Katie,

He can examine the headers of the incoming e-mail to determine the IP address of the source sending server and then use a web site such as www.samspade.org or www.dnsstuff.com to determine the actual source.

Why waste the time & effort though? Here are excerpts from messages which were posted yesterday in a related forum.

George

--------------------------------------------------------------
> Does anyone else bother to look at the header, do a whois on the IP and
> notify the responsible party of the possible problem on their IP?

We occasionally do so (that's how we found out that Disney and the Pentagon were infected by Sobig).

> I see the IPs in the e-mail headers so if someone was notified do you
> think they can find the actual infected user? Would they bother?

They should be able to find the user, and many (but not all) would bother.
------------------------------------------------------------------
The Pentagon? REALLY??? That's friggin scary as hell....

Yup. They got infected about 1PM yesterday, we found out and notified them about 8PM, and they responded quickly saying that they were aware of it. As of a couple hours ago, though, they were still sending them out.
-------------------------------------------------------------------------
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie La Salle-Lowery
> Sent: Thursday, August 21, 2003 1:09 PM
> To: [EMAIL PROTECTED]
> Subject: [IMail Forum] WAY OT--Tracking Sobig
>
> Hi all,
>
> Those who don't want to waste their time on non-Imail issues please move on now...
>
> I have a connectivity customer who has a GroupWise mail server behind a
> Symantec Gateway. Sobig isn't getting through to his mail server.
> However, the quantity is such that the Symantec Gateway is so overworked
> that his legit mail is suffering a massive slow-down. He has observed
> that Sobig spoofs the sending address. I observed the same when we got
> a message to an alias saying that the alias address had sent Sobig.
> He's wondering if there is a way to track it back and notify the owner
> of the infected machine and thereby hopefully reduce the volume they are
> receiving.
>
> I've asked him to send me the headers from a quarantined message so I
> can investigate. His first attempt to do so was unopenable to me. I'm
> awaiting his next attempt.
>
> Has anyone had experience or any suggestions for tracking Sobig? I
> haven't seen any samples of Sobig.F. YEAH for Imail rules! Maybe not
> perfect but helpful, anyway...
>
> Thanks,
> Katie
>
> To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
> List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
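George's advice above is to read the Received: headers, pull out the source IP, and then look it up (whois, reverse DNS) to find who to notify. As an added example that is not part of the original thread and is not Katie's, George's or Ipswitch's code, the Python script below does the header-reading half. It parses a constructed sample message (hostnames under example.net/example.org and RFC 5737 documentation addresses stand in for real ones), walks the hops, and separates the address that actually connected to your own servers (verifiable) from the origin claimed by the earlier headers (which were written by other people's servers, or by the worm's own SMTP engine, and can be forged). The set of trusted server names is an assumption you would replace with your own hostnames.

```python
import email
import ipaddress
import re

# Constructed sample message, not a real capture. Each mail server prepends
# its own Received: header, so the top header is the newest hop and the
# bottom header is the first hop. RFC 5737 documentation addresses
# (192.0.2.x, 198.51.100.x, 203.0.113.x) stand in for public IPs.
SAMPLE_MESSAGE = """Received: from gw.example.net (gw.example.net [192.0.2.10])
\tby mail.example.net (IMail) with ESMTP id abc123; Thu, 21 Aug 2003 13:09:00 -0400
Received: from relay.example.org (relay.example.org [198.51.100.7])
\tby gw.example.net (gateway) with SMTP; Thu, 21 Aug 2003 13:08:58 -0400
Received: from home-pc (cpe-203-0-113-42.isp.example [203.0.113.42])
\tby relay.example.org (Postfix) with SMTP id 7f3a; Thu, 21 Aug 2003 13:08:50 -0400
Received: from localhost (localhost [127.0.0.1])
\tby home-pc with SMTP; Thu, 21 Aug 2003 13:08:40 -0400
From: someone@example.com
To: alias@example.net
Subject: Re: Thank you!

(body omitted)
""".encode()

# Addresses that cannot belong to an external sender: loopback, RFC 1918 and
# link-local. Everything else is treated as routable on the public Internet.
# (ipaddress.is_private/is_global are not used because they also flag the
# documentation ranges used in the sample.)
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# "from <host> (<comment> [<ip>]) by <host> ..." is the common shape of a hop.
RECEIVED_RE = re.compile(r"from\s+(?P<from>\S+)(?P<rest>.*?)\s+by\s+(?P<by>\S+)",
                         re.IGNORECASE)
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def is_routable(ip):
    return not any(ip in net for net in NON_ROUTABLE)


def parse_received(raw):
    """Return the Received: hops newest-first as dicts with from/by/ip."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in msg.get_all("Received", []):
        value = re.sub(r"\s+", " ", value)          # unfold continuation lines
        m = RECEIVED_RE.search(value)
        if not m:
            continue                                 # e.g. "Received: by ..." with no from
        ip = None
        ip_m = IP_RE.search(m.group("from") + m.group("rest"))
        if ip_m:
            try:
                ip = ipaddress.ip_address(ip_m.group(1))
            except ValueError:
                ip = None                            # junk inside the brackets
        hops.append({"from": m.group("from"),
                     "by": m.group("by").rstrip(";"),
                     "ip": ip})
    return hops


def trace_origin(raw, trusted_by):
    """trusted_by: lowercase hostnames of the servers you operate (assumed).

    Headers written by those servers can be believed; everything below them
    was written by somebody else and may be forged, so the two are reported
    separately."""
    hops = parse_received(raw)
    connecting = None
    for hop in hops:                                 # newest first
        if hop["by"].lower() in trusted_by:
            if (hop["from"].lower() not in trusted_by
                    and hop["ip"] is not None and is_routable(hop["ip"])):
                connecting = str(hop["ip"])          # last external peer we saw
        elif connecting is not None:
            break                                    # left our own infrastructure
    claimed = None
    for hop in reversed(hops):                       # earliest hop first
        if hop["ip"] is not None and is_routable(hop["ip"]):
            claimed = str(hop["ip"])
            break
    return {"connecting_ip": connecting, "claimed_origin": claimed}


if __name__ == "__main__":
    for hop in parse_received(SAMPLE_MESSAGE):
        print(f"{hop['by']:<20} <- {hop['from']} [{hop['ip']}]")
    print(trace_origin(SAMPLE_MESSAGE, {"mail.example.net", "gw.example.net"}))
```

On the sample, `connecting_ip` is the relay that delivered to the customer's gateway (198.51.100.7) and `claimed_origin` is the dial-up box named in the relay's own header (203.0.113.42). The first is the one you can prove from your own logs and the party whose whois contact you would mail; the second is what that party would use to find the infected user. Run the whois on both with the sites George names or a local `whois` client.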
