Dwarf in mail trouble..Please someone help :-( 
Man at Arms
Right..Some twit is spamming my mailbox with virus-infected mails (W32.Ganda.A@mm)

Now I wouldn't mind so much since my Norton thingy keeps the viruses off my comp (hopefully)

But geez I get like 30-40 emails a day with this crap and the spamorama kinda bites :x

I tried blocking the mail addresses of course..But they keep pouring in from some of them even so!

Also those seem not to be the real addresses either..And recently I had to block one I did not want blocked :cry:

So what can one really not so technical dwarf do ?
(I use Outlook express btw)

Thanks in advance.



Fri Aug 15, 2003 3:24 pm
Minor Diety
Get a good ISP.

_________________
Melchett: As private parts to the gods are we: they play with us for their sport!


Fri Aug 15, 2003 4:24 pm
Felix Rex
how'd you try blocking the mail addresses?

tools | message rules | mail

do they all have the same subject? That'd make it easy. Or certain words in the body? Or something?

Anyway... that's about all you can do on your side. The next possibility would be to look at the message headers (right click on message, properties, details) and figure out where the message is really being sent from. Then contact the ISP. I can give more complete instructions for this second part if you're interested.

_________________
They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.


Fri Aug 15, 2003 6:42 pm
Minor Diety
Sounds like some sort of mailbomb. :/ You should be able to find info on how to get rid of those on the web.

_________________
"I find a Burger Tank in this place? I'm-a be a one-man cheeseburger apocalypse."

- Coach


Fri Aug 15, 2003 6:43 pm
Man at Arms
Satis wrote:
how'd you try blocking the mail addresses?

tools | message rules | mail


I did:
tools | message rules | list of blocked senders
Then added the addresses to that..Stopped some of them, but not all.


Satis wrote:
do they all have the same subject? That'd make it easy. Or certain words in the body? Or something?


No, usually it's all empty?
I'll have a closer look again though, and see if I can distinguish a pattern.

Satis wrote:
Anyway... that's about all you can do on your side. The next possibility would be to look at the message headers (right click on message, properties, details) and figure out where the message is really being sent from. Then contact the ISP. I can give more complete instructions for this second part if you're interested.


That would be great thanks !
I did check some of the headers but usually it just says that my Norton thingy has deleted this mail because of the virus..

Thanks guys !



Fri Aug 15, 2003 9:00 pm
Minor Diety
Bummer (hi CD btw) lol, sounds like there's another asshole on the loose with these crazy virus things... Hope you get it sorted, it'll be a pain but in the end if you can't get it done you might have to change your email address or something, nasty :(

_________________
Games to complete:
GTA IV [100%] (For Multiplayer next!)
Fallout 3 [50%]
Rock Band [35%]
http://www.cafepress.com/SmeepProducts


Sat Aug 16, 2003 5:11 am
Super Moderator
Hmm.... we've got this "Spam Assassin" thingo on our server, which screens all incoming mail for viruses and spam. I don't know if that would help in your case though...


Sat Aug 16, 2003 3:05 pm
Minor Diety
Worth A shot, surley? surely? surly? maiunno



Sun Aug 17, 2003 10:51 am
Man at Arms
Thanks guys!
I may have gotten rid of the lil bugger though..For now at least.

I think I managed to snoop out his real e-mail address and blocked that, and haven't received any new mails since.

I also have what I believe is his IP address.
Maybe I should learn how to hack or somesuch..If a bratty lil futt bucker like that can do it, perhaps I can too :lol:

Thanks again guys !



Sun Aug 17, 2003 2:58 pm
Minor Diety
Isn't there someone you can report the IP address to? I mean, if it's a virus sender, then you gotta do something about it!



Sun Aug 17, 2003 5:14 pm
Man at Arms
Indeed..I will look into that
He can expect no mercy from me hee heee :)



Sun Aug 17, 2003 5:20 pm
Felix Rex
the mail won't have his IP, just the IP of his mail server. However, you can usually get their ISP that way, and then tattle to them. hmmm....

ok, since I promised to show you how to dissect a message header but didn't deliver, let me right the wrong... first, here's the message header of some spam I received.

X-Message-Info: JGTYoYF78jEHjJx36Oi8+YDSEg8qKPPD
Received: from m4.COMSTATENET.NET ([205.235.78.4]) by mc5-f39.law1.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600);
Sun, 17 Aug 2003 06:02:03 -0700
To: [My email address]
Date: Sun, 17 Aug 2003 21:00:59 -0500
Message-ID: <1061168459.21032@a.mx.mxdat.org>
X-Mailer: Pine.GSO.4.31
From: "Credit Line Guaranteed" <ifard@mxdat.org>
Return-Path: <ifard@mxdat.org>
Reply-To: <ifard@mxdat.org>
Subject: $5000 - Get the things you need...guaranteed


I'll dissect it piece by piece for anyone interested, at least as much as I can. I'm not an expert, but I know more than most.


X-Message-Info: JGTYoYF78jEHjJx36Oi8+YDSEg8qKPPD
I have no idea what this means.

Received: from m4.COMSTATENET.NET ([205.235.78.4]) by mc5-f39.law1.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600);

the sending mail server was m4.comstatenet.net with an ip address of 205.235.78.4. I've seen the hostname forged before, but I don't think I've ever seen a forged IP address. Take the ip, drop to dos, and run 'ping -a 205.235.78.4'. That'll force a DNS lookup on the IP address... in this case, DNS lookup failed. So, I then go to http://all-nettools.com/ to the tools section, and do a smart whois on the ip address. That returned:

205.235.64.0 - 205.235.79.255
Internet America, Inc.
620 B Industry Driv
Tukwila, WA, 98188
US

I then tried to do one on comstatenet.net (NOT m4.comstatenet.net, that won't work) and there is no DNS entry...so, it's a forged domain name. Funny how that works. However, the IP points to Internet America... either a customer (probably), an open-relay mail server that basically anyone can send through (possibly) or a forged ip (probably not).

The rest of that line refers to the receiving mail server and ip, which is hotmail, as well as the version of SMTP the server is running. Doesn't really matter for our purposes, but why not be complete. Next line.

Sun, 17 Aug 2003 06:02:03 -0700

I believe this is the date and time the message was received. This is local time to the server, which is at -7 hours from GMT.

To: [My email address]
duh

Date: Sun, 17 Aug 2003 21:00:59 -0500

I believe this is the date and time the message was sent, local date/time of the sending server. Notice it's at -5 GMT. Since I'm in -7 in central time, that puts the server in Maine, far eastern Canada, or somewhere in South America. Also notice that the times are screwed up... basically, the server sent it after hotmail received it. Typically that just means the timestamp on the server is screwed up, which happens regularly. Of course, that kinda throws the -5 GMT into question as well. :/

Message-ID: <1061168459.21032@a.mx.mxdat.org>
Anytime an SMTP server (outgoing mail server) sends a message, it gives a unique message ID. In this case, it's 1061168459.21032@a.mx.mxdat.org. Notice how the domain name doesn't match the name further up the message header? Another indication that the hostname is forged.

So, I dropped to dos and pinged mxdat.org. The result? It came back with an ip address of 205.235.78.2. Look familiar? Yep... it's 2 numbers off from the sender's ip address, so probably right. Doing a smartwhois lookup on that ip with all-nettools yields Internet America again. Doing a smartwhois on mxdat.com also yields Internet America. Seeing a pattern?

X-Mailer: Pine.GSO.4.31

This, I believe, defines the mail client used to create the message. In this case, it's Pine and what I assume is the version number. Pine is an old mail client that I used on a VAX system... of course, this is only as accurate as whoever wrote the spamming program wants it to be.

From: "Credit Line Guaranteed" <ifard@mxdat.org>

This is usually forged. It's the sender's 'friendly name' and email address. In this case, it looks like it might actually exist, which is weird for spam.

Return-Path: <ifard@mxdat.org>

I believe this is where the message goes if it gets bounced before reaching the recipient. A downed mail server or a mail server rejecting the message would probably use this info.

Reply-To: <ifard@mxdat.org>

If you hit 'reply', this is where the reply message gets sent by default.

Subject: $5000 - Get the things you need...guaranteed

duh

X-OriginalArrivalTime: 17 Aug 2003 13:02:03.0338 (UTC) FILETIME=[C0D76AA0:01C364BF]

I suppose this is when the message originally arrived and was probably queued by the mail server. I have no idea what the FILETIME part of the string means. Notice it says UTC, which means it's adjusted to GMT. If you take our original arrival time at the top (6:02:03) and add 7 hours to adjust to GMT, it equals the above time. So it wasn't queued for more than .9661 seconds. :)

And that, ladies and gentlemen, is a dissected mail header for some spam I received on one of my hotmail accounts. Any questions?



Sun Aug 17, 2003 11:40 pm
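An added example, not code from the thread: a small Python script that does mechanically what Satis does by hand above on the quoted header. It pulls the connecting IP out of the Received line, compares the domain of the HELO hostname against the Message-ID and From domains, and checks the Date, Received and X-OriginalArrivalTime clocks against each other. The header text is re-typed from the post (trimmed to the fields used, recipient left out); whois and DNS lookups are left to the reader's tools.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
# Constructed sample: the header quoted in the post above, trimmed to the
# fields this script uses and with the recipient left out.
RAW_HEADER = """\
Received: from m4.COMSTATENET.NET ([205.235.78.4]) by mc5-f39.law1.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600);
\t Sun, 17 Aug 2003 06:02:03 -0700
Date: Sun, 17 Aug 2003 21:00:59 -0500
Message-ID: <1061168459.21032@a.mx.mxdat.org>
From: "Credit Line Guaranteed" <ifard@mxdat.org>
X-OriginalArrivalTime: 17 Aug 2003 13:02:03.0338 (UTC) FILETIME=[C0D76AA0:01C364BF]
"""

RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(\[?([\d.]+)\]?\)\s+by\s+(\S+).*;\s*(.+)$", re.I | re.S)
ARRIVAL_RE = re.compile(r"(\d{1,2} \w{3} \d{4} \d\d:\d\d:\d\d)\.(\d+) \(UTC\)")

def unfold(raw):
    """Join RFC 822 continuation lines (leading whitespace) into [name, value] pairs."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1][1] += " " + line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append([name.strip().lower(), value.strip()])
    return fields

def domain(host_or_addr):
    """Crude registrable domain: last two labels, lowercased (no public-suffix list)."""
    return ".".join(host_or_addr.lower().rstrip(">").split("@")[-1].split(".")[-2:])

def analyse(raw):
    h = dict(reversed(unfold(raw)))  # first occurrence of each header name wins
    helo_host, ip, _receiver, stamp = RECEIVED_RE.search(h["received"]).groups()
    received_at = parsedate_to_datetime(stamp.strip())      # receiving server's clock
    sent_at = parsedate_to_datetime(h["date"])               # sender's claimed clock
    when, frac = ARRIVAL_RE.search(h["x-originalarrivaltime"]).groups()
    arrived = datetime.strptime(when, "%d %b %Y %H:%M:%S").replace(tzinfo=timezone.utc)
    arrived += timedelta(microseconds=int(frac.ljust(6, "0")[:6]))
    return {
        "sender_ip": ip,                          # the field that is hardest to forge
        "helo_domain": domain(helo_host),
        "msgid_domain": domain(h["message-id"]),
        "from_domain": domain(h["from"].split("<")[-1]),
        "helo_matches_msgid": domain(helo_host) == domain(h["message-id"]),
        # positive: the Date header claims sending after receipt (clock skew or forgery)
        "date_minus_received_s": (sent_at - received_at).total_seconds(),
        "queue_delay_s": (arrived - received_at).total_seconds(),
    }
```

On this header the script reports a HELO domain (comstatenet.net) that does not match the Message-ID domain (mxdat.org), a Date header almost thirteen hours later than the time hotmail received the message, and a sub-second gap between receipt and X-OriginalArrivalTime.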
Minor Diety
lol, nice... mind if i ask what you went through to learn all this?



Mon Aug 18, 2003 3:47 am
Minor Diety
He didn't, he's just doing what I used to do in the Tech Forum.

_________________
"Well a very, very hevate, ah, heavy duh burtation tonight. We had a very derrist derrison, bite, let's go ahead and terrist teysond those fullabit who have the pit." - Serene Branson


Mon Aug 18, 2003 10:53 am
Minor Diety
what you used to do?



Mon Aug 18, 2003 12:04 pm