What to do to virus e-mail

You're reading Mikko Saari's blog Life and opinions. This entry was written 08/ 6/2004, at 13:12.

If you want read more of my entries in the same topic, this entry belongs to the category of Geek stuff.

Previous entry: Interview
Next entry: Engaging

I've been in the receiving end of rather heavy loads of virus e-mails. I've received dozens of messages each day from two or three senders. It's a huge annoyance, but fortunately something that can be dealt with. Here's how:

Check the full headers of the virus e-mail. Look for the Received:-lines. Follow the chain and find where the message came from. Here's an example:

Received: from mail.melankolia.net ([XX.XX.XXX.XXX]) by shadow.nebula.fi (8.11.6/8.11.6) with SMTP id i74Ba7D28962 for <tefomed@melankolia.net>; Wed, 4 Aug 2004 14:36:07 +0300

This was the only one in the message, so the message came straight from the virus-infested computer to me. shadow.nebula.fi is my Internet home. mail.melankolia.net is also my address, but that's fake. The correct source is the IP (which I've replaced with X's to protect the innocent). Feed the IP to RIPE Whois Database to get a domain name.

Then just send a copy of a virus mail (without any attachments, but with full headers) to abuse at whatever the domain is. That should do the trick, in most cases.

Here's another example:

Received: from mail.melankolia.net (dsl-olugw3p44.dial.XXXX.fi [XX.XXX.XXX.XX]) by shadow.nebula.fi (8.11.6/8.11.6) with SMTP id i744mCD24543

for <weni@melankolia.net>; Wed, 4 Aug 2004 07:48:13 +0300

This time the plain-text part tells us all we need to know. It's a dsl line for XXXX ISP. RIPE would confirm. Ripe will also tell that correct abuse e-mail is abuse@XXXX.fi.

These two were the worst offenders - I would get something like 40-50 emails a day from both on most days. I complained about both and that's it, no more virus mail anymore.

Trackback Pings

TrackBack URL for this entry:


Post a comment

Remember Me?