Jim wrote:
> I just got the same virus 'seemingly' from Gary Fritz.
Most current viruses hijack email IDs (from the infected
system's address book, or someplace similar) and use these
addresses to forge the "From" address. The "From" address is
useless in these cases. The only way you can get any idea where
the virus actually came from is to look at the full headers of
the message and trace the "Received:" lines. For example:
> Received: from ma101.mailarmory.com (ma101.mailarmory.com
> [216.17.128.129])
> by deimos.frii.net (8.12.9/8.12.9) with ESMTP id h680QU1B011393;
> Mon, 7 Jul 2003 18:26:30 -0600 (MDT)
> Received: from filter (localhost.frii.com [127.0.0.1])
> by localhost.mailarmory.com (MailArmory) with ESMTP
> id 0A3697E370; Mon, 7 Jul 2003 18:26:31 -0600 (MDT)
> Received: from mail-out2.apple.com (mail-out2.apple.com [17.254.0.51])
> by ma101.mailarmory.com (MailArmory) with ESMTP
> id 70A477E281; Mon, 7 Jul 2003 18:26:26 -0600 (MDT)
> Received: from mailgate1.apple.com (A17-128-100-225.apple.com
> [17.128.100.225])
> by mail-out2.apple.com (8.12.9/8.12.9) with ESMTP id h680QIfR027976;
> Mon, 7 Jul 2003 17:26:18 -0700 (PDT)
> Received: from scv1.apple.com (scv1.apple.com) by mailgate1.apple.com
> (Content Technologies SMTPRS 4.2.1) with ESMTP id
> <T634a34f6c0118064e1724@xxxxxxxxxxxxxxxxxxx>; Mon, 7 Jul 2003 17:25:47
> -0700
> Received: from [17.206.14.107] (xxx5.apple.com [17.206.14.107])
> by scv1.apple.com (8.12.9/8.12.9) with ESMTP id h680Pvdi008514;
> Mon, 7 Jul 2003 17:25:57 -0700 (PDT)
You read the headers from the bottom up. These headers are from
a message that originated within Apple Corp. and was sent to me.
It went from xxx5.apple.com to scv1.apple.com (see the last
header), then to mailgate1.apple.com, then
mail-out2.apple.com, then ma101.mailarmory.com to me.
mailarmory.com is my ISP's spamtrap. It also intercepts viruses,
including Bugbear, which pretty much makes it impossible for me
to get infected by Bugbear even if I didn't run AV software,
which I do. (And in fact the spamtrap intercepted a Bugbear
virus yesterday afternoon.)
These headers can't be forged by the spammer or virus, because
they're added by individual mail-forwarding systems AFTER the
message leaves the original mailing host. So I know 100% for
certain that the message originated on xxx5.apple.com, regardless
of what the "From:" header says. Note, though, that mail through
the Omega list has all headers from (wherever) to eskimo.com
removed.
Different mailers have different ways of showing the headers.
You'll have to look at your mailer's help to find out how to
display the headers.
Gary
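The bottom-up walk through the "Received:" lines described above, written out as a small parser. This is an added example, not code from the original post or from any of the mail systems named in it. The sample input is the header block quoted in the post with the ">" markers stripped and the continuation lines indented as they would be folded in a raw message. Besides listing the hops oldest-first and reporting the originating host, it checks two things a practitioner looks at when tracing a message: whether the name a host announced in HELO matches the reverse DNS the receiving server recorded, and whether each hop's "by" server reappears as the "from" of the next hop. In the sample the chain joins up cleanly through Apple's relays and breaks only around the ISP's internal filter hop, which is written as a loop through localhost.

```python
import re

# Sample input: the Received: lines quoted in the post above, quote markers
# removed, continuation lines indented as they are folded in a raw message.
# Constructed for this example; nothing is fetched live.
RAW_HEADERS = """\
Received: from ma101.mailarmory.com (ma101.mailarmory.com
    [216.17.128.129])
    by deimos.frii.net (8.12.9/8.12.9) with ESMTP id h680QU1B011393;
    Mon, 7 Jul 2003 18:26:30 -0600 (MDT)
Received: from filter (localhost.frii.com [127.0.0.1])
    by localhost.mailarmory.com (MailArmory) with ESMTP
    id 0A3697E370; Mon, 7 Jul 2003 18:26:31 -0600 (MDT)
Received: from mail-out2.apple.com (mail-out2.apple.com [17.254.0.51])
    by ma101.mailarmory.com (MailArmory) with ESMTP
    id 70A477E281; Mon, 7 Jul 2003 18:26:26 -0600 (MDT)
Received: from mailgate1.apple.com (A17-128-100-225.apple.com
    [17.128.100.225])
    by mail-out2.apple.com (8.12.9/8.12.9) with ESMTP id h680QIfR027976;
    Mon, 7 Jul 2003 17:26:18 -0700 (PDT)
Received: from scv1.apple.com (scv1.apple.com) by mailgate1.apple.com
    (Content Technologies SMTPRS 4.2.1) with ESMTP id
    <T634a34f6c0118064e1724@xxxxxxxxxxxxxxxxxxx>; Mon, 7 Jul 2003 17:25:47
    -0700
Received: from [17.206.14.107] (xxx5.apple.com [17.206.14.107])
    by scv1.apple.com (8.12.9/8.12.9) with ESMTP id h680Pvdi008514;
    Mon, 7 Jul 2003 17:25:57 -0700 (PDT)
"""

# One unfolded Received: line. "from" is the name the sending host announced
# in HELO/EHLO; the parenthesised part is what the *receiving* server itself
# observed (reverse DNS and/or [IP]); "by" is the server that wrote the line;
# the timestamp follows the first ';'.
HOP_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^()\[\]]*?)\s*(?:\[(?P<ip>[^\]]+)\])?\))?"
    r".*?\bby\s+(?P<by>\S+)"
    r"(?:.*?;\s*(?P<date>.+))?$",
    re.DOTALL,
)


def unfold(raw):
    """Join folded continuation lines (leading whitespace) onto their header."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out


def parse_received(raw):
    """Parse every Received: header, in the order it appears (newest first)."""
    hops = []
    for line in unfold(raw):
        if not line.startswith("Received:"):
            continue
        m = HOP_RE.match(line)
        if m is None:  # unparseable line: keep a placeholder so the hop count is honest
            hops.append({"helo": None, "rdns": None, "ip": None, "by": None, "date": None})
            continue
        hop = m.groupdict()
        hop["rdns"] = hop["rdns"] or None  # "()" with only an [IP] leaves rdns empty
        hops.append(hop)
    return hops


def _same_host(a, b):
    return a is not None and b is not None and a.lower() == b.lower()


def trace_path(raw):
    """Return the delivery path oldest-hop-first, i.e. the headers read bottom-up.

    links_to_next is True when this hop's 'by' server is the 'from' of the
    following hop, None for the final hop. helo_matches_rdns compares the
    announced name with what the receiver saw."""
    hops = parse_received(raw)
    hops.reverse()  # bottom line was added first, so it is the origin hop
    path = []
    for i, hop in enumerate(hops):
        entry = {
            "from": hop["rdns"] or hop["helo"],  # prefer what the receiver observed
            "ip": hop["ip"],
            "by": hop["by"],
            "date": hop["date"],
            "helo_matches_rdns": _same_host(hop["helo"], hop["rdns"]),
            "links_to_next": None,
        }
        if i + 1 < len(hops):
            nxt = hops[i + 1]
            entry["links_to_next"] = (_same_host(hop["by"], nxt["helo"])
                                      or _same_host(hop["by"], nxt["rdns"]))
        path.append(entry)
    return path


def origin_host(raw):
    """(host, ip) of the earliest hop, as recorded by the first relay."""
    first = trace_path(raw)[0]
    return first["from"], first["ip"]


if __name__ == "__main__":
    for n, h in enumerate(trace_path(RAW_HEADERS), 1):
        flags = []
        if not h["helo_matches_rdns"]:
            flags.append("helo!=rdns")
        if h["links_to_next"] is False:
            flags.append("chain break")
        print(f"{n}. {h['from']} [{h['ip']}] -> {h['by']}  {h['date']}  {' '.join(flags)}")
    print("origin:", origin_host(RAW_HEADERS))
```

Running it prints the six hops in delivery order with xxx5.apple.com / 17.206.14.107 as the origin; the two "chain break" flags fall on either side of the "from filter ... by localhost.mailarmory.com" line, which is the spamtrap's internal pass rather than a network relay. The parser only trusts the parenthesised part of each line for the "from" host, because that is what the receiving server observed rather than what the sender claimed.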