Subject: Re: Please scan your computers for viruses
From: "Robi" <r_buecheler@remove.yahoo.com>
Date: 26/09/2003, 12:46
Newsgroups: alt.sci.seti

Dave Trapnell wrote:
Since my original post, the rate of arrival in my inbox has
diminished from about ten per hour to about one per two
hours. I doubt if there is any connection, but the
infestation seems to be blowing over. 
[...]
Martin <ml_news@ddnospamddml1dd.co.uk.dd> wrote:
(Just in case you didn't get the hint. DO NOT REPLY TO VIRUS/WORM MAIL. 
It shouldn't take any intelligence to reason why.)
Replying to the Return-Path: is not quite the same as simply
replying to the email. The Return-Path: field is less
obviously bogus than the From: field. 

Side note [they can all be just as bogus]

"Robi" <r_buecheler@remove.yahoo.com> wrote:
The following lines can be forged:
From:
Return-Path:
Reply-To:
You can only go by the
Received:
lines, and there you need to tread carefully, 
because they can be inserted by the sending mailer (spoofed), 
but the mail exchangers have to add a 
Received: line above the previous Received: line.
That way you can trace back from top down 
where the message probably came from.
Here's a typical sequence from an actual occurrence
in which the Return-Path domain matches that of the
Received: sequence:
Return-Path: <jpick@charter.net>
Received: from remt19.cluster1.charter.net ([209.225.8.29])
by sparrow (EarthLink SMTP Server) with ESMTP id
1a2If06CF3NZFjV0 for <dtresearch@earthlink.net>; 
Thu, 25 Sep 2003 19:21:53 -0700 (PDT)
Received: from [24.197.101.170] (HELO ovfr)
 by remt19.cluster1.charter.net (CommuniGate Pro SMTP 4.0.6)
with SMTP id 3264321; Thu, 25 Sep 2003 22:21:42 -0400

(slightly reformatted to fit on the page). If I'm
understanding you correctly, the e-mail enters the system
"at the bottom", and entries are appended upwards as the
document wends through the system?

In principle, that's correct, although, as I mentioned, 
received lines can be "pre inserted" to fake a bogus
originating system.
Here the received lines match and the entry point was (or is)
the PC on IP 24.197.101.170 (cpe-24-197-101-170.spa.sc.charter.com)
jpick can be very bogus.
The best would be to alert abuse@charter.com about the virus providing
the email of the virus (with a partially stripped virus load).
Charter can verify who had that IP address at the time and alert
the owner of the PC.


Here's an example in which the Received: domain and the
Return-Path: domains do not appear to match:

Return-Path: <alecandmarylillie@tesco.net>
Received: from mta4-svc.business.ntl.com ([62.253.164.44])
by vulture (EarthLink SMTP Server) with ESMTP id
1a2BOI2Xj3NZFl50
Thu, 25 Sep 2003 12:30:20 -0700 (PDT)
Received: from mvlnsms ([62.252.177.51]) by
mta4-svc.business.ntl.com
(InterMail vM.4.01.03.37 201-229-121-137-20020806) 
with SMTP id
<20030925192453.IOQD8268.mta4-svc.business.ntl.com@mvlnsms>;
Thu, 25 Sep 2003 20:24:53 +0100 

Thus I suppose we can assume that
<alecandmarylillie@tesco.net> may be a perfectly valid
address that the virus has plucked from somewhere and
planted into this message.

And that's why I said jpick@charter.net can be very bogus.

Here the host 62.252.177.51 is m307-mp3.cvx2-a.lng.dial.ntli.net

inetnum:      62.252.160.0 - 62.252.191.255
netname:      NTL
descr:        NTL Internet

trouble:      For abuse notifications please -
trouble:      email : abuse@ntlworld.com
trouble:      telephone : +44 2920 305142

so here abuse@ntlworld.com would be the place to alert informing about
the virus and they should contact the user who was on that IP address
at that time.


That way you can trace back from top down 
where the message probably came from.
But does the bottom entry actually give us anything we can
actually use? 

Usually yes, unless it's a proxy, which could receive a message injected
from anywhere on the planet, or the virus or the spammer added received
lines to cover the trace, which would mean that the received line above
the "bogus received line(s)" would be the one to check, and that's why
it is imperative to follow the path from top to bottom.

Thanks, by the way, for the detailed explanation.

you're welcome :)


-- Robi (2.8#@ 2.69 yrs)
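The top-down Received: walk described in this thread, as an added example that is not part of the original posts: it unfolds the headers, parses each hop, and stops at the first hop whose "from" host is not the "by" host of the line below it. The first sample is the Charter chain quoted above; the second is constructed, with placeholder hostnames, to show a pre-inserted bogus line being cut off.

```python
import re
# Constructed sample: the Charter chain quoted in the thread, folded as in RFC 822.
SAMPLE_CHARTER = """\
Return-Path: <jpick@charter.net>
Received: from remt19.cluster1.charter.net ([209.225.8.29])
    by sparrow (EarthLink SMTP Server) with ESMTP id
    1a2If06CF3NZFjV0 for <dtresearch@earthlink.net>;
    Thu, 25 Sep 2003 19:21:53 -0700 (PDT)
Received: from [24.197.101.170] (HELO ovfr)
    by remt19.cluster1.charter.net (CommuniGate Pro SMTP 4.0.6)
    with SMTP id 3264321; Thu, 25 Sep 2003 22:21:42 -0400
"""
# Constructed: same chain plus a bogus Received: line pre-inserted by the sender (placeholder hosts).
SAMPLE_FORGED = SAMPLE_CHARTER + """\
Received: from mail.example.invalid ([203.0.113.5])
    by smtp.example.invalid with SMTP id 0; Thu, 25 Sep 2003 22:20:00 -0400
"""

HOP = re.compile(r"^Received:\s*from\s+(\S+)(.*?)\s+by\s+(\S+)", re.I)
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def unfold(raw):
    out = []  # join folded continuation lines onto their header line
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out

def parse_hops(raw):
    """Received: hops top-down as {from, ip, by}; top = added last by our MX."""
    hops = []
    for line in unfold(raw):
        m = HOP.match(line)
        if m:
            name, extra, by = m.groups()
            ip = IPV4.search(name + extra)
            hops.append({"from": name.strip("[]"), "by": by.rstrip(";"),
                         "ip": ip.group(1) if ip else None})
    return hops

def trace_origin(raw):
    """Walk the chain top-down: each hop's 'from' must be the host the hop
    below claims to be 'by'. Stop at the first break (lines below it may be
    forged). Returns (origin_ip, hops_walked, chain_broken)."""
    hops = parse_hops(raw)
    for i, hop in enumerate(hops):
        nxt = hops[i + 1] if i + 1 < len(hops) else None
        if nxt is None or hop["from"].lower() != nxt["by"].lower():
            return hop["ip"], i + 1, nxt is not None
    return None, 0, False
```

For the quoted Charter chain this yields 24.197.101.170 with the chain intact; for the forged sample it yields the same IP but flags the break, so the bogus bottom line is ignored rather than trusted.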