Email viruses come from many sources, usually from other machines infected with a virus. There are clues in email headers, but they're often incomplete.
Today I got a message that I had received two Emails in my box with a virus ... But where [do they] come from?
There's no 100% reliable way to tell who really sent you the virus. The only thing that's likely is that your email address, or the address of an email list you are a member of, is contained in an address book on the machine that sent it to you, and that that machine is a Windows machine. As to whose machine that might be, you can get clues from the more detailed email headers that you typically don't see, but even then it's often difficult to tell.
This virus, like many recent viruses, works by emailing a copy of itself to everyone it finds in the address books on infected machines. It also spoofs, or fakes, the "From:" address, to hide where the email is coming from. It looks like this virus uses only certain "from" addresses, but others will actually use other addresses found in the infected machine's address book.
"From spoofing" is a little confusing so let's whip up an example.
Peter has both Paul and Mary in his email address book. Paul and Mary do not know each other and have never emailed each other. Unfortunately, Peter's computer becomes infected with one of the viruses we're talking about. The virus starts emailing itself to everyone in Peter's address book and also uses the address book to make fake "from" addresses. As a result, Peter's computer sends email to Mary that looks like it's "from" Paul, even though Paul had nothing whatsoever to do with it. If Mary believes the "from" address, she may get upset with Paul for "sending" her the virus but her anger is misplaced - it's Peter's machine that's infected.
If we take a look at the email header information that comes with each email message, we may be able to track the source a little better. The header information I'm talking about is information that many email clients don't show you by default. As an email message gets passed from computer to computer, each will add an informational line to the header saying when the message was received and from what IP address. The first of those should be from the machine that sent the email in the first place.
Unfortunately, it's not always that simple. For example, a broadband router, firewall, or proxy server can mask a machine's address on the internet. In addition, some of the viruses take steps to obscure or spoof the header information.
Outlook and Outlook Express are both common mailers, as well as common virus targets, and both hide the headers by default. If you want to have a look at the headers I'm talking about:
Outlook: Right-click on the message in the message list and select Options. In the default pane of the options dialog is a box labeled "Internet Headers". The box is almost always smaller than the accumulated header information, so you may want to copy/paste the headers into Notepad to view them.
Outlook Express: Right-click on the message in the message list, select Properties, and then click on the "Details" tab. The details tab contains the internet headers.
The headers are not meant to be pretty or easy to understand, but typically the last "received from" line will tell you the IP address and possibly the machine name that the mail may have originated from. In our example above, it may be easy to identify Peter's machine by his IP address or his machine name ... or that information may still be hidden.
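As an added example (not part of the original article), this Python code reads the "Received" lines of a message oldest-first for the Peter/Paul/Mary scenario and marks which hop was recorded by the recipient's own mail server. The header text, host names, addresses and the `my_server` parameter are all constructed for illustration.

```python
import email
import ipaddress
import re

# Constructed headers for the Peter/Paul/Mary scenario (not a real message).
# Names and addresses are placeholders from reserved example ranges.
SAMPLE = """\
Received: from mail.isp.example (mail.isp.example [198.51.100.25])
\tby mx.mary.example with ESMTP; Mon, 5 Jan 2004 10:00:07 -0800
Received: from peters-pc (unknown [203.0.113.77])
\tby mail.isp.example with SMTP; Mon, 5 Jan 2004 10:00:02 -0800
From: Paul <paul@paul.example>
To: Mary <mary@mary.example>
Subject: hi

"""

HOP_RE = re.compile(r"from\s+(\S+).*?\[([0-9A-Fa-f.:]+)\].*?\bby\s+([^\s;]+)", re.S)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def received_hops(raw, my_server):
    """Return hops oldest-first; each is a dict describing one Received line."""
    msg = email.message_from_string(raw)
    hops = []
    # Every server prepends its own line, so the bottom-most one is the oldest.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(value)
        if not m:
            continue  # no bracketed address recorded on this hop
        try:
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # bracketed text was not an IP address
        hops.append({
            "claimed_name": m.group(1),  # name the sender announced; unverified
            "ip": str(ip),               # address the receiving server saw
            "recorded_by": m.group(3),
            # Only our own server's line is known genuine; older ones may be forged.
            "trusted": m.group(3).lower() == my_server.lower(),
            # A private address says nothing about location on the internet.
            "private": any(ip in net for net in RFC1918),
        })
    return hops

if __name__ == "__main__":
    print("From (unverified):", email.message_from_string(SAMPLE)["From"])
    for hop in received_hops(SAMPLE, "mx.mary.example"):
        print(hop)
```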