
RE: [cobalt-security] Virus - How to find real source from forged header



<snip>
Anyway, the 'from header' states that the virus is coming from one of my
email addresses, but I am 99% sure that this is forged. My question is, how can
I find out the real email address from which this virus is being sent. It is
becoming a problem as I'm receiving this up to 50 times per day.
</snip>

This is very difficult to do accurately. Though what you might be able to discover is how to block the offending IP completely.

Have a look at the full headers for the email (if you're unfortunate enough to use Outlook, then double-click the mail and go to View > Options to see them).
You'll see something like:


Microsoft Mail Internet Headers Version 2.0
Received: from list.cobalt.com ([12.40.201.23]) by plato.nemi.interv8.co.uk with Microsoft SMTPSVC(5.0.2195.5329);
	 Fri, 8 Nov 2002 10:33:14 +0000
Received: from list.cobalt.com (localhost [127.0.0.1])
	by list.cobalt.com (8.9.3/8.9.3) with ESMTP id CAA06328;
	Fri, 8 Nov 2002 02:32:28 -0800
Received: from ns.achieve-it.com (ns.achieve-it.com [212.67.197.38])
	by list.cobalt.com (8.9.3/8.9.3) with ESMTP id CAA06233
	for <cobalt-security@xxxxxxxxxxxxxxx>; Fri, 8 Nov 2002 02:31:28 -0800
Received: from default (pc369.as1.galway1.eircom.net [159.134.145.113])
	by ns.achieve-it.com (8.10.2/8.10.2) with SMTP id gA8AUWT30718
	for <cobalt-security@xxxxxxxxxxxxxxx>; Fri, 8 Nov 2002 10:30:32 GMT
Message-ID: <>
From: "Achieve Website Design" <info@xxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>


I've cut all the rest as the bit above is the interesting bit.
Have a look at the last Received: line, and you should spot that it's logged your IP address from where you sent this mail to the mailing list.
That should be (providing they aren't spoofing IP) the IP to block, and then look it up using a whois tool (www.ripe.net or www.arin.net) and report the abuse to the relevant contact.

Regards,

Andy
andy@xxxxxxxxxx
http://www.raqpak.com  <-- Unofficial FAQs and PKGs
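An added example, not part of Andy's post: a small Python script that does the header walk he describes on the exact Received: chain quoted above. It parses the headers with the standard library, lists the hops newest-first, and returns two answers. `originating_ip` is the post's method, the IP in the bottom-most Received: line. `first_untrusted_hop` is the more cautious variant: it walks down only through hops that were written by relays you control (the `trusted_suffixes` list is an assumption for this example; the recipient of the quoted mail would put the cobalt.com and interv8.co.uk relays there) and returns the first peer address that connected to your own infrastructure. Anything logged below that point was written by somebody else's MTA and could have been forged by the sender, which is why the two answers differ on this sample.

```python
"""Walk the Received: chain of a mail header block (example code, not from
the list post). Two questions are answered: which IP did the last relay log
as the originator, and which IP is the last one we can actually vouch for."""
import ipaddress
import re
from email import message_from_string

# Sample input: the Received: chain quoted in the post above. Addresses are
# masked on the page and are left masked here.
SAMPLE_HEADERS = """\
Received: from list.cobalt.com ([12.40.201.23]) by plato.nemi.interv8.co.uk with Microsoft SMTPSVC(5.0.2195.5329);
     Fri, 8 Nov 2002 10:33:14 +0000
Received: from list.cobalt.com (localhost [127.0.0.1])
    by list.cobalt.com (8.9.3/8.9.3) with ESMTP id CAA06328;
    Fri, 8 Nov 2002 02:32:28 -0800
Received: from ns.achieve-it.com (ns.achieve-it.com [212.67.197.38])
    by list.cobalt.com (8.9.3/8.9.3) with ESMTP id CAA06233
    for <cobalt-security@xxxxxxxxxxxxxxx>; Fri, 8 Nov 2002 02:31:28 -0800
Received: from default (pc369.as1.galway1.eircom.net [159.134.145.113])
    by ns.achieve-it.com (8.10.2/8.10.2) with SMTP id gA8AUWT30718
    for <cobalt-security@xxxxxxxxxxxxxxx>; Fri, 8 Nov 2002 10:30:32 GMT
Message-ID: <>
From: "Achieve Website Design" <info@xxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>

"""

# "from <helo-name> (... [ip]) by <host>": the relay that wrote the line
# is <host>; <helo-name> is what the peer claimed and is not trustworthy.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+).*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(?P<by>\S+)"
)


def received_hops(raw_headers):
    """Return the Received: hops, newest first, as (helo_name, ip, by_host)."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", value)  # unfold the continuation lines
        m = HOP_RE.search(flat)
        if m:  # hops without a bracketed IPv4 address are skipped
            hops.append((m["helo"], m["ip"], m["by"]))
    return hops


def _is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback


def originating_ip(raw_headers):
    """The post's method: the public IP in the bottom-most (earliest) hop.
    Every hop below the ones written by your own relays could have been
    forged by the sender, so treat this as a lead, not as proof."""
    for _helo, ip, _by in reversed(received_hops(raw_headers)):
        if not _is_internal(ip):
            return ip
    return None


def first_untrusted_hop(raw_headers, trusted_suffixes):
    """Walk down from the newest hop while the 'by' host is one of ours and
    return the first peer IP that is not ours: the address that really
    connected to a relay we control, hence the one worth blocking or
    reporting with confidence."""
    suffixes = tuple(s.lower().strip(".") for s in trusted_suffixes)

    def ours(host):
        host = host.lower().rstrip(".")
        return any(host == s or host.endswith("." + s) for s in suffixes)

    for helo, ip, by in received_hops(raw_headers):
        if not ours(by):
            break  # written by somebody else's MTA: unverifiable from here on
        if _is_internal(ip) or ours(helo):
            continue  # hand-off between our own machines
        return ip
    return None


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_HEADERS):
        print("from %-20s [%-15s] by %s" % hop)
    print("last relay logged the sender as:", originating_ip(SAMPLE_HEADERS))
    print("first peer outside our relays  :",
          first_untrusted_hop(SAMPLE_HEADERS, ("cobalt.com", "interv8.co.uk")))
```

On the sample the post's method yields 159.134.145.113 (logged by ns.achieve-it.com), while the cautious walk stops at 212.67.197.38, the host that actually connected to list.cobalt.com. If the two disagree and you cannot vouch for the intermediate relay, the abuse report should go to the owner of the hop you can verify, with the lower lines included as supporting detail.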