Here is the info on this one from another list. Maybe everyone that gets this should report them.

Yes. I find it easiest to work the headers from bottom up as this indicates the path the e-mail message traveled. Some people prefer top-down method.

The general format of a Received: line is

    ["from" host] "by" host ["via" network] ["with" protocol] "unique id" string ["for recipient" address] ";" date

Optionally you can think of it as

    Received from Named Server [receiving server IP address] by Receiving server (receiving server software)

So the sender was ps99bnwq.willinet.net which has an IP address of 65.114.216.84. You should always verify the IP address and name by using nslookup.

nslookup results for: 65.114.216.84

    Server: ns1.superb.net
    Address: 207.228.225.5

    Name: ps99bnwq.willinet.net
    Address: 65.114.216.84

Next I use nslookup and an MX request to find the mail exchanger records.

nslookup results for: -q=mx willinet.net

    Server: ns1.superb.net
    Address: 207.228.225.5

    Non-authoritative answer:
    willinet.net preference = 10, mail exchanger = intrigue.willinet.net

    Authoritative answers can be found from:
    willinet.net nameserver = land.willinet.net
    willinet.net nameserver = ns2.cw.net
    intrigue.willinet.net internet address = 198.49.30.38
    land.willinet.net internet address = 198.49.30.33

So the user and mail server are both at willinet.net and the user identified himself to the mailer as kennyb (from the standard SMTP [Simple Mail Transfer Protocol] HELO command which also shows the userid).

Well, let's see what we can find out about willinet.net. To do so we use a whois server.

    Registrant:
    Williams & Company Consulting, Inc (WILLINET-DOM)
    814 Pierce St
    Sioux City, IA 51101
    UNITED STATES

    Domain Name: WILLINET.NET

    Administrative Contact:
    Hostmaster (HO11224-OR) hostmaster@xxxxxxxxxxxxxxx
    Williams & Company
    814 Pierce St
    Sioux City , IA 51101
    UNITED STATES
    712-252-4041 Fax- 712-252-5974

    Technical Contact:
    Hostmaster, Willinet Internet (PD84) hostmaster@xxxxxxxxxxxx
    Williams & Company Consulting Inc
    814 Pierce St
    Sioux City, IA 51101
    712-252-4041

    Billing Contact:
    Accounts Payable (AP18793-OR) ap@xxxxxxxxxxxxxxx
    Williams & Company
    814 Pierce St
    Sioux City , IA 51101
    UNITED STATES
    712-252-4041 Fax- 712-252-5974

    Record last updated on 12-Apr-2001.
    Record expires on 20-Dec-2002.
    Record created on 19-Dec-1995.
    Database last updated on 21-Nov-2001 05:30:00 EST.

    Domain servers in listed order:
    LAND.WILLINET.NET 198.49.30.33
    NS2.CW.NET 204.70.57.242

>If I read this correctly, this certain one was sent to two addresses at the
>same time?

Not really as the "for" is horribly mangled. Look where the double quotation marks start and end. This is the main reason for you seeing them in the header. Your POP3 client correctly specifies to whom the message was sent -- jeff@....

Looking at the whois information (no real names, just bogus user names), I'd bet that "spam" actually was sent by this site and the spammer and domain owner are one and the same.

If you have to complain about the spam, here are a couple of things to do:

1) Try the actual domain first (give them the benefit of doubt), that is, address a complaint to "hostmaster@xxxxxxxxxxxx"

2) If satisfied by results from 1) you are done, if not, turn them in to Spamcop (http://spamcop.net/) and at the same time send a complaint to the upstream provider.

The upstream provider is determined by looking at the results of the whois search and the domain name servers, in this case, NS2.CW.NET. A whois search on CW.NET will give you the administrative contact address.
You can also look for an abuse or spam reporting address at http://www.cw.net/

Jeff
mailto:Jeff@xxxxxxxxxxxxxxxxxx
www.9-11-2001tragedy.com
FAX 1-413-280-0677
Intrepid Video & Electronics
Harrisburg, PA 17111
717-909-8844
www.intrepid-video.com
www.tech-repair.net
www.thetoolcaddy.com

----- Original Message -----
From: "DOCVIDEO" <DOCVIDEO@xxxxxxxxxx>
To: <techassist@xxxxxxxxxxxxx>
Sent: Thursday, November 22, 2001 12:59 AM
Subject: [TechAssist] VIRUS WARNING " LHJDHKLH.EXE "

>
> Just received a virus " Troj_HYBRAIS.B" which virus program states is non-cleanable
> and quarantined.
>
> There was no sender name just a blank email with an attachment.....
> On checking sender source only return address was ...
> intrigue.willnet.net
> 65.114.216.108
> 198.49.30.38
>
>
>
> MONTE MONCRIEF
> BAKERSFIELD, CA.
> DOCVIDEO@xxxxxxxxxx
>
> =================================
> Help make your TechAssist database better!
> Submit your fixes here: http://circuitwork.com/techassist/tip/#tips
> =================================
> To UNSUBSCRIBE your email address, click here:
> mailto:techassist-request@xxxxxxxxxxxxx?subject=unsubscribe
>
> =================================
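
The bottom-up reading of Received: lines described in the message above, as an added Python example (not part of the original post or its author's tooling). The sample header is constructed: the sending host, its IP and the HELO name come from the post, while mx.recipient.example, pop.recipient.example, the ids, the dates and the quoted 'for' text are assumptions.

```python
import re
from email import message_from_string

# Constructed sample. The sending host, its IP and the HELO name "kennyb" are
# from the post; the receiving hosts, ids, dates and 'for' text are made up.
RAW = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
    by pop.recipient.example (8.11.6/8.11.6) with ESMTP id fAM600002
    for <jeff@recipient.example>; Thu, 22 Nov 2001 01:00:02 -0500
Received: from kennyb (ps99bnwq.willinet.net [65.114.216.84])
    by mx.recipient.example (8.11.6/8.11.6) with SMTP id fAM600001
    for <"jeff@recipient.example>"; Thu, 22 Nov 2001 01:00:01 -0500
Subject: constructed sample
"""

def parse_received(value):
    """Split one Received: value into its from/by/with/id/for/date parts."""
    text = " ".join(value.split())  # unfold continuation lines
    clauses, sep, date = text.rpartition(";")
    if not sep:  # header without a date part
        clauses, date = text, ""
    def find(pattern):
        m = re.search(pattern, clauses)
        return m.groups() if m else (None, None)
    hop = {"date": date.strip(), "notes": []}
    hop["helo"] = find(r"\bfrom (\S+)")[0]
    # "(name [ip])" is what the receiving server recorded about the peer
    hop["rdns"], hop["ip"] = find(r"\((?:(\S+) )?\[([0-9A-Fa-f.:]+)\]\)")
    for key in ("by", "with", "id"):
        hop[key] = find(rf"\b{key} (\S+)")[0]
    hop["for"] = find(r"\bfor (.+)$")[0]
    return hop

def trace(raw):
    """Return the hops oldest first (bottom-up) with review notes attached."""
    values = message_from_string(raw).get_all("Received", [])
    hops = [parse_received(v) for v in reversed(values)]
    for prev, hop in zip([None] + hops, hops):
        if hop["helo"] and hop["rdns"] and hop["helo"].lower() != hop["rdns"].lower():
            hop["notes"].append("HELO name differs from recorded peer name")
        if hop["for"] and not re.fullmatch(r"<[^<>\"\s]+@[^<>\"\s]+>", hop["for"]):
            hop["notes"].append("'for' clause is not a single <address>")
        if prev and prev["by"] not in (hop["helo"], hop["rdns"]):
            hop["notes"].append("previous 'by' host does not hand off to this hop")
    return hops

if __name__ == "__main__":
    for n, hop in enumerate(trace(RAW), 1):
        print(n, hop["helo"], hop["ip"], "->", hop["by"], hop["notes"])
```

The IP and name printed for the oldest hop are the pair to confirm with nslookup before sending a complaint.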