
Re: Virus sender on this list????????? Carl Petersen ????????

Jim wrote:
> I just got the same virus 'seemingly' from Gary Fritz.  

Most current viruses hijack email IDs (from the infected 
system's address book, or someplace similar) and use these 
addresses to forge the "From" address.  The "From" address is 
useless in these cases.  The only way you can get any idea where 
the virus actually came from is to look at the full headers of 
the message and trace the "Received:" lines.  For example:

> Received: from ma101.mailarmory.com (ma101.mailarmory.com
> [216.17.128.129])
>  by deimos.frii.net (8.12.9/8.12.9) with ESMTP id h680QU1B011393;
>  Mon, 7 Jul 2003 18:26:30 -0600 (MDT)
> Received: from filter (localhost.frii.com [127.0.0.1])
>  by localhost.mailarmory.com (MailArmory) with ESMTP
>  id 0A3697E370; Mon,  7 Jul 2003 18:26:31 -0600 (MDT)
> Received: from mail-out2.apple.com (mail-out2.apple.com [17.254.0.51])
>  by ma101.mailarmory.com (MailArmory) with ESMTP
>  id 70A477E281; Mon,  7 Jul 2003 18:26:26 -0600 (MDT)
> Received: from mailgate1.apple.com (A17-128-100-225.apple.com
> [17.128.100.225])
>  by mail-out2.apple.com (8.12.9/8.12.9) with ESMTP id h680QIfR027976;
>  Mon, 7 Jul 2003 17:26:18 -0700 (PDT)
> Received: from scv1.apple.com (scv1.apple.com) by mailgate1.apple.com
>  (Content Technologies SMTPRS 4.2.1) with ESMTP id
>  <T634a34f6c0118064e1724@xxxxxxxxxxxxxxxxxxx>; Mon, 7 Jul 2003 17:25:47
>  -0700
> Received: from [17.206.14.107] (xxx5.apple.com [17.206.14.107])
>  by scv1.apple.com (8.12.9/8.12.9) with ESMTP id h680Pvdi008514;
>  Mon, 7 Jul 2003 17:25:57 -0700 (PDT)

You read the headers from the bottom up.  These headers are from 
a message that originated within Apple corp and was sent to me.  
It went from xxx5.apple.com to scv1.apple.com (see the last 
header), then mailgate1.apple.com, then mail-out2.apple.com, 
then ma101.mailarmory.com to me. 
mailarmory.com is my ISP's spamtrap.  It also intercepts viruses, 
including Bugbear, which pretty much makes it impossible for me 
to get infected by Bugbear even if I didn't run AV software, 
which I do.  (And in fact the spamtrap intercepted a Bugbear 
virus yesterday afternoon.)

These headers can't be forged by the spammer or virus, because 
they're added by individual mail-forwarding systems AFTER the 
message leaves the original mailing host.  So I know 100% for 
certain that the message originated on xxx5.apple.com, regardless 
of what the "From:" header says.  Note, though, that mail through 
the Omega list has all headers from (wherever) to eskimo.com 
removed.

Different mailers have different ways of showing the headers.  
You'll have to look at your mailer's help to find out how to 
display the headers.

Gary