On 7/23/11 5:07 PM, "Chris" <cpoll...@embarqmail.com> wrote:

> Looking for the correct way to handle this. I've been receiving a lot of
> infected email lately, supposedly bounced messages, infected with the
> MyDoom worm or Suspect.DoubleExtension-zippwd-9. What is the correct way
> to report these to the offending ISP? I can find who the admin and tech
> contacts are by telnetting to whois.ra.net and inputting the ASN, which
> will give me those; then I can telnet to whois.ripe.net or apnic or radb
> or whoever to give me the name(s) of these contacts and email address.
> Then send them an email with the message headers to show the sender IP.
> Is that the correct way? I also have a script that will report these in
> conjunction with SA Learn which reports these, but it sends the whole
> message including the infected attachment; I don't believe this is the
> correct way.
> 
You might want to check out SpamCop <http://www.spamcop.net/> to help you
locate the offending ISP.  Their database is often able to cut through
attempts to disguise the true sender using your techniques, but somewhat
faster.

Another tip for sending infected emails is to compress them with a password
before sending, as intermediary mail handlers often scan and remove
attachments that are recognized malware.


-Al-
 
-- 
Al Varnell
Mountain View, CA
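Added example (not from either message in this thread, and not ClamAV or SpamCop code), in Python: given a bounce like the ones Chris describes, pull the originating IP out of the Received headers and build a headers-only report for the ISP's abuse contact, so the infected attachment itself is never forwarded. The sample bounce, its hostnames and IPs are constructed (documentation ranges), and the trusted MX range in SKIP_NETS is an assumed site setting.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample bounce (not a real message); IPs are documentation ranges.
SAMPLE_BOUNCE = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby mail.example.org with ESMTP id abc123; Sat, 23 Jul 2011 14:00:00 -0700
Received: from [198.51.100.77] (helo=pc-home.invalid)
\tby mx1.example.net with SMTP; Sat, 23 Jul 2011 13:59:58 -0700
From: "Mail Delivery System" <MAILER-DAEMON@example.net>
To: postmaster@example.org
Subject: Returned mail: see transcript for details
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: application/zip; name="message.zip"
Content-Disposition: attachment; filename="message.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--XX--
"""

IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
# Hops to ignore: RFC 1918/loopback plus our own MX range (assumed: 192.0.2.0/24).
SKIP_NETS = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "192.0.2.0/24")]

def originating_ip(raw):
    """Newest Received header first: return the first hop outside SKIP_NETS."""
    msg = email.message_from_string(raw, policy=policy.default)
    for hdr in msg.get_all("Received", []):
        for cand in IP_RE.findall(str(hdr)):
            ip = ipaddress.ip_address(cand)
            if not any(ip in net for net in SKIP_NETS):
                return str(ip)
    return None

def headers_only_report(raw):
    """Every header verbatim, attachments named, payloads withheld (no malware re-sent)."""
    msg = email.message_from_string(raw, policy=policy.default)
    lines = [f"{name}: {value}" for name, value in msg.items()]
    withheld = [p.get_filename() for p in msg.walk() if p.get_filename()]
    lines.append(f"X-Report-Note: originating IP {originating_ip(raw)}; "
                 f"attachment payload withheld: {', '.join(withheld)}")
    return "\n".join(lines)
```

The report text is what goes to the abuse contact found via whois or SpamCop; the zip payload stays on your side.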
