As this particular worm just uses your basic email forgery examine the headers for a line begining X-From: and the address after that is the address of where the email came from.
I'm now flooded with these things after someone picked up my email address from a Usenet group
EDIT: See the below headers for an example and also if you dont want to contact the person directly contact the ISP with the message ID
X-UIDL: 1069597232.H632161P27369.imailg2.svr.pol.co.uk
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-From_:
sales@thingsgraphics.com Sun Nov 23 14:20:32 2003
Return-path:
Envelope-to: kris@kirok.fsnet.co.uk
Delivery-date: Sun, 23 Nov 2003 14:20:32 +0000
Received: from [65.220.84.2] (helo=mail.webgeneral.com)
by imailg2.svr.pol.co.uk with esmtp (Exim 4.14)
id 1ANv5g-0006T2-DC
for kris@kirok.fsnet.co.uk; Sun, 23 Nov 2003 14:19:56 +0000
Received: from bkakl [138.88.19.242] by mail.webgeneral.com
(SMTPD32-7.15) id A63329E901FA; Sun, 23 Nov 2003 08:29:23 -0500
FROM: "MS Network Security Center"
TO: " "
SUBJECT: New Net Security Update
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="ymxuezhhziklftgay"
Message-Id: <200311230830437.SM00361@bkakl>
Date: Sun, 23 Nov 2003 09:17:33 -0500
[ November 24, 2003, 00:50: Message edited by: Kirok ]
Re: OT: W32.Swen.A@mm
Linear Mode
