Katie,

He can examine the headers of the incoming e-mail to determine the IP
address of the source sending server and then use a web site such as
www.samspade.org or www.dnsstuff.com to determine the actual source.  

Why waste the time & effort though?  Here are excerpts from messages which
were posted yesterday in a related forum.

George

--------------------------------------------------------------

>Does anyone else bother to look at the header, do a whois on the IP and
>notify the responsible party of the possible problem on their IP?

We occasionally do so (that's how we found out that Disney and the Pentagon
were infected by Sobig).

>I see the IPs in the e-mail headers so if someone was notified do you
>think they can find the actually infected user?  Would they bother?

They should be able to find the user, and many (but not all) would bother.


------------------------------------------------------------------
The Pentagon?  REALLY???  That's friggin scary as hell....

Yup.  They got infected about 1PM yesterday, we found out and notified them 
about 8PM, and they responded quickly saying that they were aware of 
it.  As of a couple hours ago, though, they were still sending them out.

-------------------------------------------------------------------------

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Katie La Salle-Lowery
> Sent: Thursday, August 21, 2003 1:09 PM
> To: [EMAIL PROTECTED]
> Subject: [IMail Forum] WAY OT--Tracking Sobig 
> 
> 
> Hi all, 
> 
> Those who don't want to waste their time on non-Imail issues please move
> on now...
> 
> I have a connectivity customer who has a GroupWise mail server behind a
> Symantec Gateway.  Sobig isn't getting through to his mail server.
> However, the quantity is such that the Symantec Gateway is so overworked
> that his legit mail is suffering a massive slow-down.  He has observed
> that Sobig spoofs the sending address.  I observed the same when we got
> a message to an alias saying that the alias address had sent Sobig.
> He's wondering if there is a way to track it back and notify the owner
> of the infected machine and thereby hopefully reduce the volume they are
> receiving.
> 
> I've asked him to send me the headers from a quarantined message so I
> can investigate.  His first attempt to do so was unopenable to me.  I'm
> awaiting his next attempt.
> 
> Has anyone had experience or any suggestions for tracking Sobig?  I
> haven't seen any samples of Sobig.F.  YEAH for Imail rules!  Maybe not
> perfect but helpful, anyway...
> 
> Thanks, 
> Katie

To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
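The header-reading step George describes (find the IP of the server that actually connected to you, ignore the forged From:, then look the address up and notify the owner) is easy to get wrong by hand when a worm also inserts fake Received: lines. The following is an added example, not code from the thread or from IMail, that parses a constructed Sobig-style message and picks out the hop a defender can actually trust. It assumes the recipient operates mail.example.net and mx.example.net (hypothetical hostnames) and that only Received: lines written by those hosts are genuine; everything below the first untrusted hop is treated as unverifiable.

```python
import email
import email.utils
import ipaddress
import re

# Constructed sample (not a real capture): a Sobig-style message as it
# arrives at the recipient's mail server.  The From: is forged.  The
# bottom-most Received: line was inserted by the sender and is a forgery;
# the only reliable evidence is the connecting IP recorded by our own MTAs.
SAMPLE = b"""Received: from mx.example.net (mx.example.net [10.1.2.3])
\tby mail.example.net (IMail) with ESMTP id ABC123;
\tThu, 21 Aug 2003 13:05:44 -0500
Received: from alias.example.org (unknown [203.0.113.42])
\tby mx.example.net with SMTP; Thu, 21 Aug 2003 13:05:40 -0500
Received: from bigcorp.example (mail.bigcorp.example [192.0.2.99])
\tby alias.example.org with SMTP; Thu, 21 Aug 2003 13:05:30 -0500
From: someone@example.org
To: katie@example.net
Subject: Re: Details
Content-Type: text/plain

See the attached file for details.
"""

# Hostnames of the MTAs we operate (assumed); only Received: lines whose
# "by" clause names one of these hosts are trusted.
TRUSTED_MTAS = {"mail.example.net", "mx.example.net"}

# Hops between our own internal relays are skipped when locating the sender.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")          # "[a.b.c.d]"
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)  # "by host"


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def received_hops(raw):
    """Return the Received: lines, newest first, as dicts of by/ip/date."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())           # unfold the header
        by = BY_RE.search(flat)
        ip = IP_RE.search(flat)
        date = None
        if ";" in flat:                          # timestamp follows the last ';'
            try:
                date = email.utils.parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                date = None
        hops.append({"by": by.group(1).lower() if by else None,
                     "ip": ip.group(1) if ip else None,
                     "date": date})
    return hops


def originating_ip(raw, trusted=TRUSTED_MTAS):
    """Walk down from the newest hop.  The first non-internal IP that one of
    our own MTAs recorded is the machine that really connected to us; stop
    as soon as a hop was written by a host we do not control."""
    for hop in received_hops(raw):
        if hop["by"] not in trusted:
            return None                          # everything below could be forged
        if hop["ip"] and not is_internal(hop["ip"]):
            return hop["ip"]
    return None


def abuse_report(raw):
    """Collect what the owner of the infected host needs: the IP, when it
    connected, and the (spoofed) sender it claimed to be."""
    msg = email.message_from_bytes(raw)
    ip = originating_ip(raw)
    hop = next((h for h in received_hops(raw) if h["ip"] == ip), None)
    return {"ip": ip,
            "first_seen": hop["date"] if hop else None,
            "claimed_sender": email.utils.parseaddr(msg.get("From", ""))[1]}


if __name__ == "__main__":
    print(abuse_report(SAMPLE))
```

With the sample above the forged bottom line naming 192.0.2.99 is never consulted, and the report points at 203.0.113.42 with the timestamp our own MX stamped on it. That IP, not the From: address, is what to feed to a whois lookup before notifying anyone, since the sender address on a Sobig message belongs to a third party.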
