Joe Wein
Fighting spam and scams
on the Internet



How to trace a virus sender

Problem: If you "reply" to a virus mail, you will not reach the owner of the infected computer. All viruses launched over the last three years send virus mails with fake sender addresses, making it difficult to notify the service provider of the owner of the infected computer.

Explanation: Current viruses search the hard disk of a machine they infect for email addresses. When they send out mails to spread themselves, they use email addresses found on the machine for both the recipient and the sender address. If person A receives a virus that contains the email address of person B as the sender, chances are that B will also have received a virus mail from the same source as A. With such viruses, complaining to the administrator of the sender domain is a complete waste of time. You first need to figure out where the virus really came from. Then you can notify the abuse department of the provider whose network was used to transmit the virus. Only the abuse department can locate the actual sender and ask him to run a virus scanner or block his internet connection.

Solution: The following web form is a tool to let you find out which provider an IP address is assigned to.

How to use this form:
  1. Display the mail header in the spam e-mail. How to do this depends on your email client:
    • Outlook Express: File / Properties / Details / Message Source.
    • Microsoft Outlook 98 and 2000 for Windows: Right click on the message and select Options
    • Netscape Messenger 4.7 - 6: Open the email; View / Headers / All
    • Netscape Messenger 6.2 and higher: Go to Netscape Messenger Inbox; View / Headers / All
    • Other mail programs: See here

    You'll see something similar to the following (not all fields will be present):

    Received: from ( 
    	[]) by (Postfix) with ESMTP id 9CB2D827D5
    	for <>; Mon, 21 Jun 2004 19:34:55 +0200 (CEST)
    Subject: Re: My details
    Date: Mon, 21 Jun 2004 19:34:56 +0200
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    X-Priority: 3
    X-MSMail-Priority: Normal
    Message-Id: <>
    This is a multi-part message in MIME format.
    Content-Type: text/plain;
    Content-Transfer-Encoding: 7bit
    See the attached file for details.
    Content-Type: application/octet-stream;
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment;

  2. Disregard the From-address, because it's fake. I didn't send this virus. Instead, look for Received: lines. There may be more than one. They contain the information needed to track down the sender. With Netsky and other current viruses, only one of the Received-lines is important: the final one.

    Looking at the final Received-line (others omitted here) shows that the virus was sent from a computer identified as with an IP address of Not all Received-lines contain a valid host name, but all contain an IP address.

  3. If you enter the above IP-address into the search form, you get the following result:

    Asking "" about "":

         OrgName:    RIPE Network Coordination Centre 
         OrgID:      RIPE
         Address:    Singel 258
         Address:    1016 AB
         City:       Amsterdam
         Country:    NL
         ReferralServer: whois://
    RIPE is the internet registry for Europe, Africa and the Middle East. Other registries are APNIC for Australia, New Zealand and Asia and LACNIC for Latin America and the Caribbean.

  4. If the address comes from an address range assigned to one of these other regions, go back to the original form and repeat the search with the correct registry selected. Here's the result:
         % This is the RIPE Whois server.
         % The objects are in RPSL format.
         % Rights restricted by copyright.
         % See
         inetnum: -
         netname:      IP2000-ADSL-BAS
         descr:        BSBGN108 Boulogne Bloc1
         country:      FR
         admin-c:      WITR1-RIPE
         tech-c:       WITR1-RIPE
         status:       ASSIGNED PA
         remarks:      for hacking, spamming or security problems send mail to
         remarks: AND
         mnt-by:       FT-BRX
         changed: 20020924
         changed: 20030318
         source:       RIPE
         descr:        France Telecom
         descr:        Wanadoo France
         remarks:      -------------------------------------------
         remarks:      For Hacking, Spamming or Security problems
         remarks:      send mail to
         remarks:      -------------------------------------------
    As you can see, the correct abuse report address is

    jwSpamSpy, our spam filter, mostly automates this process of determining and notifying the provider.

    Note that will not accept any virus reports that quote the body of a virus (headers only!) - a virus filter will bounce the virus report! Other abuse departments (for example, specifically require the message body as well. This creates something of a dilemma. We usually report message headers only, as this is really all that's needed for locating the sender.
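The header-reading part of steps 1 to 4 can be automated. The following is an added example (not code from this site or from jwSpamSpy) that unfolds raw mail headers, lists the Received: hops, picks the final one as the origin and checks that its address is one a provider can be asked about. The headers are a constructed sample with documentation addresses, since the page's own example has its host names and addresses stripped.

```python
import ipaddress
import re

# Constructed sample headers, hop order as the page describes it: the topmost
# Received: line was added last, the bottom one names the injecting machine.
SAMPLE_HEADERS = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
	by mail.example.org (Postfix) with ESMTP id 9CB2D827D5
	for <victim@example.org>; Mon, 21 Jun 2004 19:34:55 +0200 (CEST)
Received: from dsl-customer.isp.example ([203.0.113.45])
	by mx.example.net (Postfix) with ESMTP id 1A2B3C4D
	for <victim@example.org>; Mon, 21 Jun 2004 19:34:50 +0200 (CEST)
From: someone@example.com
Subject: Re: My details
"""

# Matches "from HOST (...) [IP]" and "from HOST ([IP])"; the bracketed address
# is what the receiving server saw on the wire, the HOST is only what the
# sender claimed in HELO and may be bogus.
_FROM_RE = re.compile(r"from\s+(?P<host>\S+).*?\[(?P<ip>[0-9a-fA-F.:]+)\]")

# Address ranges that no provider is responsible for (RFC 1918, loopback,
# link-local); an origin in one of these cannot be reported anywhere.
_UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

def unfold_headers(raw):
    """Join folded continuation lines (leading space/tab) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def received_hops(raw):
    """(host, ip) for every Received: line, top to bottom as shown in the mail."""
    hops = []
    for line in unfold_headers(raw):
        if line.lower().startswith("received:"):
            m = _FROM_RE.search(line)
            if m:
                hops.append((m.group("host"), m.group("ip")))
    return hops

def origin_hop(raw):
    """The final (bottom-most) Received: line is the machine that sent the mail."""
    hops = received_hops(raw)
    return hops[-1] if hops else None

def is_reportable(ip):
    """True if the address belongs to a routable range a registry can resolve."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in _UNROUTABLE)
```

The IP returned by origin_hop is the value to enter into the whois form above; the host name beside it is only a hint.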

We have developed jwSpamSpy to protect you from both spam and viruses. It stops most spam sent to our mailboxes as well as all current viruses. Its easy-to-use Virus Reporting Assistant greatly simplifies the job of contacting the service provider of virus-infected machines. Learn more about it here: jwSpamSpy

Other Anti-Virus Resources:
Computer viruses: Netsky / SomeFool