LSTOWN-L Archives

LISTSERV List Owners' Forum

Wes Anderson <[log in to unmask]>
Tue, 20 May 2003 15:45:46 -0400
We have the IP address of the originator.  Our admin guy says it's probably
some poor schmuck on a home computer.  Question now is what can we do with
this information?  The average user isn't going to know how or where to
check for an IP address and I believe many ISPs generate their IPs
dynamically so it may not be traceable back to a specific machine.

> -----Original Message-----
> From: Bill Brown [mailto:[log in to unmask]]
> Sent: May 20, 2003 3:23 PM
> To: [log in to unmask]
> Subject: Re: Spam e-mail sent to announce-only list
>
> For background on how a virus could do this, check your favorite antivirus
> vendor's site for information on Klez.  It will pick a name from the
> address book on the infected machine and use that as the RFC822 "From:."
> It then sends to every other entry in the address book.
>
> You'll need to look at the logs to see where the message came from.  If
> you have something like a mail relay that shows the RFC821 "Mail From:"
> value, that will be the infected user.  If not, the best you can do is get
> the IP address that it came from.
>
> ---
>
> Inanimate objects rock with glee
> as they conspire to baffle me.  - Ogden Nash
>
> William Brown
> Email/Internet Services
> Erie 1 BOCES
> (716)821-7285
>
> Wes Anderson <[log in to unmask]>
> Sent by: LISTSERV list owners' forum <[log in to unmask]>
> 05/20/2003 03:07 PM
> Please respond to LISTSERV list owners' forum
>
>         To:     [log in to unmask]
>         cc:
>         Subject:        [LSTOWN-L] Spam e-mail sent to announce-only list
>
> Also, we are trying to determine who the spammer is and how they managed to
> send this e-mail.  Does anyone have any experience in this area?  The
> manager of our Listserv says there was a virus that generated the e-mail but
> it's still not clear how a virus could find the admin account to post to
> this list.  Any ideas?
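
Added example (not part of the original messages): a Python version of the check described in the thread, comparing the RFC822 "From:" header with the RFC821 envelope sender and extracting the IP address the message came from. It assumes the delivering MTA recorded the envelope sender in a Return-Path header; the sample message, the function name `sender_report` and the `trusted_ips` parameter are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the thread): example domains, documentation IPs.
# The bottom Received line stands in for one the sender could have forged.
SAMPLE = """\
Return-Path: <infected.user@isp.example>
Received: from mail.listhost.example (mail.listhost.example [198.51.100.10])
\tby listserv.listhost.example with ESMTP; Tue, 20 May 2003 14:50:02 -0400
Received: from homepc (dialup-17.isp.example [192.0.2.77])
\tby mail.listhost.example with SMTP; Tue, 20 May 2003 14:50:01 -0400
Received: from bogus (bogus.example [203.0.113.5])
\tby nowhere.example with SMTP; Tue, 20 May 2003 14:49:00 -0400
From: List Admin <admin@listhost.example>
To: ANNOUNCE-L@listhost.example
Subject: constructed sample

body
"""

IP_IN_RECEIVED = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def sender_report(raw, trusted_ips=()):
    """Compare header and envelope senders and find the connecting IP."""
    msg = message_from_string(raw)
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    # Return-Path is where the delivering MTA records the RFC821 MAIL FROM.
    envelope_from = parseaddr(msg.get("Return-Path", ""))[1].lower()
    # Received lines are prepended, so read top-down and skip our own relays.
    # The first remaining hop was written by our server; anything below it
    # was supplied by the sender and cannot be trusted.
    origin_ip = None
    for hop in msg.get_all("Received", []):
        match = IP_IN_RECEIVED.search(hop)
        if match and match.group(1) not in trusted_ips:
            origin_ip = match.group(1)
            break
    return {
        "header_from": header_from,
        "envelope_from": envelope_from,
        "mismatch": header_from != envelope_from,
        "origin_ip": origin_ip,
    }


if __name__ == "__main__":
    print(sender_report(SAMPLE, trusted_ips={"198.51.100.10"}))
```

A mismatch between the two senders on a post to an announce-only list is worth flagging before the message is approved; the IP and timestamp from the trusted hop are what an ISP abuse desk needs to map a dynamic address to a subscriber.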
