Subject: Re: Please scan your computers for viruses
From: Dave Trapnell
Date: 26/09/2003, 21:03
Newsgroups: alt.sci.seti

"Robi" <r_buecheler@remove.yahoo.com> wrote:
> Dave Trapnell wrote:
> > Here's a typical sequence...
> >
> > Return-Path: <jpick@charter.net>
> > Received: from remt19.cluster1.charter.net ([209.225.8.29])
> > by sparrow (EarthLink SMTP Server) with ESMTP id
> > 1a2If06CF3NZFjV0 for <dtresearch@earthlink.net>;
> > Thu, 25 Sep 2003 19:21:53 -0700 (PDT)
> > Received: from [24.197.101.170] (HELO ovfr)
> >  by remt19.cluster1.charter.net (CommuniGate Pro SMTP 4.0.6)
> > with SMTP id 3264321; Thu, 25 Sep 2003 22:21:42 -0400
>
> Here the received lines match and the entry point was (or is)
> the PC on IP 24.197.101.170 (cpe-24-197-101-170.spa.sc.charter.com)

Hopefully, you meant charter.NET? 
If not I'll be very confused.

> The best would be to alert abuse@charter.com about the virus providing
> the email of the virus (with a partially stripped virus load).
> Charter can verify who had that IP address at the time and alert
> the owner of the PC.

That's the goal. I want to fix the originating machines and
get them on board with anti-virus software. Changing my
address or installing mailwash to delete the virus-laden
email is just putting a band-aid on the problem. 

How much need be sent to the ISP? Would not just the header
be sufficient, or do we need to include enough of the virus
to show that it is not just a bogus virus report? I suppose
I would have to actually TURN OFF Symantec email scanning to
get an intact copy of the virus, as the viruses are
intercepted before reaching any of my email clients.

> > Here's another example...
> >
> > Return-Path: <alecandmarylillie@tesco.net>
> > Received: from mta4-svc.business.ntl.com ([62.253.164.44])
> > by vulture (EarthLink SMTP Server) with ESMTP id
> > 1a2BOI2Xj3NZFl50
> > Thu, 25 Sep 2003 12:30:20 -0700 (PDT)
> > Received: from mvlnsms ([62.252.177.51]) by
> > mta4-svc.business.ntl.com
> > (InterMail vM.4.01.03.37 201-229-121-137-20020806)
> > with SMTP id
> > <20030925192453.IOQD8268.mta4-svc.business.ntl.com@mvlnsms>;
> > Thu, 25 Sep 2003 20:24:53 +0100
>
> Here the host 62.252.177.51 is m307-mp3.cvx2-a.lng.dial.ntli.net
>
> inetnum:	62.252.160.0 - 62.252.191.255
> netname:	NTL
> descr:		NTL Internet
> trouble:	For abuse notifications please -
> trouble:	email : abuse@ntlworld.com
> trouble:	telephone : +44 2920 305142
>
> so here abuse@ntlworld.com would be the place to alert informing about
> the virus and they should contact the user who was on that IP address
> at that time.

How did you derive the above information from all the
gobbledygook in the header? I see ntl.com but I don't see
ntlworld anywhere.

Thanks again for the additional detailed information. 

BTW, if anyone has an undying need to look 
at my seti stats, here is the URL:
http://setiathome.ssl.berkeley.edu/fcgi-bin/fcgi?email=thedave@pacbell.net&cmd=user_stats_new

My understanding is that since the above email address was
turned off, there will never be any way to transfer my SETI
account to the new one. Is this correct?

Diatribe follows:
Not to get off the subject, but yes, it does waste
electricity. Try running the computer off an invertor and a
battery and you will see how quickly a desktop tower sucks
that battery dry. However, my energy-guzzling
air-conditioner (which I consider essential to my survival)
uses more electricity in an afternoon than the computer uses
in a whole year, and turning the computer on and off two
dozen times a day stresses the components with all the
thermal cycling and wastes my time waiting for the thing to
boot up. At least it's doing something potentially useful
and/or interesting with some of its wasted energy.
End of Diatribe.
Dave.
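On Dave's question of how the originating address was derived from the headers: the following is an added example, not code from either poster, that walks the Received lines quoted in this thread bottom-up, checks that the hops chain together (Robi's "received lines match") and pulls out the IP that the whois lookup is run on. The unfolding and chain-check logic are my own; the abuse address itself still comes from the whois reply, as in Robi's NTL excerpt.

```python
import re
# Received lines taken from the two virus-carrying messages quoted above (folding shortened).
SAMPLE_CHARTER = """\
Received: from remt19.cluster1.charter.net ([209.225.8.29])
by sparrow (EarthLink SMTP Server) with ESMTP id
1a2If06CF3NZFjV0 for <dtresearch@earthlink.net>;
Thu, 25 Sep 2003 19:21:53 -0700 (PDT)
Received: from [24.197.101.170] (HELO ovfr)
 by remt19.cluster1.charter.net (CommuniGate Pro SMTP 4.0.6)
with SMTP id 3264321; Thu, 25 Sep 2003 22:21:42 -0400
"""
SAMPLE_NTL = """\
Received: from mta4-svc.business.ntl.com ([62.253.164.44])
by vulture (EarthLink SMTP Server) with ESMTP id 1a2BOI2Xj3NZFl50
Thu, 25 Sep 2003 12:30:20 -0700 (PDT)
Received: from mvlnsms ([62.252.177.51]) by mta4-svc.business.ntl.com
(InterMail vM.4.01.03.37 201-229-121-137-20020806) with SMTP id
<20030925192453.IOQD8268.mta4-svc.business.ntl.com@mvlnsms>; Thu, 25 Sep 2003 20:24:53 +0100
"""
HEADER_START = re.compile(r"^[A-Za-z][A-Za-z0-9-]*:")
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOP = re.compile(r"from\s+(?P<frm>\S+)(?P<extra>.*?)\s+by\s+(?P<by>\S+)")

def unfold(raw):
    """Join folded header lines, even continuations that lost their leading space."""
    lines = []
    for line in raw.splitlines():
        if HEADER_START.match(line):
            lines.append(line.rstrip())
        elif lines:
            lines[-1] += " " + line.strip()
    return lines

def parse_received(raw):
    """Hops newest-first; only the top one (added by your own MTA) is trustworthy, the rest may be forged."""
    hops = []
    for line in unfold(raw):
        m = HOP.search(line) if line.lower().startswith("received:") else None
        if m:
            ips = IPV4.findall(m.group("frm") + m.group("extra"))
            hops.append({"from": m.group("frm").strip("[]"),
                         "ip": ips[0] if ips else None, "by": m.group("by")})
    return hops

def chain_is_consistent(hops):
    """'Received lines match': each hop's 'by' host must be the next-newer hop's 'from' host."""
    return all(older["by"] == newer["from"] for newer, older in zip(hops, hops[1:]))

def origin_ip(hops):
    """Oldest hop's IP = the injecting machine; whois that IP (not the hostname) for the abuse contact."""
    return hops[-1]["ip"] if hops else None
```

The hostname in the oldest hop (HELO name or reverse DNS) is whatever the sender or its ISP chose, so the whois query, and the abuse report, should be keyed on the bracketed IP address.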