[LINK] Ponderings on the effects of computer viruses

Saliya Wimalaratne saliya@hinet.net.au
Thu, 3 Oct 2002 12:30:11 +1000 (EST)


On Thu, 3 Oct 2002, Jan Whitaker wrote:

> At 03:43 PM 2/10/02 +1000, Saliya Wimalaratne wrote:
> 
> >Reason being: if your dad/spouse/sysadmin gets infected and the worm
> >pretends to be from them - to you, it looks legit. Of course, once
> >downloaded, *then* you know. But if you're using Outlook - it could be
> >too late :) :)
> 
> I'll vouch for this.  I just received an infected message from a site that 
> I would have trusted implicitly, but it was still infected.
> 
> Now the question is about:
> does Bugbear fake its originator, and if it does, do I tell the originator 
> of this infected message considering that it may not have been from them at 
> all?

You can usually rely on the headers from the 'last-hop-before-yours' -
i.e. the headers that were added by your ISP's mail server. You can't
really rely on any earlier ones since these are readily faked. 

Contacting the postmaster of the 'previous-hop' site will, if they are
so inclined and have the logs available, result in finding the
previous hop before them. Postmasters are less and less inclined 
to follow up on these things in today's Internet because it costs them
time/money that they pretty much can't bill for. 

Repeat ad infinitum till you find the originating IP - you can then 
take it up with them. 

You can't trust the source address.

Regards,

Saliya
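
The header check described in the message above, as an added example that is not part of the original post: it reads the `Received:` chain and treats only the topmost entry, stamped by your own ISP's mail server, as reliable. The sample message, hostnames, addresses and the `my_mx` parameter are constructed for illustration, and the `from HELO (RDNS [IP]) by SERVER` layout is an assumption since real mail servers format this line differently.

```python
import re
from email import message_from_string

# Constructed sample: hostnames and addresses are made up (documentation ranges).
RAW = """\
Received: from mail.sender.example (mail.sender.example [192.0.2.25])
\tby mx.myisp.example with ESMTP id A1; Thu, 3 Oct 2002 12:29:58 +1000
Received: from family.example (unknown [198.51.100.7])
\tby mail.sender.example with SMTP id B2; Thu, 3 Oct 2002 12:29:40 +1000
Received: from dads-pc (localhost [127.0.0.1])
\tby family.example with SMTP id C3; Thu, 3 Oct 2002 12:29:00 +1000
From: Dad <dad@family.example>
To: you@myisp.example
Subject: look at this

body
"""

# Assumed layout: "from HELO (RDNS [IP]) by SERVER ..."; real MTAs vary.
HOP = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)")

def trace_hops(raw, my_mx):
    """Return Received hops newest first, marking which one can be relied on."""
    msg = message_from_string(raw)
    hops = []
    for i, value in enumerate(msg.get_all("Received", [])):
        m = HOP.search(value)
        if not m:
            continue
        helo, _rdns, ip, by = m.groups()
        # Only the topmost header, stamped by our own server, is reliable;
        # everything below it was supplied by the sending side.
        trusted = i == 0 and by.lower() == my_mx.lower()
        hops.append({"helo": helo, "ip": ip, "by": by, "trusted": trusted})
    return hops

def previous_hop_ip(raw, my_mx):
    """IP that connected to our server, or None if no header is reliable."""
    hops = trace_hops(raw, my_mx)
    return hops[0]["ip"] if hops and hops[0]["trusted"] else None

if __name__ == "__main__":
    for hop in trace_hops(RAW, "mx.myisp.example"):
        label = "reliable" if hop["trusted"] else "unverified"
        print(f'{hop["ip"]:15} via {hop["by"]:22} {label}')
    print("previous hop to ask about:", previous_hop_ip(RAW, "mx.myisp.example"))
```

The `From:` line never enters the result: the only value returned is the address your own server recorded for the connecting host.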
