While it probably can't hurt to drop a line, doesn't it
seem plausible that the virus was passed out of an address
book without the owner even knowing?
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Merlin
Sent: Friday, November 17, 2000 12:23 AM
To: opensrs-discuss
Subject: On the trail of that pesky Virus Poster.
and don't say it's nothing to do with this list......
The Header: (the interesting part anyway)
==============
X-Authentication-Warning: opensrs.org: majordomo set sender to
[EMAIL PROTECTED] using -f
Received: from bom3.vsnl.net.in (bom3.vsnl.net.in [202.54.4.24])
by opensrs.org (8.9.3/8.9.3) with ESMTP id AAA23481
for <[EMAIL PROTECTED]>; Fri, 17 Nov 2000 00:37:43 -0500
Received: from default (unknown [203.197.52.124])
by bom3.vsnl.net.in (Postfix) with SMTP id 20A102AEE
for <[EMAIL PROTECTED]>; Fri, 17 Nov 2000 11:07:04 +0530 (IST)
From: Hahaha <[EMAIL PROTECTED]>
Subject: Snowhite and the Seven Dwarfs - The REAL story!
=====================
$ ping 203.197.52.124
PING 203.197.52.124 (203.197.52.124): 56 data bytes
64 bytes from 203.197.52.124: icmp_seq=1 ttl=108 time=1860.361 ms
64 bytes from 203.197.52.124: icmp_seq=2 ttl=108 time=2190.421 ms
64 bytes from 203.197.52.124: icmp_seq=3 ttl=108 time=1810.393 ms
So the turkey is home....
Let's see where he comes from.
$ dig -x 203.197.52.124
;; 124.52.197.203.in-addr.arpa, type = ANY, class = IN
;; AUTHORITY SECTION:
197.203.IN-ADDR.ARPA. 2h34m30s IN SOA dns.vsnl.net.in. helpdesk.giasbm01.vsnl.net.in. (
$ whois giasbm01.vsnl.net.in
Server Name: GIASBM01.VSNL.NET.IN
IP Address: 202.54.1.18
Registrar: NETWORK SOLUTIONS, INC.
Whois Server: whois.networksolutions.com
Referral URL: www.networksolutions.com
So I'd say a polite message to [helpdesk.giasbm01.vsnl.net.in] giving them
the IP and name of the offender may do it.
Others may be able to obtain even more detailed info about the particular
host....
Bob
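
Added example, not part of the original messages: the header reading done by hand above, as a small Python script that walks the Received chain from the line the receiving server wrote, stops where the relay names stop lining up, and returns the in-addr.arpa name that dig -x would query. The function names, the trusted_by parameter and the placeholder recipient address are assumptions made for this example.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the two Received lines quoted above, with the redacted
# recipient replaced by a placeholder address.
RAW = """\
Received: from bom3.vsnl.net.in (bom3.vsnl.net.in [202.54.4.24])
\tby opensrs.org (8.9.3/8.9.3) with ESMTP id AAA23481
\tfor <list@example.invalid>; Fri, 17 Nov 2000 00:37:43 -0500
Received: from default (unknown [203.197.52.124])
\tby bom3.vsnl.net.in (Postfix) with SMTP id 20A102AEE
\tfor <list@example.invalid>; Fri, 17 Nov 2000 11:07:04 +0530 (IST)

body
"""

HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[\d.]+)\]\)"
                 r"\s+by\s+(?P<by>\S+)")

def parse_hops(raw):
    """Return hops newest-first, since each relay prepends its own Received line."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())           # unfold continuation lines
        m = HOP.search(flat)
        if not m:
            continue
        stamp = re.sub(r"\s*\([^)]*\)\s*$", "", flat.rsplit(";", 1)[1]).strip()
        hops.append({**m.groupdict(), "time": parsedate_to_datetime(stamp)})
    return hops

def trace_origin(raw, trusted_by):
    """Walk down from the line our own server wrote; stop where the chain breaks."""
    hops = parse_hops(raw)
    if not hops or hops[0]["by"] != trusted_by:
        return None                              # top line is not from our server
    origin = hops[0]
    for older in hops[1:]:
        if older["by"] != origin["rdns"]:        # relay name does not line up
            break
        origin = older
    return {"ip": origin["ip"], "helo": origin["helo"],
            "ptr_name": ipaddress.ip_address(origin["ip"]).reverse_pointer,
            "transit_seconds": (hops[0]["time"] - origin["time"]).total_seconds()}

if __name__ == "__main__":
    print(trace_origin(RAW, "opensrs.org"))
```

Only the top Received line is written by the receiving server; everything below it is supplied by the relays and the sender, which is why the walk stops at the first line whose "by" host does not match the peer recorded by the hop above it.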