So from the information below, which IP address is in the first Received header? And
what is the Envelope from variable that Andy mentioned? Thanks.
Scott/Everyone, Declude and this list are a great help to me.
Mike
Declude Virus v1.51 caught the : W32/Klez.H@mm virus in Lottery.pif
from [EMAIL PROTECTED] to: [EMAIL PROTECTED]
To: [EMAIL PROTECTED] Recipients of the E-mail
Date: 05/02/2002
Going: incoming
Host: scm.ca
From: [EMAIL PROTECTED]
MesageID: <20020502155838.RXR28252@Eoqjmed>
Num Of Recip: 1
Queue File: D687c096.SMD
Recip Host: scm.ca
Remote Domain: uab.ca
Remote IP: 206.191.82.42
Sender Host: uab.ca
Subject: NUMBERS END
Time: 10:25:37
File Name: Lottery.pif
Virus Name: : W32/Klez.H@mm
Headers: Received: from mailhost1.attcanada.net [206.191.82.42] by
mail.scm.ca with ESMTP
(SMTPD32-6.06) id A87C25A70096; Thu, 02 May 2002 10:25:32 -0600
Received: from Eoqjmed ([142.154.13.134]) by mailhost1.attcanada.net
(InterMail v03.02.07.03 118-128) with SMTP
id <20020502155838.RXR28252@Eoqjmed> for <[EMAIL PROTECTED]>;
Thu, 2 May 2002 15:58:38 +0000
From: ppayant <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: NUMBERS END
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=CTYkHL01Zb3FG1F
Message-Id: <20020502155838.RXR28252@Eoqjmed>
Date: Thu, 2 May 2002 15:58:38 +0000
Declude Version:1.51
----- Original Message -----
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, May 02, 2002 09:59
Subject: Re: [Declude.Virus] Klez.h
>
> >Hi, how do I tell where the Klez.h is really coming from? Thanks.
>
> The only way to know for sure is to check the first Received: header to see
> the IP address that it was sent from. To find the user it came from, you
> would need to find someone responsible for the IP address it came from, and
> hope that they can track down the user.
> -Scott
>
> ---
> [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
>
> This E-mail came from the Declude.Virus mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus". You can E-mail
> [EMAIL PROTECTED] for assistance. You can visit our web
> site at http://www.declude.com .
>
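Added example (not part of the original messages and not Declude's own code): a Python sketch that reads the two Received: headers from the report above, newest first, and walks outward only through hops written by servers the reader trusts, since each server prepends its own line and anything below an untrusted hop can be forged. The names received_hops, origin_candidate and the trusted set are hypothetical, and treating mailhost1.attcanada.net as trusted in the second case is an assumption.

```python
import re
from email import message_from_string

# Headers copied from the Declude report in this message (addresses were
# already redacted by the list archive as "[EMAIL PROTECTED]").
RAW = """\
Received: from mailhost1.attcanada.net [206.191.82.42] by mail.scm.ca with ESMTP
 (SMTPD32-6.06) id A87C25A70096; Thu, 02 May 2002 10:25:32 -0600
Received: from Eoqjmed ([142.154.13.134]) by mailhost1.attcanada.net
 (InterMail v03.02.07.03 118-128) with SMTP
 id <20020502155838.RXR28252@Eoqjmed> for <[EMAIL PROTECTED]>;
 Thu, 2 May 2002 15:58:38 +0000
Subject: NUMBERS END

"""

# "from <helo> [ip] by <host>" or "from <helo> ([ip]) by <host>"
HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\(?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)?"
                 r"\s+by\s+(?P<by>\S+)", re.I)

def received_hops(raw):
    """Return hops newest-first: each server prepends its own Received line."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(" ".join(value.split()))   # unfold continuation lines
        if m:
            hops.append(m.groupdict())
    return hops

def origin_candidate(hops, trusted):
    """Walk from our own server outward while the recording host is trusted.

    A Received line is only as reliable as the server that wrote it, so stop
    at the first hop written by a host not in `trusted` (an assumed set of
    lowercase host names); lines below that point could be forged.
    """
    last = None
    for hop in hops:
        if hop["by"].lower() not in trusted:
            break
        last = hop
    return last

if __name__ == "__main__":
    hops = received_hops(RAW)
    print(origin_candidate(hops, {"mail.scm.ca"}))
    print(origin_candidate(hops, {"mail.scm.ca", "mailhost1.attcanada.net"}))
```

With only mail.scm.ca trusted, the result is the same address Declude reports as Remote IP; the deeper address is usable only if the relay that recorded it is also trusted.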