Skip to main content

How do you identify where a virus/worm email is coming from?

You may be informed by someone that their computer is mass mailing Contacts in their Address Book using their Email Address.  The person reporting the problem believes the email is coming from their computer because the From field of the email displays their email address.  In fact, the problem may not be on their computer.  Anyone can send an email using a spoofed From field.  Many Internet Service Providers attempt to prevent this but it is typically very easy to accomplish.  There are a variety of computer worms that mass mail contacts from a harvested Address Book using a spoofed From field.  The Address Book may be your Microsoft Outlook Express/Microsoft Windows Address Book, Microsoft Outlook Address Book or it may be a Webmail Address Book such as a Yahoo Mail Address Book.  The first thing to do is to pay special attention to the To: field of the email being sent.  You will want to determine which address book is being utilized.  This will help you with the second part which is determining where the email is being sent from.  It is possible that the email is not being sent from an infected home or business computer but rather from a compromised email account on a Mail Server.  You may only need to change your mail account password.
  1. In Outlook, double-click the spam email so that it opens up the email message.

  2. Click View and then Options.

  3. At the bottom is what is called the Message Header. In Outlook it is called Internet Headers. Highlight and copy the IP Address found after X-Originating-IP.

  4. Browse to the following website: http://www.dnsstuff.com/

  5. Paste the X-Originating-IP Address into the WHOIS Lookup.

  6. Click the arrow to perform the WHOIS Lookup.

  7. If the WHOIS Lookup returns as webmail.yahoo.com, this is an indication that you may need to change your Yahoo Mail Account password.  You may also need to contact Yahoo to inform them of the issue.  The WHOIS Lookup may instead return the mail server of your Internet Service Provider.  You may then need to change the password for your POP3/SMTP mail account with your Internet Service Provider.  If the WHOIS Lookup returns as your IP Address or possibly one used by a friend, you may need to remove the problem on the infected computer using Malwarebytes Anti-Malware,  Advanced System Care and Microsoft Security Essentials.  You may need to restore Microsoft Windows Security Center and Microsoft Windows Firewall to default settings and install all Microsoft Office and Microsoft Windows Updates. 
http://www.smartnetadmin.com
Labels:

Comments

Post a Comment

Popular posts from this blog

Access Denied (policy_denied). Your system policy has denied access to the requested URL. For assistance, contact your network support team.

While browsing the internet, you may encounter the message: "Access Denied (policy_denied).  Your system policy has denied access to the requested URL.  For assistance, contact your network support team."   This message indicates the internet traffic is being filtered.  The most common source of an internet traffic filter is in corporate environments that use a proxy server or a firewall appliance designed to filter web traffic.  Some businesses are configured as satellite locations using a VPN tunnel.  In these configurations, the VPN may be configured to filter internet traffic.  In rare instances, the Internet Service Provider is filtering internet traffic.  Typically though, your IT Department or a Network Management Team has configured your internet traffic to be filtered.  Isolating Source of Web Filtering In an environment that is unmanaged and the source of the filtering is unknown, following are some steps you may wish to peform: Th...
3 comments
Read more

Event ID: 7001 - Source: VSS - Unable to create a shadow copy

When using Microsoft Windows Server, you may encounter the error message: "Unable to create a shadow copy."  In the Event Viewer, you may find the following Event: "Event ID: 7001 - Source: VSS - Unable to create a shadow copy."  This event involves the Volume Shadow Copy Service (VSS).  Most likely the Server was rebooted while creating a Shadow Copy.  Many websites describe deleting or renaming the C:\WINDOWS\SYSTEM32\WBEM directory used by Windows Management Instrumentation to resolve this issue.  This is not correct.  Following are the steps to resolve this issue: Double-click My Computer. Right-mouse click the Hard Drive causing the problem. Click the Shadow Copies tab. Select the appropriate Volume. Click Disable. Click OK. Click Start - Control Panel - Administrative Tools - Scheduled Tasks. Delete all tasks related to the Volume Shadow Copy Service. Reboot the Server. Double-click My Computer. Right-mouse click the Hard Drive causing the problem. Cl...
Post a Comment
Read more

How do you stop an unstoppable Windows Service?

You may encounter a Windows Service in Services that has the buttons for Start, Stop, Pause and Resume greyed out.  If you attempt to stop the Service using sc stop [servicename], you encounter the error message: "The requested control is not valid for this service."  To resolve this issue, please perform the following steps: Click Start - Control Panel - Administrative Tools - Services. Double-click the relevant Service. Change the Service Start-Up Type to Disabled. Click Apply. Click OK. Hit CTRL-ALT-DEL on your keyboard. Select Task Manger. Perform an End Task on the relevant Service. This issue has been resolved. http://www.smartnetadmin.com
Post a Comment
Read more