For background on how a virus could do this, check your favorite antivirus
vendor's site for information on Klez. It will pick a name from the
address book on the infected machine and use that as the RFC822 "From:."
It then sends to every other entry in the address book.
You'll need to look at the logs to see where the message came from. If
you have something like a mail relay that shows the RFC821 "Mail From:"
value, that will be the infected user. If not, the best you can do is get
the IP address that it came from.
---
Inanimate objects rock with glee
as they conspire to baffle me. - Ogden Nash
William Brown
Email/Internet Services
Erie 1 BOCES
(716)821-7285
Wes Anderson <[log in to unmask]>
Sent by: LISTSERV list owners' forum <[log in to unmask]>
05/20/2003 03:07 PM
Please respond to LISTSERV list owners' forum
To: [log in to unmask]
cc:
Subject: [LSTOWN-L] Spam e-mail sent to announce-only list
Also, we are trying to determine who the spammer is and how they managed
to
send this e-mail. Does anyone have any experience in this area? The
manager of our Listserv says there was a virus that generated the e-mail
but
it's still not clear how a virus could find the admin account to post to
this list. Any ideas?