
Klez and other Viruses Inundating me! 2


duffermax (Technical User, US)
Nov 29, 2002
Lately, I get 3 to 5 viruses a day in my e-mail. So far, Norton has done a good job of catching them all. Is there anything I can do to stop receiving all of these virus messages? Many are spoofs, but many are real.
 
I think first you have to receive the mail before you can decide which you throw into the paper tray. There are some mail programs which allow you to delete mails on the server, but some viruses are faking their sender address. Therefore this method will not work reliably.



hnd
hasso55@yahoo.com

 
Norton, unfortunately, does not have a mail scanner component (correct me if I'm wrong). If it had, you could configure it so that as the mail comes in and is infected, you can opt to delete or clean it automatically.

I do this with McAfee and have been satisfied so far. Check if NAV 2003 has this (not sure myself).

HTH AVChap
... take my advice, I don't use it anyway!
 
"Norton, unfortunately, does not have a mail scanner component"

Actually it does AVChap. duffermax, you could create some message rules and use a word or two from the subject of the emails and choose the 'delete from server' option so they won't be downloaded. In Outlook Express--tools--message rules--mail.
 
I would try to find out where the emails are coming from, via your ISP or webmail provider. We had the same problem on the network I use, where a few people were receiving viruses continually. Using the header information on the emails, the system administrator was able to find out that the sender was internal to our network and solve the problem from there!!!
David
 
Most of the current virus crop like Klez and Bugbear spoof the return address. The return address can be anything and the virus just gets one from the infected machine's address book. The only way to trace to the real originator is to look at the message header, do a little detective work and hope you will get some cooperation from the ISP of the infected individual.

I have had some luck in stopping viruses by notifying the ISP of the infected party with the pertinent information for them to trace the source of the virus. I haven’t done this enough to decide how effective it is, but it has worked for me a few times. Here is what I do.

First I look at the message header of the infected e-mail. Here is an example of a header from a Klez.h infected e-mail we just received today. The names are changed to protect the innocent!
-------------------------------------------------------------------
From redneck_lizard@abc.com Sun, 1 Dec 2002 12:16:37 -0600
From: redneck_lizard <redneck_lizard@abc.com>
To: <jsmith@xyz.org>
Received: from mail.hbcomm.net ([198.247.164.14]) by lmg.ahnet.net with ESMTP id <314758-12693>; Sun, 1 Dec 2002 10:16:39 -0800
Received: from Cmvlv [198.247.169.157] by mail.hbcomm.net
(SMTPD32-7.13) id A1ECEC1B00CC; Sun, 01 Dec 2002 12:16:12 -0600
Message-Id: <200212011216310.SM01500@Cmvlv>
Date: Sun, 1 Dec 2002 12:16:37 -0600
Delivery-Date: Mon, 2 Dec 2002 08:34:51
X-Account: My Account
Status: R
Subject: A IE 6.0 patch
Mime-Version: 1.0
-------------------------------------------------------------------

The pertinent info is on the RECEIVED lines; we want to look at them in reverse order.

* My mail server is “lmg.ahnet.net”, and it received the message from “mail.hbcomm.net”.
* The next line shows that mail.hbcomm.net received the mail from Cmvlv [198.247.169.157].

This is the last RECEIVED entry, and so must be the origin of the message. By reading about Klez, I also know that Klez has its own SMTP engine, and so that is probably where the “Cmvlv” comes from; it is bogus. But the IP address 198.247.169.157 is real: it was logged by the receiving system mail.hbcomm.net and can’t be forged.

So... 198.247.169.157 is the IP of the infected system. If it is a system with a static IP address like most broadband connections, then this is all we really need. But if it is a dial-up account, then the IP of the infected computer will be different each time it connects to its ISP. In this case the “Message-ID” information may be useful to the ISP in identifying the culprit from their mail logs.

Next, I try to find who the IP 198.247.169.157 belongs to. There are several ways to do this. You can do a DNS look-up and tracert from Just go to this web site and type in the IP address 198.247.169.157.
The DNS lookup shows that the Host name is hbt-b157.carrollsweb.com.

I know that carrollsweb.com is a local ISP. I go to their web site and find that you can e-mail support at support@carrollsweb.com. I send an e-mail to carrollsweb support telling them that we have been receiving e-mails infected with the Klez.h virus, that I believe the infected machine is at IP 198.247.169.157, and I include the e-mail header and tracert information from above.

Then, just hope for the best.

Hope this helps someone. Also, if there are any better ideas out there, or anyone sees a hole in my logic I would appreciate hearing from you.

Jim
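The header-reading steps Jim lays out (take the Received lines in reverse order, trust the IP the receiving relay logged rather than the name the sender announced, and keep the Message-ID for the ISP) can be scripted so the same check is applied to every infected message. The following is an added example written for this thread, not code from the original posts or from any product mentioned here. It uses only the Python standard library; the sample header is the one Jim quoted (names already changed by him), and the assumed name of your own mail server ("lmg.ahnet.net") is taken from his walkthrough.

```python
"""Trace the originating IP of a mail message from its Received headers.

Added example for the header-reading procedure described in the thread;
not code from the original posts. The SAMPLE_HEADER below is the header
quoted in the thread (names already changed by the poster); the folding
space on the continuation line has been restored so it parses as RFC 822.
"""
import re
import socket
from dataclasses import dataclass
from email import message_from_string
from typing import List, Optional

SAMPLE_HEADER = """\
From redneck_lizard@abc.com Sun, 1 Dec 2002 12:16:37 -0600
From: redneck_lizard <redneck_lizard@abc.com>
To: <jsmith@xyz.org>
Received: from mail.hbcomm.net ([198.247.164.14]) by lmg.ahnet.net with ESMTP id <314758-12693>; Sun, 1 Dec 2002 10:16:39 -0800
Received: from Cmvlv [198.247.169.157] by mail.hbcomm.net
 (SMTPD32-7.13) id A1ECEC1B00CC; Sun, 01 Dec 2002 12:16:12 -0600
Message-Id: <200212011216310.SM01500@Cmvlv>
Date: Sun, 1 Dec 2002 12:16:37 -0600
Subject: A IE 6.0 patch
Mime-Version: 1.0
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


@dataclass
class Hop:
    helo: Optional[str]  # name the sender announced; forgeable (Klez invents one)
    ip: Optional[str]    # address the receiving relay logged; not forgeable by the sender
    by: Optional[str]    # the relay that wrote this Received line
    raw: str


def parse_hops(raw_message: str) -> List[Hop]:
    """Return Received hops in transit order: index 0 is the hop nearest the
    origin, the last element is the line written by our own server."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    hops = []
    for value in reversed(received):          # relays prepend, so reverse them
        text = " ".join(str(value).split())   # unfold continuation lines
        helo = re.search(r"from\s+(\S+)", text, re.I)
        by = re.search(r"\bby\s+(\S+)", text, re.I)
        ip = IPV4_IN_BRACKETS.search(text)
        hops.append(Hop(helo.group(1) if helo else None,
                        ip.group(1) if ip else None,
                        by.group(1) if by else None, text))
    return hops


def chain_is_consistent(hops: List[Hop]) -> bool:
    """Each relay's 'by' host should reappear as the next hop's 'from' host.
    A break means a Received line is missing or was forged by the sender."""
    return all(a.by and b.helo and a.by.lower() == b.helo.lower()
               for a, b in zip(hops, hops[1:]))


def origin_hop(hops: List[Hop], own_server: str) -> Optional[Hop]:
    """Start at the line our own server wrote (the only one we fully trust) and
    walk back while the chain stays consistent; return the earliest hop we can
    still vouch for. Its .ip is the lead to hand to the ISP."""
    idx = next((i for i, h in enumerate(hops)
                if h.by and h.by.lower() == own_server.lower()), None)
    if idx is None:
        return None
    while idx > 0 and hops[idx - 1].by and \
            hops[idx - 1].by.lower() == (hops[idx].helo or "").lower():
        idx -= 1
    return hops[idx]


def message_id_host(raw_message: str) -> Optional[str]:
    """Host part of Message-ID; useful for the ISP's mail logs on dial-up
    accounts where the IP changes per session."""
    mid = message_from_string(raw_message).get("Message-Id", "")
    m = re.search(r"@([^>\s]+)", mid)
    return m.group(1) if m else None


def reverse_dns(ip: str) -> Optional[str]:
    """Best-effort PTR lookup (needs network); None when it fails."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


if __name__ == "__main__":
    hops = parse_hops(SAMPLE_HEADER)
    for h in hops:
        print(f"from {h.helo} [{h.ip}] by {h.by}")
    print("chain consistent:", chain_is_consistent(hops))
    origin = origin_hop(hops, "lmg.ahnet.net")  # assumed: our own server
    print("origin IP:", origin.ip if origin else None,
          "| announced name:", origin.helo if origin else None,
          "| Message-ID host:", message_id_host(SAMPLE_HEADER))
```

On the quoted header this reports the origin as 198.247.169.157 with the announced name "Cmvlv", and notes that the Message-ID host is the same invented name, which is exactly the detail Jim suggests passing to the ISP. The consistency check is the guard against a worm that adds fake Received lines of its own: only lines written by relays you trust are taken at face value, and the walk back stops at the first break in the chain.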
 
Thanks for the great responses. I liked them all and will try a couple of them. I will let you know as I work through this. Thanks, again; anything that will keep from having to deal with finding and deleting 2 to 3 virus e-mails a day will certainly be welcomed.
Duffermax
 
That's why I said "correct me if I'm wrong" since I don't use NAV (I use McAfee) :) AVChap
... take my advice, I don't use it anyway!
 
duffer, you also may want to check for a keylogger... just a hunch. I think a free one is called anti-keylogger... try google
 