
How do I get back at virus spammer?


Name: Steve Hopper
Date: February 24, 2006 at 14:26:43 Pacific
OS: XP Home SP2
CPU/Ram: 1.6Ghz with 512Mb RAM
Product: Chr'ony
Comment:

Here's the complete message header, etc. of this e-mail, whose attachment contained a W32.Beagle.DN@mm virus (sent to me)...

=========================

X-Symantec-TimeoutProtection: 0
X-Symantec-TimeoutProtection: 1
X-Symantec-TimeoutProtection: 2
X-Symantec-TimeoutProtection: 3
X-Symantec-TimeoutProtection: 4
X-Symantec-TimeoutProtection: 5
X-Symantec-TimeoutProtection: 6
X-Symantec-TimeoutProtection: 7
X-Symantec-TimeoutProtection: 8
X-Symantec-TimeoutProtection: 9
X-Symantec-TimeoutProtection: 10
X-YPOPs-Folder: @B@Bulk
X-RocketYMUMID: AGomvs4AAFLcQ/7grw27sl9bWuc
X-Apparently-To: 'me'@'XXX'.com via 206.190.38.106; Fri, 24 Feb 2006 02:32:15 -0800
X-Rocket-Spam: 202.163.199.197
X-YahooFilteredBulk: 202.163.199.197
X-Originating-IP: [202.163.199.197]
Return-Path: <chelo_rayo@yahoo.com>
Authentication-Results: mta106.mail.mud.yahoo.com
from=yahoo.com; domainkeys=neutral (no sig)
Received: from 202.163.199.197 (HELO lizette7.com) (202.163.199.197)
by mta106.mail.mud.yahoo.com with SMTP; Fri, 24 Feb 2006 02:32:15 -0800
Date: Fri, 24 Feb 2006 18:32:07 +0800
To: 'me'<'me'@'xxx'.com>
From: "Chelo" <chelo_rayo@yahoo.com>
Subject: Gwd: Hello :-)
Message-ID: <wlqnsskfbptumvwwech@yahoo.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--------ehdxsbdytgeujmdaxscj"
Content-Length: 17134
X-NAS-Language: English
X-NAS-Bayes: #0: 2.09228E-071; #1: 1
X-NAS-Classification: 0
X-NAS-MessageID: 6327
X-NAS-Validation: {4FFF9F5B-0862-47C2-858F-'xxxxxxxxxx'}

----------ehdxsbdytgeujmdaxscj
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body>
Ok. Please, have a look at the attached file.



</body></html>

----------ehdxsbdytgeujmdaxscj
Content-Type: plain/text;
name="Norton AntiVirus Deleted-1.txt"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Norton AntiVirus Deleted-1.txt"

Tm9ydG9uIEFudGlWaXJ1cyByZW1vdmVkIHRoZSBhdHRhY2htZW50OiB3d3cuY3Vtb25oZXJm
YWNlLnNjci4NClRoZSBXMzIuQmVhZ2xlLkROQG1tIHRocmVhdCB3YXMgZGV0ZWN0ZWQgaW4g
dGhlIGF0dGFjaG1lbnQu

----------ehdxsbdytgeujmdaxscj
Content-Type: application/octet-stream; name="Description.txt"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Description.txt"

eW91J3ZlIGdvdCB0aGVtIGFscmVhZHk=

----------ehdxsbdytgeujmdaxscj--


=========================

I submitted the IP address (202.163.199.197) to the WhoIs site (http://www.whatsmyip.org/whois/) by entering the IP address in the first dialog box and this is the resulting info that it came up with....

=========================

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

ReferralServer: whois://whois.apnic.net

NetRange: 202.0.0.0 - 203.255.255.255
CIDR: 202.0.0.0/7
NetName: APNIC-CIDR-BLK
NetHandle: NET-202-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: NS-SEC.RIPE.NET
NameServer: DNS1.TELSTRA.NET
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to http://www.apnic.net/info/faq/abuse
Comment:
RegDate: 1994-04-05
Updated: 2005-05-20

OrgTechHandle: AWC12-ARIN
OrgTechName: APNIC Whois Contact
OrgTechPhone: +61 7 3858 3100
OrgTechEmail: search-apnic-not-arin@apnic.net

# ARIN WHOIS database, last updated 2006-02-23 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 202.163.199.192 - 202.163.199.199
netname: RAINBOWCOMP1-PH
descr: Rainbow Computer II
descr: UP Shopping Mall Diliman QC
country: PH
admin-c: AA123-AP
tech-c: AA123-AP
mnt-by: MAINT-PH-INFOCOM
changed: framirez@info.com.ph 20010920
status: ASSIGNED NON-PORTABLE
source: APNIC
changed: hm-changed@apnic.net 20020827

person: Alberto Alaman
address: Aurora Blvd Araneta
country: PH
phone: +63-2-714-2829
e-mail: alva@netasia.net
nic-hdl: AA123-AP
mnt-by: MAINT-PH-INFOCOM
changed: framirez@info.com.ph 20010919
source: APNIC

February 24, 2006, 4:24 pm

===========================

My question here is, would I be needing to send the e-mail I received (i.e., a copy of the message header, etc., and/or forward the original e-mail) back to this
"Alberto Alaman" at "alva@netasia.net"? I suspect sending it might simply be telling the guy that I know it was him that sent the virus to me, but it seems I need to send him the "Please do not spam me" if it's only a legal effort in assuring that something might be done about any further e-mails this guy might plan on sending me, no?

===========================

I then submitted the IP address (202.163.199.197) to the WhoIs site (http://www.whatsmyip.org/whois/) by entering the IP address in the right-side dialog box (that had a default entry of "IP Address") and this is the resulting info that it came up with....

adsl-199-197.info.com.ph

...apparently this is the domain name for the person's e-mail server? And as I'm uncertain which and/or if both searches revealed useful info in my quest to try and do whatever I can about this malicious person.

============================

I suspect that the "HELO lizette7.com" might be the e-mail server of the malicious person and I need to figure out if this is true or, if not, who the server is so I can get the spammer's website shut down, right?

Any expertise in getting this guy shut down and/or even prosecuted would be nice.

Thanks in advance for any help.

Regards and hap-e-trails, Steve Hopper
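As an added example (not from the post or any of the replies), a small Python parser over the Received chain of the message quoted above. It separates what Yahoo's own MTA observed (the connecting IP) from what the sender could write freely (HELO, From, Return-Path); the provider suffix is an assumption passed in as a parameter.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the sender and Received headers from the Beagle message quoted above
# (IP and host names exactly as they appear there; the other headers are omitted).
RAW_HEADERS = """\
X-Originating-IP: [202.163.199.197]
Return-Path: <chelo_rayo@yahoo.com>
Received: from 202.163.199.197 (HELO lizette7.com) (202.163.199.197)
  by mta106.mail.mud.yahoo.com with SMTP; Fri, 24 Feb 2006 02:32:15 -0800
From: "Chelo" <chelo_rayo@yahoo.com>
Subject: Gwd: Hello :-)

"""

# One Received hop as the receiving MTA recorded it. Handles the qmail-style
# "(HELO name) (ip)" form above and the sendmail-style "name (name [ip])" form.
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)"
    r"(?:\s+\(HELO\s+(?P<helo>[^)\s]+)\))?"
    r".*?[\[(](?P<ip>\d{1,3}(?:\.\d{1,3}){3})[\])]"
    r".*?\bby\s+(?P<by>[\w.-]+)",
    re.DOTALL,
)

def parse_received(raw):
    """Return the Received hops top-down: index 0 is the hop our own provider added last."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # unfold the header before matching
        if m:
            hops.append(m.groupdict())
    return hops

def assess(raw, my_provider_suffix):
    """Keep only what the recipient's own MTA observed; flag sender-controlled fields that disagree."""
    msg = message_from_string(raw)
    hops = parse_received(raw)
    # A hop is evidence only if the 'by' host is our own provider; anything below it is sender-supplied.
    trusted = next((h for h in hops if h["by"].endswith(my_provider_suffix)), None)
    if trusted is None:
        return {"origin_ip": None, "helo": None, "indicators": ["no Received line written by our own provider"]}
    claimed_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    indicators = []
    if trusted["helo"] and trusted["helo"].lower() != claimed_domain:
        indicators.append("HELO name does not match From domain")
    if claimed_domain.endswith(my_provider_suffix) and not trusted["from"].endswith(my_provider_suffix):
        # Real mail from our provider's domain is handed over by its own servers, not injected
        # by a single direct SMTP connection from an unrelated host.
        indicators.append("From claims our provider's domain but the message was injected from an outside host")
    return {"origin_ip": trusted["ip"], "helo": trusted["helo"], "indicators": indicators}
```

Only `origin_ip` is worth putting in an abuse report to the network that whois lists for that address; the HELO, From and Return-Path are chosen by the sender and prove nothing.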




Response Number 1
Name: capt
Date: February 24, 2006 at 15:13:02 Pacific
Reply:

I doubt that the address you have is the one that the bad guy has. He has probably spoofed the address. Just sit back, relax and do not seek revenge and take care!



Response Number 2
Name: FJ
Date: February 24, 2006 at 15:20:46 Pacific
Reply:

Start using MailWasher Pro to screen your mail.

Looking for revenge is a waste of life. Finding revenge -- is life.

Let him come to you. MailWasher will allow you to see who is sending what, without allowing the damage. Over time if he is kind enough to continue to send you data, you will be able to nail him.


Tomorrow the Stars!



Response Number 3
Name: Steve Hopper
Date: February 24, 2006 at 16:47:14 Pacific
Reply:

Obviously the right person hasn't yet read this post. The two reasons being, there is enough info here to identify the computer and originating server, plus doing the right thing is not revenge, it is the right thing and that is to take the time and report the computer and notify the originating server.

As WhoIs clearly shows the computer is in the Philippines, even his e-mail address is pretty assuredly alva@netasia.net, and the server is one or all of these: NS1.APNIC.NET, NS3.APNIC.NET, NS4.APNIC.NET, TINNIE.ARIN.NET, NS-SEC.RIPE.NET and DNS1.TELSTRA.NET.

As for the current replies, thanks, but seeking to dissuade me from acting responsibly and wishing me well at the same time is not what's needed here.

This is a serious matter and is criminal behaviour requiring that whatever can be done, is done. This is not revenge.

Revenge would be if I were to go and find this person and do to him what might be done by a third world countryman.

This person's computer is traceable and so is the originating server, no?

I'm certain someone reading this post (who is knowledgeable) will see that there's enough info to go beyond merely asking Yahoo to 'pretend' to take action on chelo_rayo@yahoo.com

Regards and hap-e-trails, Steve Hopper



Response Number 4
Name: capt
Date: February 24, 2006 at 17:00:47 Pacific
Reply:

Steve, just a question, since you are so knowledgeable, and have all the necessary information to take the appropriate action, why did you waste your time posting? Go ahead and do whatever you want. Please let us know the details of what happens to the individual when justice occurs. I suggest you take a look at what Steve Gibson had to do to track down the culprit in a denial of service attack that happened to him. Trust me, WHOIS was not how he solved the case. Just in case you do not know who Steve Gibson is, he is the president of Gibson Research, the website that provides us all with Shields Up, and other security support and help.



Response Number 5
Name: Derek
Date: February 24, 2006 at 17:35:34 Pacific
Reply:

Even if you manage it then the sender is likely to seek revenge on you too. He is probably clever enough to make a very good job of it and spam you to death.

The best thing to do is report it.

It's just a bit sickening when someone asks for help and then proceeds to insult those who respond. It is not the best way to get results.

DerekW






Response Number 6
Name: rwn
Date: February 25, 2006 at 01:50:54 Pacific
Reply:

I can understand the frustration Steve has, but the fact that the "originating" IP resides in the Philippines is usually a good indication that the address is spoofed (could be wrong tho). But for all you know it could be your next door neighbor. Plus a lot of ISPs don't use static IPs so that certain IP could belong to a number of computers at different times, not to even mention proxies (notice how sometimes even your own IP changes?). So the only offensive for a home user/novice is to use a good firewall/antivirus combo, and reporting the IP to your email provider (most have spam filters). And sorry for repeating this, but most spammers are usually tech-savvy, so if you get back at them, they WILL get back at you, usually a lot worse than you expected, think ID theft, DoS, etc... The thing is not to take spamming that personally; it happens to everyone at some point. This is not a defeatist attitude, but you usually have to learn a lot before you can even get back at them, which just doesn't rest well with most people unless they're really interested. In case you really are, just google computer security.

Truth can become lie, but if lies become truth we're in trouble.




Response Number 7
Name: Bryco
Date: February 25, 2006 at 06:36:10 Pacific
Reply:

Just say:

"God grant me the serenity
to accept the things I cannot change;
courage to change the things I can;
and wisdom to know the difference."

or go with:

Count your blessings instead of your crosses;
Count your gains instead of your losses.

Count your joys instead of your woes;
Count your friends instead of your foes.

Count your smiles instead of your tears;
Count your courage instead of your fears.

Count your full years instead of your lean;
Count your kind deeds instead of your mean.

Count your health instead of your wealth;
Love your neighbor as much as yourself.

The best way to get back at the perp is to get smarter with using your computer, which is or can be an open doorway into your home.

I am highly confident that the attack was not personally against you as that is how these things work. Some people just get their jollies trying to mess with as many people as they can.

Feel sorry for them instead of yourself.

Regards,
Bryan
(not the preacher I appear to be right now)



Response Number 8
Name: Derek
Date: February 25, 2006 at 11:48:21 Pacific
Reply:

Yep, and at the end of the day the top experts of all countries are already well into this stuff.

Anyone can look at Message source. The spammers are well aware of this fact when they do their dirty deeds.

Sadly it takes far more than a few guys/gals on a forum to make any headway with expert criminals.

DerekW



Response Number 9
Name: A Certain TH
Date: February 25, 2006 at 15:04:36 Pacific
Reply:

In response number 3, you make a huge point of saying this is not revenge, as if anyone suggesting you might be doing just that had completely missed your very much more superior standpoint. But the title of your post is "How do I get back at virus spammer?".

Bit of a cryptic title if you specifically meant not revenge. But maybe that's just your cleverness showing through...


I have no clue how to help you, but I do know a little about international legal disputes. Are you sure that this is actually a crime in the Philippines?




Response Number 10
Name: Steve Hopper
Date: February 25, 2006 at 15:47:23 Pacific
Reply:

Hi Everybody,

I appreciate each and every string. I do not flame any effort to share your experiences. And in our professions, we are sorely aware of those who seek revenge as opposed to changing their ways. But if we do not ourselves do the right thing, what can we expect from those who do not?

As spam is illegal in Europe and yet not in west, that fact alone tells us we accept it.

Until servers are forced to do the right thing as opposed to denying us service, they will continue to get away with their support of crime.

Change will not happen unless we assume the responsibility that our governments are ignoring.

Collectively, we as individuals have the power to bring about change. So why not get together and try to do it?

Now please, back to the issue. What can 'we' at least try to do here?

Regards and hap-e-trails, Steve Hopper




Response Number 11
Name: Bryco
Date: February 25, 2006 at 16:02:58 Pacific
Reply:

Steve,

The problem does not lie within the email that affected you.

There is the likelihood that the fact that you were sucked into it may very well result in you sending it to everyone in your address book.

Should those recipients try to "get back at you"? Of course not. The originator of your plight is long since forgotten.

Their best defense or cure to the problem is through education. Teach people not to buy into spam. Teach them to scrutinize each and every piece of email that comes their way. And, most importantly, get some antivirus software. It is such a problem that the ISPs are giving AV software away because they are paying for the carriage of these emails.

If you walk across the superhighway and get hit then you can not rightfully blame the individual that hit you, as it is your own fault for venturing beyond your limits.

(I swear it is the AV software makers that invent these viruses.)

Bryan



Response Number 12
Name: Derek
Date: February 25, 2006 at 17:09:33 Pacific
Reply:

Re #10 last line.

I think the point has been very clearly made, several times. "About zilch" from just a common or garden Message Source paste on here, which is sure to have been spoofed up to the eyeballs and/or sent on by an infected machine.

There are many leading lights already well into this sort of thing (Steve Gibson was mentioned). They have access to far better data, yet are finding the going tough.

Bryco has summed it up nicely.

DerekW


