The IP address in the header where it originated is the only way of tracking from the ones I have seen.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:IMail_Forum-
> [EMAIL PROTECTED] On Behalf Of Katie La Salle-Lowery
> Sent: Thursday, August 21, 2003 10:09 AM
> To: [EMAIL PROTECTED]
> Subject: [IMail Forum] WAY OT--Tracking Sobig
>
> Hi all,
>
> Those who don't want to waste their time on non-Imail issues please move
> on now...
>
> I have a connectivity customer who has a GroupWise mail server behind a
> Symantec Gateway. Sobig isn't getting through to his mail server.
> However, the quantity is such that the Symantec Gateway is so overworked
> that his legit mail is suffering a massive slow-down. He has observed
> that Sobig spoofs the sending address. I observed the same when we got
> a message to an alias saying that the alias address had sent Sobig.
> He's wondering if there is a way to track it back and notify the owner
> of the infected machine and thereby hopefully reduce the volume they are
> receiving.
>
> I've asked him to send me the headers from a quarantined message so I
> can investigate. His first attempt to do so was unopenable to me. I'm
> awaiting his next attempt.
>
> Has anyone had experience or any suggestions for tracking Sobig? I
> haven't seen any samples of Sobig.F. YEAH for Imail rules! Maybe not
> perfect but helpful, anyway...
>
> Thanks,
> Katie
>
> To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
> List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
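
Added example, not part of the original thread: one way to pull the originating IP out of the headers of a quarantined message, given that the From address is spoofed. It trusts only Received lines stamped by servers you run; the function names, hostnames and the sample message are constructed for illustration.

```python
import email
import ipaddress
import re

# Constructed sample: documentation IP ranges and example hostnames only.
RAW = (
    "Received: from gw.example.net (gw.example.net [10.0.0.5])\n"
    "\tby mail.example.net with ESMTP; Thu, 21 Aug 2003 10:01:07 -0600\n"
    "Received: from PC17 (dsl-17.isp.example [203.0.113.45])\n"
    "\tby gw.example.net with SMTP; Thu, 21 Aug 2003 10:01:05 -0600\n"
    "Received: from mail.forged.example ([198.51.100.9])\n"
    "\tby relay.forged.example; Thu, 21 Aug 2003 09:58:00 -0600\n"
    "From: someone.else@example.org\n"
    "To: alias@example.net\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

HOP = re.compile(r"from\s+(\S+).*?\[([0-9.]+)\].*?\bby\s+([^\s;]+)", re.S)

def received_hops(raw):
    """Return (helo_name, ip, stamping_host) per Received header, newest first."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        m = HOP.search(value)
        if not m:
            continue
        try:
            ipaddress.ip_address(m.group(2))   # reject malformed addresses
        except ValueError:
            continue
        hops.append((m.group(1), m.group(2), m.group(3).lower()))
    return hops

def handoff_ip(raw, trusted_hosts):
    """IP recorded by the outermost server we run ourselves.

    Received lines are prepended, so walk newest to oldest and stop at the
    first line stamped by a host outside trusted_hosts: that line and all
    older ones were written by someone else and can be forged.
    """
    ip = None
    for _helo, hop_ip, by_host in received_hops(raw):
        if by_host not in trusted_hosts:
            break
        ip = hop_ip
    return ip
```

When notifying the owning network's abuse contact, include the timestamp from the same Received line, since the address may be dynamically assigned.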
