Even though the return address is being spoofed (in most recent virus
incarnations), how about capturing the IP address from the original
Received header? The parsing may be tricky, since fake Received headers
are sometimes added after the original, but it is possible. This
original IP address cannot be faked, AFAIK, but occasionally can be a
dead end if it is for a mail re-sender.

I have reported virus-spam to the "Abuse" address at an IP owner's
domain when I have received repeated mail from the same IP. This seems
to have worked in stopping those emails.

Stefanie Ploof wrote:
> On Tue, 30 Mar 2004, Chris Moran wrote:
>>These days it seems silly to just turn a blind eye to it all. People
>>should know better than to open any old email attachment. And if not, they
>>should be immediately educated.
> I'm sure TSG will respond before I even press ctrl-x to send, but we
> intentionally don't send an email to the "sender" because many virus
> messages are spoofed these days. So, the recipient of the "you're
> infected" message is confused because they have a Mac, isn't a valid
> address, or is really ticked off when Sally's infected computer sent out
> John's email address 1000+ times which generates (SPAM) in return to John.
> We're not doing anything with eyeballs...
Donald Tripp, Sr Project Analyst
AIS/CIT, 238 Waterman, 656-2038
aim: uvm ais don
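
The Received-header parsing suggested in the message above, as an added example that is not part of the original post. It goes one step beyond the post by trusting only headers stamped by the receiving site's own servers, walking from the newest header down and stopping at the first outside peer, so headers forged by the sender are never read. The hostnames, networks and sample message are constructed assumptions.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Constructed sample message. The two topmost headers were stamped by our own
# (hypothetical) servers; the bottom one was inserted by the sender as a decoy.
SAMPLE = """\
Received: from gw.example.edu (gw.example.edu [10.0.0.5])
    by mail.example.edu with ESMTP id AAA111; Tue, 30 Mar 2004 10:00:02 -0500
Received: from pc7 (unknown [203.0.113.77])
    by gw.example.edu with SMTP id BBB222; Tue, 30 Mar 2004 10:00:01 -0500
Received: from innocent.example.org (innocent.example.org [198.51.100.9])
    by relay.example.net with SMTP id CCC333; Tue, 30 Mar 2004 09:59:00 -0500
From: john@example.org
Subject: constructed sample

body
"""
OUR_HOSTS = {"mail.example.edu", "gw.example.edu"}  # assumption: our MTAs
OUR_NETS = ["10.0.0.0/8"]                           # assumption: our address space

BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)
PEER_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def handoff_ip(raw, our_hosts=OUR_HOSTS, our_nets=OUR_NETS):
    """Return the external IP that handed the message to our servers, or None."""
    nets = [ip_network(n) for n in our_nets]
    # Each MTA prepends its header, so the list runs newest to oldest.
    for hdr in message_from_string(raw).get_all("Received", []):
        hdr = " ".join(hdr.split())              # unfold continuation lines
        by = BY_HOST.search(hdr)
        if not by or by.group(1).lower() not in our_hosts:
            return None                          # not stamped by us: stop trusting
        peer = PEER_IP.search(hdr[:by.start()])  # bracketed IP in the "from" part
        if not peer:
            return None
        try:
            addr = ip_address(peer.group(1))
        except ValueError:
            return None
        if not any(addr in net for net in nets):
            return str(addr)                     # first outside peer; ignore the rest
    return None

if __name__ == "__main__":
    print(handoff_ip(SAMPLE))
```

The address returned is the one worth looking up for an abuse contact; the decoy header below it is never consulted.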