Joe Wein
Fighting spam and scams
on the Internet

How to trace a virus sender

Problem: If you "reply" to a virus mail, you will not reach the owner of the infected computer. All viruses launched over the last three years send virus mails with fake sender addresses, making it difficult to notify the service provider of the owner of the infected computer.

Explanation: Current viruses search the hard disk of a machine they infect for email addresses. When they send out mails to spread themselves, they use email addresses found on the machine for both the recipient and the sender address. If person A receives a virus that contains the email address of person B as the sender, chances are that B will also have received a virus mail from the same source as A. With such viruses, complaining to the administrator of the sender domain is a complete waste of time. You first need to figure out where the virus really came from. Then you can notify the abuse department of the provider whose network was used to transmit the virus. Only the abuse department can locate the actual sender and ask him to run a virus scanner or block his internet connection.

Solution: The following web form is a tool to let you find out which provider an IP address is assigned to.

[Web form: "WhoisServer" selection and "Query" field for the IP address]
How to use this form:
  1. Display the mail header in the spam e-mail. How to do this depends on your email client:
    • Outlook Express: File / Properties / Details / Message Source.
    • Microsoft Outlook 98 and 2000 for Windows: Right click on the message and select Options
    • Netscape Messenger 4.7 - 6: Open the email; View / Headers / All
    • Netscape Messenger 6.2 and higher: Go to Netscape Messenger Inbox; View / Headers / All
    • Other mail programs: See here

    You'll see something similar to the following (not all fields will be present):

    Received: from evhr.net (ABoulogne-108-1-5-78.w81-49.abo.wanadoo.fr 
    	[81.49.15.78]) by mail.evhr.net (Postfix) with ESMTP id 9CB2D827D5
    	for <eppi@evhr.net>; Mon, 21 Jun 2004 19:34:55 +0200 (CEST)
    From: joewein@pobox.com
    To: eppi@evhr.net
    Subject: Re: My details
    Date: Mon, 21 Jun 2004 19:34:56 +0200
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    	boundary="----=_NextPart_000_0012_000077D0.00000877"
    X-Priority: 3
    X-MSMail-Priority: Normal
    Message-Id: <20040621173455.9CB2D827D5@mail.evhr.net>
    
    This is a multi-part message in MIME format.
    
    ------=_NextPart_000_0012_000077D0.00000877
    Content-Type: text/plain;
    	charset="Windows-1252"
    Content-Transfer-Encoding: 7bit
    
    See the attached file for details.
    
    ------=_NextPart_000_0012_000077D0.00000877
    Content-Type: application/octet-stream;
    	name="my_details.pif"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment;
    	filename="my_details.pif"
    
    [base64-encoded attachment body omitted]

  2. Disregard the From-address, because it's fake. I didn't send this virus. Instead, look for Received: lines. There may be more than one. They contain the information needed to track down the sender. With Netsky and other current viruses, only one of the Received-lines is important: the final one.

    Looking at the final Received-line (others omitted here) shows that the virus was sent from a computer identified as ABoulogne-108-1-5-78.w81-49.abo.wanadoo.fr with an IP address of 81.49.15.78. Not all Received-lines contain a valid host name, but all contain an IP address.

  3. If you enter the above IP-address into the search form, you get the following result:

    Asking "whois.arin.net" about "81.49.15.78":

         
         OrgName:    RIPE Network Coordination Centre 
         OrgID:      RIPE
         Address:    Singel 258
         Address:    1016 AB
         City:       Amsterdam
         StateProv:  
         PostalCode: 
         Country:    NL
         
         ReferralServer: whois://whois.ripe.net:43
    
    RIPE is the internet registry for Europe, Africa and the Middle East. Other registries are APNIC for Australia, New Zealand and Asia and LACNIC for Latin America and the Caribbean.

  4. If the address belongs to a range managed by one of these other registries, go back to the original form and repeat the search with the correct registry selected. Here's the result:
         % This is the RIPE Whois server.
         % The objects are in RPSL format.
         %
         % Rights restricted by copyright.
         % See http://www.ripe.net/ripencc/pub-services/db/copyright.html
         
         inetnum:      81.49.15.0 - 81.49.15.255
         netname:      IP2000-ADSL-BAS
         descr:        BSBGN108 Boulogne Bloc1
         country:      FR
         admin-c:      WITR1-RIPE
         tech-c:       WITR1-RIPE
         status:       ASSIGNED PA
         remarks:      for hacking, spamming or security problems send mail to
         remarks:      postmaster@wanadoo.fr AND abuse@wanadoo.fr
         mnt-by:       FT-BRX
         changed:      gestionip.ft@francetelecom.com 20020924
         changed:      gestionip.ft@francetelecom.com 20030318
         source:       RIPE
         
         route:        81.49.0.0/16
         descr:        France Telecom
         descr:        Wanadoo France
         remarks:      -------------------------------------------
         remarks:      For Hacking, Spamming or Security problems
         remarks:      send mail to  abuse@wanadoo.fr
         remarks:      -------------------------------------------
    
    As you can see, the correct abuse report address is abuse@wanadoo.fr.

    jwSpamSpy, our spam filter, mostly automates this process of determining and notifying the provider.

    Note that abuse@wanadoo.fr will not accept any virus reports that quote the body of a virus (headers only!) - a virus filter will bounce the virus report! Other abuse departments (for example, abuse@att.net) specifically require the message body as well. This creates something of a dilemma. We usually report message headers only, as this is really all that's needed for locating the sender.
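    The steps above (find the final Received-line, take its bracketed IP, follow the registry referral, read off the abuse address) can be automated. The following is an added example written for this page, not code from the page or from jwSpamSpy; it works on saved header and whois text, so the only part left to you is the actual whois query. The inner hop (mx.example.net, 192.0.2.10) in the sample is invented to show why the final line, not the first, matters.

```python
import re
import ipaddress

# Constructed sample: the header quoted above, plus an invented inner hop
# (mx.example.net, 192.0.2.10) to show why only the final line matters.
SAMPLE = """\
Received: from mail.evhr.net (mail.evhr.net [192.0.2.10])
	by mx.example.net (Postfix) with ESMTP id 0A1B2C3D4E
	for <eppi@evhr.net>; Mon, 21 Jun 2004 19:35:01 +0200 (CEST)
Received: from evhr.net (ABoulogne-108-1-5-78.w81-49.abo.wanadoo.fr
	[81.49.15.78]) by mail.evhr.net (Postfix) with ESMTP id 9CB2D827D5
	for <eppi@evhr.net>; Mon, 21 Jun 2004 19:34:55 +0200 (CEST)
From: joewein@pobox.com
To: eppi@evhr.net
Subject: Re: My details
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_lines(raw):
    """Received: values, newest hop first; folded continuation lines are joined."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    return [m.group(1).strip() for m in re.finditer(r"(?m)^Received:(.*)$", unfolded)]

def origin_ip(raw):
    """IP the first receiving MTA recorded in brackets on the final (oldest)
    Received line. Private/reserved addresses are skipped: no registry
    can tell you who is behind them."""
    for rec in reversed(received_lines(raw)):
        m = IP_RE.search(rec)
        if m and ipaddress.ip_address(m.group(1)).is_global:
            return m.group(1)
    return None

def referral_server(whois_text):
    """Host named in a 'ReferralServer: whois://host:port' line (ARIN reply)."""
    m = re.search(r"ReferralServer:\s*whois://([^\s:/]+)", whois_text)
    return m.group(1) if m else None

def abuse_addresses(whois_text):
    """E-mail addresses from the remarks:/abuse-mailbox: lines of a RIPE reply."""
    found = set()
    for line in whois_text.splitlines():
        if re.match(r"\s*(remarks|abuse-mailbox):", line):
            found.update(re.findall(r"[\w.+-]+@[\w.-]+\.\w+", line))
    return sorted(found)
```

    Feed referral_server() the ARIN reply shown in step 3 and abuse_addresses() the RIPE reply from step 4; the From-address is never consulted.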

We have developed jwSpamSpy to protect you from both spam and viruses. It stops most spam sent to our mailboxes as well as all current viruses. Its easy-to-use Virus Reporting Assistant greatly simplifies the job of contacting the service provider of virus-infected machines. Learn more about it here: jwSpamSpy

Other Anti-Virus Resources:
Computer viruses: Netsky / SomeFool