Dear Andy,

That is not true. Far from it. It spoofs both. The From in the envelope is right in that it uses the right MX server for the domain in question.
For a LONG time we had one client that got daily notifications claiming he sent viruses. However, the senders were from aol, comcast, roadrunner and a few other ISPs. This client's SINGLE computer was virus clean and he's not smart enough to configure his mail on any other machine.

Thursday, May 02, 2002, 11:10:24 AM, you wrote:

AS> Actually Scott - DECLUDE is much smarter than you give it credit for.
AS> In ALL of my many daily KLEZ encounters I have found the following to be
AS> true:
AS> a) the Message Header "FROM:" is false
AS> b) the Envelope "FROM:" always uses an email address that matches the host
AS> in the first RECEIVED line.
AS> Here is a sample from a few minutes ago:
AS> Header From: [EMAIL PROTECTED]
AS> Envelope From: [EMAIL PROTECTED]
AS> Their Server: hbci.com [206.230.105.5] for hbci.com
AS> Message ID: <[EMAIL PROTECTED]>
AS> I have YET to receive ONE complaint about one of the KLEZ notifications. So
AS> I'm pretty confident that the Envelope From may contain the TRUE email
AS> address of the infected user.
AS> -----Original KLEZ Message Headers-----
AS> Received: from mailserv.hbci.com [206.230.105.5] by hm-software.com with
AS> ESMTP
AS> (SMTPD32-7.07) id A21C3B000C0; Thu, 02 May 2002 11:58:20 -0400
AS> Received: from Zoun (m-0-242.docsis.hbci.com [64.213.219.242] (may be
AS> forged))
AS> by mailserv.hbci.com (Switch-2.1.1/Switch-2.1.0) with SMTP id g42FqMi00603
AS> for <[EMAIL PROTECTED]>; Thu, 2 May 2002 10:52:23 -0500 (CDT)
AS> Date: Thu, 2 May 2002 10:52:23 -0500 (CDT)
AS> Message-Id: <[EMAIL PROTECTED]>
AS> From: jnban <[EMAIL PROTECTED]>
AS> To: [EMAIL PROTECTED]
AS> Subject: Worm Klez.E immunity
AS> MIME-Version: 1.0
AS> Content-Type: multipart/alternative;
AS> boundary=A8IV6z39Y8a42788G4e5
AS> -----Original Message-----
AS> From: [EMAIL PROTECTED]
AS> [mailto:[EMAIL PROTECTED]]On Behalf Of R. Scott Perry
AS> Sent: Thursday, May 02, 2002 12:00 PM
AS> To: [EMAIL PROTECTED]
AS> Subject: Re: [Declude.Virus] Klez.h
AS> >>Hi, how do I tell where the Klez.h is really coming from? Thanks.
AS> The only way to know for sure is to check the first Received: header to see
AS> the IP address that it was sent from. To find the user it came from, you
AS> would need to find someone responsible for the IP address it came from, and
AS> hope that they can track down the user.
AS> -Scott
AS> ---
AS> [This E-mail was scanned for viruses by Declude Virus
AS> (http://www.declude.com)]
AS> This E-mail came from the Declude.Virus mailing list. To
AS> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
AS> type "unsubscribe Declude.Virus". You can E-mail
AS> [EMAIL PROTECTED] for assistance. You can visit our web
AS> site at http://www.declude.com .

Best regards,
Eje Gustafsson
mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network
http://www.fament.com
Phone : 620-231-7777
Fax : 620-231-4066
eBay UserID : macahan
- Your Full Time Professionals -
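An added example (my own code, not part of the thread or of Declude) of the check Scott describes: walk the Received: chain from the bottom to find the hop that actually handed the message in, and report that alongside the From: header and envelope sender instead of trusting the From:. The sample headers are constructed from the ones quoted above, with placeholder mailbox names.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the Klez headers quoted above; the mailbox
# names are placeholders, the hosts and IPs are the ones in the quoted headers.
SAMPLE = """\
Return-Path: <someone@hbci.com>
Received: from mailserv.hbci.com [206.230.105.5] by hm-software.com with ESMTP
 (SMTPD32-7.07) id A21C3B000C0; Thu, 02 May 2002 11:58:20 -0400
Received: from Zoun (m-0-242.docsis.hbci.com [64.213.219.242] (may be forged))
 by mailserv.hbci.com (Switch-2.1.1/Switch-2.1.0) with SMTP id g42FqMi00603
 for <victim@example.net>; Thu, 2 May 2002 10:52:23 -0500 (CDT)
Date: Thu, 2 May 2002 10:52:23 -0500 (CDT)
From: jnban <jnban@example.org>
To: victim@example.net
Subject: Worm Klez.E immunity

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_RE = re.compile(r"^from\s+(\S+)")


def analyse(raw):
    """Return the origin-hop evidence a postmaster should act on."""
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    # Each relay prepends its own Received: line, so the last one in the
    # header block is the earliest hop: the host that handed the mail in.
    # Unfold it (continuation lines start with whitespace) before matching.
    origin = " ".join((received[-1] if received else "").split())
    ips = IP_RE.findall(origin)
    helo = HELO_RE.match(origin)
    header_from = parseaddr(msg.get("From", ""))[1]
    from_domain = header_from.rpartition("@")[2].lower()
    return {
        "hops": len(received),
        "header_from": header_from,
        "envelope_from": parseaddr(msg.get("Return-Path", ""))[1],
        "helo": helo.group(1) if helo else None,
        "origin_ip": ips[0] if ips else None,
        # The receiving MTA could not confirm the HELO name against rDNS.
        "forged_helo": "may be forged" in origin,
        # If the From: domain appears nowhere in the origin hop, the From:
        # header is no evidence of who is infected; notify the origin IP's owner.
        "header_from_matches_origin": bool(from_domain) and from_domain in origin.lower(),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key}: {value}")
```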
