Yes... BUT [ don't you love the "BUT"s, :o) ] if the virus sends itself using just the FROM address, then hitting reply will go, like you said, to the sender. On our list, as most other lists, while the FROM address will show who actually wrote the email (forged by the virus), the REPLY-TO address is PCTECHTALK. That is why if you're reading email to the list, and it says from SIRTROTH, hitting REPLY doesn't reply to SIRTROTH, but rather PCTECHTALK, because the REPLY-TO address is PCTECHTALK. These viruses usually don't touch the REPLY-TO address, so if you hit REPLY to this spoofed virus email, it will go to that spoofed address. If the mail really did come through the list, hitting REPLY will reply back to PCTECHTALK. Is it always like this? Of course not. If the virus also adds a REPLY-TO address, then THAT's the address that you will reply to. :o) .::] Sir Troth [::.. _________________________________ AOL: SirTrothX Please, no email at this address! _________________________________ ::: Original Message by Christy ::: Tue, 28 Oct 2003 02:55:11 -0500 | Good morning | | | Actually troth in this case no you cant hit reply to | see where the email is coming from. Klez is a smart | worm in the fact it can make the email appear its | coming from any number of places. For example if an | infected person had both the list address and Your | address either in the address book or in any | read/unread emails or in a file of sorts saved on the | hard drive Klez can use both addresses one as the TO | and one as the apparent from address. | | Glen has the right idea, the only way to really tell | is via the ip information in the headers if you can | find them (some programs don't show everything). | | Hopefully that helps some | | Christy | | *********** REPLY SEPARATOR *********** | | On 10/27/03 at 4:17 PM ~OoO~ wrote: | | >Here's how you can tell if its coming from the list | or not... hit the | >REPLY button to the email, and see if the return | message your composing | >gets addressed to PCTechTalk. | >::: Troth ::: | >______________________ | >ICQ: 1717439 | >MSN: SirTroth@xxxxxxxxxxx | >Yahoo IM: SirTroth | >AIM/AOL: SirTrothX | >______________________ | > | > | >::: Original Message | >::: Sent Mon, 27 Oct 2003 11:37:05 -0800 (PST) by | Glen | >| My thought on the virus.... | >| Since it is the Klez virus, then the headers are | >| forged. The only way to tell who it is from is by | the | >| originator's IP. | >| | >| Second... | >| I don't think this virus came through the list. | >| I suspect one of our members is infected and they | >| probably use outlook or outlook express. | >| | >| Since this is a list everytime some replies or | post to | >| the list, their emails will sit in someones inbox. | >| Lets say outlook. Klez scans all folders in | outlook | >| for email address, then starts mailing itself out. | >| | >| Now that Klez is sending out the virus to everyone | >| that posted to PCTechTalk. Since PCTechTalk is put | in | >| the subject line by FreeList and nearly everyone | has | >| filters set up on incoming email to drop | PCTechTalk | >| emails to a specific folder, then this looks like | it | >| is coming from PCTechTalk. | >| | >| Just my thoughts. | >| | >| Glen | >| | | To unsub or change your email settings: | //www.freelists.org/webpage/pctechtalk | | To access our Archives: | http://groups.yahoo.com/group/PCTechTalk/messages/ | //www.freelists.org/archives/pctechtalk/ | | For more info: | //www.freelists.org/cgi-bin/list?list_id=pctechtalk To unsub or change your email settings: //www.freelists.org/webpage/pctechtalk To access our Archives: http://groups.yahoo.com/group/PCTechTalk/messages/ //www.freelists.org/archives/pctechtalk/ For more info: //www.freelists.org/cgi-bin/list?list_id=pctechtalk