On Thu, 2006-09-14 at 13:05 -0500, Mike McCarty wrote:
> Ok, here's an example. I turned on all headers. The actual message
> in this case is one that my ISP caught, and clobbered the attachment
> which the ISP claims contains a copy of a virus. In cases like this,
> the attachment is 0 bytes long. The message sent to me purports
> to be a delivery failure. I know for a fact that I did not send
> any such message. As pointed out by others, this may be the result
> of yet another party who is infected, and who is unknowingly spoofing my
> e-mail address. It has been more than a year since I last booted
> Windows XP on my machine, and when I do boot it I am never connected
> to the net. I have never set up XP on this machine to be able to
> send or receive email.
>
> -M-E-S-S-A-G-E---B-E-G-I-N-S-
> Your AT&T Yahoo! Mail Virus Protection detected the virus
> 'W32.Mydoom.M@mm' in the file 'Document.pif', attached to the enclosed
> email message. We scanned the file using Norton AntiVirus but were
> unable to clean it. Therefore, we removed the content of the attachment
> from the message. Please contact the message sender if you want to
> receive the attachment. They must clean the file and resend it before we
> can deliver it to you safely.
>
> AT&T Yahoo! Mail successfully cleans most infected attachments, which
> protects you from viruses.
>
> Subject: Delivery reports about your e-mail
> From: "Mail Administrator" <MAILER-DAEMON@xxxxxxxxxxxxx>
> Date: Wed, 13 Sep 2006 14:23:40 +0000
> To: mike.mccarty@xxxxxxxxxxxxx
> X-Apparently-To: mike.mccarty@xxxxxxxxxxxxx via 216.252.101.37; Wed, 13
> Sep 2006 11:07:33 -0700
> X-Originating-IP: [162.39.117.147]
> Authentication-Results:
> mta101.sbc.mail.mud.yahoo.com from=sbcglobal.net; domainkeys=neutral (no
> sig)
> Received: from 207.115.57.79 (EHLO ylpvm48.prodigy.net) (207.115.57.79)
> by mta101.sbc.mail.mud.yahoo.com with SMTP; Wed, 13 Sep 2006 11:07:33 -0700

I'm guessing that SBC are outsourcing some of their mail handling to
Yahoo! - is that right? 207.115.57.79 is within the network that SBC's
inbound mail servers use, so since the mail was addressed to you at
sbcglobal.net, it looks like a valid Received: header and that the mail is
then forwarded to Yahoo! for virus scanning etc. So this one looks genuine
to me.

> X-Originating-IP: [162.39.117.147]
> Received: from sbcglobal.net (h147.117.39.162.ip.alltel.net
> [162.39.117.147]) by ylpvm48.prodigy.net (8.13.6 inb/8.13.6) with ESMTP
> id k8DI7NKK019802 for <mike.mccarty@xxxxxxxxxxxxx>; Wed, 13 Sep 2006
> 14:07:31 -0400

This is the only remaining Received: header so it stands to reason that
the source identified here (h147.117.39.162.ip.alltel.net [162.39.117.147])
is where the infection is. A further giveaway is that the sender pretended
to be sbcglobal.net (i.e. your domain), in order to try to throw people off
the scent when identifying the source; this is a typical trick employed by
spammers, yet it gives them away so easily to people that understand
Received: headers.

Since this is almost certainly a dynamic IP address, there's not a lot
further you can do to identify the actual person that's infected short of
forwarding the message to abuse@xxxxxxxxxx and letting them figure out who
was connected at that time.

Paul.
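As an added example that is not part of this thread, here is a small Python script that does what Paul describes by hand: it walks the Received: chain from the bottom (earliest hop) upward, pulls out the originating host and IP, and flags an origin whose HELO name borrows the recipient's own domain while the receiving server's reverse lookup says otherwise. It uses the two Received: headers quoted above as its sample; the recipient domain ("sbcglobal.net", as stated in the reply) is passed in as a parameter, and the masked recipient address is kept exactly as it appears on the page.

```python
import re
from email import message_from_string

# Received: headers copied from the quoted bounce above (newest hop first,
# exactly as they appear in the message); the masked address is kept as-is.
SAMPLE_HEADERS = """\
Received: from 207.115.57.79 (EHLO ylpvm48.prodigy.net) (207.115.57.79)
 by mta101.sbc.mail.mud.yahoo.com with SMTP; Wed, 13 Sep 2006 11:07:33 -0700
Received: from sbcglobal.net (h147.117.39.162.ip.alltel.net
 [162.39.117.147]) by ylpvm48.prodigy.net (8.13.6 inb/8.13.6) with ESMTP
 id k8DI7NKK019802 for <mike.mccarty@xxxxxxxxxxxxx>; Wed, 13 Sep 2006
 14:07:31 -0400
"""

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s*(?P<rest>.*?)\s+by\s+(?P<by>\S+)")
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
IP_RE = re.compile(r"[\[(](" + IPV4 + r")[\])]")   # IP written inside [] or ()
RDNS_RE = re.compile(r"\(([A-Za-z0-9.-]+)\s+\[")   # "(reverse-dns-name [ip])"

def parse_received(raw_headers):
    """Return the Received: hops in transit order, earliest (origin) first."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())          # unfold continuation lines
        m = HOP_RE.match(text)
        if not m:
            continue                            # e.g. a local "Received: by ..." hop
        helo, rest = m.group("helo"), m.group("rest")
        ip, rdns = IP_RE.search(rest), RDNS_RE.search(rest)
        hops.append({"helo": helo, "by": m.group("by"),
                     "rdns": rdns.group(1) if rdns else None,
                     "ip": ip.group(1) if ip else (helo if re.fullmatch(IPV4, helo) else None)})
    return hops

def origin_report(raw_headers, recipient_domain):
    """Identify the earliest hop and flag a HELO name that borrows the recipient's domain."""
    hops = parse_received(raw_headers)
    if not hops:
        return None
    origin = hops[0]
    helo = origin["helo"].lower()
    claims_our_domain = helo == recipient_domain or helo.endswith("." + recipient_domain)
    rdns_is_ours = bool(origin["rdns"]) and origin["rdns"].lower().endswith(recipient_domain)
    return {"origin_ip": origin["ip"], "origin_rdns": origin["rdns"], "helo": origin["helo"],
            "hops": len(hops), "forged_helo": claims_our_domain and not rdns_is_ours}

if __name__ == "__main__":
    print(origin_report(SAMPLE_HEADERS, "sbcglobal.net"))
```

Only the innermost hop is the sender's own machine; every later Received: line was added by a server you have reason to trust, which is why the chain is read from the bottom up.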