From owner-freebsd-security  Wed Mar 14  5: 8:21 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mgateway.borderware.com (mgateway.borderware.com [207.236.65.231])
	by hub.freebsd.org (Postfix) with ESMTP id 4979B37B71A
	for <freebsd-security@freebsd.org>; Wed, 14 Mar 2001 05:08:19 -0800 (PST)
	(envelope-from bmw@borderware.com)
From: "Bruce M. Walker" <bmw@borderware.com>
Message-Id: <200103141308.f2ED84E11909@fusion.borderware.com>
Subject: Re: Sophos and Virus return mail
In-Reply-To: <Pine.BSF.4.21.0103132338550.27904-100000@shazam.int> from Jim Durham
 at "Mar 13, 2001 11:54:01 pm"
To: Jim Durham <durham@w2xo.pgh.pa.us>
Date: Wed, 14 Mar 2001 08:08:04 -0500 (EST)
Cc: freebsd-security@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL66 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Jim Durham wrote:
> 
> I thought of rewriting the script to use the "From: " address
> to reply. I think that would usually work, but I'm not sure
> that address always appears either.

Unhappily not:

  From: Hahaha <hahaha@sexyfun.net>

You can see the IP of the host that sent it to you in the Received:
headers if you inspect them, but that will be simply the Windows
PC that itself has been infected.  Snowhite contains a complete
SMTP send-only implementation and it delivers to its targets directly.

I'm afraid you're stuck with these things.

(This is one case where blocking of port 25 by ISPs is a good thing.)

-bmw

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message