<snip>
Anyway, the 'from header' states that the virus is coming from one of my
email addresses, but I am 99% sure that this is forged. My question is, how can
I find out the real email address from which this virus is being sent? It is
becoming a problem as I'm receiving this up to 50 times per day.
</snip>

This is very difficult to do accurately. Though what you might be able to discover is
how to block the offending IP completely.

Have a look at the full headers for the email (if you're unfortunate enough to use
Outlook then double-click the mail, go view > options to see them).
You'll see something like:


Microsoft Mail Internet Headers Version 2.0
Received: from list.cobalt.com ([12.40.201.23]) by plato.nemi.interv8.co.uk with Microsoft SMTPSVC(5.0.2195.5329);
         Fri, 8 Nov 2002 10:33:14 +0000
Received: from list.cobalt.com (localhost [127.0.0.1])
        by list.cobalt.com (8.9.3/8.9.3) with ESMTP id CAA06328;
        Fri, 8 Nov 2002 02:32:28 -0800
Received: from ns.achieve-it.com (ns.achieve-it.com [212.67.197.38])
        by list.cobalt.com (8.9.3/8.9.3) with ESMTP id CAA06233
        for <[EMAIL PROTECTED]>; Fri, 8 Nov 2002 02:31:28 -0800
Received: from default (pc369.as1.galway1.eircom.net [159.134.145.113])
        by ns.achieve-it.com (8.10.2/8.10.2) with SMTP id gA8AUWT30718
        for <[EMAIL PROTECTED]>; Fri, 8 Nov 2002 10:30:32 GMT
Message-ID: <002601c28712$62cf2960$7191869f@default>
From: "Achieve Website Design" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>


I've cut all the rest as the bit above is the interesting bit.
Have a look at the last Received: line, and you should spot that it's logged your IP
address from where you sent this mail to the mailing list.
That should be (providing they aren't spoofing IP) the IP to block, and then report by
using a whois tool (www.ripe.net or www.arin.net) and report the abuse to the relevant
contact.

Regards,

Andy
[EMAIL PROTECTED]
http://www.raqpak.com  <-- Unofficial FAQs and PKGs 
_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
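
Added example, not part of the original post: a Python sketch of the header walk described above, run over the Received lines quoted in the message. The function names hops and origin_ip and the trusted set of relay hostnames are assumptions made for illustration; the walk stops at the first server you do not trust, because Received lines below that point are written by the sender's side and can be forged.

```python
import ipaddress
import re
from email import message_from_string

# Received headers quoted in the message above (redacted "for" clauses left out).
SAMPLE = """\
Received: from list.cobalt.com ([12.40.201.23]) by plato.nemi.interv8.co.uk with
    Microsoft SMTPSVC(5.0.2195.5329); Fri, 8 Nov 2002 10:33:14 +0000
Received: from list.cobalt.com (localhost [127.0.0.1])
    by list.cobalt.com (8.9.3/8.9.3) with ESMTP id CAA06328;
    Fri, 8 Nov 2002 02:32:28 -0800
Received: from ns.achieve-it.com (ns.achieve-it.com [212.67.197.38])
    by list.cobalt.com (8.9.3/8.9.3) with ESMTP id CAA06233;
    Fri, 8 Nov 2002 02:31:28 -0800
Received: from default (pc369.as1.galway1.eircom.net [159.134.145.113])
    by ns.achieve-it.com (8.10.2/8.10.2) with SMTP id gA8AUWT30718;
    Fri, 8 Nov 2002 10:30:32 GMT
Message-ID: <002601c28712$62cf2960$7191869f@default>

"""

# "from <claimed name> (<reverse DNS> [<peer IP>]) by <recording server>"
HOP = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)")

def hops(raw):
    """Return Received hops, newest first, as dicts of claimed/rdns/ip/by."""
    out = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            out.append(dict(zip(("claimed", "rdns", "ip", "by"), m.groups())))
    return out

def origin_ip(raw, trusted):
    """IP handed to the last server we trust; lines below it may be forged."""
    found = None
    for hop in hops(raw):  # walk from our own server back towards the sender
        if hop["by"] not in trusted:
            break
        if not ipaddress.ip_address(hop["ip"]).is_loopback:
            found = hop["ip"]
    return found

if __name__ == "__main__":
    # Assumption: which relays are trusted is the reader's call.
    relays = {"plato.nemi.interv8.co.uk", "list.cobalt.com", "ns.achieve-it.com"}
    print(origin_ip(SAMPLE, relays))
    print(origin_ip(SAMPLE, {"plato.nemi.interv8.co.uk"}))
```

The name straight after "from" is whatever the connecting machine claimed ("default" in the last line), while the bracketed address is what the recording server saw on the connection, so the address is the value to look up in whois.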
