On Fri, 29 Aug 2003, David Frascone wrote:

> With the current virii usually forging the from field with random
> addresses from its victim's address book, I turned off my virus
> scanner's warning to the senders . . I only send a polite note to the
> intended recipient.

Don't do that. That is quite likely what the Virus writer wants you to do: Stop notifying people about infections.

The worst that happens is that people get notifications, and update their anti-virus, which finds nothing. The best that happens is that the headers included in such a notification reveal the IP address of an infected zombie.

Also, in the current cases, I don't think the addresses aren't taken from address books. I'm getting responses to addresses that haven't been used for email and addresses that haven't been used in years. Certainly, these aren't in anyone's address book. In one case, the address is on a little-used web site (but even spammers rarely spam it), and in another, it's in a reasonably public area, but not used.

The Virus writer obviously went to some trouble to pick valid addresses. It stands to reason that they expect that someone is getting mail to these addresses. It also stands to reason that the abuser expects those persons to get Virus notifications. Most probably, virus notifications tend to frustrate the purposes of the Virus operator, since the infected will not stay infected. It seems possible that the virus operators are trying to manipulate people to stop sending or responding to virus notifications.

In past cases, the forged from address was the target of the abuse: the abuser hoped to have people block mail with the common from address, thus getting some measure of revenge on that person. Most people have filtering on From: addresses for this reason.

The best thing to do in response to such an attack is to do things that frustrate the purposes of the abuser, catch the abuser, or nothing at all. Never succumb to what might be a desired manipulation--that only encourages more abuse.

--Dean
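
The point above about notification headers revealing the infected machine, as an added example that is not part of the original message: the forged From: line is ignored, and the Received chain is read from the newest hop down until it leaves the relays you control. The function name, host names, addresses and the Received layout are assumptions made for the illustration.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Constructed sample: headers of an infected message as quoted back in a
# scanner notification. All names and addresses are documentation values.
SAMPLE = """\
Received: from mx.example.org (mx.example.org [10.0.0.5])
\tby mailstore.example.org with ESMTP id A1; Fri, 29 Aug 2003 10:00:02 -0500
Received: from dsl-host.example.net (unknown [203.0.113.77])
\tby mx.example.org with ESMTP id B2; Fri, 29 Aug 2003 10:00:01 -0500
Received: from mail.forged.example ([198.51.100.9])
\tby dsl-host.example.net with SMTP; Fri, 29 Aug 2003 09:59:00 -0500
From: someone@forged.example
To: victim@example.org
Subject: Re: Details

"""

# Assumed layout: "from <helo> (<rdns> [<ip>]) by <host> ..."
RECEIVED = re.compile(r"\(.*?\[([0-9A-Fa-f:.]+)\]\)\s+by\s+(\S+)", re.S)

def infected_host_ip(raw_headers, trusted_relays, own_networks):
    """Return the IP that handed the message to our own mail servers.

    Received lines are prepended, so the newest hop is first. Only lines
    stamped by our relays are believed; anything below the first untrusted
    stamp, like the From: field, is whatever the sender chose to write.
    """
    nets = [ip_network(n) for n in own_networks]
    for value in message_from_string(raw_headers).get_all("Received", []):
        m = RECEIVED.search(value)
        if not m or m.group(2).rstrip(";").lower() not in trusted_relays:
            break  # unparseable or not ours: stop trusting the chain here
        try:
            peer = ip_address(m.group(1))
        except ValueError:
            break
        if not any(peer in net for net in nets):
            return str(peer)  # first outside host seen by a trusted relay
    return None

if __name__ == "__main__":
    relays = {"mx.example.org", "mailstore.example.org"}
    print(infected_host_ip(SAMPLE, relays, ["10.0.0.0/8"]))
```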