
identify sender

Discussion in 'Security and Privacy' started by Bill Kahny, 2002/07/10.

Thread Status:
Not open for further replies.
  1. 2002/07/10
    Bill Kahny

    Bill Kahny Well-Known Member Thread Starter

    Joined:
    2002/02/11
    Messages:
    31
    Likes Received:
    0
    Can anyone here identify the true sender of an email I believe was a virus? I copied this from the suspected message before deleting it (it was never opened).
    -------------------------------------------------------------
    Return-Path: <servpro8571@fuse.net>
    Received: from mx2.biz.rr.com ([192.168.201.23]) by fep05.biz.rr.com
    (InterMail vM.5.01.03.06 201-253-122-118-106-20010523) with ESMTP
    id <20020710121652.IDYP20850.fep05.biz.rr.com@mx2.biz.rr.com>
    for <sue@kahny.com>; Wed, 10 Jul 2002 08:16:52 -0400
    Received: from mta01.fuse.net (mx1.fuse.net [216.68.2.90])
    by mx2.biz.rr.com (8.11.6/8.11.6) with ESMTP id g6ACGqa21068
    for <sue@kahny.com>; Wed, 10 Jul 2002 08:16:52 -0400 (EDT)
    Received: from Yzzz ([216.68.40.168]) by mta01.fuse.net
    (InterMail vM.5.01.03.01 201-253-122-118-101-20010319) with SMTP
    id <20020710121628.HBNB21594.mta01.fuse.net@Yzzz>
    for <sue@kahny.com>; Wed, 10 Jul 2002 08:16:28 -0400
    From: fireserphant <fireserphant@lycos.com>
    To: sue@kahny.com
    Subject: Here to continue
    ----------------------------------------------------------------------------

    When I view a message through Properties... Message Source... etc., am I susceptible to attached viruses?

    I updated my virus definitions yesterday.

    This board is great
     
  2. 2002/07/10
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Looking at properties should be perfectly safe.

    Sorry - can't identify the true originator of this.

    Interesting note for anyone researching this thing. I did a trace route to 216.68.40.168 and got something I haven't seen before and really can't explain. The last 19 (of 29) entries were bounces between the same two addresses. As follows:

    216.68.2.22 68ms 95ms 85ms TTL: 0 (as3.fuse.net ok)
    216.68.2.1 64ms 67ms 211ms TTL: 0 (svs1-f2-1.svs.fuse.net ok)
    216.68.2.22 90ms 76ms 88ms TTL: 0 (as3.fuse.net ok)
    216.68.2.1 81ms 70ms 244ms TTL: 0 (svs1-f2-1.svs.fuse.net ok)
    216.68.2.22 (and so on for a total of 19 bounces - never reaching the target address but no errors)

    2 more tries gave 11 hops to the target with one pass thru 216.68.2.22 and nothing touching the 216.68.2.1 address.
     
    Newt,
    #2


  4. 2002/07/10
    aleekat

    aleekat Inactive

    Joined:
    2002/01/07
    Messages:
    902
    Likes Received:
    0
    I believe the 216 addy is also forged. Here is a great site to track and forward spam back to the IP that it originated from.

    TracingSpam
     
  5. 2002/07/10
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    I agree with Newt that the message Properties "say" the originating address is "Yzzz ([216.68.40.168])" since that is the From location with the earliest time stamp. And the purported sender is fireserphant@lycos.com. 216.68.40.168 could be fireserphant's personal IP address or the Domain Name Server address of the LAN/ISP fireserphant uses.
    Some of this info can be forged, although less likely is forging of the IP Address.

    FWIW, search results for: 216.68.40.168

    Fuse Internet Access (NETBLK-FUSE-NET-BLK-1)
    209 W. Seventh St. 121-920
    Cincinnati, OH 45202
    US

    Netname: FUSE-NET-BLK-1
    Netblock: 216.68.0.0 - 216.68.255.255
    Maintainer: FIAI

    Coordinator:
    ZoomTown.Com Operations Center (FIA-ORG-ARIN) hostmaster@FUSE.NET
    (513) 565-9707

    Domain System inverse mapping provided by:

    NS1.FUSE.NET 216.68.1.100
    NS2.FUSE.NET 216.68.2.100

    It is possible ZoomTown.Com / FUSE.NET are just reputable companies in the ISP/server business. However, if you do not want to receive mail from this sender in the future you could try
    1) asking your ISP to block or set up a Block Sender rule in OE for this address. (These are the safest routes since you do not get involved with the sending address.)
    2) contacting hostmaster@FUSE.NET
    (513) 565-9707

    From the data you provide, we can't tell if there is a virus. You/we would have to look at the message itself. You said you had gone into Properties|Details|Message Source. That lets you see the message in a format that cannot trigger a virus, as well as the Header info you reported. Was there a message? If you saw lots of code/gibberish, a virus can be suspected, although even that is not necessarily correct since it could just be an HTML message (graphics, active links, etc. that advertisers often use).
    In any event, if you do not know "fireserphant <fireserphant@lycos.com>" (ostensibly the person who sent it), it was a good move to delete the message without opening it. Especially when the Subject line suggested this was just another message from someone who had emailed you before.
    To complicate matters, you may know that there are viruses going around that infect one PC and then mail themselves to people in the infected PC's Address Book. The messages therefore seem to come from someone who has your address, presumably a friend or acquaintance. That person, however, does not even know it is happening and you might open an email from a "friend" like fireserphant and be caught with a virus.
     
    Last edited: 2002/07/10
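    The hop-by-hop reading Welshjim describes (walk the Received: lines from the bottom up, earliest time stamp first) can be done mechanically. The script below is an added illustration and not code from this thread or from WindowsBBS. It re-folds the header block quoted in the first post with leading spaces (the continuation indentation was lost when the post was pasted), parses each Received: line into the claimed HELO name, the bracketed IP, the receiving server and the time stamp, and then separates the hops that the recipient's own provider recorded from the hops that only a third party vouches for. Treating ".rr.com" as the recipient's trusted provider is an assumption drawn from the top two hops; everything else is taken from the quoted headers.

```python
"""Walk an e-mail's Received: chain and report its apparent origin.

Added illustration for the thread above, not code from the forum or from
any of the posters.  SAMPLE_HEADERS is the header block quoted in the first
post, re-folded with a leading space on each continuation line.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime
from ipaddress import ip_address

SAMPLE_HEADERS = """\
Return-Path: <servpro8571@fuse.net>
Received: from mx2.biz.rr.com ([192.168.201.23]) by fep05.biz.rr.com
 (InterMail vM.5.01.03.06 201-253-122-118-106-20010523) with ESMTP
 id <20020710121652.IDYP20850.fep05.biz.rr.com@mx2.biz.rr.com>
 for <sue@kahny.com>; Wed, 10 Jul 2002 08:16:52 -0400
Received: from mta01.fuse.net (mx1.fuse.net [216.68.2.90])
 by mx2.biz.rr.com (8.11.6/8.11.6) with ESMTP id g6ACGqa21068
 for <sue@kahny.com>; Wed, 10 Jul 2002 08:16:52 -0400 (EDT)
Received: from Yzzz ([216.68.40.168]) by mta01.fuse.net
 (InterMail vM.5.01.03.01 201-253-122-118-101-20010319) with SMTP
 id <20020710121628.HBNB21594.mta01.fuse.net@Yzzz>
 for <sue@kahny.com>; Wed, 10 Jul 2002 08:16:28 -0400
From: fireserphant <fireserphant@lycos.com>
To: sue@kahny.com
Subject: Here to continue

"""

# "from <helo-name> (<comment with [ip]>) by <server>"; the comment is optional.
HOP_RE = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?\s+by\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(header_text):
    """Return the Received: hops oldest-first (origin towards the recipient)."""
    msg = message_from_string(header_text)
    hops = []
    for raw in msg.get_all("Received", []):
        value = " ".join(raw.split())  # unfold the header onto one line
        m = HOP_RE.search(value)
        if not m:
            continue
        claimed, comment, by = m.group(1), m.group(2) or "", m.group(3)
        ip_m = IP_RE.search(comment)
        ip = ip_m.group(1) if ip_m else None
        stamp = None
        if ";" in value:
            # The date follows the last ';'; drop comments such as "(EDT)".
            date_text = re.sub(r"\([^)]*\)", "", value.rsplit(";", 1)[1]).strip()
            try:
                stamp = parsedate_to_datetime(date_text)
            except (TypeError, ValueError):
                stamp = None
        hops.append({
            "claimed": claimed,   # name the sending host announced (HELO)
            "ip": ip,             # address the receiving server actually saw
            "by": by,             # server that wrote this Received: line
            "time": stamp,
            "private": bool(ip) and ip_address(ip).is_private,
        })
    hops.reverse()  # each relay prepends its line, so the last one is the origin
    return hops


def trace_origin(hops, trusted_suffix):
    """Split the chain into hops your own provider recorded and hops that
    only an outside server vouches for.

    'last_verified_ip' is the address that handed the message to the first
    server you trust; 'claimed_origin' is what the bottom Received: line
    asserts, which could have been written by anyone upstream.
    """
    claimed_origin = hops[0]["ip"] if hops else None
    last_verified_ip = None
    for hop in reversed(hops):  # newest hop (closest to the recipient) first
        if hop["by"].lower().endswith(trusted_suffix.lower()):
            last_verified_ip = hop["ip"]
        else:
            break
    return {"claimed_origin": claimed_origin, "last_verified_ip": last_verified_ip}


if __name__ == "__main__":
    chain = parse_received(SAMPLE_HEADERS)
    for h in chain:
        note = " (private/internal relay)" if h["private"] else ""
        print(f"{h['time']}  {h['claimed']:<16} {h['ip']}{note}  -> {h['by']}")
    # Assumption: biz.rr.com is the recipient's provider, so its hops are trusted.
    print(trace_origin(chain, ".rr.com"))
```

Running it prints the three hops in delivery order and then the split: the bottom line claims the message came from a host calling itself "Yzzz" at 216.68.40.168, but the last hop a biz.rr.com server witnessed is 216.68.2.90 (mx1.fuse.net). That is why, as aleekat and Welshjim note, the 216.68.40.168 address is only as reliable as the fuse.net relay that wrote it: it is the ISP that can tie that dial-up address to a customer, not the recipient. The 192.168.201.23 hop is flagged as a private address, which simply reflects an internal relay inside the recipient's provider.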
  6. 2002/07/11
    Bill Kahny

    Bill Kahny Well-Known Member Thread Starter

    Joined:
    2002/02/11
    Messages:
    31
    Likes Received:
    0
    Thanks to all

    Fuse and Zoomtown are both legitimate ISP providers here in Cincinnati. They are both provided by Cincinnati Bell.

    The message itself was just code, no identifiable text, and I don't know the sender.

    This came in the day after we did receive a virus that Norton AV identified. The email that was definitely a virus was opened and deleted before I had time to get the header to see who it was from. I was looking at this one to see if I could contact the sender and see if they were aware of a virus on their computer. I suspect both came from the same sender.
     
  7. 2002/07/11
    rcerrato

    rcerrato Inactive

    Joined:
    2002/01/07
    Messages:
    155
    Likes Received:
    1
    Bill

    Due to the nature of how many viruses spread through the address book, when we can identify the sender it usually only tells us which one of our friends was infected and not the originator of the virus.

    :eek:
     
  8. 2002/07/11
    Bill Kahny

    Bill Kahny Well-Known Member Thread Starter

    Joined:
    2002/02/11
    Messages:
    31
    Likes Received:
    0
    That is the main thing I wanted. I wanted to call whoever it is that's sending to me to tell them they were infected. I was hoping by tracking IP addresses a more specific name than "Fuse" would be identified (Fuse is a huge dial-up ISP here).

    I asked because I have heard of the viruses that randomly put a From address they find on the infected computer. But since an email server knows who a message is coming from, I was hoping it would lead back to something like a specific web name like bill.com.

    I realize I could go to Fuse and give them this info and they may be able to track what user had that IP at the time, but they wouldn't release that to me (I would think).

    Thanks to all, the info was interesting.
     
  9. 2002/07/11
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    Bill Kahny--Do you know fireserphant@lycos.com? That is ostensibly the email address of the person that sent the message. But as discussed, this may be a forgery and could be happening with fireserphant's knowledge.
     
  10. 2002/07/12
    Bill Kahny

    Bill Kahny Well-Known Member Thread Starter

    Joined:
    2002/02/11
    Messages:
    31
    Likes Received:
    0
    No I don't know fireserphant@lycos.com.

    That is why I was hoping a search of the IP address would lead back to a mail server name I could do more with than Fuse.com.

    Had it gone back to a name such as mail.kahny.com (this is not my mail server name, but was a few service providers ago), I could contact someone at that company name.

    Thanks for all the help. No new suspicious emails have come in, so hopefully this is over.
     
  11. 2002/07/12
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    Hope everyone knew I meant to say "this may be a forgery and could be happening without fireserphant's knowledge."
     