Mailing List SIMS@mail.stalker.com Message #12494
From: Bill Cole <listbill@scconsult.com>
Subject: Re: Verifying return-paths
Date: Mon, 10 Feb 2003 14:33:59 -0500
To: SIMS Discussions <SIMS@mail.stalker.com>
At 9:55 AM -0600 2/10/03, Chris Wagner imposed structure on a stream of electrons, yielding:
Quick question about a recent trend in incoming viruses to our network:

The following are three different headers from messages that came into my
mailbox.

=====================================================================================================

Return-Path: ahcc@journey.com
Received: from [207.241.128.20] (HELO smtp00.journey.com)
 by atchisonkansas.net (Stalker SMTP Server 1.8b9d14)
 with ESMTP id S.0000207182 for <ismgr@atchisonkansas.net>; Sat, 08 Feb 2003
19:47:30 -0600
Received: from Dbspa (mkc-24-166-176-56.kc.rr.com [24.166.176.56])
   by smtp00.journey.com (Postfix) with SMTP id 2D295246E1
   for <ismgr@atchisonkansas.net>; Sat,  8 Feb 2003 21:31:18 -0500 (EST)
From: postmaster <postmaster@atchisonkansas.net>
To: ismgr@atchisonkansas.net
Subject: Returned mail--"Specials"
MIME-Version: 1.0
Content-Type: multipart/alternative;
   boundary=X7J8CX82217
Message-Id: <20030209023118.2D295246E1@smtp00.journey.com>
Date: Sat,  8 Feb 2003 21:31:18 -0500 (EST)

=====================================================================================================

Return-Path: brindom@journey.com
Received: from [207.241.128.20] (HELO smtp00.journey.com)
 by atchisonkansas.net (Stalker SMTP Server 1.8b9d14)
 with ESMTP id S.0000207112 for <ismgr@atchisonkansas.net>; Fri, 07 Feb 2003
19:52:37 -0600
Received: from Iqeciruao (mkc-24-166-176-56.kc.rr.com [24.166.176.56])
   by smtp00.journey.com (Postfix) with SMTP id E4ECC246D6
   for <ismgr@atchisonkansas.net>; Fri,  7 Feb 2003 21:36:24 -0500 (EST)
From: degatewood <degatewood@medicalodges.com>
To: ismgr@atchisonkansas.net
Subject: Sos!
MIME-Version: 1.0
Content-Type: multipart/alternative;
   boundary=M0NZA168KWbY89h9P2l52iNZXP5Hd4
Message-Id: <20030208023624.E4ECC246D6@smtp00.journey.com>
Date: Fri,  7 Feb 2003 21:36:24 -0500 (EST)

=====================================================================================================

Return-Path: fccatch@journey.com
Received: from [207.241.128.20] (HELO smtp00.journey.com)
 by atchisonkansas.net (Stalker SMTP Server 1.8b9d14)
 with ESMTP id S.0000207109 for <ismgr@atchisonkansas.net>; Fri, 07 Feb 2003
19:32:25 -0600
Received: from Sxgwzgw (mkc-24-166-176-56.kc.rr.com [24.166.176.56])
   by smtp00.journey.com (Postfix) with SMTP id E77EA24702
   for <ismgr@atchisonkansas.net>; Fri,  7 Feb 2003 21:16:13 -0500 (EST)
From: postmaster <postmaster@atchisonkansas.net>
To: ismgr@atchisonkansas.net
Subject: Returned mail--"BACKGROUND"
MIME-Version: 1.0
Content-Type: multipart/alternative;
   boundary=F9P1Q06j638jj20k48i9G7sk8
Message-Id: <20030208021613.E77EA24702@smtp00.journey.com>
Date: Fri,  7 Feb 2003 21:16:13 -0500 (EST)

=====================================================================================================

I know that I have asked something along these lines before, but wanted to
make sure that I am not misunderstanding this.

If I have SIMS setup to verify return paths, can I assume that the mailbox
SIMS says it's coming from is accurate and not spoofed in any way?

No. All SIMS can do is verify that the domain part of the Return-Path exists and has enough DNS to attempt delivery.

It is theoretically possible for an MTA to verify that the address in question is one that a mail server would accept mail for, but even that is a bit problematic to try, and SIMS doesn't try. There is no way for any MTA to positively verify that the Return-Path is in fact the address of the sender.

The reason I ask is this - at least ONE of these accounts hasn't been used
for a very long time, and is coming from a local provider, journey.com.

I talked with the woman who owned that mailbox and she said she hasn't used
that address in many months.

I guess I'm trying to track down and see where these messages are REALLY
coming from.

The Return-Path is iffy, but the Received headers are not.

This looks like some variant of Klez, which grabs targets and forged Return-Paths from many places on the infected machine, then uses whatever mail relay is configured on the machine to send mail out. In this case, you can see that the mail came to you from 207.241.128.20, and that machine got the messages from 24.166.176.56. 24.166.176.56 is the Klez-infected machine.

The attachments vary, from .scr to .bat, but the second file seems to be the
same.

Those are the Klez payload.
--
Bill Cole
bill@scconsult.com
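Added example, not code from SIMS or from anyone on this list: it walks the Received chain of the first header block quoted above the way Bill does, recovering each hop's sending IP, reverse-DNS name, HELO name and receiving host, and shows that Return-Path yields nothing more than a domain. The function names `parse_hop`, `trace`, `origin` and `return_path_domain` are mine, and the sample is a constructed copy of the quoted headers with the wrapped date line re-folded.

```python
import re
from email import message_from_string

# Constructed sample: the first header block quoted above, trimmed to the
# headers that matter and with the wrapped date line re-folded so it parses.
SAMPLE = """\
Return-Path: ahcc@journey.com
Received: from [207.241.128.20] (HELO smtp00.journey.com)
 by atchisonkansas.net (Stalker SMTP Server 1.8b9d14)
 with ESMTP id S.0000207182 for <ismgr@atchisonkansas.net>; Sat, 08 Feb 2003
 19:47:30 -0600
Received: from Dbspa (mkc-24-166-176-56.kc.rr.com [24.166.176.56])
   by smtp00.journey.com (Postfix) with SMTP id 2D295246E1
   for <ismgr@atchisonkansas.net>; Sat,  8 Feb 2003 21:31:18 -0500 (EST)
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # first bracketed IPv4
RDNS_RE = re.compile(r"\(([\w.-]+)\s+\[")              # "(rdns-name [ip]" (Postfix)
HELO_RE = re.compile(r"\(HELO\s+([^\s)]+)\)", re.I)    # "(HELO name)" (SIMS)

def parse_hop(value):
    """Pull sender IP, its reverse-DNS name, the HELO name and the receiving
    host out of one Received header; folding whitespace is collapsed first."""
    from_part, _, by_part = " ".join(value.split()).partition(" by ")
    toks = from_part.split()
    first = toks[1] if len(toks) > 1 and toks[0] == "from" else ""
    ip, rdns, helo = (r.search(from_part) for r in (IP_RE, RDNS_RE, HELO_RE))
    # Postfix writes the HELO name right after "from"; SIMS writes "(HELO name)".
    helo_name = helo.group(1) if helo else (first if first and first[0] != "[" else None)
    return {"ip": ip.group(1) if ip else None, "rdns": rdns.group(1) if rdns else None,
            "helo": helo_name, "by": by_part.split()[0] if by_part else None}

def trace(raw):
    # MTAs prepend Received lines: the last one in the message is the earliest hop.
    return [parse_hop(v) for v in reversed(message_from_string(raw).get_all("Received", []))]

def origin(raw):
    """The injecting machine: the 'from' side of the earliest hop."""
    hops = trace(raw)
    return hops[0] if hops else None

def return_path_domain(raw):
    """The only part of Return-Path SIMS checks: the domain a bounce would go to."""
    addr = message_from_string(raw).get("Return-Path", "").strip().strip("<>")
    return addr.rpartition("@")[2].lower() or None

if __name__ == "__main__":
    for hop in trace(SAMPLE):
        print(f"{hop['ip']:>16}  rDNS={hop['rdns']}  HELO={hop['helo']}  ->  {hop['by']}")
    print("Return-Path domain:", return_path_domain(SAMPLE), "| injected by:", origin(SAMPLE)["ip"])
```

Only the Received line your own server wrote is certain; each earlier line is as trustworthy as the relay that added it, which in these headers is a known provider's Postfix box.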
