I keep explaining this on every non-technical messageboard I visit whenever a member gets a virus. Rather than keep typing it out every time, I decided to do it up really nice one final time.
This guide should let just about anyone figure out how to analyze the virus and spam emails they get to find the true source, and what to look at to help figure out whose PC it is that’s sending out this garbage. I hope this helps someone out there learn a little more, and I hope it helps stop some of the needless blame that innocent victims get when their email address is spoofed as the sender (note that it just as easily could’ve been your address that the email was “from” and the other person’s address that it was sent to).
I’m also going to rant a bit about stupid mail server AV programs. I know that every Netsky virus mail has a spoofed sender address. I know that every Bagle email has a spoofed sender address. Everybody knows that these (and other) email worms use spoofed addresses. So why do these “state of the art” AV programs tell the mail server to bounce the message back to the “from” address? If an attachment infected with CIH is detected, alert the sender. CIH is a file virus – it spreads between files on one PC. If the attachment has CIH, then other files on that PC have CIH also. Bouncing the message back to the sender lets them know they have a virus.
However, bouncing a Netsky/Bagle message back to the “sender” address only tells the person that somewhere a PC with their email address on it has a virus. It’s possible that an infected PC could send out an email with the owner’s address as the “from” address, but it’s just as possible for any other PC to send it out as being from that address. Alerting the “sender” of the email most likely will just confuse an innocent bystander whose PC isn’t infected. Vendors, add a simple check in your super-duper AV program that says “if detectedvirus.type == spoofing, then don’t bounce email”. That’s all it takes, just one little check. I don’t think I’m that much smarter than you guys, but I guess I could be…
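As an added example (not code from the original post), here is a small Python script that does the two things described above: it walks the Received: headers of a constructed sample worm message to find the IP that actually handed the mail to a relay we operate, ignoring the forged From: line, and it implements the “if the detected family spoofs the sender, don’t bounce” check. The sample message, the trusted relay names, and the X-Virus-Name header carrying the scanner’s detection are all assumptions made up for the example; the family list comes straight from the post.

```python
import re
from email import message_from_string
from email.message import Message

# Worm families the post names as always forging the From: address.
# A real filter would take this flag from the scanner's detection metadata.
SPOOFING_FAMILIES = ("netsky", "bagle")

# Constructed sample message (not a real capture). Received: headers are
# newest-first, so the bottom one records the hop closest to the origin.
SAMPLE = (
    "Received: from mx.example.org (mx.example.org [203.0.113.10])\n"
    "\tby inbound.example.net with ESMTP id ABC123; Mon, 1 Mar 2004 10:00:03 -0000\n"
    "Received: from [198.51.100.77] (unknown [198.51.100.77])\n"
    "\tby mx.example.org with SMTP id XYZ789; Mon, 1 Mar 2004 10:00:01 -0000\n"
    "From: \"Alice\" <alice@example.com>\n"
    "To: bob@example.net\n"
    "Subject: Re: your document\n"
    "X-Virus-Name: W32/Netsky.Q@mm\n"
    "\n"
    "body\n"
)

# Relays whose Received: stamps we trust because we run them (assumption).
TRUSTED_RELAYS = {"inbound.example.net", "mx.example.org"}

_FROM_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(msg: Message) -> list[tuple[str, str]]:
    """Return (from_ip, by_host) for each Received: header, newest first."""
    hops = []
    for raw in msg.get_all("Received", []):
        line = " ".join(raw.split())            # unfold continuation lines
        from_part, _, by_part = line.partition(" by ")
        ip_match = _FROM_IP.search(from_part)
        by_host = by_part.split()[0] if by_part else ""
        hops.append((ip_match.group(1) if ip_match else "", by_host))
    return hops


def originating_ip(msg: Message, trusted=TRUSTED_RELAYS) -> str:
    """Walk newest-to-oldest through stamps written by relays we trust.
    The from-IP of the last trusted stamp is the client that really handed
    us the mail; any older Received: line could have been forged by it."""
    origin = ""
    for from_ip, by_host in parse_hops(msg):
        if by_host.lower() not in trusted:
            break
        origin = from_ip
    return origin


def spoofs_sender(virus_name: str) -> bool:
    """True when the detection belongs to a family known to forge From:."""
    name = virus_name.lower()
    return any(family in name for family in SPOOFING_FAMILIES)


def bounce_decision(msg: Message) -> dict:
    """The one check the post asks vendors for: never notify the From:
    address when the family forges it; report the origin IP instead."""
    virus = msg.get("X-Virus-Name", "")
    spoofed = spoofs_sender(virus)
    return {
        "virus": virus,
        "claimed_sender": msg.get("From", ""),
        "origin_ip": originating_ip(msg),
        "notify_claimed_sender": not spoofed,
        "reason": ("family forges From:, do not bounce" if spoofed
                   else "sender's own PC is the source, notify them"),
    }


def analyze(raw_message: str) -> dict:
    """Convenience wrapper: parse a raw RFC 822 message and decide."""
    return bounce_decision(message_from_string(raw_message))


if __name__ == "__main__":
    print(analyze(SAMPLE))
```

For the sample, the decision names 198.51.100.77 as the machine that actually sent the mail and suppresses the bounce to alice@example.com; swapping the detection for a file infector such as CIH flips `notify_claimed_sender` to true, which is exactly the split the post argues for.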