Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security

Klez: a closer look 204

sheriff_p writes "Anyone recieving even a small amount of email is likely to have encountered Klez varients of some form in the last few months - Message Labs shows it as being the biggest email-transmitted virus of all time by some way. So just how boring is it? Virus Bulletin has an indepth look at what makes Klez tick." And today alone, Klez virus e-mails were 90% of my e-mail by bytecount. YAY Outlook!
This discussion has been archived. No new comments can be posted.

Klez: a closer look

Comments Filter:
  • Nice article (Score:5, Insightful)

    by stevenbee ( 227371 ) on Monday July 08, 2002 @09:01AM (#3841303)
    I appreciate the fact that they acknowledge the role played by social engineering as a vector.
    As I have tried to explain to my more gullible user-friends, a little crankiness goes a long way
    towards virus protection!

    : )

  • "Message Labs shows it as being the biggest email-transmitted virus of all time by some way"

    From what I have seen, I agree with this. Klez has arrived more times in my inbox than all other worms/trojans/etc combined. The other ones I see (saw) most often are MyParty and Hybris (Dwarf4u). What distributions are other people seeing?

    • While I have seen Klez in my inbox a few times, lately I see Yaha-E all the time. (Seems right now, Yaha-E is the biggest in the Netherlands - one wonders what the maker has against us poor Dutchies... *G*)
    • Personally I get the enlarge your penis by up to three inches distribution quite a bit. I'm thinking a lot of my male associates must have some ... errr deficiencies... that they keep opening that particular email up and spreading it to me.
    • KlezH@mm

      lots of different delivery methods.. same annoying virus.

      lately I've been seeing HiGuy and a little Yaha, and the old classic magistrB.

    • I agree... I get the virus notifications from everyone on our network; recently that's 233 Klez-G, 7 Klez-H and a very brief spurt of Yaha_E just recently. Klez is miles ahead...
    • I'm getting various Klez emails in my Hotmail at the rate of about 6 a day : Clearly these viruses are scanning the newsgroups as they are not coming from people I know or converse with (I use my Hotmail account as a reply for newsgroup postings, so I get about 60 spams a day). I find it humorous, and of the potential for conspiracy theorists, that shortly after Hotmail started selling memberships for expanded storage space, I started getting a warning every 2 days or so about running out of space : Of course I'd check my account to find that 90% of the space suckage were various Klez viruses (which Hotmail does not, at least up until yesterday, filter out. Again, warm up the conspiracy machine...).

      It should be noted that only a small proportion of the messages contain "Klez" in the subject. I've seen it with subject lines that seem faintly related to newsgroups that I've posted in : SQL Server terms, HTML phrases, CSS selectors, etc.
  • by tcd004 ( 134130 ) on Monday July 08, 2002 @09:04AM (#3841329) Homepage
    Klez has been great for my company! We just classify every copy of Klez we receive as "corporate acquistion of capital" and assign it a monetary value. We've got 6.2 billion in Klez inventory baby! [lostbrain.com]

    But seriously...127K seems to be the magic number for Klez.
    So couldn't a filter simply be set up to block all emails 127k in size?

    tcd004
    • by jandrese ( 485 ) <kensama@vt.edu> on Monday July 08, 2002 @09:11AM (#3841380) Homepage Journal
      Maybe we should start doing that for all mail trojans? I know I'd be thrilled to discover that man of various random sizes might disappear at my mail filter because it just happens to be the same size as a worm. Seems to me it'd be better just to block the worm directly...oops, many companies already do this.
      • by jd142 ( 129673 ) on Monday July 08, 2002 @11:37AM (#3842736) Homepage
        Um, that sort of security is just stupid and provides a false sense of security. If you were being sarcastic, I missed it. What happens when klez mutates into a slightly different size?

        True story: I was helping a user send out emails to a group of students. Her subject was "Important message about your scholarship." She kept getting messages back that the mail was infected with the Melissa virus. Well, she wasn't sending any attachments, so I thought we had a variant that piggybacked on outgoing mail messages. I searched her machine. I moved her to a different machine and searched it. Same thing. I re-imaged a machine. Same thing.

        I also couldn't figure out where it was being caught. The message wasn't coming from our server because the infected message wasn't the same.

        I traced it back to the main university's mail servers. So I called them up and told them that their anti-virus software was catching a virus that we couldn't find and could they tell us what they were using. They said they weren't using anti-virus scanning software.

        Turns out some bright bulb had written a perl script that flagged every outgoing message with a subject that contained "Important message" as being infected with the Melissa virus.

        A half a day wasted trying to track down a non-existant virus. And as soon as the Melissa virus changed its subject line, the script would let it through. What a joke.

        • I think you missed the point. When I said block the worm directly, I'm talking about those filters that scan attachements and look for the worm itself. If it finds the worm attached to your messages, it cleans off the worms and warns the sender that they may be infected. Sometimes they just drop the message entirely. Your admin should be dopeslapped for writing such a bonehead script, but that doesn't mean that proper filtering is useless. It's certainly better than just discarding every 127k message, especially as the size of the bogus message isn't always the same.
  • ....made the messages easy to filter:

    If Subject contains "klez" move to folder "garbages"!

  • I havn't recieved a e-mail virus in about a year.
    Boo Hoo ;-)

    Carrot007.

  • This is really from the looking-at-PURE-EVIL dept. Or maybe they got hit by a virus.
  • by CountBrass ( 590228 ) on Monday July 08, 2002 @09:07AM (#3841350)
    We use outlook and exchange server where I work. Never, ever, seen a virus in the two and a half years I've worked here. Why ? because the admins know what they're doing and catch all the viruses before they ever get anywhere near us delicate users. I'm not an especial fan of MS (I'm a bastion of Java in a sea of MS where I work) but all the sniping at Outlook is just bs. People target outlook and other MS products because it's popular. I mean, why bother writing a virus that targets some system only a couple of geeks ever run ? The key factor is competent admins, properly configuring and defending the systems they're responsible for.
    • Not to be a shameless Linux promoter, but it seems that to a point, most of the people who are competent admins are running Linux servers, and not MS. Note that this does not insist that all competent users are running Linux, or that all users running Linux are competent.
    • by autechre ( 121980 ) on Monday July 08, 2002 @09:49AM (#3841792) Homepage

      Not all of the complaints about Outlook are "bs". Certainly, a lot of people seem to like the interface. This is one point that has probably kept it on users' desktops.

      However, it will randomly refuse to work with perfectly functional IMAP servers. Some people have had it delete everything in their inbox. And many aspects of its design make it an easy target for virus writers. Up until recently, even if you knew what you were doing and wanted to, you couldn't prevent Outlook from displaying HTML (and everything associated with it, such as Javascript and Web bugs). It's gotten a bit more difficult to have it automatically execute attachments, but apparently not difficult enough. (In all fairness, it should be pointed out that a large section of the population would simply execute those attachments themselves anyway).

      It's easy to say that you're safe at work. You're sitting behind various filters set up by competant administrators. But many people at home don't have that option. If an ISP started filtering out attachments by file type, many would doubtless scream bloody murder. Home users are the main problem here (not that it's necessarily their fault). In an unprotected environment, Outlook still makes it too easy for virus writers, and while I would love to be in a world where everyone was shielded by competent admins (hello big job market for me!), we currently aren't.

    • by Sloppy ( 14984 ) on Monday July 08, 2002 @10:17AM (#3842136) Homepage Journal
      People target outlook and other MS products because it's popular.

      Outlook is targeted because it's the only email client that anyone has ever heard of (probably the only email client in the history of the world) that executed a script mailed to it, without user interaction. (Yes, that has been fixed, but it's still in people's heads.) It's also the only email client I've seen (though probably not the only on in history in history) that will allow a user to execute an attached script just by clicking on it. Traditionally, email clients aren't desktop shells; they might go to the trouble to display static attachments such as pictures, but executing scripts is way over the line. Traditionally, if you want to execute an attachment, you have to save it and execute it seperately. A sane and responsible software designer would never entertain such an idea for more than a few seconds. Microsoft did.

      Outlook's reputation is deserved. You're lucky your mail is so well filtered by good Admins, because as an Outlook user, you would be in unusual danger without those Admins.

  • And today alone, Klez virus e-mails were 90% of my e-mail by bytecount.

    Are you really getting that many hits from Klez? Does anyone else have this problem? I have 4 email accounts that all see a fair amount of activity, and I've only gotten a couple of Klez hits in the last month... I think Hemos must be the target of the an underground Kluz spreading cult or something.
    • The amount of virusses recieved by a certain user has a strong relation with the amount of friends or enemies that run outlook one has. A true nerd will never give his email adress to anybody who uses MS software, so he will hardly see any viruses, however, some people have a social life wich involves normal people as well (yes, really!), so they are very likely to receive this type of viruses.

      Also note that the percentage is much higher when one recieves just one email (spam, most likely) per week because he has no friends at all.
      • I have a theory 1. I get about one or two a day to my home email address. I know nobody that uses outlook/outlook express. 2. I am subscribed to several Linux mailing lists (tag,RH, gnome etc) 3. I have had a few with spoofed addresses like webmaster@gnome.org and various other linux notables that post to these lists) So there must be quite a few work only subscribers that use outlook to peruse these lists. Bloody outlook - even gets you if you stick to linux sites
    • Re:90%? really? (Score:3, Informative)

      by Patrick13 ( 223909 )
      In the height of the Klez infections (about 2 1/2 months ago), I got 76 emails infected with Klez in one morning.

      The trick with Klez is that it spoofs the "from" header, and chooses an address at random from the infected computer's address book and its web cache.

      I got tons of infected emails from people who had only surfed into a page containing one of my email addresses. Since I have 25 or design clients, this can add up to quite a few "webmaster@" email addresses. While my busiest site gets about 700 unique visitors daily, overall, my email accounts are exposed to ca. 4500 uniques daily.

      That's a lot of novice users who think that getting an email that has the subject:

      "A Excite Game"

      and a body message that runs something like:

      This is a excite game I made. It is my first try at a game. I hope you like it!

      is a legit email. I have personally gotten this one over and over again, with the adjective randomized (a FUNNY game, a NEW game, etc.).

      I can't believe that people open it, but they do. And they get infected, and then I get mails from them, spoofed to appear to be coming someone in their address book, or their browser cache.

      Which makes it a drag, because you can't easily track down the offending individual.

      The reason I think this virus is so prevalent (aside from the fact that most users are so gullible) is simply because you can't email the infected party and say "hey, you are infected with Klez", but with other viruses, such as SirCam and what not, you could, therefore stopping the virus infection, eventually.
    • Yes, really. My mailbox is constantly full of the damn things (well, that, and SPAM from Korea). I have a number of readers of my small fanfiction page, and I think they all use Windows/Outlook Express, so there you go. They are not computer geeks; they know how to use a computer to read and send e-mail, to browse the web, and to write stuff/design websites in some cases, but, like most Windows users, their computers are tools to get a job done, not a way of life.

      I, on the other hand, am a programmer who uses Linux at home; I didn't get infected by those damn Klez viruses, nor do I even download them--I limit fetchmail on the size of attachment and inspect the oversized mails thru my ISP's web interface every few days. Almost everytime, they are Klez viruses, though I'm also seeing some Goldfish thingy, starting recently.

      I'm really, really sick of this crap filling up my mailbox. It's viral spam: an unspeakable hybrid of two of the worst internet evils.

  • OK maybe this is totally off the wall but I don't really see the point of using an address book anyway. Most of the time you're replying to a mail, or writing to someone whose address you know (come on geeks, who can't remember a handful of e-mail addresses?). And no address book = no klez.
    • You'll see the value once you start to make more friends. Especially if your friends have ugly email addresses on a variety of providers. Besides, there's an easier way to avoid spreading virusues than avoiding your addressbook: just avoid Outlook.
    • ...that require semi-regular contact with many people. Personally, I am the IT Manager and Corporate Buyer for the company that I work for.

      Small company, so I wear a few hats. Anyway, I have a fairly decent sized Address book that contains virtually all of the vendors that I have to deal with, business contacts at both client sites as well as my geek contacts that let me bounce ideas off of them.

      Sure, if you are a "house-geek" or a college geek, you probably only have a small number of people to E-mail. (Mostly your 3733t friends and such.) However, once you hit the "real" world you find that your boundless memory actually has a few boundries.

      -.-
    • Klez doesn't read your addressbook, it just snoops the network interface. Far more effective.
  • by Anonymous Coward on Monday July 08, 2002 @09:08AM (#3841361)
    Set up an E-Mail address at your domain, called something like:

    ignoreme@example.net

    and publish it on your webpage, as an address for UCE only, and ask people not to send correspondence to it.

    Then, filter all E-Mail received in your other mail boxes, against all of the mail received by ignoreme, and any that matches, delete.
  • by karot ( 26201 ) on Monday July 08, 2002 @09:10AM (#3841370)
    ...is when even viruses don't send you mail :-(

    Steve ;-)
  • Hemos, CmdrTaco (Score:5, Insightful)

    by Lxy ( 80823 ) on Monday July 08, 2002 @09:13AM (#3841385) Journal
    Silly question:

    Whenever Hemos or CmdrTaco posts about a Windows virus, they always end with "yadda yadda 90% of my e-mail yadda...". How is it that you can run the #1 geek news site and still have e-mail viruses infaltrating your inbox? Is it that much trouble to install MIMEDefang [roaringpenguin.com]? If you'd like, I'll offer up my services as a consultant to install virus scanning software on your e-mail server, since you two obviously can't figure it out, but I hope that isn't neccesary.
    • Re:Hemos, CmdrTaco (Score:5, Informative)

      by _xeno_ ( 155264 ) on Monday July 08, 2002 @09:54AM (#3841855) Homepage Journal
      They still have to download the crap before they can filter it, right? How do you know that they aren't filtering it all out and aren't looking at a report that says "Filtered e-mail: 90% Klez, 9% Spam, 0.45% Troll, 0.45% Flamebait, 0.05% Stupid, 0.04% Real, 0.02% Complaints About Slashdot Math"?

      Maybe Hemos came up with the figure by checking his e-mail and watching as 90% of it was filtered into the bitbucket. Maybe he still filters it by hand - regardless, when a massive collection of your inbox is junk, you still have to watch it go through the filter. (Well, OK, not always - there are filter setups where you don't see it, but let's not get too technical, alright?)

      The bottom line is this: they may filter it, but they still have to deal with the incoming bytes in some way. The "90%" figure probably comes from either a filter report, or from watching the data be filtered if they're using client-based filtering. Just because they know that 90% of their incoming e-mail is crap doesn't mean they manually sort it.

    • Yeah but if all the viruses are gone the spam won't have anything to keep it company :)
    • I'd like to know exactly what logic you use to equate "filtered" with "didn't get it in the first place".
    • and still have e-mail viruses infaltrating your inbox? Is it that much trouble to install MIMEDefang

      If you instal MIMEDefang your mailbox will still fill up with virii that get sent to you, they'll just be "defanged".

      -
  • Question (Score:5, Informative)

    by Mr_Silver ( 213637 ) on Monday July 08, 2002 @09:14AM (#3841394)
    Unless I'm misreading this, isn't the major thing about this virus that it runs automatically using an IE exploit?

    I mean, that the whole going through your contacts/sent items list and mailing them is all very well, but I can write some perl that does that with your Pine folders easily enough.

    I posted an article a while ago on this but it was rejected. It's a Wired article entitled "The Great MS Patch Nobody Uses [wired.com]". Granted it is Microsoft's fault this stupid stupid exploit happened in the first place, but it's also interesting to note that the fix for 80% of these problems have been available for over a year virtually unnoticed.

    And finally, if you're running procmail then:

    :0 B
    * Content-Disposition: attachment
    * name=.*\.(com|exe|pif|scr|bat|lnk|shf|vbs)
    {
    # Stick it somewhere
    :0 B:
    /home/accountname/mail/viruses
    }

    does a pretty good job of filtering out that sort of junk.

    • Re:Question (Score:3, Insightful)

      by Your_Mom ( 94238 )
      Granted it is Microsoft's fault this stupid stupid exploit happened in the first place, but it's also interesting to note that the fix for 80% of these problems have been available for over a year virtually unnoticed.
      Oh, it has been noticed. But unfortunately, it breaks more then it fixes, 'normal' (as in /real/ normal, not this "open up the word document in the e-mail thing") attachment use is broken beyond belief. Attachments get randomly locked, certain file associations get wiped out across the system. The reason why no one downloads it is because it breaks more then it fixes. I rolled it out on two machines as a test run and they had nothing but complaints, jst to see how bad it was I downloaded it onto my machine and i nearly pulled all my hair out trying to repair what I had before that this nasty patch wiped out. Not fun. I had to reinstall Lookout on every machine that got it and applied their "lite" version of their patch included in the Office Service Pack which had most of the anal restrictions removed.
    • Re:Question (Score:2, Informative)

      by indiigo ( 121714 )
      That "great MS patch" does not block a significant variety of HTML and js born code. There have been about 7 exploits each on 2002 and 2000 that work on Outlook messages if html is enabled, regardless of that patch. They were just patched last month, in fact.
    • Bah. Patch distribution is *part* of the designer's responsibility. If there are a lot of vulnerable systems out there, it doesn't matter that there's a patch out if the vendor did a poor job of notification or whatever.

      You can't say "well, I have a bunch of holes, but I made a patch, so the fact that I put out tons of vulnerable systems and 95% of them are still vulnerable doesn't count".
  • I am an avid Outlook user, I love the ease of use, and all the features. I have received like 2 viruses in my whole time using my computer. Maybe I'm just unpopular, or I just use virus protection with hueristics scanning. Or maybe my Microsoft based Email Server actually does a pretty decent job of blocking all the crap from flowing down the pipe. I agree with another post in that kiddies write virii for Outlook cuz everyone uses it. Hense M$'s Market Share. If everyone used pine, it would be Pine Bashing time. Now Mod me down now because I flamed LInux like you always do.
    • You were infected with 2 viruses? That's not something to brag about.

      If you mean you just saw two viruses, then that means you are not receiving any. I would be much more impressed if you said you received thousands of viruses, but that you have proof that Outlook de-fanged or filtered them.


  • This article is very timely for me. I had never received an email virus until about a week ago. Now I get Klez virtually every day.

    Fortunately I look the descision a long time ago not to use Outlook as my email client (I use Eudora). However, Klez is still a nightmare because it can randomly choose an address for the "From:" field from the computer it has infected, which means that if someone you know gets infected, you can get irate emails from people telling you not to send them viruses!

    Nightmare.

  • by RhettLivingston ( 544140 ) on Monday July 08, 2002 @09:23AM (#3841484) Journal

    My wife and I both use Outlook for all of our email. Neither of us have ever been infected by the virus because we've kept up with updates to Outlook that block you from opening programs (and we know better).

    She receives several copies a day of the Klez virus. I've never received it despite having about the same overall email traffic.

    I think that the difference lies in who we know. I'm a Computer Engineer and she's a counselor. Thus, the average individual with my email address is a lot more computer savvy than those with her email address.

  • i still find it funny that all the guys who run this site...

    use windows on thier desktop.

    tisk tisk.
  • 1. set up mail filter to punt any attachments to .jpg, .gif, .txt, .zip 2. There is no step two.
  • How about YAY USER ERROR! I have NEVER gotten a virus in my life, and I have three email accounts all going through outlook. All it takes is a little bit of common sense to avoid them. Hell, I don't even have a virus scan installed.. I check once a month or so using an online scan.

    On another note, just push your mail providers to install a virus scanner on ther mailer daemon side... my school recently did this and it seems to be working very well.
    • Comment removed based on user account deletion
    • just push your mail providers to install a virus scanner on ther mailer daemon side..

      Not necessarily something a provider wants to do. For starters, scanning thousands upon thousands of incoming e-mails puts a heavy strain on the servers. More importantly, however, is that by doing so a provider implicitly admits legal responsibility for what their users are doing on their systems. If you can read through users' e-mails to determine if they're infected with a virus, Big Bad Government is going to come in to ask you to scan for evidence of illegal actions as well.

      For this reason, my employer has, for now, decided to forego server side virus scanning, and I pretty much would agree with him.
  • A question (Score:3, Interesting)

    by pubjames ( 468013 ) on Monday July 08, 2002 @09:36AM (#3841634)
    If I receive emails with the Klez virus attached, that means someone I know is probably infected, doesn't it?

    In which case (since the From: field is not necessarily indicative of who it came from) how can I find out who it came from so that I can tell them that they're infected?
    • You can't. That's the whole point.
    • In outlook express you can view the source of the email and all the headers, usually you can find clues there like the actual e-mail address, the ip or at least the ISP.
    • Comment removed based on user account deletion
    • Re:A question (Score:1, Informative)

      by Frogking ( 126462 )
      Your best bet is to look at the full headers of the message to see what IP address the virus came from. Next, use something like ARIN Whois (http://www.arin.net/whois/index.html) to find out what ISP that IP address belongs to. Then forward the original message to this ISP *as an attachment* (this preserves the headers with the IP address and timestamp) and ask that they contact their customer. Most ISPs can check to see what user was connected to a certain IP address at a specific time, thus telling them who is infected. Most ISPs won't actually tell you who the sender is (mostly for privacy reasons, but also to prevent people from getting in fistfights over a virus that probably wasn't sent on purpose to begin with!).
    • If I receive emails with the Klez virus attached, that means someone I know is probably infected, doesn't it?

      Not necessarily. I find that I get most of mine from infected spammers.

    • Well, I got a Klez the other day. First one I'd seen in months, and it was from a friend I hadn't heard from in a while. So, I wrote him back after checking the mail headers.

      ======================

      Hey man, long time no see.

      I got this today with your name on it. It's a copy of the Klez virus, which may mean some of your computers at work may have that virus on them. I'd check to make sure.

      On the other hand, the mail trail says it originated from someotherisp.net. I don't know anyone who uses that service, but perhaps you do. If so, they could be sending out mails in your name, so you might want to check with them.

      Anyway, how are things?
  • that the company that perpetually promises to make everyones computer more secure still ships Outlook Express, probably the most insecure software product ever released, I would have written sold there but I believe they give it away; how unamerican, but then again how could they possibly justify charging for it.
  • by AdamBa ( 64128 ) on Monday July 08, 2002 @09:42AM (#3841704) Homepage
    Since the detail link up there is /.ed...I keep getting these emails like "your email was rejected by our virus filter" and then there is an email attached, which looks like it came from me, that has Klez in it. Most of these are from people I have never contacted via email that are not in my address book.

    So can I just assume that Klez is just generating these on its own and it's actually the *other* guy who is infected? Because I run Norton AntiVirus with the latest filters...or am I actually infected with Klez and I am really generating all this email that is bouncing at the other end?!?

    Inquiring minds want to know. Thanks.

    - adam

  • Klez Variant? (Score:2, Interesting)

    by olethrosdc ( 584207 )

    Recently I received something that could be a new variany of Klez. The difference is that it does not look at your own computer for contacts. It looks at web-pages. This is how it seems to work:

    1. Download a random web-page.
    2. Rip all the addresses.
    3. Choose a small phrase from the web-page
    4. Spoof an email from one address to another, using the key-phrase.
    5. Go to 1.
    This seems to be a much better option than using the outlook addressbook, because it is more probable that emails will be read by the corresponding parties. Why? Because they are both mentioned on the same web-page, so they must have some common interest. The subject line can be something related to their interest too... it is not like getting a pr0n email from a priet in Nevada or something B]
  • by frankie ( 91710 ) on Monday July 08, 2002 @09:52AM (#3841834) Journal
    Klez is not really such a smart virus, compared to some of the earlier Outlook scripts that would grab a real document off the luser's HD and send it. The thing that makes it a major PITA is the forgery.

    The only way to track down a Klez sender is to follow the Received: headers back to the ISP, and ask them to search their RADIUS &/or DHCP logs to figure out which user was at that address at the time the message was sent. Most ISP's that I've contacted would rather not bother, so the infected PCs remain blissfully ignorant.

    Alternately, the ISP could require authenticated SMTP, and attach the real user ID to every message in some way. Or install a virus filter on the outbound connection. But once again, they don't want to bother. It's the tragedy of the commons.
  • Do I really need to say why? heh.
  • Forged sender (Score:2, Interesting)

    I know that Klez forges the "From:" line in the header. There is a "From" (no colon) line at the top of email messages. I believe that this line comes from another source not forged by Klez. Usually, this line appears to be correct. The "From" (no colon) email address tends to agree with the first mail server that relayed the message. Is my understanding correct?

    Two or three times, I have tried to warn users that they are infected by sending messages to the "From" (no colon) address. It never has worked. Why not? Every time, I have ended up emailing the administrators of the domain or mail server. (BTW, most places do a terrible job of monitoring email to postmaster.) I always have included the headers so that the administrator could track down the infected user by date and IP address. Each time, the administrator then contacted the user and put a stop to the problem. How come the user never fixes it? Shouldn't my emails have gotten through? Did the users just ignore my warnings or was there something else at work?
    • It really is what's called the "envelope sender". In the SMTP protocol, you have to specify who the message is from, and what addresses to deliver to. These don't necessarily have any relation to the From: and To: headers in the message itself.

      I have noticed the same thing you have, I believe that the envelope sender is the correct person to contact.
  • Klez Quick Fix? (Score:3, Interesting)

    by N8F8 ( 4562 ) on Monday July 08, 2002 @10:52AM (#3842449)
    Last month my work PC was infected with Klez. Although Norton apparently can detect the virus it doesn't seem to be able to destroy it. I went to the Nortin site and tried the Klez cleaner and insturctions, but it didn't do any good. Then I noticed that Klez runs under the Guest account. I changed the password on the Guest account tand the problem seemed to go away.
  • New poll! (Score:5, Funny)

    by Webmoth ( 75878 ) on Monday July 08, 2002 @11:16AM (#3842610) Homepage
    The virus I've had the hardest time getting rid of:

    [ ] Nimda
    [ ] Klez
    [ ] ILoveYou
    [ ] Sircam
    [ ] Hybris
    [ ] Whatever CowboyNeal has

  • by FattMattP ( 86246 ) on Monday July 08, 2002 @11:44AM (#3842794) Homepage
    I use this procmail rule to catch Klez viruses:

    :0 B
    * ! ^Received:
    * 9HyTO130D42FAAAAU1bo5RoAAGoAi9joFC4AAIvwi0UIg.YBVm hmB0EAjbgsAQAA6MMaAABQ
    klez

    The lameness filter is putting a space in the string of characters above so be sure to remove it when you put this in your procmailrc file. Also remove the space before the :0 B in the first line.

  • how I deal with Klez (Score:3, Informative)

    by Dr. Awktagon ( 233360 ) on Monday July 08, 2002 @11:49AM (#3842854) Homepage

    Well, the anti-virus companies won't tell you how to block Klez (except by buying their products) but I funnel all my mail through a custom filter and this is the algorithm I use to get rid of Klez-like messages, once and for all:

    If message contains multipart/alternative entity,
    and entity has a part with a filename,
    and the filename's extension doesn't match the entry in /etc/mime.types,
    then drop the message.

    You could also, I think, send a "you're an idiot" bounce message to the envelope MAIL FROM: address (not the header From:, it's wrong). That one usually looks correct. Not sure though, probably best to just drop them.

    There are other clues in the message, such as IFRAME code, etc., but this seems foolproof, and I can't imagine any normal email program generating multipart/alternative sub-parts with a filename.

  • by Indy1 ( 99447 ) on Monday July 08, 2002 @12:14PM (#3843066)
    my dedicated slashdot spam account gets roughly 2-5 emails with klez per week. I dont know if some virus writing moron has a address harvester or what, but thats the only way i ever get email viruses. I should clarify, my mail server catches the bugs, squashes em, then mails me the paticular details so my actual email client never gets infected.

Single tasking: Just Say No.

Working...