No. All SIMS can do is verify that the domain part of the Return-Path exists and has enough DNS to attempt delivery.

> Quick question about a recent trend in incoming viruses to our network: The following are three different headers from messages that came into my mailbox.
>
> =====================================================================================================
> Return-Path: [EMAIL PROTECTED]
> Received: from [207.241.128.20] (HELO smtp00.journey.com) by atchisonkansas.net (Stalker SMTP Server 1.8b9d14) with ESMTP id S.0000207182 for <[EMAIL PROTECTED]>; Sat, 08 Feb 2003 19:47:30 -0600
> Received: from Dbspa (mkc-24-166-176-56.kc.rr.com [24.166.176.56]) by smtp00.journey.com (Postfix) with SMTP id 2D295246E1 for <[EMAIL PROTECTED]>; Sat, 8 Feb 2003 21:31:18 -0500 (EST)
> From: postmaster <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Returned mail--"Specials"
> MIME-Version: 1.0
> Content-Type: multipart/alternative; boundary=X7J8CX82217
> Message-Id: <[EMAIL PROTECTED]>
> Date: Sat, 8 Feb 2003 21:31:18 -0500 (EST)
> =====================================================================================================
> Return-Path: [EMAIL PROTECTED]
> Received: from [207.241.128.20] (HELO smtp00.journey.com) by atchisonkansas.net (Stalker SMTP Server 1.8b9d14) with ESMTP id S.0000207112 for <[EMAIL PROTECTED]>; Fri, 07 Feb 2003 19:52:37 -0600
> Received: from Iqeciruao (mkc-24-166-176-56.kc.rr.com [24.166.176.56]) by smtp00.journey.com (Postfix) with SMTP id E4ECC246D6 for <[EMAIL PROTECTED]>; Fri, 7 Feb 2003 21:36:24 -0500 (EST)
> From: degatewood <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Sos!
> MIME-Version: 1.0
> Content-Type: multipart/alternative; boundary=M0NZA168KWbY89h9P2l52iNZXP5Hd4
> Message-Id: <[EMAIL PROTECTED]>
> Date: Fri, 7 Feb 2003 21:36:24 -0500 (EST)
> =====================================================================================================
> Return-Path: [EMAIL PROTECTED]
> Received: from [207.241.128.20] (HELO smtp00.journey.com) by atchisonkansas.net (Stalker SMTP Server 1.8b9d14) with ESMTP id S.0000207109 for <[EMAIL PROTECTED]>; Fri, 07 Feb 2003 19:32:25 -0600
> Received: from Sxgwzgw (mkc-24-166-176-56.kc.rr.com [24.166.176.56]) by smtp00.journey.com (Postfix) with SMTP id E77EA24702 for <[EMAIL PROTECTED]>; Fri, 7 Feb 2003 21:16:13 -0500 (EST)
> From: postmaster <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Returned mail--"BACKGROUND"
> MIME-Version: 1.0
> Content-Type: multipart/alternative; boundary=F9P1Q06j638jj20k48i9G7sk8
> Message-Id: <[EMAIL PROTECTED]>
> Date: Fri, 7 Feb 2003 21:16:13 -0500 (EST)
> =====================================================================================================
>
> I know that I have asked something along these lines before, but wanted to make sure that I am not misunderstanding this. If I have SIMS set up to verify return paths, can I assume that the mailbox SIMS says it's coming from is accurate and not spoofed in any way?
It is theoretically possible for an MTA to verify that the address in question is one that a mail server would accept mail for, but even that is a bit problematic to try, and SIMS doesn't try. There is no way for any MTA to positively verify that the Return-Path is in fact the address of the sender.
The Return-Path is iffy, but the Received headers are not.

> The reason I ask is this - at least ONE of these accounts hasn't been used for a very long time, and is coming from a local provider, journey.com. I talked with the woman who owned that mailbox and she said she hasn't used that address in many months. I guess I'm trying to track down and see where these messages are REALLY coming from.
This looks like some variant of Klez, which grabs targets and forged Return-Paths from many places on the infected machine, then uses whatever mail relay is configured on the machine to send mail out. In this case, you can see that the mail came to you from 207.241.128.20, and that machine got the messages from 24.166.176.56. 24.166.176.56 is the Klez-infected machine.
> The attachments vary, from .scr to .bat, but the second file seems to be the same.
Those are the Klez payload.

-- 
Bill Cole [EMAIL PROTECTED]

#############################################################
This message is sent to you because you are subscribed to the mailing list <[EMAIL PROTECTED]>.
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to <[EMAIL PROTECTED]>
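The tracing Bill describes (ignore the Return-Path, walk the Received: chain from the bottom up to the machine that injected the message) can be scripted. The following is an added example written for this thread, not code from the list, from SIMS or from Bill; the header block it parses is constructed from the first set of headers quoted above, with addresses redacted exactly as on the page, and the regular expressions, function names and HELO heuristics are my own choices rather than anything the thread states.

```python
"""Walk the Received: chain of a message to find the machine that injected it.

Added example for the thread above (not list, SIMS or author code). The header
block is constructed from the quoted headers; addresses are redacted as on the page.
"""
import email
import re

SAMPLE_HEADERS = """\
Return-Path: [EMAIL PROTECTED]
Received: from [207.241.128.20] (HELO smtp00.journey.com)
  by atchisonkansas.net (Stalker SMTP Server 1.8b9d14) with ESMTP id S.0000207182
  for <[EMAIL PROTECTED]>; Sat, 08 Feb 2003 19:47:30 -0600
Received: from Dbspa (mkc-24-166-176-56.kc.rr.com [24.166.176.56])
  by smtp00.journey.com (Postfix) with SMTP id 2D295246E1
  for <[EMAIL PROTECTED]>; Sat, 8 Feb 2003 21:31:18 -0500 (EST)
From: postmaster <[EMAIL PROTECTED]>
Subject: Returned mail--"Specials"

"""

# "from <helo> (<comment>) by <host>" covers both forms in the quoted headers:
# Stalker writes "from [ip] (HELO name) by ...", Postfix "from helo (rdns [ip]) by ...".
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hop(value):
    """Return {'helo', 'rdns', 'ip', 'by'} for one Received: header, or None."""
    m = HOP_RE.search(value)
    if not m:
        return None
    helo, paren, by = m.group("helo"), m.group("paren") or "", m.group("by")
    ipm = IP_RE.search(helo + " " + paren)
    ip = ipm.group(1) if ipm else None
    rdns = None
    helo_m = re.match(r"HELO\s+(\S+)", paren, re.I)
    if helo_m:
        helo = helo_m.group(1)           # Stalker puts the HELO name in the comment
    elif paren and not paren.startswith("["):
        rdns = paren.split()[0]          # Postfix puts reverse DNS before [ip]
    if helo.startswith("["):
        helo = None                      # client announced only an address literal
    return {"helo": helo, "rdns": rdns, "ip": ip, "by": by.rstrip(";,")}


def received_chain(raw_headers):
    """Oldest hop first: MTAs prepend Received:, so the last header is the origin."""
    msg = email.message_from_string(raw_headers)
    hops = [h for h in map(parse_hop, msg.get_all("Received", [])) if h]
    hops.reverse()
    return hops


def chain_is_consistent(hops):
    """Each hop's 'by' host should reappear as the next hop's HELO or reverse DNS name.

    A break here means one of the Received: lines was not written by the MTA
    it claims, i.e. part of the chain is forged.
    """
    for lower, upper in zip(hops, hops[1:]):
        names = {n.lower() for n in (upper["helo"], upper["rdns"]) if n}
        if lower["by"].lower() not in names:
            return False
    return True


def helo_flags(hop):
    """Heuristics on the injecting client's HELO name (my own scoring, not SIMS's)."""
    flags = []
    helo, rdns = hop["helo"], hop["rdns"]
    if helo and "." not in helo:
        flags.append("unqualified HELO")      # Dbspa, Iqeciruao, Sxgwzgw in the thread
    if helo and rdns and helo.lower() != rdns.lower():
        flags.append("HELO does not match reverse DNS")
    return flags


def trace_origin(raw_headers):
    """Summarise who injected the message and through which relays it came."""
    hops = received_chain(raw_headers)
    return {
        "origin_ip": hops[0]["ip"],
        "relay_ips": [h["ip"] for h in hops[1:]],
        "chain_consistent": chain_is_consistent(hops),
        "origin_flags": helo_flags(hops[0]),
    }


if __name__ == "__main__":
    print(trace_origin(SAMPLE_HEADERS))
```

Run on the quoted headers, the origin comes out as 24.166.176.56 relayed through 207.241.128.20, the chain is consistent (smtp00.journey.com appears as the `by` host of the inner hop and as the HELO of the outer one), and the inner HELO is flagged as an unqualified name that does not match the client's reverse DNS, which is the pattern all three quoted messages share.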
