Today I got a message that I had received two Emails in my box with
a virus … But where [do they] come from?
There’s no 100% reliable way to tell who really sent you the virus.
The only thing that’s likely is that your email address or the address
of an email list you are a member of is contained in an address book
on the machine that sent it to you, and that that machine is a Windows
machine. As to whose machine that might be, you can get clues from
the more detailed email headers that you typically don’t see, but even
then it’s often difficult to tell.
This virus and many recent viruses work by emailing a copy to
everyone it finds in the address books it finds on infected machines.
It also spoofs, or fakes, the “From:” address, to hide where the email
is coming from. It looks like this virus uses only certain “from”
addresses, but others will actually use other addresses found in the
infected machine’s address book.
“From spoofing” is a little confusing so let’s whip up an example.
Peter has both Paul and Mary in his email address book. Paul and
Mary do not know each other and have never emailed each other.
Unfortunately, Peter’s computer becomes infected with one of the
viruses we’re talking about. The virus starts emailing itself to
everyone in Peter’s address book and also uses the address book to make
fake “from” addresses. As a result, Peter’s computer sends email to
Mary that looks like it’s “from” Paul, even though Paul had
nothing whatsoever to do with it. If Mary believes the “from” address,
she may get upset with Paul for “sending” her the virus but her anger
is misplaced – it’s Peter’s machine that’s infected.
If we take a look at the email header information that comes with
each email message, we may be able to track the source a little
better. The header information I’m talking about is information that
many email clients don’t show you by default. As an email message gets
passed from computer to computer, each will add an informational line to
the header saying when the message was received and from what IP
address. The first of those should be from the machine that sent the
email in the first place.
Unfortunately it’s not always that simple. For example a broadband
router, firewall, or proxy server can mask a machine’s address on the
internet. In addition, some of the virii take steps to obscure or spoof
the header information.
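A small script, added here as an illustration (it is not part of the original article), that reads the Received: lines of a constructed message in the Peter/Paul/Mary scenario above and works back to the earliest hop with a routable address. All hostnames and IP addresses in the sample are made up; the helper names are my own.

```python
import email
import ipaddress
import re

# Constructed sample (not from the article): Peter's infected PC, on a home LAN
# behind a NAT router, mails Mary while spoofing Paul's address. All made up.
SAMPLE_MESSAGE = """\
Received: from mx1.example.net (mx1.example.net [203.0.113.20])
    by mail.isp.example with ESMTP id 4B2C3
    for <mary@isp.example>; Tue, 03 Feb 2004 10:15:04 -0500
Received: from peters-pc (unknown [198.51.100.77])
    by mx1.example.net with SMTP id 7A1F9; Tue, 03 Feb 2004 10:15:01 -0500
Received: from peters-pc ([192.168.1.5])
    by peters-pc with SMTP; Tue, 03 Feb 2004 10:14:58 -0500
From: paul@example.org
To: mary@isp.example
Subject: hi

"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# RFC 1918 private ranges plus loopback: addresses a router or proxy hides
# the real host behind, so they never identify the sender on the internet.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def received_hops(raw_message):
    """Received: hops as (claimed_name, ip, routable), earliest first.
    Each relay prepends its own line, so header order is newest-first and
    reversing it recovers the path the message took."""
    msg = email.message_from_string(raw_message)
    hops = []
    for line in reversed(msg.get_all("Received", [])):
        text = " ".join(line.split())          # undo header line folding
        m = re.match(r"from (\S+)", text)
        name = m.group(1) if m else "?"
        ip_m = IP_RE.search(text)
        ip = ip_m.group(1) if ip_m else None
        routable = ip is not None and not any(
            ipaddress.ip_address(ip) in net for net in NON_ROUTABLE)
        hops.append((name, ip, routable))
    return hops

def likely_origin(raw_message):
    """Earliest hop with a routable address: the best clue to the sending
    machine. The From: header is ignored entirely because the virus fakes it."""
    for name, ip, routable in received_hops(raw_message):
        if routable:
            return name, ip
    return None
```

In the sample the bottom-most line only shows Peter's LAN address, so the first useful clue is the router's public address one hop up; the spoofed From: never enters into it.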
Outlook and Outlook Express are both common mailers as well as
common virus targets that hide the headers by default. If you want to
have a look at the headers I’m talking about:
Outlook: Right click on the message in the message list and
select Options. In the default pane of the options dialog is a box
labeled “Internet Headers”. The box is almost always smaller than the
accumulated header information, so you may want to copy/paste the
headers into notepad to view.
Outlook Express: Right click on the message in the message list and
select Properties and then on the “Details” tab. The details tab
contains the internet headers.
The headers are not meant to be pretty or easy to understand but
typically the last “received from” line will tell you the IP address
and possibly the machine name that the mail may have originated
from. In our example above, it may be easy to identify Peter’s machine by
his IP address or his machine name … or that information may still be