[PLUG] Virus Hunting
Ian Burrell
ian at znark.com
Sat Apr 3 23:23:02 UTC 2004
dan at fiddlers-green.info wrote:
>
> I'm helping a group track down someone on their mailing list who has gotten the
> W32/Netsky.p@MM virus. That person keeps blasting the entire list with infected
> mails. I was hoping someone might have tips on how to track down the
> individual. Personally I would start with the mail server logs, but beyond that
> I'm a newbie.
>
Try looking at the Received headers in the email. Most important is the
last one, which if you are lucky, will have the IP address of the
sending machine. Reverse DNS or whois will tell you the ISP. You may
be able to correlate this with other email sent by the subscriber.
I have noticed that the IP address can be pretty easy to spot with the virus
email. One of our clients got blasted and the IP address was the same
for all of them.
- Ian
--
ian at znark.com
http://www.znark.com/
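One way to pull the originating address out of the Received chain Ian describes, as an added Python example that is not part of the original thread; the sample message, hostnames and addresses below are constructed:

```python
import email
import re
from collections import Counter

# Constructed sample: the bottom Received header was added by the list's MX
# when the infected machine connected to it directly.
SAMPLE = """\
Received: from lists.example.org (lists.example.org [192.0.2.10])
    by mx.example.net (Postfix) with ESMTP id 1A2B3C
    for <dan@example.net>; Sat, 3 Apr 2004 15:10:02 -0800
Received: from dialup-host.isp.example ([198.51.100.77])
    by lists.example.org with SMTP; Sat, 3 Apr 2004 15:09:55 -0800
From: someone@example.org
To: list@lists.example.org
Subject: Re: your document

body
"""

# Relays conventionally record the peer's address in square brackets.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw):
    """Received headers top to bottom: each relay prepends its own, so the
    first entry is the newest hop and the last is the oldest."""
    msg = email.message_from_string(raw)
    return msg.get_all("Received") or []


def originating_ip(raw):
    """Address recorded in the last Received header, the hop closest to the
    sender. It is only as reliable as the relay that wrote it: anything the
    sending machine itself put below a trusted relay's header may be forged."""
    hops = received_chain(raw)
    if not hops:
        return None
    match = IP_RE.search(hops[-1])
    return match.group(1) if match else None


def tally_origins(raw_messages):
    """Count originating addresses across several infected mails; a single
    address repeating across all of them is the pattern Ian mentions."""
    return Counter(ip for ip in map(originating_ip, raw_messages) if ip)
```

Feed `tally_origins` the raw text of each infected message the list received; the dominant address is the one to look up with reverse DNS or whois.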