Return addresses are spoofed by the worm. Pay no attention to them. However, you can check the received-from headers in the email to see where it was sent from (some may be spoofed as well, so ignore the servers you don't trust).
For example, I received this email from fumagalli <at> exoffice.com:

Received: from smtpin32.myhosting.com [10.5.8.3] by mail.inspireinfrastructure.com
    with ESMTP (SMTPD32-8.05) id A9205B7053E; Fri, 26 Mar 2004 07:59:12 -0500
Received: from rex ([217.153.27.13]) by smtpin32.myhosting.com
    for leo.sutic <at> inspireinfrastructure.com; Fri, 26 Mar 2004 07:59:09 -0500
Date: Fri, 26 Mar 2004 13:59:11 +0100
To: leo.sutic <at> inspireinfrastructure.com
Subject:
From: fumagalli <at> exoffice.com
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--------876506221084734"
X-RCPT-TO: <leo.sutic <at> inspireinfrastructure.com>
Status: U
X-UIDL: 377103200

Looking at the Received: header we see that mail.inspireinfrastructure.com (which I trust) received it from smtpin32.myhosting.com (which I trust). And that smtpin32.myhosting.com received it from "rex" who is at 217.153.27.13. Doing an nslookup leads us here:

http://www.ripe.net/perl/whois?form_type=simple&full_query_string=&searchtext=217.153.27.13

    address: Ster Projekt S.A.
    address: ul. Magazynowa 1
    address: 02-652 Warszawa
    address: Poland

What has happened is that some guy in Poland got hit by this worm. It scanned his Internet Explorer cache and found the fumagalli <at> exoffice.com address in some cached webpage, and used it.

/LS

> From: Carlos Araya [mailto:[EMAIL PROTECTED]
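
The Received-header walk described in the message above, as an added example that is not part of the original post. The function name, the regular expression and the trusted-server set are assumptions made for illustration; the sample headers are the ones quoted in the message.

```python
import re
from email import message_from_string

# Headers copied from the message above (addresses obfuscated as on the page).
SAMPLE = """\
Received: from smtpin32.myhosting.com [10.5.8.3] by mail.inspireinfrastructure.com
 with ESMTP (SMTPD32-8.05) id A9205B7053E; Fri, 26 Mar 2004 07:59:12 -0500
Received: from rex ([217.153.27.13]) by smtpin32.myhosting.com
 for leo.sutic <at> inspireinfrastructure.com; Fri, 26 Mar 2004 07:59:09 -0500
From: fumagalli <at> exoffice.com

"""

# Servers the recipient trusts, as named in the message above.
TRUSTED = {"mail.inspireinfrastructure.com", "smtpin32.myhosting.com"}

# Assumption: matches only the two Received layouts seen in this message.
HOP = re.compile(r"from\s+(\S+)\s+\(?\[([0-9.]+)\]\)?\s+by\s+([^\s;]+)", re.I)


def first_untrusted_hop(raw, trusted=TRUSTED):
    """Walk Received headers newest-first and return (claimed_name, ip) of the
    last peer recorded by a trusted server, or None if nothing is verifiable."""
    origin = None
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(value)
        if not m:
            break                      # unparseable: stop trusting the chain
        claimed, ip, by = m.group(1), m.group(2), m.group(3).lower()
        if by not in trusted:
            break                      # written by an unknown host: may be forged
        origin = (claimed, ip)         # the IP is what the trusted server observed
        if claimed.lower() not in trusted:
            break                      # peer is outside the trust boundary
    return origin


if __name__ == "__main__":
    print(first_untrusted_hop(SAMPLE))
```

The name after "from" is whatever the connecting host announced, so a real filter should match trusted relays by the recorded IP address rather than by name.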