Is it possible to trace source of messages bearing Netsky.R or .Q?

Richard Price

One of my email accounts has been getting a steady stream of messages
for months, infected with what NOD32 calls Win32/Netsky.R (AKA
W32/Netsky-Q or similar by some AV vendors). Not a problem, obviously,
since my AV is stopping them, but if they're all coming from one place
I'd like to let that person know they are infected (presumably it could
be someone I know, who has my address on their PC). Is there any way of
tracing the true source, as opposed to the spoofed From address? I
looked at the headers for a couple of samples but couldn't see anything
obvious.

Richard Price
 
Vanguard

Richard Price said:
> One of my email accounts has been getting a steady stream of messages
> for months, infected with what NOD32 calls Win32/Netsky.R (AKA
> W32/Netsky-Q or similar by some AV vendors). Not a problem, obviously,
> since my AV is stopping them, but if they're all coming from one place
> I'd like to let that person know they are infected (presumably it could
> be someone I know, who has my address on their PC). Is there any way of
> tracing the true source, as opposed to the spoofed From address? I
> looked at the headers for a couple of samples but couldn't see anything
> obvious.
>
> Richard Price


Trace through the Received headers (but be aware that some spammers will
insert a bogus Received header, so you trace back until and if you hit a
bogus one). Since you didn't provide an example of the message (with
your personal data munged out), you'll get vague responses to a vaguely
described e-mail. The folks over at alt.spam might have more expertise
regarding the interrogation of e-mail headers.
 
Virus Guy

Richard said:
> Is there any way of tracing the true source, as opposed to the
> spoofed From address? I looked at the headers for a couple of
> samples but couldn't see anything obvious.

Post the header (or at least the first few lines).

Remove any self-identifying text.

The IP address of the sender is what's useful. If the e-mail is
coming from someone you know (ie they have your e-mail address in
their address list) then it's possible to identify them based on the
IP address. They won't know their computer is sending it to you.
 
Ernie B.

> One of my email accounts has been getting a steady stream of messages
> for months, infected with what NOD32 calls Win32/Netsky.R (AKA
> W32/Netsky-Q or similar by some AV vendors). Not a problem, obviously,
> since my AV is stopping them, but if they're all coming from one place
> I'd like to let that person know they are infected (presumably it could
> be someone I know, who has my address on their PC). Is there any way of
> tracing the true source, as opposed to the spoofed From address? I
> looked at the headers for a couple of samples but couldn't see anything
> obvious.
>
> Richard Price

Try going to <http://www.dnsstuff.com/>. Look in the header of your
mail, find the first IP address and paste it into the WHOIS window.
The address will be in the form of: "Received: from outbound-
mail.lax.untd.com ([64.136.28.164])" and WHOIS will tell you that the
IP address belongs to juno.com. Your mail server received the mail
from there.

If there is a different IP address below that one then repeat the
process. That will be the IP address that forwarded or relayed the
mail. HTH...
 
Virus Guy

Ernie B. said:
> Look in the header of your mail, find the first IP address
> and paste it into the WHOIS window.
> The address will be in the form of: "Received: from outbound-
> mail.lax.untd.com ([64.136.28.164])" and WHOIS will tell you that
> the IP address belongs to juno.com. Your mail server received
> the mail from there.
>
> If there is a different IP address below that one then repeat
> the process. That will be the IP address that forwarded or
> relayed the mail.

Tracing back the IP address beyond the first "received" line is
frequently a waste of time because they are forged.

For example, here is the header from a recent spam I received:

--------------
Return-Path: <[email protected]>
Received: from [see note 1 below] ([66.168.108.8]) by
your-email-server.com (the version of SMTP
software here) with other shit like SMTP id
AAA247; Sat, 2 Jul 2005 06:33:31 -0400
Received: from ham-2101.ruthless.webtv.net (36.107.21.244)
by falsify-2101.rockabye.webtv.net with scan-SMTP;
Sat, 02 Jul 2005 12:25:56 +0100
Date: Sat, 02 Jul 2005 06:32:56 -0500
Message-ID: <[email protected]>
From: "Tory Charles" <[email protected]>
To: <[email protected]>
Subject: RE: your private invitation Gracie
X-Originating-IP: [216.175.86.44]
X-Mailer: Forte Agent 1.91/32.564
---------------

note 1:
What you see in the square brackets is not to be trusted. Frequently
it will be a forged machine.name@domain, or a forged IP address.
Sometimes it will even be the IP address of your own e-mail server (as
was the case in the above example).

The key is what you see in the first Received line. The IP address
(66.168.108.8) must reverse to match what is in the square brackets
immediately preceding it. In the above case, a reverse lookup
(nslookup) of 66.168.108.8 fails. I'm not aware of any legitimate
e-mail server where a reverse lookup on its IP address fails. If I
want to know who owns this IP address, I'll go to www.arin.net and
type it in. In this case it's Charter Communications (not really a
surprise, as they seem to be doing nothing to block port-25 e-mail
sending of infected customer computers).

Because of the inconsistencies in the first Received line, the second
Received line is completely bogus and is designed to confuse and
mislead. Lots of other clues that the header has been massively
forged, like seeing "comcast" in the message ID, and seeing yet
another IP address in the "X-originating-IP" line.

If the text in the square brackets of the first Received line matched
the IP address in the first line, and if they both indicated a legit
e-mail server (ie "mail.snanet.co.uk" in this case) then I would look
to the second received line for more specific info about the identity
of the source of the e-mail.

In the case of viral e-mails, it is highly unlikely that the e-mail is
being sent through a legit e-mail server (they are all scanning
attachments these days). Viral e-mail is almost always being sent
directly from the infected computer without going through the ISP's
e-mail server, in which case you only need to look at the first
Received line to figure out where it's coming from.
 
Ernie B.

> Tracing back the IP address beyond the first "received" line is
> frequently a waste of time because they are forged.

Sometimes true, sometimes the mail is routed through a second server.

I was trying to answer the question posed in the thread subject; "Is
it possible to ...". It is, with the right tools, unless the mail is
routed through a blind relay sometimes called a "zombied computer".

> For example, here is the header from a recent spam I received:

See comments in "note 1".

> your-email-server.com (the version of SMTP
> software here) with other shit like SMTP id
> AAA247; Sat, 2 Jul 2005 06:33:31 -0400
> Received: from ham-2101.ruthless.webtv.net (36.107.21.244)

IP 36.107.21.244 is an IANA reserved address. Everything below here
is probably bogus.

> by falsify-2101.rockabye.webtv.net with scan-SMTP;
> Sat, 02 Jul 2005 12:25:56 +0100
> Date: Sat, 02 Jul 2005 06:32:56 -0500
> Message-ID: <[email protected]>
> From: "Tory Charles" <[email protected]>
> To: <[email protected]>
> Subject: RE: your private invitation Gracie
> X-Originating-IP: [216.175.86.44]

This could be accurate. IP 216.175.86.44 is
user-vcaulhc.dsl.mindspring.com so I would forward the spam to
(e-mail address removed).

> X-Mailer: Forte Agent 1.91/32.564

That's called the "canonical name" of the IP address.

> Frequently
> it will be a forged machine.name@domain, or a forged IP address.
> Sometimes it will even be the IP address of your own e-mail server (as
> was the case in the above example).

Most times a reverse DNS on the first IP address fails because the
sending server isn't configured correctly.

> The key is what you see in the first Received line. The IP address
> (66.168.108.8) must reverse to match what is in the square brackets
> immediately preceding it.

The receiving server, "your-email-server.com", knows the IP address
of the computer that called it, doesn't care much about the canonical
name. I don't know the percentage of servers that check the
canonical name against that received but I doubt that it's very
large.

> In the above case, a reverse lookup
> (nslookup) of 66.168.108.8 fails. I'm not aware of any legitimate
> e-mail server where a reverse lookup on its IP address fails.

Yep, it does. As above, the most common reason is that the sending
server is misconfigured.

> If I
> want to know who owns this IP address, I'll go to www.arin.net and
> type it in. In this case it's Charter Communications (not really a
> surprise, as they seem to be doing nothing to block port-25 e-mail
> sending of infected customer computers).

That's the next step all right. Arin.net works fine for American
servers but try this IP address: 194.158.104.67. You will be
directed to the RIPE whois since the IP is located in France.

IMO a better tool is Sam Spade, <http://www.samspade.org/>. You can
either use the tools on that page in a manner similar to dnsstuff or
download the Windows version (free) from
<http://www.samspade.org/ssw/>. Configuration is easy enough, the
biggest hurdle is to enter the IP address of your ISP's default name
server.

> Because of the inconsistencies in the first Received line, the second
> Received line is completely bogus and is designed to confuse and
> mislead.

Quite often but not always. As above, again, the sending server
could be misconfigured.

> Lots of other clues that the header has been massively
> forged, like seeing "comcast" in the message ID, and seeing yet
> another IP address in the "X-originating-IP" line.

Those can be clues but the entire header must be studied to find out
where the relay happened.

> If the text in the square brackets of the first Received line matched
> the IP address in the first line, and if they both indicated a legit
> e-mail server (ie "mail.snanet.co.uk" in this case) then I would look
> to the second received line for more specific info about the identity
> of the source of the e-mail.

Um, the IP address for "mail.snanet.co.uk" is 212.67.202.41. IP
36.107.21.244 is an IANA reserved IP address, which would be a clue
that anything below it is bogus. IP 216.175.86.44 is a mindspring
dsl user so the "X-Originating-IP:" might be accurate.

Working your way down the chain will usually get you to the ISP and
you can then get in touch with their abuse address.

> In the case of viral e-mails, it is highly unlikely that the e-mail is
> being sent through a legit e-mail server (they are all scanning
> attachments these days).

It's still received from a legit server. I understand that some
trojans install their own mail server on the invaded computer but it
still has to connect to the Internet. The first IP address is all
that can be traced sometimes.

We all hope that our ISP is scanning attachments but I wouldn't
depend on it very much. That's another reason for safe hex; don't
open attachments from unknown senders.

> Viral e-mail is almost always being sent
> directly from the infected computer without going through the ISP's
> e-mail server, in which case you only need to look at the first
> Received line to figure out where it's coming from.

Sometimes true but it's good exercise to do a little digging.
 
Virus Guy

When looking at the first received line:

- the ip address after the canonical name is the last true source
of the e-mail. That is the machine that sent the e-mail to
your server, which you probably grabbed using a pop client (or
a web-based mail reader).

- If nslookup on the ip (above) fails, most likely the computer
using that ip is not a real mail server but has been "trojaned"
or "zombified" to directly send e-mail (ie smtp engine). If
the e-mail being sent has practically no body, and includes
an attachment that is viral, then the machine is not being
used as a proxy but instead either was infected with a pre-
crafted e-mail list (to send to) or is scanning the infected
computer for anything resembling an e-mail address in any or
all likely source files. If a whois or arin (or ripe, or...)
shows that the ip belongs to a residential DSL or cable ISP,
(and the domain in the "from:" or "reply-to:" doesn't match
the whois) then it's 100% certain that the computer sending
the e-mail is not a legit e-mail server.

- if the canonical name is not a name but instead an ip address,
and if it's the ip address of the *receiving* server (ie your
server), then we have the same situation described above
(the computer is trojanized and is not a legit smtp server).

- if everything points to the sending "server" being an
infected computer, and if there are second or third
received lines, then they will be forged and certainly
they will not contain valid information. The logic behind
this is that if a hacker is directing spam (or viruses)
through the infected machine, he will not have a
second received line contain correct information that
points back to him and his computer as the source of
the e-mail. He wants to break the linkage of where the
e-mail really came from (if indeed it really did come from
some alternate machine originally, which a lot of spam
probably does, but rarely viral e-mail).

Again, still looking at the first received line:

- if the canonical name and the ip match (ie if, say, the
canonical name is "mail.ucla.edu" and the ip address comes
back as belonging to ucla) and if an nslookup on the ip
also comes back with "mail.ucla.edu" or close to it,
then we can be reasonably certain that (a) the e-mail
came from ucla and (b) that it actually came from a legit
e-mail server at ucla. In which case there must be a
second received line (which may or may not include a
canonical name or even ip address of the ultimate source
of the e-mail).

Spam has exploded since 2002, and has grown roughly with the number of
residential DSL or high-speed cable customers, which also coincides
with the appearance of cheap home computers that came with Windows XP
pre-installed. Windows XP, as it came "out of the box" in 2001
through 2003, could be infected in at most 5 minutes of being
connected to a residential high-speed network.

Up until maybe 6 months ago, it was the rule that these infected
machines (the ones that sent spam) sent it directly to the destination
servers (they did not send their spam via the smtp servers of the ISP
that was connecting them to the internet). They could do this because
the ISP wasn't blocking port-25 packets from the infected machines to
the internet at large. There has been increasing pressure on ISPs to
lock-down port-25 and prevent these packets from getting past the
ISP's network. If the ISPs (like comcast, road runner, charter,
shaw, etc) smarten up and put port-25 blocking into place, then the
spammers/hackers will have no choice but to have the infected
computers send spam through the ISP's own servers. That is when you
will have to look at the second received line in the header to
identify the machine that was the source of the spam (or virus). But
spam or viruses sent this way will be few and far between if the ISPs
have decent software to identify the e-mail as spam or viral.

In my experience, the reception of viral e-mail (when it happens)
comes from the same machine (which usually means a somewhat constant
IP address) and will usually happen once or twice a day (multiple
times a day is rare). The ip address in the first received line will
tell you where it's coming from (ie it will either be residential or
institutional, you may be able to identify the city and certainly the
country of origin, and based on this you may know who in that city or
country has your e-mail address somewhere on their computer, and you
may have legitimate e-mail from them where you can compare the IP
addresses). If you receive enough of these viral e-mails, and you
build up a list of the "from:" addresses, you may be able to identify
the sender based on the commonality of the from names being used. In
some cases I have sent an e-mail to all the "from:" names asking them
if they know who (in city X or country Y) we all have in common.

If you have control over your e-mail server, the last resort is to
block the IP address (or sub-net) of the computer sending the viral
e-mail. Again this is the ip address in the first received line.
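The checks Ernie B. and Virus Guy describe above (take the peer IP from the topmost Received line, require its reverse DNS to resolve and to match the claimed name, treat everything below a bogus hop as forged, and be suspicious when the claimed name is your own server's address or your own domain) fit in a short script. This is an added example, not code posted by anyone in this thread. It is Python; its two header samples are constructed (the first reuses only the 66.168.108.8 peer address from Virus Guy's forged header and otherwise uses example.org/example.net names and RFC 5737 documentation addresses, the second carries the single Received line from the Netsky notification Richard posts further down, with the recipient munged); and the DNS lookups are replaced by in-memory tables whose only entry is the dsl-80-41-163-140.access.as9105.com reverse name reported later in the thread, so it runs offline. Passing real resolvers (for instance wrappers around socket.gethostbyaddr and socket.gethostbyname_ex) in place of the tables is an assumption about how one would use it, not something the thread describes.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from email import message_from_string
from typing import Optional

RECEIVED_RE = re.compile(
    r"from\s+(?P<name>\S+)"            # name the client announced, freely forgeable
    r"(?:\s+\((?P<paren>[^)]*)\))?"    # "(rdns-name [ip])" or "(ip)" written by the receiver
    r"\s+by\s+(?P<by>\S+)",            # the server that wrote this line
    re.IGNORECASE,
)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Offline stand-ins for nslookup (assumption: the thread used live DNS); the only
# entry is the reverse name reported in the thread, every other lookup fails.
RDNS_TABLE = {"80.41.163.140": "dsl-80-41-163-140.access.as9105.com"}
FORWARD_TABLE = {"dsl-80-41-163-140.access.as9105.com": {"80.41.163.140"}}

# Constructed sample modelled on the forged header quoted in the thread: only the
# 66.168.108.8 peer address is kept; the claimed name is the (constructed)
# receiving server's own address and the second hop uses an RFC 5737 address.
FORGED_SAMPLE = """\
Received: from [192.0.2.10] ([66.168.108.8]) by mx.example.org
    (SMTP software here) with SMTP id AAA247; Sat, 2 Jul 2005 06:33:31 -0400
Received: from ham-2101.example.net (192.0.2.44)
    by relay.example.net with SMTP; Sat, 02 Jul 2005 12:25:56 +0100
"""

# Constructed sample with the single Received line of the Netsky notification
# posted further down the thread (recipient munged).
NOTIFICATION_SAMPLE = """\
Received: from ukgateway.net (80.41.163.140) by
    mk-cpfrontend.uk.tiscali.com (7.2.034.7)
    id 427BE477033FB917 for user@ukgateway.net; Thu, 30 Jun 2005 20:39:16 +0100
Subject: [virus Win32/Netsky.R worm] Unknown Exception (user@ukgateway.net)
"""


@dataclass
class Hop:
    claimed_name: str                      # HELO name, brackets stripped
    ip: Optional[ipaddress.IPv4Address]    # peer address the receiver recorded
    by: str                                # server that wrote the line
    findings: list = field(default_factory=list)
    trusted: bool = True


def parse_received_chain(raw_message: str) -> list:
    """Hops topmost-first (last relay first); folded lines are unfolded and
    Received lines without a 'from ... by ...' clause are skipped."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(str(value).split()))
        if not m:
            continue
        ip_match = IPV4_RE.search(m.group("paren") or m.group("name"))
        ip = ipaddress.IPv4Address(ip_match.group(1)) if ip_match else None
        hops.append(Hop(m.group("name").strip("[]"), ip, m.group("by")))
    return hops


def analyze_chain(hops, my_server_ips, my_domains, rdns=RDNS_TABLE.get,
                  forward=lambda name: FORWARD_TABLE.get(name, set())):
    """The thread's checks hop by hop; once a hop fails, everything below it was
    supplied by an untrustworthy peer. rdns(ip) -> PTR or None; forward(name) -> IPs."""
    chain_broken = False
    for i, hop in enumerate(hops):
        if i == 0 and hop.ip is not None:
            hop.findings.append(f"{hop.ip} is the last true source: it connected to your server")
        if chain_broken:
            hop.trusted = False
            hop.findings.append("below a forged hop: contents cannot be relied on")
            continue
        if hop.ip is None or not hop.ip.is_global:
            hop.findings.append(f"recorded address {hop.ip} is missing or not publicly routable")
            hop.trusted = False
            chain_broken = True
            continue
        if hop.claimed_name in my_server_ips:
            hop.findings.append("sender claimed to be the receiving server itself")
        if hop.claimed_name.lower() in my_domains:
            hop.findings.append("sender claimed the recipient's own domain as its name")
        ptr = rdns(str(hop.ip))
        if ptr is None:
            hop.findings.append("reverse DNS fails: likely a direct-sending infected host")
            chain_broken = True
        elif str(hop.ip) not in forward(ptr):
            hop.findings.append(f"reverse name {ptr} does not resolve back to {hop.ip}")
            chain_broken = True
        elif ptr.lower() != hop.claimed_name.lower():
            hop.findings.append(f"claimed {hop.claimed_name} but reverse DNS says {ptr}")
    return hops


def true_source(hops) -> Optional[str]:
    """The address your own server recorded: the only one you can act on."""
    return str(hops[0].ip) if hops and hops[0].ip is not None else None
```

Run over the constructed forged sample (`analyze_chain(parse_received_chain(FORGED_SAMPLE), {"192.0.2.10"}, {"example.org"})`), the first hop comes back as the true source, 66.168.108.8, flagged both for announcing the receiving server's own address and for failing reverse DNS, and the second hop is marked untrusted. The notification sample yields a single hop whose claimed name, ukgateway.net, is the recipient's own domain while its reverse name is the as9105.com DSL host, which is the same reading Virus Guy reaches from the live lookup later in the thread.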
 
Richard Price

Virus Guy said:
> Post the header (or at least the first few lines).
>
> Remove any self-identifying text.
>
> The IP address of the sender is what's useful. If the e-mail is
> coming from someone you know (ie they have your e-mail address in
> their address list) then it's possible to identify them based on the
> IP address. They won't know their computer is sending it to you.

Here's the headers of one such message, as requested. I didn't think
they gave much of a clue, but I may well be wrong. (Thanks also for the
very full information you've provided further down this thread.)

Return-Path: <[email protected]>
Original-Recipient: rfc822;****@ukgateway.net
Received: from ukgateway.net (80.41.163.140) by
mk-cpfrontend.uk.tiscali.com (7.2.034.7)
id 427BE477033FB917 for ****@ukgateway.net; Thu, 30 Jun 2005
20:39:16 +0100
Message-ID: <[email protected]>
(added by (e-mail address removed))
From: (e-mail address removed)
To: ****@ukgateway.net
Subject: [virus Win32/Netsky.R worm] Unknown Exception
(****@ukgateway.net)
Date: Thu, 30 Jun 2005 20:39:11 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0016----=_NextPart_000_0016"
X-Priority: 1
X-MSMail-Priority: High
X-NOD32Result: Infected, Win32/Netsky.R worm


Richard Price
 
Virus Guy

Richard said:
> Here's the headers of one such message, as requested. I didn't
> think they gave much of a clue, but I may well be wrong. (Thanks
> also for the very full information you've provided further down
> this thread.)
>
> Return-Path: <[email protected]>
> Original-Recipient: rfc822;****@ukgateway.net
> Received: from ukgateway.net (80.41.163.140) by
> mk-cpfrontend.uk.tiscali.com (7.2.034.7)

If I read this correctly, 80.41.163.140 is the source, and
ukgateway.net is the claimed canonical name for that machine.

That ip address is assigned to:

Tiscali UK Limited
20 Broadwick Street
W1F 8HT
London, United Kingdom
phone: +44 207 087 2000
fax-no: +44 207 087 2295

Concerning abuse and spam
mailto: (e-mail address removed)

nslookup says the canonical is: dsl-80-41-163-140.access.as9105.com
(which on first glance looks like a DHCP-assigned residential rDNS).

http://www.as9105.com comes back asking for name and password
(interesting).

The domain as9105.com was registered by Tiscali UK. Technical contact
for that domain is:

Hostmaster Role Account (HR00007-TR)
Tiscali UK Ltd
20 Broadwick Street, London
W1F 8HT, UK
phone: +44.2070872000
fax: +44.2070872295

A web-based service that gives the geographic location of a given ip
address (which arguably has questionable accuracy) gives the following
as the location of that ip address:

City: Gloucester
Country: United Kingdom

Using: http://www.geobytes.com/IpLocator.htm?GetLocation

It appears that your e-mail address is (e-mail address removed). The
machine sending the e-mail obviously crafted the canonical name to
match the domain of your own e-mail address (ukgateway.net).

You should look at the headers of some legit e-mail that you have from
other people. I suspect that you will also see the same thing on the
first few lines of the header as this one is showing.

But is there a connection between uk.tiscali.com and ukgateway.net?

Well, a whois on ukgateway.net returns the following:

Domain servers in listed order:
NS0.TISCALI.CO.UK 212.74.114.132
NS0.AS9105.COM 212.139.129.130

So yes there is a connection.

So we do not know the true source of the viral e-mail you are
receiving because the full header of the viral e-mail is not being
delivered to you. The e-mails you are receiving is coming from your
own e-mail server, telling you that ->it<- is receiving viral e-mail
destined for you. It is not reproducing the full header of the
original viral e-mail.

You should either phone the following phone numbers and / or send an
e-mail to the following address and explain the situation:

Tiscali UK Limited
20 Broadwick Street
W1F 8HT
London, United Kingdom
phone: +44 207 087 2000
fax-no: +44 207 087 2295

Concerning abuse and spam
(e-mail address removed)
 
Vanguard

Richard Price said:
> Virus Guy said:
>> Post the header (or at least the first few lines).
>>
>> Remove any self-identifying text.
>>
>> The IP address of the sender is what's useful. If the e-mail is
>> coming from someone you know (ie they have your e-mail address in
>> their address list) then it's possible to identify them based on the
>> IP address. They won't know their computer is sending it to you.
>
> Here's the headers of one such message, as requested. I didn't think
> they gave much of a clue, but I may well be wrong. (Thanks also for the
> very full information you've provided further down this thread.)
>
> Return-Path: <[email protected]>
> Original-Recipient: rfc822;****@ukgateway.net
> Received: from ukgateway.net (80.41.163.140) by
> mk-cpfrontend.uk.tiscali.com (7.2.034.7)
> id 427BE477033FB917 for ****@ukgateway.net; Thu, 30 Jun 2005
> 20:39:16 +0100
> Message-ID: <[email protected]>
> (added by (e-mail address removed))
> From: (e-mail address removed)
> To: ****@ukgateway.net
> Subject: [virus Win32/Netsky.R worm] Unknown Exception
> (****@ukgateway.net)
> Date: Thu, 30 Jun 2005 20:39:11 +0100
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
> boundary="----=_NextPart_000_0016----=_NextPart_000_0016"
> X-Priority: 1
> X-MSMail-Priority: High
> X-NOD32Result: Infected, Win32/Netsky.R worm


Your IP address in your posts is 82.32.27.169 which is allocated to
Telewest/Blueyonder. Yet the ukgateway.com (what the sender claimed was
their ID for their sending host), their IP address of 80.41.163.140, and
your claimed e-mail address with domain ukgateway.com are all properties
of Tiscali UK. You post from Blueyonder but your e-mail is back on
Tiscali?

The ukgateway.net domain is registered to Gateway, Inc which looks to be
the Gateway computer manufacturer in California, USA; see
http://www.networksolutions.com/en_...0SWUCWMEAPSFEY?whoistoken=0&_requestid=334378.
The nameservers listed for that UK domain registration show they are
using Tiscali which is also your mail service (according to the "by"
host in the topmost prepended Received header). The Message-ID for the
sender also shows Tiscali. So you have a user on the same domain as you
(if your munged e-mail is correct) sending you e-mail. Use the
Message-ID to report abuse to the sender's e-mail provider (actually
send the entire e-mail, with all headers but minus any attachments, to
Tiscali).

From a reverse DNS lookup on 80.41.163.140, I get
dsl-80-41-163-140.access.as9105.com. as9105.com is also registered to
Tiscali. A traceroute on 80.41.163.140 goes through tiscali.net before
hitting their as9105.net domain. If webadvice is not a username that
you recognize then report the infected e-mails to Tiscali. At
senderbase.com, 80.41.163.140 doesn't show a huge amount of traffic.
The sender is a dynamic IP addressed source
(http://www.njabl.org/cgi-bin/lookup.cgi?query=80.41.163.140). Gateway
wouldn't be using dial-up or cable/DSL connected hosts to send out
newsletters.

I suspect the ukgateway.com is bogus in the Received header since that
is the value the e-mail client gets to put into that header in
identifying itself (so it can obviously lie or use whatever it wants).
The 80.41.163.140 for the sending mail server is allocated to Tiscali UK
and its rDNS which is on as9105.com is also registered to Tiscali UK.
So send the abuse report to Tiscali UK ([email protected] and
(e-mail address removed) are both listed by abuse.net).
 
Richard Price

[snip lots of good stuff]

> So we do not know the true source of the viral e-mail you are
> receiving because the full header of the viral e-mail is not being
> delivered to you. The e-mails you are receiving is coming from your
> own e-mail server, telling you that ->it<- is receiving viral e-mail
> destined for you. It is not reproducing the full header of the
> original viral e-mail.

That's what I thought, and presumably it's just part of the 'clever' way
Netsky.R (AKA Q) works. With hindsight, perhaps I chose a poor /
confusing example to post, since it happens to come from uk.tiscali.com
which is related to 'my' (email) domain ukgateway.net as you rightly
point out. Most of these viral messages have come from unrelated
domains - unfortunately I've deleted them all irretrievably, so I'll
take a careful look at the next one that comes in to see whether I can
learn more from that.

> You should either phone the following phone numbers and / or send an
> e-mail to the following address and explain the situation:

I was assuming that because the true source is probably not one of their
customers they wouldn't be interested - and that the same would apply to
the dozen(s) of ISPs corresponding to the spoofed origins of all the
other samples I've received. But you're right, it's at least worth a
try.

Thanks for all your help,

Richard Price
 
Richard Price

Vanguard said:
> Your IP address in your posts is 82.32.27.169 which is allocated to
> Telewest/Blueyonder. Yet the ukgateway.com (what the sender claimed was
> their ID for their sending host), their IP address of 80.41.163.140, and
> your claimed e-mail address with domain ukgateway.com are all properties
> of Tiscali UK. You post from Blueyonder but your e-mail is back on
> Tiscali?

Yes, several ukgateway.net addresses and a dialup account came free with
my Gateway PC. When Gateway pulled out of retail sales in the UK they
handed these accounts over to Tiscali, but the email addresses didn't
change. When I switched to Blueyonder broadband I kept the same email
addresses for convenience - there's no problem accessing the Tiscali
POP3 server for incoming mail, over my Blueyonder connection, and I post
to the Blueyonder SMTP server with my ukgateway.net address in the From
field. I assume that's all pretty standard practice for people who've
had more than one ISP.

[snip lots of good stuff]

> I suspect the ukgateway.com is bogus in the Received header since that
> is the value the e-mail client gets to put into that header in
> identifying itself (so it can obviously lie or use whatever it wants).
> The 80.41.163.140 for the sending mail server is allocated to Tiscali UK
> and its rDNS which is on as9105.com is also registered to Tiscali UK.
> So send the abuse report to Tiscali UK ([email protected] and
> (e-mail address removed) are both listed by abuse.net).

As I mentioned in my reply to Virus Guy I wasn't sure they'd be
interested, but perhaps it is worth a try.

Thanks,

Richard Price
 
Virus Guy

Richard said:
> That's what I thought, and presumably it's just part of the
> 'clever' way Netsky.R (AKA Q) works.

Well, it's got nothing to do with Netsky.

Your e-mail server (ukgateway, or Tiscali) detected the virus in the
original e-mail and it essentially discarded the e-mail and generated
its own message telling you it detected a virus in an e-mail destined
for you. Presumably it will (and has) been doing the same thing for
all viral e-mails where it successfully detected the virus in the
e-mail.

The only time a viral e-mail will get through to you (unmolested, with
a traceable header) is when your e-mail server fails to detect the
attachment as viral.

PS: Unless I'm wrong, it appears that your e-mail is passing through
a US-based machine at some point in its path to you. This means that
under the US Patriot act, your e-mail can be scrutinized by US law
enforcement agencies with minimal to no justification or judicial
authorization needed.
 
Richard Price

Virus Guy said:
> Well, it's got nothing to do with Netsky.
>
> Your e-mail server (ukgateway, or Tiscali) detected the virus in the
> original e-mail and it essentially discarded the e-mail and generated
> its own message telling you it detected a virus in an e-mail destined
> for you. Presumably it will (and has) been doing the same thing for
> all viral e-mails where it successfully detected the virus in the
> e-mail.
>
> The only time a viral e-mail will get through to you (unmolested, with
> a traceable header) is when your e-mail server fails to detect the
> attachment as viral.

I'm a little puzzled by that. Surely if the mail server is bothering to
detect and modify viral emails, that modification would include
stripping out the virus itself? But these messages are all identified by
NOD32 as infected with Win32/Netsky.R. Also if I view the message
through a webmail service before downloading (so before NOD32 gets at
it) I can see the MIME encoded payload, and if I save that to a text
file then scan it, NOD32 again identifies it as Netsky.

NOD32 does modify the subject line, adding the prefix "[virus
Win32/Netsky.R worm]". Before that modification the Subject *looks* a
bit like something a mail server might add, e.g. my last three (munged)
were:
Error (****@ukgateway.net)
Unknown Exception (****@ukgateway.net)
Delivery Bot (****@ukgateway.net)

However these are in fact generated by the Netsky.R worm itself, as
documented e.g. here:
http://www.viruslist.com/en/viruses/encyclopedia?virusid=48623

That's why I assumed, perhaps wrongly, that any concealment of the true
source in the headers was also the work of Netsky.

I now have three samples to look at and the headers all follow a similar
pattern. The 'from' IP address in the Received header varies but all
three (80.41.162.227, 80.41.163.140 and 212.139.94.43) do seem to belong
to Tiscali, so I shall take it up with them as you suggested previously.


Richard Price
 
