> I am forwarding a message that Declude has been sending me. I just want
> to see if I interpret this correctly. I have been getting hundreds of these
> virus messages, all from the jleclair05 account. I do have a user here by
> that name AND, to make matters worse, the 10.200.11.65 address is an
> internal DHCP address, but is non-routable and would be NATted to a
> different address in our firewall.
I hate to say it, but I can say with about 99.9% certainty that the virus is
on the computer at 10.200.11.65:

> > Headers:
> >
> > Received: from Yik [10.200.11.65] by mcgraw.elmira.edu
> >   (SMTPD32-7.05) id A84FB4901FE; Thu, 05 Sep 2002 08:04:34 -0400
> > From: webmaster <[EMAIL PROTECTED]>

Since there is only one Received: header, that means that the virus's SMTP
engine connected directly to your mailserver. As far as I know, Klez doesn't
attempt to forge IP addresses (which would be *extremely* difficult to do on
Windows machines, which are the ones that Klez infects, and wouldn't do much
to help increase the spread of Klez).

If all of the messages are from the jleclair05 account, there's a very good
chance that account is the one that is infected, so that would be a good
place to start. But, I can almost guarantee that the IP 10.200.11.65 does
exist on your network, and is the source of the virus.

-Scott

---
This E-mail came from the Declude.Virus mailing list.
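The header reasoning above, walking the Received: chain back to the host that connected to the site's own server, as an added example that is not part of the list post. The two sample messages are constructed (the From address is a placeholder; the second, two-hop message is invented to show the general case); only the hop written by your own server can be trusted, since earlier Received: lines can be forged by the sender.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample modelled on the post: one Received: header, written by the
# site's own server, so the bracketed address is the peer that actually connected.
DIRECT = """\
Received: from Yik [10.200.11.65] by mcgraw.elmira.edu
  (SMTPD32-7.05) id A84FB4901FE; Thu, 05 Sep 2002 08:04:34 -0400
From: webmaster <webmaster@example.invalid>

"""

# Constructed two-hop sample: the same server received it from an outside relay.
RELAYED = """\
Received: from relay.example.invalid (relay.example.invalid [192.0.2.10])
  by mcgraw.elmira.edu (SMTPD32-7.05) id CONSTRUCTED; Thu, 05 Sep 2002 08:10:00 -0400
Received: from Yik [10.200.11.65] by relay.example.invalid; Thu, 05 Sep 2002 08:09:00 -0400
From: webmaster <webmaster@example.invalid>

"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>[^\s\[]*)"            # name the client announced in HELO/EHLO
    r"[^\[]*?"                               # optional reverse-DNS comment
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"  # peer address the receiving server saw
    r".*?\bby\s+(?P<by>\S+)",                # the server that wrote this header
)

def trace_hops(raw):
    """Return the Received: chain in delivery order (first hop first)."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    # Each server prepends its header, so the last Received: line is the first hop.
    for value in reversed(msg.get_all("Received") or []):
        m = RECEIVED_RE.search(" ".join(value.split()))
        if m:
            hops.append({"helo": m["helo"], "ip": m["ip"], "by": m["by"].rstrip(";")})
    return hops

def originating_host(raw):
    """First hop plus whether it connected to us directly and from private space."""
    hops = trace_hops(raw)
    if not hops:
        raise ValueError("no parseable Received: header")
    first = hops[0]
    return {**first, "direct": len(hops) == 1,
            "private": ipaddress.ip_address(first["ip"]).is_private}
```

A `direct` result with a private address, as in the post, means the infected client is on the local network and the DHCP lease for that address is the place to look.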