[Dshield] Help on Finding contacts at domains

Bob Savage bsavage at rnr-inc.com
Thu Sep 4 22:02:20 GMT 2003

John, if I understand you correctly, you are getting emails from the system admininstrator saying that your email is undeliverable because it is infected.  If I've misunderstood you and this is NOT what you are asking about, stop reading now!

These are automatically generated notices coming from the antivirus software.  Your address is on the email as the "from".  SoBig.F, and a number of others, picks up both the "to" and "from" addresses from whatever addresses it finds on the infected computer.  It just means your address is in the address list on the infected computer (or in file somewhere on it).  Many system admins configure their anti-virus software to send an "infected" notice to the sender.  It's a nice idea, but outdated.  Most infections today spoof the sender address.

Hope this helps,

Bob Savage
RNR, Inc.

-----Original Message-----
From: John Dalton [mailto:dubuque_1 at msn.com]
Sent: Thursday, September 04, 2003 4:11 PM
To: General DShield Discussion List
Subject: [Dshield] Help on Finding contacts at domains

I need to draw on the excellent resources here on the dshield list :)

In the last week I have had a smattering of emails that were generated
elsewhere and I am the one contacted. I would not be even asking this if the
fact they all come from two ISP's, one who I contacted by phone the other
day, and after getting past the persons attitude while answering (so what is
our users email address, to which I answered his MACHINES IP was x.x.x.x,)
I now have a good slug of ones coming from, shown in headers
(where the victims show them) as:
Received: from  VALUED-078DE3BD ([]
I looked them up to find:
Illinois Century Network
120 west jefferson
suite b
United States

Illinois Century Network
hostmaster at illinois.net

I have emailed to abuse.fraud and hostmaster at illinois.net, I have gone to
www.illinois.net, and tried to find contacts for a email contact. They seem
to be a Provider for Illinois school districts for Internet connectivity.

It is a nuisance for now, but all the emails I am getting about "sending"
infected emails to various companies, all indicate this IP as the origin.

Yes I have made sure I am all patched, and checked several ways to confirm I
am NOT infected.

Can anyone enlighten me to how to pursue this next, and how they came up
with this direction ...

Thanks in advance
John D

list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list

More information about the list mailing list