How to trace a virus sender
Problem: If you "reply" to a virus mail, you will not reach the owner of the infected computer. Practically all mass-mailing viruses released over the last three years send their mails with fake sender addresses, which makes it difficult to notify the service provider of the owner of the infected computer.
Explanation:
Current viruses search the hard disk of a machine they infect for email addresses. When they send out mails to spread themselves, they use addresses found on that machine for both the recipient and the sender address. If person A receives a virus mail that names person B as the sender, chances are that B has received a virus mail from the same source as A. With such viruses, complaining to the administrator of the sender domain is a complete waste of time. You first need to figure out where the virus really came from. Then you can notify the abuse department of the provider whose network was used to transmit the virus. Only the abuse department can match the IP address and time stamp to a customer and ask that customer to run a virus scanner, or block their internet connection.
Solution:
The following web form lets you find out which provider an IP address is assigned to, by querying the whois databases of the regional internet registries.
How to use this form:
- Display the full mail header of the virus e-mail. How to do this depends on your email client:
- Outlook Express: File / Properties / Details / Message Source.
- Microsoft Outlook 98 and 2000 for Windows: Right click on the message and select Options
- Netscape Messenger 4.7 - 6: Open the email; View / Headers / All
- Netscape Messenger 6.2 and higher: Go to Netscape Messenger Inbox; View / Headers / All
- Other mail programs: look in your program's help for an option to show all or full headers (or the message source).
You'll see something similar to the following (not all fields will be present):
Received: from evhr.net (ABoulogne-108-1-5-78.w81-49.abo.wanadoo.fr
[81.49.15.78]) by mail.evhr.net (Postfix) with ESMTP id 9CB2D827D5
for <eppi@evhr.net>; Mon, 21 Jun 2004 19:34:55 +0200 (CEST)
From: joewein@pobox.com
To: eppi@evhr.net
Subject: Re: My details
Date: Mon, 21 Jun 2004 19:34:56 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0012_000077D0.00000877"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <20040621173455.9CB2D827D5@mail.evhr.net>
This is a multi-part message in MIME format.
------=_NextPart_000_0012_000077D0.00000877
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: 7bit
See the attached file for details.
------=_NextPart_000_0012_000077D0.00000877
Content-Type: application/octet-stream;
name="my_details.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="my_details.pif"
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAuAAAAKvnXsbvhjCV74Ywle+GMJVsmj6V44YwlQeZOpX2hjCV74YxlbiGMJVsjm2V
4oYwlQeZO5XqhjCVV4A2le6GMJVSaWNo74YwlQAAAAAAAAAAQ29tcHJlc3NlZCBieSBQZXRp
dGUgKGMpMTk5OSBJYW4gTHVjay4AAFBFAABMAQMA6ZtBQAAAAAAAAAAA4AAPAQsBBgAASAAA
APAAAAAAAABCcAEAABAAAABgAAAAAEAAABAAAAACAAAEAAAAAAAAAAQAAAAAAAAAAIABAAAE
(continued)
- Disregard the From-address, because it's fake. I didn't send this virus. Instead, look for Received: lines. There may be more than one; each mail server that handles the message adds its own line at the top, so the topmost Received line is the one written by your own (or your provider's) mail server. That is the only one you can trust: with Netsky and other current viruses the infected machine delivers the mail directly to the recipient's mail server, so this line names the infected machine, and any Received lines below it may have been forged by the virus.
Looking at that Received line (others omitted here) shows that the virus was sent from a computer identified as ABoulogne-108-1-5-78.w81-49.abo.wanadoo.fr with the IP address 81.49.15.78. Note the three names in the line: "evhr.net" is what the sending machine claimed to be in its HELO greeting and can be anything; the host name in parentheses is the reverse DNS lookup performed by the receiving server; the address in square brackets is the IP address the connection actually came from. Not all Received lines contain a valid host name, but all contain an IP address, and that address is what you report. Keep the date and time zone from the same line: dial-up and ADSL addresses are assigned dynamically, so the provider needs the time to identify the customer.
- If you enter the above IP-address into the search form, you get the following result:
Asking "whois.arin.net" about "81.49.15.78":
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: Singel 258
Address: 1016 AB
City: Amsterdam
StateProv:
PostalCode:
Country: NL
ReferralServer: whois://whois.ripe.net:43
RIPE NCC is the regional internet registry for Europe, the Middle East and parts of Central Asia (Africa was served by RIPE until AfriNIC took over that region in 2005). The other registries are ARIN for North America, APNIC for the Asia-Pacific region including Australia and New Zealand, and LACNIC for Latin America and the Caribbean.
- If the registry you asked refers you elsewhere, as ARIN does here with its ReferralServer line, go back to the original form and repeat the search with the correct registry selected. Here's the result:
% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html
inetnum: 81.49.15.0 - 81.49.15.255
netname: IP2000-ADSL-BAS
descr: BSBGN108 Boulogne Bloc1
country: FR
admin-c: WITR1-RIPE
tech-c: WITR1-RIPE
status: ASSIGNED PA
remarks: for hacking, spamming or security problems send mail to
remarks: postmaster@wanadoo.fr AND abuse@wanadoo.fr
mnt-by: FT-BRX
changed: gestionip.ft@francetelecom.com 20020924
changed: gestionip.ft@francetelecom.com 20030318
source: RIPE
route: 81.49.0.0/16
descr: France Telecom
descr: Wanadoo France
remarks: -------------------------------------------
remarks: For Hacking, Spamming or Security problems
remarks: send mail to abuse@wanadoo.fr
remarks: -------------------------------------------
As you can see, the correct abuse report address is abuse@wanadoo.fr.
jwSpamSpy, our spam filter, mostly automates this process of determining and notifying the provider.
Note that abuse@wanadoo.fr will not accept virus reports that quote the body of a virus (headers only!): its virus filter will bounce the report. Other abuse departments (for example, abuse@att.net) specifically require the message body as well. This creates something of a dilemma. We usually report message headers only, as this is really all that's needed for locating the sender; the Received line with its IP address and time stamp is what the abuse department needs.
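The whole procedure above, from the Received line to the abuse address, as an added Python example (not the page's own code and not jwSpamSpy's). It parses the page's sample header with a constructed forged Received line appended below the genuine one, picks the hop at which the mail entered a trusted server, strips the body for a headers-only report, follows an ARIN-style referral and extracts abuse@ contacts from the registry record. The set of trusted host names, the 192.0.2.10 address and all function names are assumptions for the demo; the raw whois query goes over the network and is not exercised by the embedded samples.

```python
# Added example, not code from this page or from jwSpamSpy.  Constructed
# sample data; trusted host names and 192.0.2.10 are assumptions for the demo.
import re
import socket

# The page's headers plus a constructed, forged Received: line below them, as
# a virus may add to mislead the reader.  Only the top line is mail.evhr.net's.
SAMPLE_MESSAGE = """\
Received: from evhr.net (ABoulogne-108-1-5-78.w81-49.abo.wanadoo.fr
 [81.49.15.78]) by mail.evhr.net (Postfix) with ESMTP id 9CB2D827D5
 for <eppi@evhr.net>; Mon, 21 Jun 2004 19:34:55 +0200 (CEST)
Received: from mail.pobox.com (mail.pobox.com [192.0.2.10])
 by evhr.net with ESMTP; Mon, 21 Jun 2004 19:34:50 +0200
From: joewein@pobox.com
To: eppi@evhr.net
Subject: Re: My details

See the attached file for details.
"""
# Whois answers as quoted on the page (abbreviated): ARIN's referral, then RIPE.
SAMPLE_ARIN = "OrgName: RIPE Network Coordination Centre\nReferralServer: whois://whois.ripe.net:43\n"
SAMPLE_RIPE = """\
inetnum: 81.49.15.0 - 81.49.15.255
remarks: for hacking, spamming or security problems send mail to
remarks: postmaster@wanadoo.fr AND abuse@wanadoo.fr
route: 81.49.0.0/16
remarks: send mail to abuse@wanadoo.fr
"""

RECEIVED_RE = re.compile(
    r"^Received:\s*from\s+(?P<helo>\S+)"        # name the client claimed in HELO (forgeable)
    r"(?:\s*\((?P<rdns>[^\s\[\]()]+)?\s*"       # reverse DNS looked up by the receiving server
    r"\[(?P<ip>[0-9a-fA-F.:]+)\].*?\))?"         # the IP the connection really came from
    r"(?:.*?\s+by\s+(?P<by>\S+))?",              # the server that wrote this line
    re.IGNORECASE)

def headers_only(message):
    """Everything before the first blank line: the part to put in a report.
    Quoting the body would mail the abuse desk the virus itself."""
    return re.split(r"\r?\n\r?\n", message, maxsplit=1)[0]

def unfold(headers):
    """Join folded header lines (continuation lines start with whitespace)."""
    out = []
    for line in headers.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out

def parse_received(headers):
    """Received: lines top-down (most recent hop first) as dicts."""
    return [m.groupdict() for m in map(RECEIVED_RE.match, unfold(headers)) if m]

def find_sender_hop(message, trusted_hosts):
    """Each server prepends its own Received: line, so lines written by your
    own (trusted) servers sit at the top.  Walk down while 'by' is trusted;
    the first hop that came in from an untrusted host is where the mail
    entered your network, and only that line's IP is reliable.  Returns the
    hop dict, or None if the chain never leaves trusted hands."""
    trusted = {h.lower() for h in trusted_hosts}
    for hop in parse_received(headers_only(message)):
        if (hop["by"] or "").lower() not in trusted:
            return None   # written by an untrusted host: nothing below counts
        if (hop["rdns"] or "").lower() in trusted:
            continue      # internal relay between your own servers
        return hop
    return None

def whois_query(server, query, timeout=10.0):
    """Plain RFC 3912 whois: query on TCP port 43, read to EOF (needs network)."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall((query + "\r\n").encode("ascii"))
        data = b"".join(iter(lambda: sock.recv(4096), b""))
    return data.decode("utf-8", "replace")

def referral_server(whois_text):
    """Host from an ARIN-style 'ReferralServer: whois://host:43' line, if any."""
    m = re.search(r"^ReferralServer:\s*(?:r?whois://)?([^:/\s]+)", whois_text, re.M | re.I)
    return m.group(1) if m else None

def abuse_contacts(whois_text):
    """abuse@ mailboxes named in abuse-mailbox:/remarks: fields, deduplicated."""
    hits = re.findall(r"^(?:abuse-mailbox|remarks):.*?\b(abuse@[\w.-]+)", whois_text, re.M | re.I)
    return list(dict.fromkeys(h.lower() for h in hits))

def lookup_abuse(ip, start="whois.arin.net"):
    """The page's two-step lookup: ask one registry, follow its referral."""
    text = whois_query(start, ip)
    ref = referral_server(text)
    return abuse_contacts(whois_query(ref, ip) if ref else text)

if __name__ == "__main__":
    hop = find_sender_hop(SAMPLE_MESSAGE, {"mail.evhr.net"})
    print("sender:", hop["ip"], hop["rdns"], "(claimed HELO:", hop["helo"] + ")")
    print("report to:", abuse_contacts(SAMPLE_RIPE), "found via", referral_server(SAMPLE_ARIN))
```

The trusted-host walk is the part that matters: with the forged second line present, a naive "take the last Received line" reading would blame mail.pobox.com, while walking down from your own server's line stops at 81.49.15.78 and never consults the forgery. Pass `lookup_abuse("81.49.15.78")` a real network connection to reproduce the ARIN-to-RIPE referral by hand.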
We have developed jwSpamSpy to protect you from both spam and viruses. It stops most spam sent to our mailboxes as well as all current viruses. Its easy-to-use Virus Reporting Assistant greatly simplifies the job of contacting the service provider of virus-infected machines. Learn more about it here:
Other Anti-Virus Resources:
Computer viruses: Netsky / SomeFool