Is this being spoofed?


iadom
08-06-2004, 11:43
I have had several e-mails in the past couple of days, including 2 in the past hour. They all have a virus-infected attachment, which my AV and ZAPro have blocked. They are all "apparently" from the same Ntl source; however, the IP seems to resolve to a BT account.
The headers:
Return-Path: <hywel.williams@ntlworld.com>
Received: from D5DR2Q0J.com ([194.73.126.114]) by mta01-svc.ntlworld.com
(InterMail vM.4.01.03.37 201-229-121-137-20020806) with SMTP
id <20040608082302.QMSM19746.mta01-svc.ntlworld.com@D5DR2Q0J.com>
for <*****@ntlworld.com>; Tue, 8 Jun 2004 09:23:02 +0100
Date: Tue, 08 Jun 2004 09:23:26 +0000
To: "Iadom" <******@ntlworld.com>
From: "Hywel.williams" <hywel.williams@ntlworld.com>
Subject: Re: Yahoo!
Message-ID: <sunrwgtdygxvzefdbja@ntlworld.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--------lomwwwltooxwaokhipdm"

Chris W
08-06-2004, 12:10
Yes, the address is most likely to be spoofed. If BT have a facility for reporting abuse, fill that in with headers, IP addresses etc., all the information that you have.

EDIT: abuse@btinternet.com or abuse@btopenworld.com

MB

Paul
08-06-2004, 12:18
Yes - these worms always spoof the sender/return path.

iadom
08-06-2004, 17:13
Yes, the address is most likely to be spoofed. If BT have a facility for reporting abuse, fill that in with headers, IP addresses etc., all the information that you have.

EDIT: abuse@btinternet.com or abuse@btopenworld.com

MB
Thanks for that, report sent to BT.

altis
08-06-2004, 22:36
D'ya think this is a spoofed address?

Return-Path: <elasticwaist@underpants.com>
Received: from ntlworld.com ([80.41.36.193]) by mta05-svc.ntlworld.com
(InterMail vM.4.01.03.37 201-229-121-137-20020806) with ESMTP
id <20040608192528.IUMY2927.mta05-svc.ntlworld.com@ntlworld.com>
for <********@ntlworld.com>; Tue, 8 Jun 2004 20:25:28 +0100
From: elasticwaist@underpants.com
To: ********@ntlworld.com
Subject: Mail Delivery (failure ********@ntlworld.com)
Date: Tue, 8 Jun 2004 20:27:08 +0100
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="----=_NextPart_000_001B_01C0CA80.6B015D10"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <20040608192528.IUMY2927.mta05-svc.ntlworld.com@ntlworld.com>
:D

Chris W
08-06-2004, 22:43
D'ya think this is a spoofed address?


:D

The email address looks like one of the old screaming.net addresses where you could choose the "humorous" domains as well.

I used to have one along the lines of letsmakelove@yourhouse.com

:D

iadom
12-06-2004, 16:23
I have received another 3 from the exact same source, hywel.williams@ntlworld.com with the IP 194.73.126.114 as the first "FROM" in the headers. Apart from the subject line in the e-mail all other details are the same. That makes 10 in the past week from this same PC.

poolking
12-06-2004, 16:30
Maybe this guy has a virus and doesn't realise it?

iadom
12-06-2004, 17:15
Maybe this guy has a virus and doesn't realise it?
I have sent an e-mail to hywel.williams@ntlworld but the IP in the first "from" line resolves to a BT account for someone listed as DDvideo. I have also sent a report to abuse@btnet. It is the first time that I have had 10 infected e-mails from apparently the exact same source, over a period of a week, spoofed or otherwise.

greencreeper
13-06-2004, 10:33
Should people be able to view email headers? Should firewalls have logs? Should the NHS increase coronary care funding? :D I dunno - I just give the Spam folder a quick glance and then choose "Empty folder". The spoofed sender won't have a clue so it's a bit pointless telling them. I get bounced virus-laden emails all the time. I never sent them and there's nothing I can do if someone wants to send emails as me - it's how the system "works". Maybe I'm too relaxed :)
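
Added example, not part of any post in this thread: a short Python sketch that takes the two header sets posted above and separates what the receiving ntlworld MTA recorded (the connecting IP, which is what an abuse report needs) from what the sending machine merely claimed (HELO name and Return-Path). The function names are hypothetical, and the regular expression assumes the InterMail `Received:` layout seen in these posts.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers as posted in the thread (folding whitespace restored; recipient redacted there).
FIRST = """\
Return-Path: <hywel.williams@ntlworld.com>
Received: from D5DR2Q0J.com ([194.73.126.114]) by mta01-svc.ntlworld.com
 (InterMail vM.4.01.03.37 201-229-121-137-20020806) with SMTP
 id <20040608082302.QMSM19746.mta01-svc.ntlworld.com@D5DR2Q0J.com>
 for <*****@ntlworld.com>; Tue, 8 Jun 2004 09:23:02 +0100
"""
SECOND = """\
Return-Path: <elasticwaist@underpants.com>
Received: from ntlworld.com ([80.41.36.193]) by mta05-svc.ntlworld.com
 (InterMail vM.4.01.03.37 201-229-121-137-20020806) with ESMTP
 id <20040608192528.IUMY2927.mta05-svc.ntlworld.com@ntlworld.com>
 for <********@ntlworld.com>; Tue, 8 Jun 2004 20:25:28 +0100
"""

# Layout seen above: "from <HELO name> ([<peer IP>]) by <receiving MTA>"
HOP = re.compile(r"from\s+(\S+)\s+\(\[([0-9.]+)\]\)\s+by\s+(\S+)")

def domain(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def analyse(raw):
    """Split what the recipient's MTA observed from what the sender claimed."""
    msg = message_from_string(raw)
    # The topmost Received line is the one stamped by the recipient's own provider.
    top = " ".join((msg.get_all("Received") or [""])[0].split())
    hop = HOP.search(top)
    if hop is None:
        return None
    helo, peer_ip, mta = hop.group(1).lower(), hop.group(2), hop.group(3).lower()
    claimed = domain(msg["Return-Path"])
    return {
        "peer_ip": peer_ip,            # observed by the MTA: the value to report
        "helo": helo,                  # sender-supplied, unverified
        "claimed_sender": claimed,     # sender-supplied, unverified
        "helo_differs_from_sender": helo != claimed,
        "helo_poses_as_receiver": mta.endswith("." + helo),
    }

if __name__ == "__main__":
    for sample in (FIRST, SECOND):
        print(analyse(sample))
```

Neither flag proves forgery on its own; they only show that the sender-supplied fields disagree with each other or with the receiving host, which is why the recorded IP is the field worth passing to the owning ISP's abuse desk.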