I keep getting various viruses from this guy…I THINK anyway it's from the same guy.
I use Pegasus for my email and there is an option to look at the raw view of any emails you get…while the original email address is always different, in the raw view you can see the path the email took to get to you and it looks like the guy's ISP is Charter Communications.
I emailed Charter and asked if they could investigate but I was wondering whether this really was the origin of the email or if there is a way to hide even further?
These viruses and worms are nothing new (the last few were Klez and the most recent was a worm called I-worm/Gibe.B) so maybe he isn't that good at hiding either.
I sent Charter the end email address and the headers of the email…but CAN they trace it farther back or is it a dead end?
Mr. Blue Sky, blocking addresses won't work if a virus "spoofs" the From address. Each time it looks like it's coming from someone new – you would have to block by IP, and if the virus-infected user has a dial-up account he/she would get a different IP each time.
Tommy, we had the same issue several months ago. We kept getting the Klez virus sent to a customer. Our computers never got infected because we take great precautions, but it was a nuisance.
We did what you did – since the virus was spoofing the From address each time, we checked the headers to get the originating IP address (that never changed) to get the name of the Service Provider. Then we checked our database to see if we had a customer that matched – we did, it was “Vanessa” in the UK. She had no idea what was happening.
If you contacted the ISP, they may be able to track it down based on their e-mail logs and notify the sender. Or you can try to compare it to anything you’ve ever sent anyone or received from anyone and try to contact the guy yourself. Often those that have Klez (or something similar) are unaware of it.
With spoofed addresses, the From address is usually an innocent, uninfected third party whose address just happened to be on the infected computer. So don’t go bugging those guys.
I sell things online and checked my list of customers with no luck matching email addresses but of course they can have any number of email addresses besides the one I used to deal with them.
Do you think I should send them an email telling them they may be infected?
Also do you think Charter will really investigate or blow smoke up you know where?(I used to have them as my cable provider and they were not exactly the most responsive to complaints)
Yeah, the klez-e worm has been making the rounds lately. I’ve been getting an average of 10 emails a day containing it, nearly all of them disguised as returned unsendable mail containing an executable attachment. It’s gotten to be incredibly annoying at this point. I can’t come up with any way to stop this bounced mail, since it’s spoofed with my email address.
Tommy Don’t e-mail the spoofed address, that person is just another innocent recipient like you (your address could end up in the “from” field at some point).
When poor "Vanessa" kept inadvertently sending us Klez, the address changed each time. The IP however did not change.
What we did is we kept examining the headers to see if the originating IP stayed the same; when it did, we looked it up and the IP address was for an ISP in the UK. For the sake of argument, let's say it was "Fake ISP Inc." and their usual mail extension would be name@FakeISP.com – we then looked at our database to see if anyone had an email at FakeISP.com and lo, we found "Vanessa."
What was happening was that every time she launched Outlook, a new batch of Klez went out. We weren't able to block her, but we were able to inform her to have her machine checked out.
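The header check described in the two posts above (read the Received lines bottom-up, find the earliest relay's recorded IP, ignore the spoofed From) can be scripted. The following is an added example, not code from anyone in this thread; the message text, host names and addresses in it are constructed for illustration (documentation-range IPs, made-up domains), and the function names are my own.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample of a raw message header, shaped like what the thread
# describes: a From line spoofed to a third party's address, a couple of
# relays, and an earliest hop recorded by the sender's ISP. Every host and
# address here is made up (RFC 5737 documentation ranges, example domains).
RAW_MESSAGE = """\
Received: from mail.example-recipient.net (mail.example-recipient.net [198.51.100.20])
\tby mx.example-recipient.net with ESMTP id abc123; Tue, 15 Oct 2002 10:05:12 -0400
Received: from relay.example-isp.net (relay.example-isp.net [203.0.113.8])
\tby mail.example-recipient.net with ESMTP id def456; Tue, 15 Oct 2002 10:05:01 -0400
Received: from Xyzzy (dial-77.example-isp.net [203.0.113.77])
\tby relay.example-isp.net with SMTP id ghi789; Tue, 15 Oct 2002 10:04:50 -0400
From: innocent-bystander@yahoo.example
To: tommy@example-recipient.net
Subject: Returned mail: User unknown

(attachment would follow here)
"""

_FROM_RE = re.compile(r"\bfrom\s+(\S+)", re.IGNORECASE)
_BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Addresses that cannot be attributed to an ISP: LAN, loopback, link-local.
# The RFC 5737 documentation ranges used in the sample are deliberately
# left out so the constructed message behaves like one with public IPs.
_UNATTRIBUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]


def parse_hops(raw_message):
    """Return the Received hops in chronological order (earliest relay first).

    Each relay prepends its own Received line, so the header order is the
    reverse of the path the message took. A hop records the host the relay
    says it received from, the literal IP it saw (None if absent) and the
    relay that wrote the line.
    """
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = re.sub(r"\s+", " ", value)  # unfold continuation lines
        from_m, by_m, ip_m = _FROM_RE.search(text), _BY_RE.search(text), _IP_RE.search(text)
        hops.append({
            "from_host": from_m.group(1) if from_m else None,
            "from_ip": ip_m.group(1) if ip_m else None,
            "by_host": by_m.group(1) if by_m else None,
        })
    hops.reverse()
    return hops


def originating_ip(raw_message):
    """Earliest attributable IP in the chain: the one worth reporting to an ISP.

    Only lines written by relays you trust (your own server and, usually,
    your ISP's) are reliable; a sender can forge any Received line below
    those, so treat the result as a lead to verify, not as proof.
    """
    for hop in parse_hops(raw_message):
        ip = hop["from_ip"]
        if ip is None:
            continue
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in _UNATTRIBUTABLE):
            return ip
    return None


def spoofed_from(raw_message):
    """The From header, shown only so it can be compared against the hops.

    As the thread says, with Klez-style worms this address belongs to an
    innocent third party and should not be contacted as the sender.
    """
    return message_from_string(raw_message)["From"]


if __name__ == "__main__":
    for hop in parse_hops(RAW_MESSAGE):
        print(f"{hop['from_host']} [{hop['from_ip']}] -> {hop['by_host']}")
    print("spoofed From:", spoofed_from(RAW_MESSAGE))
    print("originating IP to report:", originating_ip(RAW_MESSAGE))
```

Run it against the raw view of several of the bounced messages: if the originating IP (or at least its ISP's netblock) stays the same while the From line changes, that is the pattern the posters above describe, and the IP plus the full headers are what the ISP's abuse desk needs.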
Shouldn't I email him anyway? He is an innocent victim or he is the one sending these viruses on purpose…either way he should know he is inadvertently spreading viruses, or on the other hand if it IS him doing this deliberately…he will know I know who it is.
My sending an email to him could stop the viruses no matter if this is the bozo or not
I seriously doubt I am the target of this cretin…he is just spreading this crap at random
BTW If it was ME infected and spreading the virus unawares I most certainly would want to know it ASAP…I have thousands of customers and I think if they began getting infected emails from me they wouldn’t be customers for long
What Eats_Crayons is saying is that the guy whose e-mail address is showing up is not only innocent, but he's also not even inadvertently spreading the virus. I'm not sure, though, if you're saying that it's always the same e-mail address, or that it's always the same IP. The IP it's coming from does correspond to someone who's spreading the virus (almost certainly accidentally), and if you can contact him somehow, you should. But I've no idea how you would go about contacting him.
The Charter email address "seems" like it is where the virus begins its journey…at least in the last few I've checked.
In the beginning I never checked. That is one of the nice things about Pegasus…most viruses are configured for Outlook…with Pegasus I can take a gander at what someone is sending me without risking getting zapped by whatever nasty thing might be hiding inside the email.
The last few anyway seem to be coming from ****1@charter.net
email hidden to protect possibly the innocent
The email shows me as coming from Yahoo but takes several bounces before that and it LOOKS like it’s coming from Charter but you are right even that could be spoofed I guess but what harm could there be in contacting this guy and letting him know he’s a part of the chain…who knows how many other people have been victimized by these viruses?
I do have their IP address too…If I traced that would that be something Charter would be more likely to check out? Like I said above…Charter wasn’t the most enthusiastic at trying to fix any problems when I had them for my cable last year…if I do most of the work myself do you think they might at least make the attempt to investigate?