
Am I forwarding a virus?



benny gsr
14th October 2004, 09:50 PM
A few weeks ago I started getting an email from a known contact.

It is a blank subject box with "RE:" in it. It has an attached zip file, and in the email text it says "THE SNAKE"

Since then, I get one of these emails from the same contact on a daily basis (also the same thing in a different email account from the known contact). The text in the email changes with different names and passwords (predators, animals, fotogallery).

I have found from a friend (at least one) in my address book that he has now been getting the same thing from me, only it is "quarantined" at his work server.

I am not knowingly forwarding these emails, and don't know how to stop it.
Whilst it does not seem to affect me, I would like to stop it if possible.

Does anyone know what this is, and can anyone help me stop it?

nider
14th October 2004, 10:16 PM
If you've got a Mac, it is extremely unlikely that it's you sending the emails. What a lot of email viruses do is use addresses from a person's address book as the "From" address. For more information about the email, view the full email headers.

In Mail, do this by selecting View > Message > Raw Source (Apple+Option+U).

By looking at these headers you can usually figure out whether the message actually came from the person the mail is said to come from.

benny gsr
14th October 2004, 10:28 PM
I checked the email headers as you mentioned, but the emails do seem to come from my contacts. I don't understand all of the text underneath, but I don't think that is relevant?

But could a virus have gone through my address book and forwarded them? I've heard that Macs can be carriers of a virus, but not infected, obviously?

Disko
14th October 2004, 11:41 PM
Fret not - I've been getting the same viruses in my mailbox. Open them for a laugh - they can't hurt you or the Windows (l)users in your address book.

Currawong
15th October 2004, 07:44 AM
Benny, what you need to do is look back through the list of machines that handled the email, not the "From" address, which is fake. I've had "you sent a forbidden/virus-laden attachment" automatic messages from some badly configured mail servers, about emails which clearly were not sent by me, but by someone I know whose virus had used my address in the "From" field.

Anyway, here are the headers from my EveryMac registration email, which I'll give as an example of how to trace. Note that I've replaced parts of the email addresses with dashes to prevent spam.


Return-path: <nobody@optik.everymac.com>
Envelope-to: ---@currawong.net
Delivery-date: Wed, 13 Oct 2004 21:50:51 -0400
Received: from [207.112.193.26] (helo=optik.everymac.com)
    by host.amsnac2.com with esmtps (TLSv1:DES-CBC3-SHA:168)
    (Exim 4.43)
    id 1CHulW-0007rL-G1
    for ---@currawong.net; Wed, 13 Oct 2004 21:50:50 -0400
Received: from optik.everymac.com (localhost.everymac.com [127.0.0.1])
    by optik.everymac.com (8.12.9/8.12.9) with ESMTP id i9E2nA7u069563
    for <---@currawong.net>; Wed, 13 Oct 2004 21:49:10 -0500 (CDT)
Received: (from nobody@localhost)
    by optik.everymac.com (8.12.9/8.12.9/Submit) id i9E2n5xR069561;
    Wed, 13 Oct 2004 21:49:05 -0500 (CDT)
Date: Wed, 13 Oct 2004 21:49:05 -0500 (CDT)
Message-Id: <200410140249.i9E2n5xR069561@optik.everymac.com>
To: ---@currawong.net
From: -------@everymac.com (EveryMac.com)
Subject: EveryMac.com Membership
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus

This email probably isn't the best example, but what we can tell from it, reading the "Received" headers backwards, is that the message was sent by someone connected to "optik.everymac.com" to a mail program or server, which sent it to another mail program or server inside that machine, before it was sent on to my mail server. Basically, each time a server receives and processes an email, it adds a "Received" line above the previous "Received" lines. The lowest of these lines indicates the source. Sometimes that source is only an IP address, but doing a lookup on that address will determine the domain that the email was sent from, usually a major ISP. That at least will allow you to narrow down who might have the virus.
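The tracing procedure Currawong describes, as an added worked example (not code from any poster in this thread): a small Python script that reads the "Received" lines from the bottom up, pulls out the relay name, the bracketed IP and the "by" host from each hop, and reports the first hop that came in from a public IP, which is the best guess at where the mail entered the public mail system. It uses the header block posted above as its input (copied into the script with the same dash-redacted addresses), and the function names and the domain-comparison heuristic are my own, not a standard from the thread. The check at the end compares the "From" domain with the host name the originating relay announced; the mismatch one would expect for a worm-forged "From" is exactly the kind of thing the comparison is meant to surface.

```python
import ipaddress
import re
from email import message_from_string
from typing import Optional

# Headers copied from Currawong's post above (addresses were already redacted there).
# Continuation lines are indented, as RFC 5322 folding requires.
RAW_HEADERS = """Return-path: <nobody@optik.everymac.com>
Envelope-to: ---@currawong.net
Delivery-date: Wed, 13 Oct 2004 21:50:51 -0400
Received: from [207.112.193.26] (helo=optik.everymac.com)
    by host.amsnac2.com with esmtps (TLSv1:DES-CBC3-SHA:168)
    (Exim 4.43)
    id 1CHulW-0007rL-G1
    for ---@currawong.net; Wed, 13 Oct 2004 21:50:50 -0400
Received: from optik.everymac.com (localhost.everymac.com [127.0.0.1])
    by optik.everymac.com (8.12.9/8.12.9) with ESMTP id i9E2nA7u069563
    for <---@currawong.net>; Wed, 13 Oct 2004 21:49:10 -0500 (CDT)
Received: (from nobody@localhost)
    by optik.everymac.com (8.12.9/8.12.9/Submit) id i9E2n5xR069561;
    Wed, 13 Oct 2004 21:49:05 -0500 (CDT)
Date: Wed, 13 Oct 2004 21:49:05 -0500 (CDT)
Message-Id: <200410140249.i9E2n5xR069561@optik.everymac.com>
To: ---@currawong.net
From: -------@everymac.com (EveryMac.com)
Subject: EveryMac.com Membership
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
"""

# A bracketed IPv4 literal, as sendmail and Exim write the peer address.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value: str) -> dict:
    """Extract the relay name, peer IP, HELO name and receiving host from one Received: value."""
    text = " ".join(value.split())  # unfold continuation lines into one string
    hop = {"from": None, "ip": None, "helo": None, "by": None, "raw": text}
    # Normal form "from <host> ..." or the local-submission form "(from user@host) ..."
    m = re.match(r"from\s+(\S+)", text) or re.match(r"\(from\s+([^)]+)\)", text)
    if m:
        hop["from"] = m.group(1)
    m = IP_RE.search(text)
    if m:
        hop["ip"] = m.group(1)
    m = re.search(r"helo=([^\s)]+)", text)  # Exim records the sender's HELO name this way
    if m:
        hop["helo"] = m.group(1)
    m = re.search(r"\bby\s+(\S+)", text)
    if m:
        hop["by"] = m.group(1)
    return hop


def trace(raw: str) -> list:
    """Return the hops in chronological order: the lowest Received: line comes first."""
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []  # top of message first, i.e. newest first
    return [parse_received(v) for v in reversed(received)]


def originating_ip(raw: str) -> Optional[str]:
    """First hop that arrived from a public (non-loopback, non-private) address."""
    for hop in trace(raw):
        if hop["ip"] and ipaddress.ip_address(hop["ip"]).is_global:
            return hop["ip"]
    return None


def from_domain(raw: str) -> Optional[str]:
    """Domain part of the From: header (what the sender claims, which a worm can forge)."""
    m = re.search(r"@([\w.-]+)", message_from_string(raw).get("From", ""))
    return m.group(1).lower() if m else None


def origin_consistent_with_from(raw: str) -> bool:
    """Heuristic (my own): does the first public relay announce a name under the From: domain?"""
    dom = from_domain(raw)
    if not dom:
        return False
    for hop in trace(raw):
        if hop["ip"] and ipaddress.ip_address(hop["ip"]).is_global:
            claimed = (hop["helo"] or hop["from"] or "").lower().strip("[]")
            return claimed == dom or claimed.endswith("." + dom)
    return False


if __name__ == "__main__":
    for i, hop in enumerate(trace(RAW_HEADERS), 1):
        print(f"hop {i}: from={hop['from']} ip={hop['ip']} helo={hop['helo']} by={hop['by']}")
    print("originating IP:", originating_ip(RAW_HEADERS))
    print("From: domain:", from_domain(RAW_HEADERS))
    print("origin consistent with From:", origin_consistent_with_from(RAW_HEADERS))
```

One caveat worth keeping in mind when reading the output: only the "Received" lines added by servers you trust (your own provider's, at the top) are reliable. Everything below the first line your own server added was supplied by the sending side and can be forged, so a worm can plant a fake lower "Received" line just as easily as it forges "From". The public IP in the lowest line your own server wrote is the one to look up.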