
    RE: Virus sent last Thursday - Anyone use RoadRunner?



    Mark, 
    
    This has come up on this list before. There is a group of viruses that
    use addresses that they find on the infected computer as the from 
    address on the infected emails they send.  
    
    When people get an infected email, they should check to see where
    it really came from and not assume that it was really sent by the
    person in the from line. To do this for Outlook, one uses View
    Options which has a box containing the internet headers (not very 
    intuitive). 
    
    Regards,
    Pat
    
    -----Original Message-----
    From: Mark Bakke [mailto:mbakke@cisco.com]
    Sent: Tuesday, August 27, 2002 8:37 AM
    To: IPS
    Subject: Virus sent last Thursday - Anyone use RoadRunner?
    
    
    
    Sorry this is a bit off-topic, but I want to clear this up.
    
    Last Thursday I had received a lot of email responses from virus
    scanning software from recipients on the ips mailing list mentioning
    a virus that appeared to be sent by me.  Since I don't use Windows
    for email, it seemed odd that I could have sent anything.
    
    It turns out I didn't send it, but I want to figure out where it
    came from.
    
    Here's what happened.  The email to the ips list was sent from
    a machine at austin.rr.com (RoadRunner), with the From: line set
    to my address.  SMTP lets you do this; you can send an email that
    appears to be "From:" anyone you want.  Here are the receive
    headers from the machines that sent to majordomo:
    
    Received: from sm13.texas.rr.com (sm13.texas.rr.com [24.93.35.40])
        by ece.cmu.edu (8.11.0/8.10.2) with ESMTP id g7N3Koo15994
        for <ips@ece.cmu.edu>; Thu, 22 Aug 2002 23:20:51 -0400 (EDT)
    
    Received: from Cudhz (cs24243252-119.austin.rr.com [24.243.252.119])
        by sm13.texas.rr.com (8.12.1/8.12.0.Beta16) with SMTP id g7N3OVDg010776
        for <ips@ece.cmu.edu>; Thu, 22 Aug 2002 22:24:32 -0500
    
    Does anyone recognize the account or host named cs24243252-119?
    
    Thanks,
    
    -- 
    Mark A. Bakke
    Cisco Systems
    mbakke@cisco.com
    763.398.1054
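
The header check described in this thread, as an added example that is not part of the original messages: it walks the Received chain to the first recorded hop and compares that host with the From domain. The two Received headers are the ones quoted above; the From and To lines are constructed from the post's description, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message: Received headers as quoted in the post, the rest
# rebuilt from the post's description of the forged From line.
RAW = """\
Received: from sm13.texas.rr.com (sm13.texas.rr.com [24.93.35.40])
\tby ece.cmu.edu (8.11.0/8.10.2) with ESMTP id g7N3Koo15994
\tfor <ips@ece.cmu.edu>; Thu, 22 Aug 2002 23:20:51 -0400 (EDT)
Received: from Cudhz (cs24243252-119.austin.rr.com [24.243.252.119])
\tby sm13.texas.rr.com (8.12.1/8.12.0.Beta16) with SMTP id g7N3OVDg010776
\tfor <ips@ece.cmu.edu>; Thu, 22 Aug 2002 22:24:32 -0500
From: mbakke@cisco.com
To: ips@ece.cmu.edu

body
"""

# "from <HELO name> (<reverse-DNS name> [<IP>]) by <receiving host>"
HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+"
                 r"\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>\S+)")

def received_hops(raw):
    """Return parsed Received hops in header order (newest first)."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # undo header folding
        if m:
            hops.append(m.groupdict())
    return hops

def origin_report(raw):
    """Compare the first recorded hop with the domain in the From line."""
    # Only hops stamped by servers you trust are reliable; anything below
    # them could have been written by the sender.
    first = received_hops(raw)[-1]  # bottom-most header = earliest hop
    sender = parseaddr(message_from_string(raw)["From"])[1]
    from_domain = sender.rpartition("@")[2].lower()
    rdns = first["rdns"].lower()
    return {
        "from_domain": from_domain,
        "origin_ip": first["ip"],
        "origin_rdns": rdns,
        "helo": first["helo"],
        "helo_matches_rdns": first["helo"].lower() == rdns,
        "from_matches_origin": rdns == from_domain
                               or rdns.endswith("." + from_domain),
    }
```

Calling `origin_report(RAW)` reports an origin under austin.rr.com while the From domain is cisco.com, which is the mismatch both messages point out.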
    



Last updated: Tue Aug 27 16:18:59 2002
11691 messages in chronological order