On Fri, 29 Aug 2003, Christian Huitema wrote:

> >> Can't we just hack the mailman configs to dump mails with X-sender value
> >> of outlook or outlook express? That would solve the problem, no;)
> >
> > Well, the only problem with that idea is that we explicitly do *NOT* have
> > a "Your clue must be ->THIS<- tall to ride the IETF list" policy... ;)
>
> The Sobig worm includes its own SMTP code, and places arbitrary values
> in the header fields.

You mean to say that there is a full MTA tucked away in there?

> The source address is forged, and so are various
> other fields, including X-Mailer.

Perhaps you misunderstood my intentions. My intentions associated with this post had nothing to do with the worm.

> The worm finds target source and
> destination addresses by reading files on the user's disk, not by using
> a specific Outlook or OE API. It propagates by "social engineering",
> when users open some executable attachments.

Since when is social engineering a desktop activity? The last time I checked, social engineering was along the lines of thank you for the shiny new job, now I'm going to hide a rogue server on your network.

> User can do click on
> attachments with many mailers, not just Outlook and OE. In fact, the
> latest versions of Outlook automatically strip such attachments.
>

I'm glad I don't have to click on my mail.

> -- Christian Huitema
>
>

sleekfreak pirate broadcast world tour 2002-3
live from the pirate hideout
http://sleekfreak.ath.cx:81/