Q

Informing an infected sender

By looking into the e-mail header, I can tell the IP address of the infected computer that sends me a virus. What is the best way that I can inform the sender of the infection? A ping will provide me the name of the ISP, but informing the ISP may not have immediate results. Do you have any good suggestions?

Assuming it is a legitimate e-mail address that has inadvertently sent a virus that was not caught by the sender's antivirus software, I think it is within reason to simply reply to the individual with a notification. In fact, there are some corporate antivirus solutions that can be configured to automatically notify not only the recipient but also the originator of the infected message.

On the other hand, if a reply does not prompt the user to take action to clean the originating machine of the virus or worm, then you may want to report the e-mail address abuse to the user's ISP. You can perform a 'whois' against the IP address to get additional contact information for the ISP.


MEMBER FEEDBACK TO THIS ASK THE EXPERT Q&A:

While it does allude to it, the advice in your article fails to highlight the issues of spoofing. It is very common for viruses/worms to spoof the sender e-mail address, so responding to the named sender is almost useless. In fact, the automated responses to this type of mail by AV solutions are a major concern within the IT security community and are seen as more of an annoyance than a help.

Even if you go deeper into the headers and obtain the sender IP address, this too can be spoofed. While spoofing the sender IP is rarer than the sender e-mail address, it is still possible.

Until the move to signed e-mails (with trusted and verified digital signatures) is made, tracking this sort of mail back to the original infector will remain difficult, and auto-responding software should be viewed with caution and skepticism.
—Adeel H.

******************************************

There really are no infections that are not from spoofed addresses. The question asks about using the IP address that is in the message header, which I believe is not spoofed. I am getting hit with numerous infected messages from an IP address that is on Comcast's Eastern network. How do we get the information to a user that we only have an IP address for?
—Mark B.

******************************************

Your expert did not pay close attention to the question. The 'poser' obviously knows the "From" e-mail address is spoofed and is looking at the e-mail headers where the IP address of the sending machine can be found. They want to know if there is a way to inform the user of the computer at that IP address that they have an infection.
—David W.

******************************************

I disagree with your green light to send an e-mail to the 'sender' of the infected message. With the multitude of unprotected computers and the address harvesting worms, viruses and bots in the wild, it is impossible to know the true sender. This problem will only be solved by the development of authentication protocols that prevent address spoofing.
—Cliff C.

******************************************

I think your comments are right on the mark. I did not assume that the user knew that the mail was spoofed, which I should have, or that they would not have been reading the header in the first place. That was definitely my mistake. Here is what I would recommend:

My intent with the answer was not to encourage the generation of auto-responses by enterprise antivirus systems, and I do apologize for the generic statement. It is a difficult process to notify a person of an infected machine, as it is difficult to know who actually sent the virus with surety.

The first step is to identify if the e-mail address has been spoofed. Since e-mail address spoofing is most common, you should also look at the source IP address. Unfortunately, in many cases the source IP address could be invalid. Therefore, you also need to identify the validity of the source IP address. One detective tool I have found extremely helpful in determining the validity of a source IP address is Sam Spade. It is a freeware tool that can be downloaded here.

If the source address is in a block of IP addresses registered to an Internet Service Provider (ISP), government agency or corporation, it will be difficult for you to notify the individual. Most administrators will take abuse notifications seriously, so that is probably your best bet, even though it may not be immediate.

Abuse notification e-mail addresses are published by most ISPs and are even available when you perform a WHOIS on the ISP's domain. The Sam Spade tool will even allow you to gather the information and then compose and send an abuse mail from within the tool. Make sure you do your research well before sending the abuse notice. There is a tutorial included with the Sam Spade help that will walk you through the detection process. I recommend it highly.
—Richard Luckett, Antivirus and Antispam Expert
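As an added illustration (not part of the original Q&A, nor of Sam Spade), the Python below walks the Received: chain the way the expert's follow-up describes: only the hop stamped by your own mail server is trustworthy, and its client address is checked against unroutable ranges before anyone is sent an abuse notice. The host names, addresses and the message itself are constructed for the example.

```python
import ipaddress
import re
from email import message_from_string

# Assumption: our own mail server(s). Only the Received: line one of these hosts
# stamped is trustworthy; every line below it was written by someone else.
TRUSTED_HOSTS = {"mx.example.org"}
# Ranges that cannot be a public sender address. RFC 5737 documentation prefixes
# are omitted only because the sample uses one; on real mail use .is_global too.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
# Constructed sample: the top Received: line was stamped by our MTA; the lower
# line and the From: header are whatever the infected machine's worm claimed.
SAMPLE = """\
Received: from pool-45.victim-isp.example ([203.0.113.45])
\tby mx.example.org with ESMTP; Mon, 6 Jun 2005 09:12:01 -0400
Received: from mail.friend.example (mail.friend.example [10.0.0.1])
\tby pool-45.victim-isp.example; Mon, 6 Jun 2005 09:11:58 -0400
From: friend@friend.example

(body with infected attachment)
"""
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)

def is_bogon(ip):
    """True if ip lies in a range that cannot be a public sender address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGON_NETS)

def received_hops(raw, trusted_hosts=TRUSTED_HOSTS):
    """One dict per Received: line, most recent hop first."""
    hops = []
    for line in message_from_string(raw).get_all("Received", []):
        line = " ".join(line.split())  # unfold continuation lines
        by = _BY_RE.search(line)
        by = by.group(1).lower() if by else None
        ip = _IP_RE.search(line)  # first [a.b.c.d] is the connecting client
        ip = ip.group(1) if ip else None
        hops.append({"by": by, "from_ip": ip, "trusted": by in trusted_hosts,
                     "bogon": ip is not None and is_bogon(ip)})
    return hops

def originating_ip(raw, trusted_hosts=TRUSTED_HOSTS):
    """Address that connected to our own MTA, i.e. the machine worth reporting."""
    for hop in received_hops(raw, trusted_hosts):
        if hop["trusted"] and hop["from_ip"] and not hop["bogon"]:
            return hop["from_ip"]
    return None
```

The forged lower hop claims a private 10.0.0.1 address, so it is flagged and ignored; the only address worth taking to the ISP's abuse contact is the one our own server recorded.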


This was first published in June 2005.
