How to trace a virus sender
Problem: If you "reply" to a virus mail, you will not reach the owner of the infected computer. All viruses launched over the last three years send virus mails with fake sender addresses, making it difficult to notify the service provider of the owner of the infected computer.
Current viruses search the harddisk of a machine the infect for email addresses. When they send out mails to spread themselves, they use email addresses found on the machine for both the recipient and sender address. If person A receives a virus that contains the email address of person B as the sender, chances are that both B will also have received a virus mail from the same source as A. With such viruses, complaining to the administrator of the sender domain is a complete waste of time. You first need to figure out where the virus really came from. Then you can notify the abuse department of the provider whiose network was used to transmit the virus. Only the abuse department can locate the actual sender and ask him to run a virus scanner or block his internet connection.
The following web form is a tool to let you find out which provider an IP address is assigned to.
How to use this form:
- Display the mail header in the spam e-mail. How to do this depends on your email client:
- Outlook Express: File / Properties / Details / Message Source.
- Microsoft Outlook 98 and 2000 for Windows: Right click on the message and select Options
- Netscape Messenger 4.7 - 6: Open the email; View / Headers / All
- Netscape Messenger 6.2 and higher: Go to Netscape Messenger Inbox; View / Headers / All
- Other mail programs: See here
You'll see something similar to the following (not all fields will be present):
Received: from evhr.net (ABoulogne-108-1-5-78.w81-49.abo.wanadoo.fr
[188.8.131.52]) by mail.evhr.net (Postfix) with ESMTP id 9CB2D827D5
for <firstname.lastname@example.org>; Mon, 21 Jun 2004 19:34:55 +0200 (CEST)
Subject: Re: My details
Date: Mon, 21 Jun 2004 19:34:56 +0200
This is a multi-part message in MIME format.
See the attached file for details.
- Disregard the From-address, because it's fake. I didn't send this virus. Instead, look for Received: lines. There may be more than one. They contain the information needed to track down the sender. With Netsky and other current viruses, only one of the Received-lines is important: the final one.
Looking at the final Received-line (others omitted here) shows that the virus was sent from a computer identifed as ABoulogne-108-1-5-78.w81-49.abo.wanadoo.fr with an IP address of 184.108.40.206. Not all Received-lines containe a valid host name, but all contain an IP address.
- If you enter the above IP-address into the search form, you get the following result:
Asking "whois.arin.net" about "220.127.116.11":
OrgName: RIPE Network Coordination Centre
Address: Singel 258
Address: 1016 AB
RIPE is the internet registry for Europe, Africa and the Middle East. Other registries are APNIC for Australia, New Zealand and Asia and LACNIC for Latin America and the Caribbean.
- If the address comes from an address range by one of these regions, go back to the original form and repeat the search, with the correct registry selected. Here's the result:
% This is the RIPE Whois server.
% The objects are in RPSL format.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html
inetnum: 18.104.22.168 - 22.214.171.124
descr: BSBGN108 Boulogne Bloc1
status: ASSIGNED PA
remarks: for hacking, spamming or security problems send mail to
remarks: email@example.com AND firstname.lastname@example.org
changed: email@example.com 20020924
changed: firstname.lastname@example.org 20030318
descr: France Telecom
descr: Wanadoo France
remarks: For Hacking, Spamming or Security problems
remarks: send mail to email@example.com
As you can see, the correct abuse report address is firstname.lastname@example.org
jwSpamSpy, our spamfilter mostly automates this process of determining and notifying the provider.
Note that email@example.com will not accept any virus reports that quote the body of a virus (headers only!) - a virus filter will bounce the virus report! Other abuse departments (for example, firstname.lastname@example.org) specifically require the message body as well. This creates something of a dilemma. We usually report message headers only, as this is really all that's needed for locating the sender.
We have developed jwSpamSpy to protect you from both spam and viruses. It stops most spam sent to our mailboxes as well as all current viruses. It's easy-to-use Virus Reporting Assistant greatly simplifies the job of contacting the service provider of virus infected machines. Learn more about it here:
Other Anti-Virus Resources:
Computer viruses: Netsky / SomeFool