HEADERS?

From: Fred Cisin <cisin_at_xenosoft.com>
Date: Tue Jul 30 21:55:00 2002

> At 07:29 PM 7/30/2002 -0700, Fred Cisin (XenoSoft) wrote:
> >Can somebody more familiar with such confirm whether that is indeed
> >Richard Erlacher's machine that sent the following copy of Klez? (Headers
> >only follow)

On Tue, 30 Jul 2002, John Foust wrote:
> One trick of Klez is that it harvests e-mail addresses
> from your mailboxes and uses them to spoof the From: line,
> in order to make it seem (on casual inspection) that
> person has the virus. They don't. Someone who received
> mail from Erlacher (perhaps a list subscriber) has Klez.

NO. PLEASE look again. Dick's address is in the RETURN PATH line, NOT
the FROM line! It appears that Dick's computer is the one with
Klez, and it put a false FROM: of JPLCSCH_at_aol.com

MOST varieties of Klez put a bogus FROM:, but leave the
Return-Path: intact.



Return-Path: <edick_at_idcomm.com>
Received: from mailhost.idcomm.com (mailhost.idcomm.com [207.40.196.14])
        by lmi.net (8.8.8/8.8.7) with ESMTP id TAA05488
        for <cisin_at_xenosoft.com>; Tue, 30 Jul 2002 19:17:42 -0700 (PDT)
Received: from Dqza (dsl-res156.idcomm.com [216.98.199.156])
        by mailhost.idcomm.com (8.10.2/8.10.0) with SMTP id g6V2HSJ01036
        for <cisin_at_xenosoft.com>; Tue, 30 Jul 2002 20:17:29 -0600
Date: Tue, 30 Jul 2002 20:17:29 -0600
Message-Id: <200207310217.g6V2HSJ01036_at_mailhost.idcomm.com>
From: JPLCSCH <JPLCSCH_at_aol.com>
To: cisin_at_xenosoft.com
Subject: Dialog under
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary=Q37LE02W0269aCiF037Kl967jS3g6
Received on Tue Jul 30 2002 - 21:55:00 BST
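
The comparison argued in the message above (envelope sender against From:, then the earliest Received: hop), as an added example that is not part of the original post. The header lines are copied from the message with the archive's "_at_" obfuscation kept and the Date, Message-Id and MIME lines left out; the function names and the regular expression are this example's own.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Copied from the message above; "_at_" is the archive's address obfuscation.
RAW = """\
Return-Path: <edick_at_idcomm.com>
Received: from mailhost.idcomm.com (mailhost.idcomm.com [207.40.196.14])
        by lmi.net (8.8.8/8.8.7) with ESMTP id TAA05488
        for <cisin_at_xenosoft.com>; Tue, 30 Jul 2002 19:17:42 -0700 (PDT)
Received: from Dqza (dsl-res156.idcomm.com [216.98.199.156])
        by mailhost.idcomm.com (8.10.2/8.10.0) with SMTP id g6V2HSJ01036
        for <cisin_at_xenosoft.com>; Tue, 30 Jul 2002 20:17:29 -0600
From: JPLCSCH <JPLCSCH_at_aol.com>
To: cisin_at_xenosoft.com
Subject: Dialog under
"""

# sendmail-style hop: from <HELO name> (<reverse DNS> [<IP>]) by <receiving host>
HOP = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]\)\s+by\s+(\S+)")

def domain(header_value):
    """Domain part of an address header, undoing the archive's obfuscation."""
    addr = parseaddr(header_value.replace("_at_", "@"))[1]
    return addr.rpartition("@")[2].lower()

def analyse(raw):
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append(dict(zip(("helo", "rdns", "ip", "by"), m.groups())))
    # Each relay prepends its line, so the last Received: is the earliest hop.
    origin = hops[-1] if hops else None
    env = domain(msg.get("Return-Path", ""))
    hdr = domain(msg.get("From", ""))
    return {
        "envelope_domain": env,
        "from_domain": hdr,
        "from_matches_envelope": env == hdr,
        "origin": origin,
        "origin_in_envelope_domain":
            bool(origin) and origin["rdns"].lower().endswith("." + env),
        "helo_matches_rdns":
            bool(origin) and origin["helo"].lower() == origin["rdns"].lower(),
    }

if __name__ == "__main__":
    print(analyse(RAW))
```

Only the Received: line written by the recipient's own server (lmi.net here) is fully under the recipient's control; the lines below it are only as reliable as the relays that wrote them.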
