.  This pisses me off.
> :(  I've alerted the guy who runs my alias, hopefully he won't yank it.
> Anyhoo.  Here's one of the headers, per Rod's request; I did an nslookup
> on the origin IPs, and they match.  If there's any other tricks, I'd love
> to hear them.
> Return-Path: <MAILER-DAEMON>
> Received: from millard.ucdavis.edu (millard.ucdavis.edu [])
>         by pop10.ucdavis.edu (8.11.4/8.11.0/IT4.6.0) with ESMTP id g5K6nvK01664
>         for <nnicole@scarlet.ucdavis.edu>; Wed, 19 Jun 2002 23:49:57 -0700 (PDT)
> Received: from ussenterprise.ufp.org
>     [])
>         by millard.ucdavis.edu (8.11.4/8.11.0/IT4.6.1) with ESMTP id g5K6nva11006
>         for <nmcarlson@ucdavis.edu>; Wed, 19 Jun 2002 23:49:57 -0700 (PDT)
> Received: from hotmail.com (mc2-s5.law16.hotmail.com
>         by ussenterprise.ufp.org (8.11.1/8.11.1) with
> g5K6ncJ12077
>         for <ana.ng@tmbg.org>; Thu, 20 Jun 2002 02:49:45 -0400 (EDT)
> From: postmaster@mail.hotmail.com
> To: ana.ng@tmbg.org
> Date: Wed, 19 Jun 2002 23:47:10 -0700
> MIME-Version: 1.0
> Content-Type: multipart/report;
> Message-ID: <GtS79AX7U000026b8@hotmail.com>
> Subject: Delivery Status Notification (Failure)
> FWIW: ana.ng@tmbg.org is my alias; ussenterprise.ufp.org is the server
> that translates alias->real address
> Thanks
> --n twn
> ***
> "If you decided to sell your happiness, for how much would you sell it?"
> --Moxy Fruvous
> Visit Nicolopolis!
> nmcarlson@ucdavis.edu ana.ng@tmbg.org
> _______________________________________________
> vox mailing list
> vox@lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox
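The point made in the reply above, that a bounce's Received chain only shows the path from the MTA that generated the notice to you, and that the header From is worthless for finding the real sender, can be checked mechanically. The script below is an added example, not code from the thread or from LUGOD: it walks the Received headers of a bounce in transit order, pulls the envelope sender from Return-Path, and flags the message as a delivery report. The sample NDR is constructed, modelled on the headers quoted in the thread; the bracketed IPs are RFC 5737 documentation placeholders standing in for the addresses the archive lost, and the body is a stub.

```python
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample bounce, modelled on the headers quoted in the thread.
# IPs are documentation placeholders (192.0.2.0/24), not the real ones.
SAMPLE_NDR = """\
Return-Path: <MAILER-DAEMON>
Received: from millard.ucdavis.edu (millard.ucdavis.edu [192.0.2.10])
        by pop10.ucdavis.edu (8.11.4/8.11.0/IT4.6.0) with ESMTP id g5K6nvK01664
        for <nnicole@scarlet.ucdavis.edu>; Wed, 19 Jun 2002 23:49:57 -0700 (PDT)
Received: from ussenterprise.ufp.org (ussenterprise.ufp.org [192.0.2.20])
        by millard.ucdavis.edu (8.11.4/8.11.0/IT4.6.1) with ESMTP id g5K6nva11006
        for <nmcarlson@ucdavis.edu>; Wed, 19 Jun 2002 23:49:57 -0700 (PDT)
Received: from hotmail.com (mc2-s5.law16.hotmail.com [192.0.2.30])
        by ussenterprise.ufp.org (8.11.1/8.11.1) with ESMTP id g5K6ncJ12077
        for <ana.ng@tmbg.org>; Thu, 20 Jun 2002 02:49:45 -0400 (EDT)
From: postmaster@mail.hotmail.com
To: ana.ng@tmbg.org
Date: Wed, 19 Jun 2002 23:47:10 -0700
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b"
Message-ID: <GtS79AX7U000026b8@hotmail.com>
Subject: Delivery Status Notification (Failure)

--b
Content-Type: text/plain

(stub bounce text)
--b--
"""

# "from <helo> (<reverse-dns [ip]>) ... by <receiving-mta>" as sendmail writes it
HOP_RE = re.compile(
    r"^from\s+(?P<from>\S+)(?:\s+\((?P<peer>[^)]*)\))?.*?\sby\s+(?P<by>\S+)"
)


def received_hops(raw):
    """Parse Received headers into hops, oldest first.

    Each hop is a dict: 'from' (what the sender called itself), 'peer'
    (reverse DNS and IP as recorded by the receiver), 'by' (the MTA that
    added the header) and 'when' (the receiver's timestamp, or None).
    """
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.match(flat)
        if not m:
            continue
        when = None
        if ";" in flat:
            ts = flat.rsplit(";", 1)[1].strip()
            ts = re.sub(r"\s*\(.*?\)\s*$", "", ts)  # drop trailing "(PDT)"
            when = parsedate_to_datetime(ts)
        hops.append({"from": m["from"], "peer": m["peer"] or "",
                     "by": m["by"], "when": when})
    hops.reverse()  # each MTA prepends, so the top header is the last hop
    return hops


def envelope_sender(raw):
    """Return-Path as recorded by the final MTA; '' for the null sender."""
    msg = email.message_from_string(raw)
    return parseaddr(msg.get("Return-Path", ""))[1]


def is_bounce(raw):
    """A delivery report arrives from the null/MAILER-DAEMON envelope sender."""
    msg = email.message_from_string(raw)
    return (envelope_sender(raw) in ("", "MAILER-DAEMON")
            and msg.get_content_type() == "multipart/report")


def notifying_mta(raw):
    """The first hop's 'from' is the system that generated the notice,
    not the host that injected the forged original."""
    hops = received_hops(raw)
    return hops[0]["from"] if hops else None


def trace(raw):
    """Human-readable summary: untrusted From, envelope sender, then hops."""
    msg = email.message_from_string(raw)
    lines = [f"header From : {msg['From']}  (forgeable, do not trust)",
             f"envelope    : {envelope_sender(raw) or '<>'}"]
    for i, h in enumerate(received_hops(raw), 1):
        lines.append(f"hop {i}: {h['from']} ({h['peer']}) -> {h['by']} at {h['when']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(trace(SAMPLE_NDR))
    print("bounce:", is_bounce(SAMPLE_NDR), "notice came from:", notifying_mta(SAMPLE_NDR))
```

On the sample, the chain starts at hotmail.com and ends at pop10.ucdavis.edu; nothing in it identifies the machine that sent the worm mail with the forged return address. That evidence, if it exists at all, is in the original message attached inside the multipart/report body, which is why the reply suggests comparing that attached message against the published list of subject lines.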
LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.