NK - Re: Virus Warning

Darin K. Herndon darin-herndon at utulsa.edu
Wed Mar 7 00:23:31 PST 2001 

>First, Etienne, after your last two posts I received two copies of the "Snow
>White and the seven dwarfs- the Real Story" e-mail.  Might need to scan your
>system.

JP, thanks for the note.  Our system is a Macintosh; the VB payload 
does not work on our machine.  Also, we do not use MS Outlook and so 
have no address book that the virus can read and spread from.  And I 
hesitate to admit such a thing but... you are not in the address book 
we have (I always check on a mailing list if I need to find your 
address).

If you look in the two emails you received (at the full header 
information, not the abreviated), despite the "from" address there 
will be info showing you the path from which the message actually was 
sent.  For example, your message to me includes the following in the 
full header:

Received: from blackstar.ansteorra.org 
(adsl-216-62-214-29.dsl.austtx.swbell.net [216.62.214.29])
	by barnard.utulsa.edu (8.11.1/8.11.0) with ESMTP id f275bbo22279;
	Tue, 6 Mar 2001 23:37:37 -0600
Received: (from majordom at localhost)
	by blackstar.ansteorra.org (8.9.3/8.9.3) id XAA15451
	for northkeep-outgoing; Tue, 6 Mar 2001 23:36:25 -0600
Received: from mail.nomadics.com (mail.nomadics.com [209.131.181.162])
	by blackstar.ansteorra.org (8.9.3/8.9.3) with ESMTP id XAA15448
	for <northkeep at ansteorra.org>; Tue, 6 Mar 2001 23:36:23 -0600
Received: from duron
           (adsl-64-217-12-50.dsl.okcyok.swbell.net [64.217.12.50])
           by mail.nomadics.com (Post.Office MTA v3.1.2 release (PO205-101c)
           ID# 0-45962U100L2S100) with SMTP id AAA172
           for <northkeep at ansteorra.org>; Tue, 6 Mar 2001 23:51:39 -0600

By the last "Received:" entry, Duron (your PC?) handed off this 
message to the mail server (mail.nomadics.com) addressed for 
"northkeep at ansteorra.org".  I write all of this simply to ask if you 
will (assuming you still have one of the messages) check the full 
header and see where it actually originated.  Please feel free to 
email me directly rather than the list.  I include this much here so 
that others can learn how to check original senders on emails they 
receive.

I would be very interested in checking the original sender of the 
messages you received.  Especially if they originate from utulsa.edu 
or bswintl.com.  I think what you received being timed after my 
message was a coincidence but I would like to be sure.

Etienne

More information about the Northkeep mailing list