Ed Foster's Gripelog || Spam Notifications to Forged Sender Addresses

» All 33 InfoWorld Newsletters Technology & Business Daily

INFOWORLD GRIPE LINE BY ED FOSTER

Bookmark this page

Spam Notifications to Forged Sender Addresses

By Ed Foster, Section The Gripelog
Posted on Fri Jan 27, 2006 at 12:03:06 AM PDT

Why do people insist on sending warning e-mails to the supposed sender of virus-laden spam? After all, doesn't it merely add to the amount of unwanted e-mail we all receive? It's something I've often wondered about, as did a reader recently.

"This is a gripe about both manufacturers and users of e-mail anti-virus software," the reader wrote. "I run the IS department for a civil engineering firm with about 100 employees. Every day I get from 5 to 50 automated e-mails from notifying me that userX@ourfirm has sent infected email to someone at their site. Often this is an account that doesn't even exist."

"Invariably this is based on the 'From:' field of the infected e-mail!" the reader continued. "How many viruses do you know of that use the real sender's e-mail address? It's even more annoying, when the headers they send back with the message show the e-mail did not originate at our IP address! Why can't the makers of the software put the default to not send these useless responses out or the folks configuring these systems turn it off? I get enough junk mail each day without having to deal with this as well."

Would we be better off, as the reader suggests, if anti-virus software wasn't set to send out these alerts? Let us know what you think by posting your comments below or writing me at Foster@gripe2ed.com.

< Licensed Users or Licensed Machines? | Starting a EULA Library >

Spam Notifications to Forged Sender Addresses | 39 comments (39 topical) | Post A Comment

Absolutely absurd[ Reply to This ] (none / 0) (#1)
by wantobe on Fri Jan 27, 2006 at 03:17:26 AM PDT

I agree with the user; it makes no sense at all to send a warning to the "from" address of a virus or spam email. The one thing you can almost be sure of is that the address in the "from" field is THE person the mail did NOT come from. Most personal anti-virus programs don't have this setting, I believe, but coporate products do, and it's stupid.

Rob Miles
--
There are 10 kinds of people in the world; those who understand binary and those who don't.
[ Reply to This ]

Clueless admins[ Parent | Reply to This ] (none / 0) (#19)
by Anonymous User on Tue Jan 31, 2006 at 06:54:49 PM PDT

I've had the policy of not "informing" the 'from' field address of a virus laden message since the first couple of zombie mailer worms. It's a shame that there are products and admins out there still doing so.

[ Parent | Reply to This ]

ask[ Parent | Reply to This ] (none / 0) (#38)
by masa on Mon Mar 10, 2008 at 06:11:09 PM PDT

H@@
fZfbfNfXftfOef"fh
--`<l
fffŠfofŠ[fwf<fX
fGfbf`
fGf
fAff<fgfrfffI
-³C³"® °°°æ
--`<l
f[fvf °°°f"fh
fffŠfwf<
fGf"® °°°æ
fGf
fGfbf`"® °°°æ
fGfbf`
lÈ
n--
,¦,Á,¿
-³C³
ffŠfRf"
fZfbfNfX
SM
fAff<fg"® °°°æ
fAff<fg
--`
,¨,Ü,ñ,±
,¨,ß,±
fIfifj[
fGf
fGfbf`
fGfbf`
fGfbf`
fAff<fgfrfffI
fGfbf`
fGfbf`
-³C³
fGffTfCfg
--`<l
-³C³"® °°°æ
-³C³"® °/°°æ
fZfbfNfXftfOef"fh
fZfbfNfXftfOef"fh
fZfbfNfXftfOef"fh
fZfbfNfXftfOef"fh

[ Parent | Reply to This ]

sd[ Parent | Reply to This ] (none / 0) (#61)
by masa on Thu May 15, 2008 at 12:51:53 PM PDT

<h2>fLfffbfVf"fO<h2>

fLfffbfVf"fOf[f"fLfffbfVf"fOf[f"fLfffbfVf"fOf[f",ð"äŠr
fLfffbfVf"fOfLfffbfVf"fOfLfffbfVf"fO"äŠrfTfCfg
fLfffbfVf"fO^ê----fLfffbfVf"fO^ê----fLfffbfVf"fO^ê----
fLfffbfVf"fO"äŠrfLfffbfVf"fO"äŠrfLfffbfVf"fO,¾,æI
fLfffbfVf"fOfLfffbfVf"fOfLfffbfVf"fO
<H2>o °°°ï,¢<H2>

V,µ,¢o °°°ï,¢,ª,·,®,Å,«,é,±,ÆŠÔ ^á,¢,È,¢,Å,µ,å,¤I
o °°°ï,¢OenfTfCfgo °°°ï,¢OenfTfCfgo °°°ï,¢OenfTfCfg^ê----
-³--¿o °°°ï,¢-³--¿o °°°ï,¢-³--¿o °°°ï,¢fTfCfg
o °°°ï,¢fJftfFo °°°ï,¢fJftfFo °°°ï,¢fJftfF,Ä °°°½
`Ò,¿‡,í,¹`Ò,¿‡,í,¹`Ò,¿‡,í,¹,Í,Ç,±
o °°°ï,¢fTfNf °°°o °°°ï,¢fTfNf °°°o °°°ï,¢fTfNf °°°,É'...,¨t,¯
-³--¿o °°°ï,¢-³--¿o °°°ï,¢-³--¿o °°°ï,¢fTfCfg
--D--Ço °°°ï,¢--D--Ço °°°ï,¢--D--Ço °°°ï,¢W‡
o °°°ï,¢OenfTfCfgo °°°ï,¢OenfTfCfgo °°°ï,¢OenfTfCfgf °°°f"fLf"fO
o °°°ï,¢o °°°ï,¢o °°°ï,¢,½,¢,·,×,Ä,Ìo °°°ï,¢fT[frfX,ð-³--¿,Å'ñ<Ÿ,µ,Ä,¨,è,Ü,·B
o °°°ï,¢OenfTfCfgo °°°ï,¢OenfTfCfgo °°°ï,¢OenfTfCfg,ð`I,Ô
o °°°ï,¢,¾,æo °°°ï,¢o °°°ï,¢OenfTfCfg,Ä °°°½H ,
o °°°ï,¢OenfTfCfgo °°°ï,¢OenfTfCfgo °°°ï,¢,Å--V,Ú,¤I
o °°°ï,¢U--ªo °°°ï,¢U--ªo °°°ï,¢U--ª,·,é,É,Í
-³--¿o °°°ï,¢-³--¿o °°°ï,¢-³--¿,Åo °°°ï,¦,é,ÌH
--D--Ço °°°ï,¢--D--Ço °°°ï,¢--D--Ço °°°ï,¢,ÌffŠfbfg,ÍH
o °°°ï,¢`Š'ko °°°ï,¢`Š'ko °°°ï,¢`Š'k,Å,«,é,Ì
o °°°ï,¢`ÌOe±o °°°ï,¢`ÌOe±'ko °°°ï,¢`ÌOe±'k,Í,±,¿,ç
o °°°ï,¢f}fjf...fAf<o °°°ï,¢f}fjf...fAf<o °°°ï,¢f}fjf...fAf<,Í, ,é,Ì
o °°°ï,¢fTfNf °°°o °°°ï,¢fTfNf °°°o °°°ï,¢fTfNf °°°åWI
o °°°ï,¢fJftfFo °°°ï,¢fJftfFo °°°ï,¢fJftfF,Ä °°°½H
^«"¿o °°°ï,¢^«"¿o °°°ï,¢^«"¿o °°°ï,¢,¾,æ
o^§<óŠÔo^§<óŠÔo^§<óŠÔ,Å--V,Ô
fZftfOefZftfOefZftfOe,ªW,¤fTfCfg
`Ò,¿‡,í,¹`Ò,¿‡,í,¹`Ò,¿‡,í,¹,²Šó-]
--öl--öl--öl,ª--~,µ,¢
<h2>fGf</h2>
fGf"® °°°æfGf"® °°°æfGf,¾,æ
fGffGffGf,µ,©,Ë,È
fGf"® °°°æfGf"® °°°æfGf"® °°°æ,ð'T,·
fGf"® °°°æfGf"® °°°æfGf"® °°°æ,ðOe©,é
fGffGffGf,ð'T,·B
fGffGffGfâ`Î
fGffGffGfW‡
fGf °°°æ`oefGf °°°æ`oe fGf °°°æ`oeŽûW °°°Æ
fGffTfCfgfGffTfCfgfGffTfCfg,Å,à
fGffGffGf,Å-ž`«
fGffGffGf,ª,Ý,½,¢
<h2>--`</h2>
*--`--`--`,ðï,Ô
*--`<l--`<l--`<lL
*--`--`--`îñ
--`<l--`<l--`<låW
f[fvf °°°f"fhf[fvf °°°f"fhf[fvf °°°f"fh,Å--V,Ô
<h2>fffŠfofŠ[fwf<fX<h2>
fffŠfofŠ[fwf<fXfffŠfofŠ[fwf<fXfffŠfofŠ[fwf<fX,Å--V,Ú,¤
<h2>fffŠfwf<</h2>
fffŠfwf<fffŠfwf<fffŠfwf<,ðOeÄ,Ú,¤
fffŠfwf<fffŠfwf<fffŠfwf<,ðï,Ô
<h2>fZfbfNfX</h2>
fZfbfNfXfZfbfNfXfZfbfNfX,µ,½,¢
fZfbfNfXftfOef"fhfZfbfNfXftfOef"fhfZfbfNfXftfOef"fh,ð'T,·
fZfbfNfXfZfbfNfXfZfbfNfXfsfXfgf<fY
fZfbfNfXfZfbfNfXfZfbfNfX,µ,½,¢lŽð<
fZfbfNfXftfOef"fhfZfbfNfXftfOef"fhfZfbfNfXftfOef"fh,ð`I,Ô
fZfbfNfXftfOef"fhfZfbfNfXftfOef"fhfZfbfNfXftfOef"fh,ð`I,Ô
fZftfOefZftfOefZftfOefLfX
<h2>fGfbf`</h2>
fGfbf`fGfbf`fGfbf`ê-å,Å
fGfbf`"® °°°æfGfbf`"® °°°æfGfbf`"® °°°æ
fGfbf`fGfbf`fGfbf`,·,²,¢
fGfbf`fGfbf`fGfbf`,µ,½,¢,Ë
H H H,Å,¢,
<h2>,¦,Á,¿<h2>
,¦,Á,¿,¦,Á,¿,¦,Á,¿,ðOe©,Â,¯,é
<h2>fAff<fg</h2>
fAff<fgfAff<fgfAff<fg,ðOe©,é
fAff<fg"® °°°æfAff<fg"® °°°æfAff<fg"® °°°æ,ð'T,·
fAff<fg"® °°°æfAff<fg"® °°°æfAff<fg"® °°°æ,µ,©,Ë
fAff<fgfrfffIfAff<fgfrfffIfAff<fgfrfffI,ð`I,Ô
fAff<fgfAff<fgfAff<fg,Å,à
fAff<fgfrfffIfAff<fgfrfffIfAff<fgfrfffI,ðOe©,é
fAff<fg"® °°°æfAff<fg"® °°°æfAff<fg"® °°°æ,ðï,Ô
<h2>-³C³<h2>
-³C³-³C³"® °°°æ-³C³,ðOe©,½,¢
-³C³-³C³-³C³,«,Â,Ë
-³C³-³C³-³C³"® °°°æ,ð,Ý,½,¢
-³C³"® °°°æ-³C³,Å,Ë
<h2>lÈ</h2>
lÈlÈlÈ,Æ--V,Ô
lÈlÈlÈ,Å,·,ª

n--n--n--,ª,·,«
ffŠfRf"ffŠfRf"ffŠfRf",Í,¾,ß
SM SM SM,ÍD,«,Å,·,©
,¨,Ü,ñ,±,¨,Ü,ñ,±,¨,Ü,ñ,±,µ,½,¢
fIfifj[fIfifj[fIfifj[,ð,·,é
,¨,ß,±,¨,ß,±,¨,ß,±,ÍŠÄŽ<

[ Parent | Reply to This ]

yes[ Parent | Reply to This ] (none / 0) (#78)
by maderikapapa on Sat Jun 28, 2008 at 02:05:28 AM PDT

出会い系出会い系サイト出会い喫茶出会い掲示板ナンパ出会いカフェ人妻出会い無 009;系サイト優良出会い系攻略完全無料。アダルトビデオアダルト動画アダルトアニメアダルト画像アダル 488;サイト無料DVDアダルト風俗サンプル無料風俗優良アダルトサイト比較海 806;。人妻画像人妻パラダイス知合い人妻援護会人妻コレクション風 439;告白。熟女画像東京熟女掲示板動画熟女ビデオおまんこオナニー。エロ画像エロフラッシュアニメ 456;ロ動画エロゲームエロ漫画無料エロサイト。エッチ画像エッチ動画エッチ小説写真エッチ 450;ニメエッチ0930。セックスアナルセックス画像セックス動画セックスフレンドスワッピング SEX写真セックスボランティセ 483;クス体位東京セックス仕方 SEX。おっぱい画像おっぱい村長おっぱい楽園掲示板お 387;ぱい命おっぱいゲーム。巨乳動画巨乳画像アイドル巨乳 522;示板風俗。セフレ募集セフレ掲示板セフレ画像掲示板セフレの作り方出会い無料素人セフレ。童貞狩りエロ漫画童貞狩り童貞喪失童貞オークション素人童貞逆援。不倫パートナー不倫出会い人妻不倫不倫を楽しみたい方にはお薦め 154;妻画像など満載出会いサイトを楽しむならココ無料出会いで一緒に遊ぼう出会いはLOVEｱｹﾞｲﾝで決まり

[ Parent | Reply to This ]

HRZ[ Parent | Reply to This ] (none / 0) (#62)
by Anonymous User on Sat May 17, 2008 at 09:57:43 PM PDT

��װ�޹�˾ ��װ�ι�˾ ��װ�� װ�� ڳ��װ�� д��¥װ�� ڱ��װ�� ڼ�ͥװ�� ڳ��װ�� д��¥װ�� ڱ��װ�� ڰ�ҹ�˾ ��ҹ�˾ ��ڰ�ҹ�˾ �յ�ά�� ڵ��˾ ��ڰ�ҹ�˾ ��ڰ�� װ�ι�˾ ��ڿյ��ѩ�� װ�ޣ��װ�޹�˾��ڼ�ͥװ�ޣ��ڳ��װ�ޣ��д��¥װ�� ڵ�װ��˾ ��ڰ᳧��˾ ��޺��ҹ�˾ ��ڸ��ҹ�˾ ��ɽ��ҹ�˾ ��ҹ�˾ ��ڱ��ҹ�˾ ��ҹ�˾ ��ڰ�ҹ�˾ ��ڲ��ҹ�˾ ��β�峵�� ڿյ��װ��˾ ��ڻ�� ktwxgs.blog.tianya.cn

[ Parent | Reply to This ]

Recommendation[ Reply to This ] (none / 0) (#2)
by Anonymous User on Fri Jan 27, 2006 at 05:19:12 AM PDT

Many people recommend that you not reply to the email because sometimes the reply address will be monitored and if you send a reply you are validating that the spam did reach a legit email address, whereas if you don't reply and the email system does not send a bounce notice, the spammers do not know whether or not the email address is valid.

[ Reply to This ]

You missed...[ Parent | Reply to This ] (none / 0) (#7)
by Anonymous User on Fri Jan 27, 2006 at 11:24:50 PM PDT

...the point.

[ Parent | Reply to This ]

yes[ Parent | Reply to This ] (none / 0) (#75)
by maderikapapa on Sat Jun 28, 2008 at 12:33:04 AM PDT

They serve one valid purpose[ Reply to This ] (none / 0) (#4)
by LasVegan on Fri Jan 27, 2006 at 11:47:19 AM PDT

If you're being rejected over a false positive you at least know why. If the anti-virus-makers were perfect this would be a non-issue but the number of false positives is growing. They're so obsessed with virus kill counts that they hunt things that aren't viruses at all. I was used to 20+ false virus reports from every weekly scan from Norton. I replaced it with ZoneAlarm's version and all the false reports went away--and I find there was a legit (albeit harmless) report buried in there that I hadn't noticed in two months. On other system, McAfee is obsessed with having found an example of the malformed archive virus, which of course is nothing but a damaged zip file and not malware at all. Unfortunately it keeps being replaced by a synchronizing system and I haven't taken the time to kill it in all locations at once so it keeps coming back.

[ Reply to This ]

It's been going on for years, ut not so bad now[ Reply to This ] (none / 0) (#5)
by foxyshadis1 on Fri Jan 27, 2006 at 08:24:48 PM PDT

Actually, a number of anti-virus firms quietly either dropped this or disabled it by default over the years when actual viruses & spam almost immediately picked up their taglines ("Scanned by Trend Micro, protect your business!" "Symantec Antivirus has detected that you have been infected by a virus, please run this cleanup tool to disinfect your system", etc). I have no idea what Symantec and McAffee do, though.

Nowadays a number of email servers and hardware reduce "backscatter" by filtering bounces, automated replies, and so on, and refusing to send them, which is somewhat unfortunate because of their convenience but outweighed by the sheer brokenness of the mail protocols to validate them. =\

[ Reply to This ]

Nifty.[ Reply to This ] (none / 0) (#6)
by foxyshadis1 on Fri Jan 27, 2006 at 08:34:18 PM PDT

This works if the mailserver connects directly to both the client and server, which is how Exchange and Lotus act. It works the same way as NDRs like "message has been delayed" and "connection refused", but it won't work if the mail is relayed; the relay has to generate and send back a bounce which might then get filtered.

[ Reply to This ]

yes[ Parent | Reply to This ] (none / 0) (#77)
by maderikapapa on Sat Jun 28, 2008 at 12:33:33 AM PDT

It's not an HTTP 550 error...[ Reply to This ] (none / 0) (#8)
by Anonymous User on Fri Jan 27, 2006 at 11:38:22 PM PDT

...it's SMTP

[ Reply to This ]

550 error[ Parent | Reply to This ] (none / 0) (#36)
by Anonymous User on Sun Mar 09, 2008 at 08:40:47 AM PDT

buy cialis ** acomplia ** generic viagra

[ Parent | Reply to This ]

Use BATV[ Reply to This ] (none / 0) (#9)
by jasonnet on Sat Jan 28, 2006 at 04:49:41 AM PDT

Look at the BATV standard. It should help you to eliminate bogus bounce messages. http://gotroot.com/tiki-view_cache.php?url=http%3A%2F%2Fwww.ietf.org%2Finternet-drafts%2Fdraft-levin e-mass-batv-00.txt

[ Reply to This ]

It's called outscatter, aka backscatter[ Reply to This ] (none / 0) (#10)
by Anonymous User on Sat Jan 28, 2006 at 09:26:53 AM PDT

Outscatter is a better name for it, since the resulting abusive traffic isn't going "back" from whence it came, but is instead directed toward uninvolved third parties. However, "backscatter" has been around a bit longer as a slang term for it, and so both are used. The causes? Broken mail/anti-virus/anti-spam software, misconfigured mail/anti-virus/anti-spam software. Some things (e.g. Exchange, qmail) are broken-by-design; other things (often anti-spam products) are broken-by-implemetation. The sad part is that although it's quite easy to reduce outscatter to very low levels (and in most casees, to eliminate it entirely) a large nunber of sites haven't bothered to do so. Apparently they feel it's appropriate for them to "dispose" of trash mail traffic by selecting a random network neighbor and throwing it at them. The sadder part is that many vendors encourage this behavior: the default behavior of a Barracuda spam "firewall", as shipped, and as recommended by the vendor, generates outscatter. (The vendor has been informed. They refuse to correct this massive mistake on the flimsy grounds that it's "what their customers want".) They're not alone, however: a great many AV companies have deliberately set up their products to abuse third parties by sending outscatter -- and they also refuse to fix their broken products. The saddest part is that some people simply Do Not Get It when it comes to outscatter. There was recently a lengthy discussion on NANOG about a snake-oil bit of technology called "BATV"; the clueless idiots have turned out to be too dense to grasp that the solution for outscatter is NOT to try to deliver it more accurately; the solution is not to deliver it anywhere, ever. The ignorance displayed was truly amazing; I've no doubt that if these clowns actually convince some of the ignorant and naive to implement it that it will be necessary to blacklist their networks in order to put a cork in the torrent of abuse they'll unleash.

[ Reply to This ]

Blocklisting Bait[ Parent | Reply to This ] (none / 0) (#12)
by Anonymous User on Sat Jan 28, 2006 at 04:28:33 PM PDT

You mentioned NANOG, and I've been lurking around NANAE (news.admin.net-abuse.email) where the activists have resolved pretty much to begin adding hosts guilty of backscattering to the blocklists. I won't speculate who will win this war between purists and innovators, but I find I agree with the former.

Ed Hurst (je hurst at gmail dot com)

[ Parent | Reply to This ]

yes[ Parent | Reply to This ] (none / 0) (#74)
by maderikapapa on Sat Jun 28, 2008 at 12:32:41 AM PDT

How about back-back-scatter..[ Parent | Reply to This ] (none / 0) (#15)
by Anonymous User on Mon Jan 30, 2006 at 11:51:45 AM PDT

So it sounds like we need a filter set up to send back another response to the idiots that have their AV software setup to do this. It should let them know how ignorant they are about how the mail system works... Lets just see how far this weapons race goes ;-)

[ Parent | Reply to This ]

Punish the stupid vendors...[ Parent | Reply to This ] (none / 0) (#17)
by Reziac on Mon Jan 30, 2006 at 12:33:35 PM PDT

... by setting your own AV/anti-spam software to send THEM all the back-and-outscatter ;)
~REZ~
[ Parent | Reply to This ]

yes[ Parent | Reply to This ] (none / 0) (#71)
by maderikapapa on Fri Jun 27, 2008 at 10:59:16 PM PDT

Not entirely useless[ Reply to This ] (none / 0) (#11)
by Anonymous User on Sat Jan 28, 2006 at 09:44:46 AM PDT

I while back I started getting a moderate number of these bounce messages for a customer whose website I manage. I got enough to see that they were originating from a couple different DSL accounts. I sent sample headers to the abuse addresses of the DSL providers (SBC and Alltel) letting them know of apparent zombies. Believe it or not, a couple of weeks later the messages stopped. Of course, it's possible that SBC and Alltel ignored my messages and the bounces stopped purely as a coincidence. But I like to think otherwise.

[ Reply to This ]

Far too optimistic[ Parent | Reply to This ] (none / 0) (#13)
by Anonymous User on Sun Jan 29, 2006 at 09:08:02 AM PDT

It's a fine sentiment to believe that perhaps SBC and/or Alltel took action on the reports that you provided to them; but experience (a mountain of experience) (a VERY BIG mountain of experience built up over many years) strongly suggests that your observation is nothing more than coincidence. I've long since given up reporting zombies to both of these (among many others) because my observation is that the unceasing flow of abuse will continue without interruption for years at a time. There is thus no point in wasting my valuable time providing them with free consulting advice about issues on their network(s); my time is better spent doing what I can to stop it, which means (in nearly all cases) permanent blacklisting. It also means sharing that blacklist information with others who also seek to defend themselves from abuse. I *wish* it were otherwise. But it's not. SBC, Alltel, and the rest are perfectly capable of detecting spam-spewing zombies on their networks merely by counting the outbound SMTP connection initiation rate, something well within the grasp of even a newbie network engineer. THe fact that they have refused to take such elementary steps as these speaks volumes about their incompetence and irresponsibilty.

[ Parent | Reply to This ]

yes[ Parent | Reply to This ] (none / 0) (#72)
by maderikapapa on Fri Jun 27, 2008 at 11:46:12 PM PDT

Yep an old problem[ Reply to This ] (none / 0) (#14)
by Anonymous User on Mon Jan 30, 2006 at 11:05:44 AM PDT

I mentioned this 2-1/2 years ago to Fred Langa and was discussed in the article here: http://www.informationweek.com/story/showArticle.jhtml?articleID=14700320

[ Reply to This ]

yes[ Parent | Reply to This ] (none / 0) (#73)
by maderikapapa on Sat Jun 28, 2008 at 12:32:25 AM PDT

Antiquated technology[ Reply to This ] (none / 0) (#16)
by kamnet on Mon Jan 30, 2006 at 12:21:51 PM PDT

This is a good example of how rapidly technology can beome outdated.

This feature was useful in the days before forged headers in spams and trojans were even thought of. In those times those items were only sent out with headers from legitimate accounts that were legitimately infected or being abused.

Of coruse that hasn't been the case for about 3-4 years now. Most systems that continue to send out these warnings are older systems which are only updating their AV and scanning packages, but not updating the entire program.

[ Reply to This ]

Reviewing Headers can lead to SENDER[ Parent | Reply to This ] (none / 0) (#18)
by Anonymous User on Tue Jan 31, 2006 at 12:37:16 PM PDT

I have looked at the headers on some of the virus laden spam...because I saw the computer nam