Plagued by this new virus - help please


stickyb
2nd Feb 2004, 13:09
I am receiving a steady stream of messages containing this new doom virus.

So far, they haven't done me any harm - a combination of up-to-date anti-virus software and common sense.

However, I would like to track them back to their source and see if I can persuade the offender to stop sending them.

Although the messages seem to have come from lots of different people, looking at the header says they all come from one address - 82.35.99.35

tracert turns this into 82-35-99-35.cable.ubr05.dals.blueyonder.co.uk


Anyone got any suggestions as to how I can get in touch with them to ask them to stop?

The Nr Fairy
2nd Feb 2004, 14:34
BlueYonder would probably be able to identify the account which is sending those emails; however, for YOU to get those details would most likely require a court order, which you wouldn't be able to get.

Best bet? Send an email and a fax to BlueYonder, explaining how you've done your detective work, and let them do the rest.

YYZ
2nd Feb 2004, 16:08
Cannot help with the tracking bit but for all who have been caught see the following:

Please be on the defense when opening your GroupWise or home email. There is a new virus that is very difficult to pin-point how it will look in your inbox. (Attachment: varies [.exe, .pif, .cmd, .scr], often arrives in a ZIP archive; 22,528 bytes.) If you do not know the sender or were not expecting an email with an attachment, please delete it.

Further Virus Information:
Please be aware that the recently announced W32/Mydoom@MM virus has been detected within the networks. We are continuing to work to secure and deploy the latest DATs to protect against this virus. More information on this virus is available via the links below:

>>> <[email protected]> 01/26/04 03:17PM >>>
Alert
This is a High-Outbreak Threat Alert for W32/Mydoom@MM.

Justification
W32/Mydoom@MM has been deemed High-Outbreak due to prevalence.

Read About It
Information about W32/Mydoom@MM is located on VIL at:
http://vil.nai.com/vil/content/v_100983.htm

Detection
W32/Mydoom@MM was first discovered on 01/26/2004 and detection will be
added to the 4319 dat files (Release Date: 1/26/2004). The EXTRA.DAT
is available.

If you suspect you have W32/Mydoom@MM, please submit a sample to
http://www.webimmune.net.

Risk Assessment Definition
For further information on the Risk Assessment and AVERT Recommended
Actions please see:
http://www.networkassociates.com/us/security/resources/risk_assessment.htm

Hope it helps someone?
YYZ

gofer
2nd Feb 2004, 16:58
Symantec (http://www.symantec.com) have a checker & cleaner for those in need.

Be aware that your chances of backtracking are remote to nil. Why? Because the Mydooms are said to build and use a From mail address that you might recognise - see the Symantec write-up on the link indicated above.

For those in need of an antivirus - can recommend AVG (http://www.grisoft.com); it's free for a "home" user and so far (says he, touching wood very firmly) over the last 3 or so years it's kept things away from my machine. It can be set up to indicate on incoming and outgoing mails that it tested them and which version was used (just in case). At least it gives my e-mail recipients a little more confidence in my professionalism.

Also, you home users - a home firewall is to be recommended, as is anti pop-up and anti-spyware (see the stickies at the start of this thread - but those are not the only products!)

stickyb
2nd Feb 2004, 17:25
Actually, the possibility of backtracking is very good, provided you can get some co-operation from the ISP.

Looking at the header on my email messages, I see

Sender: [email protected]
Received: from colt-telecom.com (82-35-99-35.cable.ubr05.dals.blueyonder.co.uk [82.35.99.35])
by siaag2ad.compuserve.com (8.12.9/8.12.7/SUN-2.12) with ESMTP id i120T8EN015731
for <me>; Sun, 1 Feb 2004 19:29:12 -0500 (EST)
Message-Id: <[email protected]>

The xxxx@colt-telecom is obviously spoofed, but the IP address is genuine as far as I know - that is the 82.35.99.35.

So, if Blueyonder bother to read the emails I have sent to them, they can identify the machine easily.
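
The header analysis in the post above (and the earlier tracert/rDNS step) can be automated. The following is an added example, not code posted in the thread: it parses the Received trace lines with Python's standard email module, keeps only the hop stamped by a mail relay you trust (here assumed to be the poster's provider, compuserve.com, taken from the quoted header), and reports the connecting IP, its reverse DNS name and the timestamp an abuse desk needs, alongside the claimed HELO, Sender and From values that a worm can forge at will. The sample message is constructed from the fields quoted above, with the redacted addresses replaced by the poster's own "xxxx@colt-telecom" placeholder and an invented From line; nothing is fetched from the network.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not a captured message: it reproduces the header fields
# quoted in the post, with the redacted addresses replaced by the poster's own
# "xxxx@colt-telecom" placeholder and a made-up From line (assumptions).
SAMPLE_MESSAGE = (
    "Sender: xxxx@colt-telecom.com\n"
    "Received: from colt-telecom.com "
    "(82-35-99-35.cable.ubr05.dals.blueyonder.co.uk [82.35.99.35])\n"
    "\tby siaag2ad.compuserve.com (8.12.9/8.12.7/SUN-2.12) with ESMTP id i120T8EN015731\n"
    "\tfor <me>; Sun, 1 Feb 2004 19:29:12 -0500 (EST)\n"
    "Message-Id: <xxxx@colt-telecom.com>\n"
    'From: "A Name You Recognise" <someone@example.com>\n'
    "Subject: hello\n"
    "\n"
    "body\n"
)

# Sendmail-style trace line: "from HELO (rDNS [ip]) by MTA ...". The rDNS part
# is absent when the receiving MTA could not resolve the connecting address.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\("
    r"(?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
    r"[^)]*\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(value):
    """Return HELO name, reverse DNS name, IP, receiving host and timestamp
    from one Received header, or None if the line is not in that shape."""
    unfolded = " ".join(value.split())  # join folded continuation lines
    m = RECEIVED_RE.search(unfolded)
    if not m:
        return None
    hop = m.groupdict()
    # The date follows the last ';' - abuse desks need it (with zone) to map a
    # dynamically assigned IP back to a customer.
    hop["date"] = unfolded.rsplit(";", 1)[1].strip() if ";" in unfolded else None
    return hop


def originating_ip(raw_message, trusted_mta_suffix):
    """Find the IP that actually connected to your own provider.

    Received headers are read top-down, newest first. Only the hop stamped
    'by' a host you trust is believable; any Received line below it, and every
    address field, may have been written by the sender."""
    msg = message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop and hop["by"].lower().endswith(trusted_mta_suffix.lower()):
            return hop
    return None


def spoof_indicators(raw_message, trusted_mta_suffix):
    """List mismatches between what the sender claimed and what the trusted
    hop observed; each one is a reason not to reply to the From address."""
    msg = message_from_string(raw_message)
    hop = originating_ip(raw_message, trusted_mta_suffix)
    if hop is None:
        return ["no Received header stamped by a trusted MTA"]
    findings = []
    helo = hop["helo"].lower()
    rdns = (hop["rdns"] or "").lower()
    if rdns and not rdns.endswith(helo) and not helo.endswith(rdns):
        findings.append(f"HELO {helo} does not match reverse DNS {rdns}")
    for field in ("Sender", "From"):
        addr = parseaddr(msg.get(field, ""))[1]
        domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
        if domain and rdns and not rdns.endswith(domain):
            findings.append(f"{field} domain {domain} does not match {rdns}")
    return findings


def abuse_report(raw_message, trusted_mta_suffix):
    """Build the text of a complaint: the trusted hop's facts first, then the
    complete, unmodified headers, which ISP abuse desks insist on."""
    hop = originating_ip(raw_message, trusted_mta_suffix)
    headers = raw_message.split("\n\n", 1)[0]
    if hop is None:
        return "Unable to identify a trusted hop.\n\n" + headers
    return (
        f"Originating IP (from my provider's Received line): {hop['ip']}\n"
        f"Reverse DNS: {hop['rdns'] or 'none'}\n"
        f"Received at: {hop['date']}\n"
        f"Claimed HELO: {hop['helo']} (not trusted)\n"
        "Mismatches: " + "; ".join(spoof_indicators(raw_message, trusted_mta_suffix)) + "\n"
        "\nFull headers follow:\n\n" + headers
    )


if __name__ == "__main__":
    print(abuse_report(SAMPLE_MESSAGE, "compuserve.com"))
```

Only the hop added by your own provider is evidence; a worm running on the infected host can prepend any number of plausible-looking Received lines beneath it, so walking further down the chain tells you nothing reliable.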

stickyb
3rd Feb 2004, 02:23
Nearly 12 hours after emailing administrator, postmaster and abuse @ blueyonder.co.uk, all I've had is an automated reply from abuse:
Thank you for your message to [email protected]. Your email has been received and will be processed in due course. This particular reply has been used because the mail was sent from a non-blueyonder address.

Due to the overwhelming amount of email received at this address, you may not receive a human response. Please be assured that your message will be read and your concern will be noted.

If your message is a complaint regarding Unsolicited Email or Newsgroup abuse originating from an blueyonder account, please be sure to include ALL header information in your complaint. Complaints without full header information cannot be processed.

blueyonder's Acceptable Use Policy does not permit the sending of Unsolicited Commercial Mail or Newsgroup abuse and such activities are not tolerated.

We will investigate to determine if there has been a breach of our Acceptable Use Policy. If there has, we will contact our customer and mandate that the activity ceases. Further breaches will lead to termination of the customers' account and, where appropriate, legal action.

If you are a blueyonder customer and your message is a complaint regarding Unsolicited Email or Newsgroup abuse originating from outside of blueyonder, please be aware that there is little we can do to stop this. We are planning user-definable mechanisms to deal with this problem which will become available in due course.

Thank you for your cooperation.

Regards,

The blueyonder Abuse Team.


Oh, and yes, I am still getting virus e-mails from the same TCP/IP address!!!