<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>RE: [dba-Tech] Norton Firewall</TITLE>
<META http-equiv=Content-Type content="text/html; charset=ISO-8859-1">
<META content="MSHTML 6.00.2800.1170" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><SPAN class=015131822-21082003><FONT face=Arial color=#0000ff size=2>I'll
check the last group I got and lookup them up as you did. If there is a pattern
I'll notify the ISP.</FONT></SPAN></DIV>
<DIV><SPAN class=015131822-21082003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=015131822-21082003><SPAN class=015131822-21082003><FONT
face=Arial color=#0000ff size=2>Thanks a bunch!</FONT></SPAN></SPAN></DIV>
<DIV><SPAN class=015131822-21082003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=015131822-21082003><FONT face=Arial color=#0000ff size=2>John
B.</FONT></SPAN></DIV>
<BLOCKQUOTE dir=ltr
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Tahoma
size=2>-----Original Message-----<BR><B>From:</B>
dba-tech-bounces@databaseadvisors.com
[mailto:dba-tech-bounces@databaseadvisors.com]<B>On Behalf Of </B>Drew
Wutka<BR><B>Sent:</B> Thursday, August 21, 2003 4:51 PM<BR><B>To:</B>
Discussion of Hardware and Software issues<BR><B>Subject:</B> Re: [dba-Tech]
Lots of Virii attempts today<BR><BR></FONT></DIV>
<DIV><FONT face=Arial size=2>No, what it means is that a machine called DELLY,
with an IP Address of 68.49.121.92 send you this email.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Here is the WhoIS info for that IP
Address:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2><FONT face="Times New Roman" size=3>OrgName:
Comcast Cable Communications, Inc. <BR>OrgID: CMCS<BR>Address: 3 Executive
Campus<BR>Address: 5th Floor<BR>City: Cherry Hill<BR>StateProv:
NJ<BR>PostalCode: 08002<BR>Country: US<BR><BR>NetRange: 68.32.0.0 -
68.63.255.255 <BR>CIDR: 68.32.0.0/11 <BR>NetName: JUMPSTART-1<BR>NetHandle:
NET-68-32-0-0-1<BR>Parent: NET-68-0-0-0-0<BR>NetType: Direct
Allocation<BR>NameServer: NS01.JDC01.PA.COMCAST.NET<BR>NameServer:
NS02.JDC01.PA.COMCAST.NET<BR>Comment: ADDRESSES WITHIN THIS BLOCK ARE
NON-PORTABLE<BR>RegDate: 2001-11-29<BR>Updated:
2002-06-12<BR><BR><BR>TechHandle: IC161-ARIN<BR>TechName: Comcast Cable
Communications, Inc. <BR>TechPhone: +1-856-317-7300<BR>TechEmail:
cips-ip-registration@cable.comcast.com <BR><BR>OrgAbuseHandle:
NAPO-ARIN<BR>OrgAbuseName: Network Abuse and Policy Observance
<BR>OrgAbusePhone: +1-856-317-7272<BR>OrgAbuseEmail:
abuse@comcast.net<BR><BR>OrgTechHandle: IC161-ARIN<BR>OrgTechName: Comcast
Cable Communications, Inc. <BR>OrgTechPhone: +1-856-317-7300<BR>OrgTechEmail:
cips-ip-registration@cable.comcast.com<BR><BR>CustName: Comcast Cable
Communications, Inc.<BR>Address: 3 Executive Campus<BR>Address: 5th
Floor<BR>City: Cherry Hill<BR>StateProv: NJ<BR>PostalCode: 08002<BR>Country:
US<BR>RegDate: 2003-03-19<BR>Updated: 2003-03-19<BR><BR>NetRange: 68.48.0.0 -
68.49.255.255 <BR>CIDR: 68.48.0.0/15 <BR>NetName: DC-3<BR>NetHandle:
NET-68-48-0-0-1<BR>Parent: NET-68-32-0-0-1<BR>NetType: Reassigned<BR>Comment:
NONE<BR>RegDate: 2003-03-19<BR>Updated: 2003-03-19<BR><BR>TechHandle:
IC161-ARIN<BR>TechName: Comcast Cable Communications, Inc. <BR>TechPhone:
+1-856-317-7300<BR>TechEmail: cips-ip-registration@cable.comcast.com
<BR><BR>OrgAbuseHandle: NAPO-ARIN<BR>OrgAbuseName: Network Abuse and Policy
Observance <BR>OrgAbusePhone: +1-856-317-7272<BR>OrgAbuseEmail:
abuse@comcast.net<BR><BR>OrgTechHandle: IC161-ARIN<BR>OrgTechName: Comcast
Cable Communications, Inc. <BR>OrgTechPhone: +1-856-317-7300<BR>OrgTechEmail:
cips-ip-registration@cable.comcast.com<BR><BR># ARIN WHOIS database, last
updated 2003-08-20 19:15<BR># Enter ? for additional hints on searching ARIN's
WHOIS database.</FONT><BR></FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>So it's someone that is using Comcast as their
ISP. Sometimes the WhoIs information narrows it down further, but this
looks like a home user. (Most businesses register their own information
within the WhoIs servers.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>You could try to contact Comcast with the numbers
here, and tell them you are receiving virus emails....they may be able to
contact the actual infected person, since they should know which one of their
customers is currently using that IP Address.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Drew</DIV></FONT>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=john@winhaven.net href="mailto:john@winhaven.net">John Bartow</A>
</DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A
title=dba-tech@databaseadvisors.com
href="mailto:dba-tech@databaseadvisors.com">Discussion of Hardware and
Software issues</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Thursday, August 21, 2003 4:36
PM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> RE: [dba-Tech] Lots of Virii
attempts today</DIV>
<DIV><BR></DIV>
<DIV><SPAN class=718413021-21082003><FONT face=Arial color=#0000ff
size=2>I've been getting deluged by them too this week. Probably 20 a day
since I got back from vacation (Sunday).</FONT></SPAN></DIV>
<DIV><SPAN class=718413021-21082003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=718413021-21082003><FONT face=Arial color=#0000ff size=2>I
opened one of them (Outlook 2k) and choose View | Options and copied this
info:</FONT></SPAN></DIV>
<DIV><SPAN class=718413021-21082003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=718413021-21082003><FONT face=Arial color=#0000ff
size=2>Received: from DELLY [68.49.121.92] by mail.winhaven.net with
ESMTP<BR> (SMTPD32-8.01) id A9CB30F0378; Thu, 21 Aug 2003 09:40:11
-0500<BR>From: <<A
href="mailto:stuartcannon@mindspring.com">stuartcannon@mindspring.com</A>><BR>To:
<<A
href="mailto:techasst@winhaven.net">techasst@winhaven.net</A>><BR>Subject:
Re: Wicked screensaver</FONT></SPAN></DIV>
<DIV><SPAN class=718413021-21082003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=718413021-21082003><FONT face=Arial color=#0000ff
size=2>Does this mean that Stuart Cannon really is the person that sent this
or can this be masquraded somehow?</FONT></SPAN></DIV>
<DIV><SPAN class=718413021-21082003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=718413021-21082003><FONT face=Arial color=#0000ff
size=2>John B.</FONT></SPAN></DIV>
<DIV><SPAN class=718413021-21082003><FONT face=Arial color=#0000ff
size=2> </DIV>
<DIV><BR></DIV></FONT></SPAN>
<BLOCKQUOTE dir=ltr
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Tahoma
size=2>-----Original Message-----<BR><B>From:</B>
dba-tech-bounces@databaseadvisors.com
[mailto:dba-tech-bounces@databaseadvisors.com]<B>On Behalf Of </B>Drew
Wutka<BR><B>Sent:</B> Thursday, August 21, 2003 2:52 PM<BR><B>To:</B>
Discussion of Hardware and Software issues<BR><B>Subject:</B> Re:
[dba-Tech] Lots of Virii attempts today<BR><BR></FONT></DIV>
<DIV><FONT face=Arial size=2>Just a little FYI on this virus. It
DOES NOT use the email address of the infected machine to send out
emails. It sends them out using random email addresses found on the
users machine. What does that mean in English? If your
anti-virus software sends a notice to the sender of a virus (like yours
did here Arthur), you are notifying the wrong person. We have gotten
tons of these notices, because our employee's email addresses are being
spoofed by this virus!</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>To actually determine what is sending out
these emails, look at the header info of the email. That will give
you the machine name and IP Address of the computer sending out the
viruses. Get the WhoIS information for that IP Address, and notify
the Abuse or Tech person for that IP Address. It may help them if
you include a copy of the header information.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Drew</FONT></DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=artful@rogers.com href="mailto:artful@rogers.com">Arthur
Fuller</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A
title=dba-tech@databaseadvisors.com
href="mailto:dba-tech@databaseadvisors.com">Discussion of Hardware and
Software issues</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Thursday, August 21, 2003
2:31 PM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> [dba-Tech] Lots of Virii
attempts today</DIV>
<DIV><BR></DIV>
<DIV><SPAN class=152100418-21082003><FONT face=Arial color=#0000ff
size=2>I just got about the 20th notice today from the company's email
provider. A snip:</FONT></SPAN></DIV>
<DIV><SPAN class=152100418-21082003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=152100418-21082003>
<P><FONT size=2>Recipient: <A
href="mailto:afuller@etsys.com">afuller@etsys.com</A></FONT></P>
<P><FONT size=2>Sender: <A
href="mailto:ntbug@microsoft.com">ntbug@microsoft.com</A></FONT></P>
<P><FONT size=2>Subject: Re: Approved</FONT></P>
<P><FONT size=2>Virus name: <A
href="mailto:W32.Sobig.F@mm">W32.Sobig.F@mm</A></FONT></P>
<P><FONT size=2>Attachment: details.pif</FONT></P>
<P><FONT size=2>Status: Messaged deleted</FONT></P>
<P><FONT size=2>Notified: recipient, administrator</FONT></P>
<P><FONT size=2>Thank you for using our services</FONT></P>
<P><FONT size=2>---</FONT></P>
<P><FONT size=2>The Electric Mail Company</FONT></P>
<P><A href="http://www.electricmail.com"><FONT
size=2>www.electricmail.com</FONT></A></P>
<P><SPAN class=152100418-21082003><FONT size=2>My question is, how can
people spoof an email address? Look where it allegedly came
from.</FONT></SPAN></P></SPAN></DIV>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader dir=ltr align=left><B><FONT face=Arial
size=2></FONT></B> </DIV></BLOCKQUOTE>
<P>
<HR>
<P></P>_______________________________________________<BR>dba-Tech
mailing
list<BR>dba-Tech@databaseadvisors.com<BR>http://databaseadvisors.com/mailman/listinfo/dba-tech<BR>Website:
http://www.databaseadvisors.com<BR></BLOCKQUOTE></BLOCKQUOTE>
<P>
<HR>
<P></P>_______________________________________________<BR>dba-Tech mailing
list<BR>dba-Tech@databaseadvisors.com<BR>http://databaseadvisors.com/mailman/listinfo/dba-tech<BR>Website:
http://www.databaseadvisors.com<BR></BLOCKQUOTE></BLOCKQUOTE></BODY></HTML>