Return addresses are spoofed by the worm. Pay no attention to them.
However, you can check the received-from headers in the email
to see where it was sent from (some may be spoofed as well,
so ignore the servers you don't trust).
For example, I received this email from fumagalli <at> exoffice.com:
Received: from smtpin32.myhosting.com [10.5.8.3] by
mail.inspireinfrastructure.com with ESMTP
(SMTPD32-8.05) id A9205B7053E; Fri, 26 Mar 2004 07:59:12 -0500
Received: from rex ([217.153.27.13])
by smtpin32.myhosting.com
for leo.sutic <at> inspireinfrastructure.com;
Fri, 26 Mar 2004 07:59:09 -0500
Date: Fri, 26 Mar 2004 13:59:11 +0100
To: leo.sutic <at> inspireinfrastructure.com
Subject:
From: fumagalli <at> exoffice.com
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--------876506221084734"
X-RCPT-TO: <leo.sutic <at> inspireinfrastructure.com>
Status: U
X-UIDL: 377103200
Looking at the Received: headers we see that mail.inspireinfrastructure.com
(which I trust) received it from smtpin32.myhosting.com (which I trust). And
that smtpin32.myhosting.com received it from "rex" who is at 217.153.27.13.
Doing an nslookup leads us here:
http://www.ripe.net/perl/whois?form_type=simple&full_query_string=&searchtext=217.153.27.13
address: Ster Projekt S.A.
address: ul. Magazynowa 1
address: 02-652 Warszawa
address: Poland
What has happened is that some guy in Poland got hit by this worm. It
scanned his Internet Explorer cache and found the fumagalli <at> exoffice.com
address in some cached webpage, and used it.
/LS
> From: Carlos Araya [mailto:[EMAIL PROTECTED]
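The header walk described in the post, as an added example (not code from the poster): starting at our own server, follow each Received: hop outward while the relay that wrote it is trusted, and report the first host a trusted relay accepted mail from. The sample message is constructed from the headers quoted above (with a forged bottom hop added to show it is ignored), and the trusted-server set is an assumption.

```python
import email
import re

# Constructed sample, modelled on the headers quoted in the post above.
# The bottom "Received:" line is a forged hop a sender could add itself; it
# sits below the real hops because each relay prepends its own header.
SAMPLE = """\
Received: from smtpin32.myhosting.com [10.5.8.3] by
 mail.inspireinfrastructure.com with ESMTP
 (SMTPD32-8.05) id A9205B7053E; Fri, 26 Mar 2004 07:59:12 -0500
Received: from rex ([217.153.27.13])
 by smtpin32.myhosting.com
 for leo.sutic@inspireinfrastructure.com;
 Fri, 26 Mar 2004 07:59:09 -0500
Received: from mail.exoffice.com ([192.0.2.10]) by rex with SMTP
From: fumagalli@exoffice.com
To: leo.sutic@inspireinfrastructure.com
Subject: test

body
"""

# Assumed: the relays we operate or trust to write honest Received: headers.
TRUSTED = {"mail.inspireinfrastructure.com", "smtpin32.myhosting.com"}

HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)"               # host the relay says it got mail from
    r"(?:\s+\(?\[(?P<ip>[\d.]+)\]\)?)?"   # optional [ip] or ([ip]) the relay saw
    r".*?\bby\s+(?P<by>\S+)"              # the relay that wrote this header
)

def parse_hop(value):
    """Unfold one Received: value and extract from-host, observed IP, by-host."""
    m = HOP_RE.search(" ".join(value.split()))
    if not m:
        return None
    clean = lambda s: s.lower().strip(";,()")
    return {"from": clean(m["from"]), "ip": m["ip"], "by": clean(m["by"])}

def find_origin(raw, trusted):
    """Walk Received: headers newest-first (closest to us) and return the first
    hop where a trusted relay accepted mail from an untrusted host; stop as
    soon as a header was written by an untrusted relay, since it may be forged."""
    msg = email.message_from_string(raw)
    for value in msg.get_all("Received", []):
        hop = parse_hop(value)
        if hop is None or hop["by"] not in trusted:
            return None
        if hop["from"] not in trusted:
            return hop
    return None

if __name__ == "__main__":
    print(find_origin(SAMPLE, TRUSTED))  # the "rex" hop at 217.153.27.13
```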