OT: W32.Swen.A@mm
 

Is there any way to resolve the person who sends me constantly W32.Swen.A@mm worm emails? I'd like to ask the sender to clean his computer.

Re: OT: W32.Swen.A@mm
 

I had to have my ISP help me figure out who was spoofing me.

Re: OT: W32.Swen.A@mm
 

<font size="2" face="sans-serif, arial, verdana">Block him and any one who sends you a virus. It is the only way to control the tide.

Re: OT: W32.Swen.A@mm
 

AT, most email viruses send themselves out by stealing address books, and fake their origin. The person that is "sending" the virus probably is not even aware they have it.

Re: OT: W32.Swen.A@mm
 

Yes, it fakes its source. I got a copy claiming to be from Microsoft itself in the 'From:' line! http://forum.shrapnelgames.com/images/icons/icon7.gif Fortunately I have Norton AV and it prevented the thing from being downloaded and activated. Are you reading all of the headers to get this source? You need to dig into other headers than the 'From:' line to find out where it is really coming from.

Re: OT: W32.Swen.A@mm
 

<font size="2" face="sans-serif, arial, verdana">I know that is why you block everything that comes in with it attached. I did this when that Last virus was being spread around a few weeks ago and presto no more problems.

The best way to get a person who has an infected system to address the problem is to post about it or reply to all of the mail - without send the attachment back.

But 99.9% of the emails you will receive are from people you don't know, so just block them.

Re: OT: W32.Swen.A@mm
 

AT... just blocking everyone it comes from is not necessarily a good idea. What about all those people that you do know and want to get emails from? http://forum.shrapnelgames.com/images/icons/tongue.gif

Re: OT: W32.Swen.A@mm
 

<font size="2" face="sans-serif, arial, verdana">Yeah I know all that. The person whose computer sends the virus mails to me aren't aware of it (I suppose). So I'd like to contact him and ask if he could remove the virus. But where I can dig out his email address? Here is the part of headers but I don't know if it's even possible resolve the user from that information.

</font><blockquote><font size="1" face="sans-serif, arial, verdana">code:</font><hr /><pre style="font-size:x-small; font-family: monospace;"> Received: from gjkx ([195.156.180.209]) by fep07.tmt.tele.fi
(InterMail vM.5.01.03.13 201-253-122-118-113-20010918) with SMTP
id &lt;20031106193527.CUQU25859.fep07.tmt.tele.fi@gjk x&gt;;
Thu, 6 Nov 2003 21:35:27 +0200</pre><hr /></blockquote><font size="2" face="sans-serif, arial, verdana">

Re: OT: W32.Swen.A@mm
 

Does stuff in the "code" tags display much smaller than the rest of the post text for you?

Unless that is your IP address listed in there (or that of your email provider) along with that DNS, look into who owns the domain. That might at least tell you what domain the address is from. Other than that, I have no idea what most of it means. http://forum.shrapnelgames.com/images/icons/icon12.gif

Re: OT: W32.Swen.A@mm
 

<font size="2" face="sans-serif, arial, verdana">Nope. The text in code tags are same size than elsewhere, just a different font.

<font size="2" face="sans-serif, arial, verdana">No, it's not my IP address. I did whois query and now I know who owns the domain. But that's not enough. I need to know the person's username or email address as well before I can do something. The person uses dial up so he has a different IP address every time he logs in.

Is there anything I can do if he's Online and I know his IP (this is the case if I'm Online when I get the virus message)? Any way to send a message to a computer just knowing its IP?

Re: OT: W32.Swen.A@mm
 

As this particular worm just uses your basic email forgery examine the headers for a line begining X-From: and the address after that is the address of where the email came from.

I'm now flooded with these things after someone picked up my email address from a Usenet group

EDIT: See the below headers for an example and also if you dont want to contact the person directly contact the ISP with the message ID

X-UIDL: 1069597232.H632161P27369.imailg2.svr.pol.co.uk
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-From_: sales@thingsgraphics.com Sun Nov 23 14:20:32 2003
Return-path: <sales@thingsgraphics.com>
Envelope-to: kris@kirok.fsnet.co.uk
Delivery-date: Sun, 23 Nov 2003 14:20:32 +0000
Received: from [65.220.84.2] (helo=mail.webgeneral.com)
by imailg2.svr.pol.co.uk with esmtp (Exim 4.14)
id 1ANv5g-0006T2-DC
for kris@kirok.fsnet.co.uk; Sun, 23 Nov 2003 14:19:56 +0000
Received: from bkakl [138.88.19.242] by mail.webgeneral.com
(SMTPD32-7.15) id A63329E901FA; Sun, 23 Nov 2003 08:29:23 -0500
FROM: "MS Network Security Center" <yoxfuwtbsvn@news.com>
TO: " " <elzbesy.topegvvapq@news.com>
SUBJECT: New Net Security Update
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="ymxuezhhziklftgay"
Message-Id: <200311230830437.SM00361@bkakl>
Date: Sun, 23 Nov 2003 09:17:33 -0500

[ November 24, 2003, 00:50: Message edited by: Kirok ]