Roger Musson is entirely correct.
While it's extremely easy to send e-mails with a fake address (even
without the help of viruses, Outlook Express in particular seems to have an
easy-to-find setting specifically for this!!), it's very much harder to
cover up the genuine (numerical) unique IP (Internet Protocol server or
PC) address behind the name at the top of the e-mail.
Normally all the messy looking addressing and tracking details are covered
up for convenience, but if you hit the "H" (or equivalent) button and show
the full header, you can soon find the real originating e-mail address
from this.
Genuine JISCMAIL postings should have a UK academic IP address, probably
starting 130... For example Roger's Natural Hazards List posting actually
came from IP address 130.246.192.55, though with several different servers
at the Appleton Rutherford Laboratory (which currently provides JISC)
then the last few digits might be a bit different, e.g. 130.246.192.55
came through on another recent posting.
If the originating IP address is very different, e.g. it starts 202.. (as
many of the current wave of fake virus-carrying e-mails do) then it's not
from the genuine source.
In theory at least you can find out where the fakes are coming from via
the web directories of IP number allocations and then send an "abuse"
e-mail to whoever is supposed to be in charge. Start with the
"WHOIS" search window on the home page of the original American Registry
for Internet Numbers (ARIN) which is at http://www.arin.net/ If the
offending machine is at an American-registered address you will find
which and an "abuse" address which you can notify.
If the series of numbers has been allocated elsewhere then there will be a
link to the appropriate registry from that group of numbers. A few months
ago there were millions of spam and virus-carrying e-mails a day coming
from Netherlands-registered sites, but the Pacific and Latin American
groups of IP addresses are also causing a great deal of trouble at the
moment (and the regional registries that are supposed to police these and
shut down offending sites) seem much less active than they ought to be.
Nevertheless, there are systems there which certainly do work. (To my own
knowledge, within the past couple of weeks bodies as diverse as the
International Red Cross and Microsoft have acted against very convincing
looking fake sites that were "phishing" for bank and credit card details).
The problem is that 99.9% of the time we just hit the delete button and
don't take the 30 seconds or so needed to trace the origin and
notify the Registry responsible about virus spreaders, fraudsters and
porn & pharmaceuticals merchants. However, if every e-mail user took the
time to do this just a couple of times a week we might soon reduce the
spam traffic from its current estimated 80% or so of all e-mail to
something more manageable.
Patrick
=====================
(Prof.) Patrick J. Boylan
(Professor Emeritus, City University London)
HOME:
2A Compass Road
Scraptoft Lane
Leicester LE5 2HF
UK
Tel.: (+44) (0)-116.220.5496
E-mail: [log in to unmask]
====================
On Wed, 23 Feb 2005, Musson, Roger MW wrote:
> My understanding is that these viruses spoof the sender address, picking out origins from the user's mail archive. Therefore someone receiving ordinary mails from the jisc server will seem to get virus emails from this source also.
>
> Roger
>
> British Geological Survey
> West Mains Road
> Edinburgh EH9 2NA
> Scotland
>
> tel:+44-(0)131-650-0205
> fax:+44-(0)131-667-1877
> email: [log in to unmask]
>
> -----Original Message-----
> From: Natural hazards and disasters [mailto:[log in to unmask]]On Behalf Of David Crichton
> Sent: 23 February 2005 11:58
> To: [log in to unmask]
> Subject: Virus issues
>
>
> Sorry to bother you, I have been receiving a spate of infected emails this week most of them purporting to be from the jisc server which runs this mailbase. Mainly the Beagle virus but also some Netz cases. I know that these can come from third party machines using another address as a disguise, but I am getting more than 20 a day giving a jisc address. Is anyone else having this problem? (I have emailed Philip Buckle, but it was returned undelivered.)
> My firewall has no problems stopping them and my virus software is updated weekly and the computer scanned, so I think I am ok. It is just a nuisance.
>
> Regards,
>
> David
>
>
> From Professor David Crichton, 1 Quarryknowe Crescent, Inchture, PH14 9RH Scotland
> Tel. +44 (0)1828 686493
> If you have received this in error, please let me know.
> I use the latest firewall and virus checking software, but you should not rely on this, or on any advice contained in this email or its attachments.
>
>
>
> *********************************************************************
> This e-mail message, and any files transmitted with it, are confidential and intended solely for the use of the addressee. However, the information contained in this e-mail may subsequently be subject to public disclosure under the Freedom of Information Act 2000 and, unless the information is legally exempt from disclosure, the confidentially of this e-mail and your reply cannot be guaranteed. If this message was not intended for you, you have received it in error and any copying, distribution or other use of any part of it is strictly prohibited. Any views or opinions presented are solely those of the sender and do not necessarily represent those of the British Geological Survey. The security of e-mail communication cannot be guaranteed and the BGS accepts no liability for claims arising as a result of the use of this medium to transmit messages from or to the BGS. http://www.bgs.ac.uk
> *********************************************************************
>
>
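The full-header check described in the reply above, as an added example that is not part of the original thread: it reads only the Received header written by the recipient's own mail server (lower ones can be forged by the sender) and tests the recorded IP against the expected range. The host names, the 130.246.0.0/16 range and the 203.0.113.25 address are constructed assumptions; only 130.246.192.55 is quoted from the post.

```python
import email
import ipaddress
import re

# Assumption: range covering the genuine list servers (the post quotes 130.246.192.55).
EXPECTED_NET = ipaddress.ip_network("130.246.0.0/16")
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_HOST = re.compile(r"\bby\s+([\w.-]+)", re.I)

def handoff_ip(raw_message, trusted_by_host):
    """IP that handed the mail to our own server, or None if not recorded.
    Received headers are prepended by each hop, so only the one written by a
    server we trust is reliable; anything below it may be forged by the sender.
    """
    msg = email.message_from_string(raw_message)
    for received in msg.get_all("Received", []):
        by = BY_HOST.search(received)
        if not by or by.group(1).lower() != trusted_by_host.lower():
            continue  # header not written by our server: do not trust it
        found = IP_IN_BRACKETS.search(received[:by.start()])
        try:
            return ipaddress.ip_address(found.group(1)) if found else None
        except ValueError:  # malformed literal such as [999.1.1.1]
            return None
    return None

def looks_genuine(raw_message, trusted_by_host, expected_net=EXPECTED_NET):
    ip = handoff_ip(raw_message, trusted_by_host)
    return ip is not None and ip in expected_net

# Constructed sample headers (hypothetical host names, no real traffic).
GENUINE = """\
Received: from listserv.example.ac.uk (listserv.example.ac.uk [130.246.192.55])
    by mx.recipient.example with ESMTP id A1; Wed, 23 Feb 2005 12:10:00 +0000
From: list@example.ac.uk
Subject: posting
"""
# The lower Received line is sender-supplied and claims the genuine address.
SPOOFED = """\
Received: from unknown (HELO mail) ([203.0.113.25])
    by mx.recipient.example with SMTP id B2; Wed, 23 Feb 2005 12:11:00 +0000
Received: from listserv.example.ac.uk ([130.246.192.55])
    by relay.invalid with ESMTP; Wed, 23 Feb 2005 12:00:00 +0000
From: list@example.ac.uk
Subject: posting
"""

if __name__ == "__main__":
    for raw in (GENUINE, SPOOFED):
        print(handoff_ip(raw, "mx.recipient.example"), looks_genuine(raw, "mx.recipient.example"))
```

Reading the bottom of the Received chain instead would have accepted the spoofed sample, because that line is whatever the sender chose to write.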