Another virus


5milesbaby
20th Mar 2005, 22:48
Hi there one and all, I got another e-mail recently containing a virus that was picked up and binned well before it hit my inbox, however I thought someone could play with the header I can get from it and do a little investigating please. The only reason I ask is that the message came from "[email protected]" but obviously it wasn't 10W that we party with on PPRuNe. I have mailed him and alerted him to the fact I got this mail, and he has given me full permission to ask this here. Hope someone can help.

Cheers, 5mb

X-YahooFilteredBulk: 81.103.54.144
Authentication-Results: mta801.mail.ukl.yahoo.com
from=hotmail.com; domainkeys=neutral (no sig)
X-Originating-IP: [81.103.54.144]
Return-Path: <[email protected]>
Received: from 81.103.54.144 (EHLO btinternet.com) (81.103.54.144)
by mta801.mail.ukl.yahoo.com with SMTP; Tue, 15 Mar 2005 20:16:19 +0000
From: [email protected]
To: <my email address removed>
Subject: Re: letter
Date: Tue, 15 Mar 2005 20:16:15 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0016----=_NextPart_000_0016"
X-Priority: 3
X-MSMail-Priority: Normal

This is a multi-part message in MIME format.

------=_NextPart_000_0016----=_NextPart_000_0016
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: 7bit

Your document is attached to this mail.

+++ Attachment: No Virus found
+++ MessageLabs AntiVirus - www.messagelabs.com


------=_NextPart_000_0016----=_NextPart_000_0016
Content-Type: application/octet-stream;
name="letter.txt .pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="letter.txt .pif"


------=_NextPart_000_0016----=_NextPart_000_0016--
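The header above carries three tell-tales that a mail gateway can score automatically: a From: address at hotmail.com handed in by a host that greeted as btinternet.com, an attachment named "letter.txt .pif" (spaces pad out a .txt look-alike in front of the real .pif extension), and a "No Virus found" banner sitting inside the sender-written body rather than in a header added by the scanner. The script below is an added example, not code from the thread or from any of the services named in it; it rebuilds the message as a constructed sample (addresses are placeholders) and assumes the Yahoo-style `Received: from ... (EHLO ...) (ip)` layout when parsing the relay line.

```python
"""Added triage example for the forged-sender / disguised-.pif message above."""
import email
import os
import re
from email import policy

EXEC_EXT = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs"}
# Assumes the Yahoo MTA's "from <host> (EHLO <name>) (<ip>)" Received: layout.
RECEIVED_RE = re.compile(r"from\s+\S+\s+\(EHLO\s+([^)\s]+)\)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)")

# Constructed sample modelled on the header quoted in the thread; addresses are placeholders.
SAMPLE = """\
Return-Path: <sender@hotmail.com>
Received: from 81.103.54.144 (EHLO btinternet.com) (81.103.54.144)
  by mta801.mail.ukl.yahoo.com with SMTP; Tue, 15 Mar 2005 20:16:19 +0000
From: sender@hotmail.com
To: victim@example.invalid
Subject: Re: letter
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="Windows-1252"

Your document is attached to this mail.

+++ Attachment: No Virus found
+++ MessageLabs AntiVirus - www.messagelabs.com

--b1
Content-Type: application/octet-stream; name="letter.txt .pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="letter.txt .pif"

AAAA
--b1--
"""


def registrable(host: str) -> str:
    """Crude last-two-label domain; adequate for the .com hosts in this sample."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def triage(raw: str) -> list[str]:
    """Return the list of indicators found in a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = registrable(msg["From"].addresses[0].domain)
    m = RECEIVED_RE.search(str(msg["Received"] or ""))
    if m and registrable(m.group(1)) != from_domain:  # From: domain vs. relay's EHLO name
        findings.append(f"From: claims {from_domain} but {m.group(2)} greeted as EHLO {m.group(1)}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name.rstrip())[1].lower()
        if ext in EXEC_EXT:  # the real extension is the last one, whatever precedes it
            findings.append(f"attachment {name!r} is an executable type ({ext})")
        if re.search(r"\s\.\w+$", name):  # whitespace used to push the real extension out of view
            findings.append(f"attachment {name!r} pads its real extension with spaces")
    body = msg.get_body(preferencelist=("plain",))
    if body and re.search(r"no virus found", body.get_content(), re.I):
        findings.append("'No Virus found' banner is in the sender-controlled body, not a scanner header")
    return findings
```

Run against the real message, the Return-Path and From: agree with each other, so the relay's EHLO name and the attachment name are the checks that actually fire; a gateway would normally also add its own verdict header rather than trust any banner in the body.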

PPRuNe Radar
25th Mar 2005, 08:53
According to the IP given in the header, it might be someone in the Guildford area who uses NTL as their ISP...

WHOIS results for 81.103.54.144
Generated by www.DNSstuff.com

Location: United Kingdom [City: London, England]
% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
inetnum: 81.103.48.0 - 81.103.55.255
netname: NTL
descr: NTL Infrastructure - Guildford
country: GB
admin-c: NNMC1-RIPE
tech-c: NNMC1-RIPE
status: ASSIGNED PA
mnt-by: AS5089-MNT
remarks: INFRA-AW
changed: **********@ntli.net 20021114
source: RIPE
route: 81.102.0.0/15
descr: NTL-UK-IP-BLOCK
origin: AS5089
mnt-by: AS5089-MNT
changed: **********@ntli.net 20040929
source: RIPE
role: NTLI Network Management Centre
address: NTL Internet
address: Crawley Court
address: Winchester
address: Hampshire
address: SO21 2QA
trouble: -------------------------------------------------------
trouble: For abuse notifications please -
trouble: file an online case @ http://www.ntlworld.com/netreport
trouble: +44 1633 710142 (Voicemail Only)
trouble: -------------------------------------------------------
trouble: For peering issues/requests please -
trouble: email : *******@ntli.net
trouble: -------------------------------------------------------
admin-c: MH22007-RIPE
admin-c: NR731-RIPE
admin-c: CM1377-RIPE
tech-c: MH22007-RIPE
tech-c: CM1377-RIPE
admin-c: NR731-RIPE
nic-hdl: NNMC1-RIPE
mnt-by: AS5089-MNT
notify: *************@ntl.com
e-mail: *************@ntl.com
changed: **********@ntli.net 20030328
changed: **********@ntli.net 20030401
changed: **********@ntli.net 20030603
changed: **********@ntli.net 20030707
changed: **********@ntli.net 20040303
changed: **********@ntli.net 20040312
changed: **********@ntli.net 20040929
changed: *************@ntl.com 20050307
source: RIPE
[The following lines added by www.dnsstuff.com per requirement by RIPE]
This service is subject to the terms and conditions stated in the RIPE NCC Database Copyright Notice.