<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>RE: [dba-Tech] Norton Firewall</TITLE>
<META http-equiv=Content-Type content="text/html; charset=ISO-8859-1">
<META content="MSHTML 6.00.2722.900" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>No, what it means is that a machine called DELLY,
with an IP Address of 68.49.121.92 send you this email.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Here is the WhoIS info for that IP
Address:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2><FONT face="Times New Roman" size=3>OrgName:
Comcast Cable Communications, Inc. <BR>OrgID: CMCS<BR>Address: 3 Executive
Campus<BR>Address: 5th Floor<BR>City: Cherry Hill<BR>StateProv:
NJ<BR>PostalCode: 08002<BR>Country: US<BR><BR>NetRange: 68.32.0.0 -
68.63.255.255 <BR>CIDR: 68.32.0.0/11 <BR>NetName: JUMPSTART-1<BR>NetHandle:
NET-68-32-0-0-1<BR>Parent: NET-68-0-0-0-0<BR>NetType: Direct
Allocation<BR>NameServer: NS01.JDC01.PA.COMCAST.NET<BR>NameServer:
NS02.JDC01.PA.COMCAST.NET<BR>Comment: ADDRESSES WITHIN THIS BLOCK ARE
NON-PORTABLE<BR>RegDate: 2001-11-29<BR>Updated:
2002-06-12<BR><BR><BR>TechHandle: IC161-ARIN<BR>TechName: Comcast Cable
Communications, Inc. <BR>TechPhone: +1-856-317-7300<BR>TechEmail:
cips-ip-registration@cable.comcast.com <BR><BR>OrgAbuseHandle:
NAPO-ARIN<BR>OrgAbuseName: Network Abuse and Policy Observance
<BR>OrgAbusePhone: +1-856-317-7272<BR>OrgAbuseEmail:
abuse@comcast.net<BR><BR>OrgTechHandle: IC161-ARIN<BR>OrgTechName: Comcast Cable
Communications, Inc. <BR>OrgTechPhone: +1-856-317-7300<BR>OrgTechEmail:
cips-ip-registration@cable.comcast.com<BR><BR>CustName: Comcast Cable
Communications, Inc.<BR>Address: 3 Executive Campus<BR>Address: 5th
Floor<BR>City: Cherry Hill<BR>StateProv: NJ<BR>PostalCode: 08002<BR>Country:
US<BR>RegDate: 2003-03-19<BR>Updated: 2003-03-19<BR><BR>NetRange: 68.48.0.0 -
68.49.255.255 <BR>CIDR: 68.48.0.0/15 <BR>NetName: DC-3<BR>NetHandle:
NET-68-48-0-0-1<BR>Parent: NET-68-32-0-0-1<BR>NetType: Reassigned<BR>Comment:
NONE<BR>RegDate: 2003-03-19<BR>Updated: 2003-03-19<BR><BR>TechHandle:
IC161-ARIN<BR>TechName: Comcast Cable Communications, Inc. <BR>TechPhone:
+1-856-317-7300<BR>TechEmail: cips-ip-registration@cable.comcast.com
<BR><BR>OrgAbuseHandle: NAPO-ARIN<BR>OrgAbuseName: Network Abuse and Policy
Observance <BR>OrgAbusePhone: +1-856-317-7272<BR>OrgAbuseEmail:
abuse@comcast.net<BR><BR>OrgTechHandle: IC161-ARIN<BR>OrgTechName: Comcast Cable
Communications, Inc. <BR>OrgTechPhone: +1-856-317-7300<BR>OrgTechEmail:
cips-ip-registration@cable.comcast.com<BR><BR># ARIN WHOIS database, last
updated 2003-08-20 19:15<BR># Enter ? for additional hints on searching ARIN's
WHOIS database.</FONT><BR></FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>So it's someone that is using Comcast as their
ISP. Sometimes the WhoIs information narrows it down further, but this
looks like a home user. (Most businesses register their own information
within the WhoIs servers.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>You could try to contact Comcast with the numbers
here, and tell them you are receiving virus emails....they may be able to
contact the actual infected person, since they should know which one of their
customers is currently using that IP Address.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Drew</DIV></FONT>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=john@winhaven.net href="mailto:john@winhaven.net">John Bartow</A>
</DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A
title=dba-tech@databaseadvisors.com
href="mailto:dba-tech@databaseadvisors.com">Discussion of Hardware and
Software issues</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Thursday, August 21, 2003 4:36
PM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> RE: [dba-Tech] Lots of Virii
attempts today</DIV>
<DIV><BR></DIV>
<DIV><SPAN class=718413021-21082003><FONT face=Arial color=#0000ff size=2>I've
been getting deluged by them too this week. Probably 20 a day since I got back
from vacation (Sunday).</FONT></SPAN></DIV>
<DIV><SPAN class=718413021-21082003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=718413021-21082003><FONT face=Arial color=#0000ff size=2>I
opened one of them (Outlook 2k) and choose View | Options and copied this
info:</FONT></SPAN></DIV>
<DIV><SPAN class=718413021-21082003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=718413021-21082003><FONT face=Arial color=#0000ff
size=2>Received: from DELLY [68.49.121.92] by mail.winhaven.net with
ESMTP<BR> (SMTPD32-8.01) id A9CB30F0378; Thu, 21 Aug 2003 09:40:11
-0500<BR>From: <<A
href="mailto:stuartcannon@mindspring.com">stuartcannon@mindspring.com</A>><BR>To:
<<A
href="mailto:techasst@winhaven.net">techasst@winhaven.net</A>><BR>Subject:
Re: Wicked screensaver</FONT></SPAN></DIV>
<DIV><SPAN class=718413021-21082003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=718413021-21082003><FONT face=Arial color=#0000ff size=2>Does
this mean that Stuart Cannon really is the person that sent this or can this
be masquraded somehow?</FONT></SPAN></DIV>
<DIV><SPAN class=718413021-21082003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=718413021-21082003><FONT face=Arial color=#0000ff size=2>John
B.</FONT></SPAN></DIV>
<DIV><SPAN class=718413021-21082003><FONT face=Arial color=#0000ff
size=2> </DIV>
<DIV><BR></DIV></FONT></SPAN>
<BLOCKQUOTE dir=ltr
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Tahoma
size=2>-----Original Message-----<BR><B>From:</B>
dba-tech-bounces@databaseadvisors.com
[mailto:dba-tech-bounces@databaseadvisors.com]<B>On Behalf Of </B>Drew
Wutka<BR><B>Sent:</B> Thursday, August 21, 2003 2:52 PM<BR><B>To:</B>
Discussion of Hardware and Software issues<BR><B>Subject:</B> Re: [dba-Tech]
Lots of Virii attempts today<BR><BR></FONT></DIV>
<DIV><FONT face=Arial size=2>Just a little FYI on this virus. It DOES
NOT use the email address of the infected machine to send out emails.
It sends them out using random email addresses found on the users
machine. What does that mean in English? If your anti-virus
software sends a notice to the sender of a virus (like yours did here
Arthur), you are notifying the wrong person. We have gotten tons of
these notices, because our employee's email addresses are being spoofed by
this virus!</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>To actually determine what is sending out these
emails, look at the header info of the email. That will give you the
machine name and IP Address of the computer sending out the viruses.
Get the WhoIS information for that IP Address, and notify the Abuse or Tech
person for that IP Address. It may help them if you include a copy of
the header information.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Drew</FONT></DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=artful@rogers.com href="mailto:artful@rogers.com">Arthur
Fuller</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A
title=dba-tech@databaseadvisors.com
href="mailto:dba-tech@databaseadvisors.com">Discussion of Hardware and
Software issues</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Thursday, August 21, 2003 2:31
PM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> [dba-Tech] Lots of Virii
attempts today</DIV>
<DIV><BR></DIV>
<DIV><SPAN class=152100418-21082003><FONT face=Arial color=#0000ff
size=2>I just got about the 20th notice today from the company's email
provider. A snip:</FONT></SPAN></DIV>
<DIV><SPAN class=152100418-21082003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=152100418-21082003>
<P><FONT size=2>Recipient: <A
href="mailto:afuller@etsys.com">afuller@etsys.com</A></FONT></P>
<P><FONT size=2>Sender: <A
href="mailto:ntbug@microsoft.com">ntbug@microsoft.com</A></FONT></P>
<P><FONT size=2>Subject: Re: Approved</FONT></P>
<P><FONT size=2>Virus name: <A
href="mailto:W32.Sobig.F@mm">W32.Sobig.F@mm</A></FONT></P>
<P><FONT size=2>Attachment: details.pif</FONT></P>
<P><FONT size=2>Status: Messaged deleted</FONT></P>
<P><FONT size=2>Notified: recipient, administrator</FONT></P>
<P><FONT size=2>Thank you for using our services</FONT></P>
<P><FONT size=2>---</FONT></P>
<P><FONT size=2>The Electric Mail Company</FONT></P>
<P><A href="http://www.electricmail.com"><FONT
size=2>www.electricmail.com</FONT></A></P>
<P><SPAN class=152100418-21082003><FONT size=2>My question is, how can
people spoof an email address? Look where it allegedly came
from.</FONT></SPAN></P></SPAN></DIV>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader dir=ltr align=left><B><FONT face=Arial
size=2></FONT></B> </DIV></BLOCKQUOTE>
<P>
<HR>
<P></P>_______________________________________________<BR>dba-Tech mailing
list<BR>dba-Tech@databaseadvisors.com<BR>http://databaseadvisors.com/mailman/listinfo/dba-tech<BR>Website:
http://www.databaseadvisors.com<BR></BLOCKQUOTE></BLOCKQUOTE>
<P>
<HR>
<P></P>_______________________________________________<BR>dba-Tech mailing
list<BR>dba-Tech@databaseadvisors.com<BR>http://databaseadvisors.com/mailman/listinfo/dba-tech<BR>Website:
http://www.databaseadvisors.com<BR></BLOCKQUOTE></BODY></HTML>