Helping people with computers... one answer at a time.

Email viruses come from many sources, usually from other machines infected with a virus. There are clues in email headers, but that's often incomplete.

Today I got a message that I had received two Emails in my box with a virus ... But where [do they] come from?

There's no 100% reliable way to tell who really sent you the virus. The only thing that's likely is that your email address or the address of an email list you are a member of is contained in an address book on the machine that sent it to you, and that that machine is a Windows machine. As to who's machine that might be, you can get clues from the more detailed email headers that you typically don't see, but even then it's often difficult to tell.

This virus and many recent viruses work by emailing a copy to everyone it finds in the address books it finds on infected machines. It also spoofs, or fakes, the "From:" address, to hide where the email is coming from. It looks like this virus uses only certain "from" addresses, but others will actually use other addresses found in the infected machines address book.

"From spoofing" is a little confusing so let's whip up an example.

Peter has both Paul and Mary in his email address book. Paul and Mary do not know each other and have never emailed each other. Unfortunately, Peter's computer becomes infected with one of the viruses we're talking about. The virus starts emailing itself to everyone in Peter's address book and also uses the address book to make fake "from" addresses. As a result, Peter's computer sends email to Mary that looks like it's "from" Paul, even though Paul had nothing whatsoever to do with it. If Mary believes the "from" address, she may get upset with Paul for "sending" her the virus but her anger is misplaced - it's Peter's machine that's infected.

If we take a look at the email header information that comes with each email message, we may be able to track the source a little better. The header information I'm talking about is information that many email clients don't show you by default. As an email message gets passed from computer to computer each will add a informational line to the header saying when the message was received and from what IP address. The first of those should be from the machine that sent the email in the first place.

Unfortunately it's not always that simple. For example a broadband router, firewall, or proxy server can mask a machine's address on the internet. In addition, some of the virii take steps to obscure or spoof the header information.

Outlook and Outlook express are both common mailers as well as common virus targets that hide the headers by default. If you want to have a look at the headers I'm talking about:

Outlook: Right click on the message in the message list and select Options. In the default pain of the options dialog is a box labeled "Internet Headers". The box is almost always smaller than the accumulated header information, so you may want to copy/paste the headers into notepad to view.

Outlook Express: Right click on the message in the message list and select Properties and then on the "Details" tab. The details tab contains the internet headers.

The headers are not meant to be pretty or easy to understand but typically the last "received from" line will tell you the IP address and possibly the machine name that the mail may have originated from. In our example above, it may be easy to identify Peter's machine by his IP address or his machine name ... or that information may still be hidden.

The virus that triggered this question was w32.sober@mm, which you can read more about here at Symantec's site. (They're my recommended virus reference site.)

Article C1857 - November 2, 2003 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

March 10, 2004 6:10 AM

What's the cure? I've already run my virus updates and virus checker - it found absolutely nothing! But all my email contacts are getting being used all over with these fake attachments. Is there any way to protext your address book from being seen by the hackers? Yes, I do have a Norton Personal Firewall and it is set from medium to high depending on where I'm surfing.



March 10, 2004 9:47 AM

Also make sure your email program is fully up-to-date with its latest patches. You didn't say what you're using, but Outlook and Outlook express are the normal targets for these viruses. Outlook can be updated at Office Update, and Outlook Express gets updated via Windows Update, both at

Also know that you didn't need to have the virus to have your email address be abused. I've never been infected with an email virus, and yet I get bounces because of the MyDoom and related viruses all the time. This happens because of SPAM lists, your address in other people's address books (where *they* get infected), and some varients of the virus that even spread the addresses around as they infect, or so I'm told.

It really sucks.

This article may also help explain:



November 27, 2005 5:40 PM

I have scanned all workstations and havent been able to track down the W32.Sober@MM virus. I'm still not sure if our company has the virus since no one claims that they have actually opened the attachment but we are still receiving alot of the W32.Sober@MM emails in our Outlook Inbox. Any idea on how to stop receiving the W32.Sober@MM emails?



December 15, 2005 11:35 AM

Do you use Fortinet? It strips all the infected messages of the virus and simply leaves a text file telling you the malicious file is gone and why. It is probably the best email virus scanner for offices.

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to to ask your question.