Richard Jones
I'm trying to track down some persistent virus emails, and just want
to make sure I'm not missing a spoof.
Messages (mostly MyDoom) are coming direct to my SMTP server, which
attaches a single Received: line, such as ...
  Received: from lucent-2.jcisd.k12.mi.us (HELO jacc-mi.net)
  (204.38.111.4)
  by xxx.activeservice.co.uk (62.164.xxx.xxx) with ESMTP; 04 Apr 2004
  23:53:40 -0000
AFAIAW the IP of the sending machine (204.38.111.4) can't be spoofed,
although the HELO obviously always is. I.e. this is telling me either
that 204.38.111.4 (which resolves to lucent-2.etc) is the infected
machine, or more likely it's a gateway behind which the infected
machine(s) are connected.
Is there anything wrong in this assumption? I just want to be sure
before I start jumping all over these people - more than 50% of the
incoming infections are from this one address.
I'd also be interested to know how many other people are getting large
volumes from this source.
TIA
Rick Jones