
Still having trouble with figuring out spam.


MakoFusion
September 4th, 2003, 09:45 PM
I still cannot figure this out...

Can anyone make heads or tails of the header that the email claims my original email came from? The header is in the body and put into a quote.

X-Message-Info: 6sSXyD95QpX1U6JAw42dFsq8wiHNpyMg
Received: from popcorn.brookdalecc.edu ([130.156.20.253]) by mc2-f14 with Microsoft SMTPSVC(5.0.2195.5600); Fri, 5 Sep 2003 18:22:25 -0700
Received: (from root@localhost) by popcorn.brookdalecc.edu (8.11.1/8.11.1) id h861HTV52283; Fri, 5 Sep 2003 21:17:29 -0400 (EDT) (envelope-from root)
Date: Fri, 5 Sep 2003 21:17:29 -0400 (EDT)
Message-Id: <200309060117.h861HTV52283@popcorn.brookdalecc.edu>
From: postmaster@popcorn.brookdalecc.edu
To: WhiteMateriaXV@hotmail.com
Subject: VIRUS IN YOUR MAIL TO <egualtieri@brookdalecc.edu>
Return-Path: root@popcorn.brookdalecc.edu
X-OriginalArrivalTime: 06 Sep 2003 01:22:26.0027 (UTC) FILETIME=[54AD13B0:01C37415]
V I R U S A L E R T
=====================================================================
We found a virus in your mail to <egualtieri@brookdalecc.edu>.
To prevent the virus from spreading any further, we stopped delivery of this email. <egualtieri@brookdalecc.edu> did NOT receive your message!
Our viruschecker found the following virus:
W32.Sobig.f
Check your system for viruses and resend your mail.
By clicking the link below, you can search the McAfee Antivirussite with Google for more information on this virus.
http://www.google.com/search?q=inurl:vil.nai.com%20W32.Sobig.f
For your reference, here are the headers from your email:
=====================================================================
------------------------- BEGIN HEADERS -----------------------------
Return-Path: <WhiteMateriaXV@hotmail.com>
Received: from NIRAV-96PSAV9DH (bgp616145bgs.midltn01.nj.comcast.net [68.39.91.184])
[MakoFusion: The IP address above does not match my own]
by popcorn.brookdalecc.edu (8.11.1/8.11.1) with SMTP id h861HHp51864
for <egualtieri@brookdalecc.edu>; Fri, 5 Sep 2003 21:17:17 -0400 (EDT)
(envelope-from WhiteMateriaXV@hotmail.com)
[MakoFusion: I don't get the by and for part above also]
Message-Id: <200309060117.h861HHp51864@popcorn.brookdalecc.edu>
From: <WhiteMateriaXV@hotmail.com>
To: <egualtieri@brookdalecc.edu>
Subject: Thank you!
Date: Fri, 5 Sep 2003 21:22:05 --0400
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="_NextPart_000_074AC9BA"
X-AntiVirus: scanned for viruses by AMaViS 0.2.1 (http://amavis.org/)
-------------------------- END HEADERS ------------------------------
We use AMaViS, http://amavis.org/
AMaViS - A Mail Virus Scanner, licenced GPL
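An added example, not part of MakoFusion's post and not code from AMaViS or any mail server: a small Python script that reads the headers quoted above the way a mail admin would. It folds the header block, splits the one Received: line into its clauses, and then compares what the message claims (Return-Path/From say hotmail.com) against what the receiving server actually observed (a Comcast residential address). The "by" clause is the server that wrote the Received: line (popcorn.brookdalecc.edu) and the "for" clause is the envelope recipient it was asked to deliver to (RCPT TO); neither comes from the sender. The sample header text is copied from the bounce and re-folded onto continuation lines; the domain_of() helper and the four checks are this example's own, not a standard.

```python
import re

# Constructed sample: the BEGIN HEADERS block from the bounce MakoFusion quoted,
# re-folded onto tab-indented continuation lines the way sendmail writes them.
SAMPLE_HEADERS = """\
Return-Path: <WhiteMateriaXV@hotmail.com>
Received: from NIRAV-96PSAV9DH (bgp616145bgs.midltn01.nj.comcast.net [68.39.91.184])
\tby popcorn.brookdalecc.edu (8.11.1/8.11.1) with SMTP id h861HHp51864
\tfor <egualtieri@brookdalecc.edu>; Fri, 5 Sep 2003 21:17:17 -0400 (EDT)
\t(envelope-from WhiteMateriaXV@hotmail.com)
Message-Id: <200309060117.h861HHp51864@popcorn.brookdalecc.edu>
From: <WhiteMateriaXV@hotmail.com>
To: <egualtieri@brookdalecc.edu>
Subject: Thank you!
Date: Fri, 5 Sep 2003 21:22:05 --0400
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
"""

# One regex per clause of a sendmail-style Received: line.
RECEIVED_CLAUSES = {
    "helo":     r"\bfrom\s+(\S+)",                       # name the client gave in HELO
    "rdns":     r"\bfrom\s+\S+\s+\(([^\s\[\]()]+)\s*\[",  # reverse DNS the server looked up
    "ip":       r"\[(\d{1,3}(?:\.\d{1,3}){3})\]",         # TCP peer address, the one trusted field
    "by":       r"\bby\s+(\S+)",                         # the server that wrote this line
    "id":       r"\bid\s+(\S+)",                         # that server's queue id
    "rcpt":     r"\bfor\s+<?([^>;\s]+)>?",               # RCPT TO, the envelope recipient
    "env_from": r"envelope-from\s+<?([^>\s)]+)>?",       # MAIL FROM, the envelope sender
}

def parse_headers(raw):
    """Return [(name, value)] with folded continuation lines joined."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break                              # blank line ends the header block
        if line[0] in " \t" and headers:       # continuation of the previous header
            headers[-1] = (headers[-1][0], headers[-1][1] + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers

def parse_received(value):
    """Split one Received: value into its clauses (None where a clause is absent)."""
    return {key: (m.group(1) if (m := re.search(pat, value)) else None)
            for key, pat in RECEIVED_CLAUSES.items()}

def domain_of(name):
    """Last two labels of a host or mail domain (enough for .com/.net/.edu)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:]) if name else None

def analyse(raw):
    headers = parse_headers(raw)
    get = lambda n: next((v for k, v in headers if k.lower() == n.lower()), None)
    # Each relay prepends its own Received: line, so the LAST one is the first hop.
    hops = [parse_received(v) for k, v in headers if k.lower() == "received"][::-1]
    if not hops:
        return {"findings": ["no Received: headers; nothing to trace"]}
    origin = hops[0]
    sender = (get("Return-Path") or "").strip("<> ")
    sender_domain = domain_of(sender.rsplit("@", 1)[-1])
    findings = []
    # 1. Claimed sender domain vs. the network the first hop actually came from.
    if origin["rdns"] and domain_of(origin["rdns"]) != sender_domain:
        findings.append(
            f"Return-Path claims {sender_domain}, but {origin['by']} took the message from "
            f"{origin['rdns']} [{origin['ip']}], a {domain_of(origin['rdns'])} host; the "
            "From:/Return-Path: text is whatever the client typed, the peer IP is not")
    # 2. A real MTA announces a fully qualified name; a bare machine name means a
    #    desktop connected straight to the recipient's MX.
    if origin["helo"] and "." not in origin["helo"]:
        findings.append(f"HELO name {origin['helo']!r} is not a FQDN: direct-to-MX "
                        "delivery from an end-user machine")
    # 3. sendmail adds a Message-Id built from its queue id only when the client
    #    sent none; Outlook Express always sends one, so the X-Mailer is suspect.
    msgid = get("Message-Id") or ""
    if origin["id"] and origin["id"] in msgid and (origin["by"] or "") in msgid:
        findings.append(f"Message-Id was generated by {origin['by']}, so the client sent "
                        f"none although X-Mailer claims {get('X-Mailer')!r}")
    # 4. RFC 2822 zone is +HHMM or -HHMM; a doubled sign points to a home-grown mailer.
    date = get("Date") or ""
    if not re.search(r"\s[+-]\d{4}(?:\s|$)", date):
        findings.append(f"malformed timezone in Date: {date!r}")
    return {"origin_ip": origin["ip"], "origin_rdns": origin["rdns"], "helo": origin["helo"],
            "received_by": origin["by"], "recipient": origin["rcpt"], "sender": sender,
            "sender_domain": sender_domain, "findings": findings}
```

Run analyse(SAMPLE_HEADERS) and the report says the message entered popcorn.brookdalecc.edu from 68.39.91.184 (a comcast.net dial-up/cable host announcing itself as the bare Windows name NIRAV-96PSAV9DH), while every sender field says hotmail.com. Only the bracketed IP in a Received: line written by a server you trust is evidence; everything above it in the header block is data the sending machine supplied. With a longer chain the same loop walks hop by hop from the bottom up until the "by" of one line stops matching the "from" of the next, which is where forged Received: lines begin.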

Peaches4U
September 4th, 2003, 10:34 PM
Quoting MakoFusion:
"Does anyone have any useful tools to determine how spam actually works?

I am looking for specifically...

How to read email headers correctly.
How to determine forged header elements.

Hmm, I would like to know this one too

I have been getting emails claiming that my email is sending them the Sobig virus and that it blocked my sent mail but I never sent anything.... Is that a hoax on their part to just make me think I have this virus?"

Highlight your email in question [unopened] and then click on FILE on your toolbar, then click on PROPERTIES, then click DETAILS, then click on MESSAGE SOURCE. You do not want to do this if you suspect your mail may contain a virus.

If you did not send any emails, then you may well be a host for a virus. On the other hand, is the mail you are getting from a known source or unknown? Are your known contacts advising you that you have a virus? Give us a bit more detail. Thanks. I recommend you do an online independent scan of your computer with either Panda or TrendMicro [scans are free]. If you have a virus, it will be removed; if not, then go to Symantec for the removal tool for Sobig. Do you have anti-virus software installed, and if you do, did it warn you of any infection?

Peaches4U
September 4th, 2003, 10:46 PM
Click on the following URL and see if any of the Worms described there relate to your situation.

http://search.symantec.com/custom/us/query.html

meneer
September 5th, 2003, 04:37 AM
More Spam help at these pages (http://www.hazeleger.net/despam/index.htm)

DolfTraanberg
September 5th, 2003, 06:43 AM
only the returnpath is showing your address
does the next line give you any clues:

From: <WhiteMateriaXV@hotmail.com>

Dolf

Peaches4U
September 5th, 2003, 03:30 PM
Hi Mak - I subscribe to TechTV newsletters and this is what they wrote about the Sobig virus and thus may explain what is happening to you.

"Sobig pulls a random name from the hard drive of an infected PC and uses it as the return address when it mails itself out to new victims. Since you're running an updated antivirus program and you don't open attachments, the virus probably isn't on your system. Some of your friends think you sent the virus because Sobig used your email address as the return address. "

The way I understand the above is that one of your real email contacts has an infected computer and Sobig is using you as a host from the infected addy list. It may well be that the spam mail contains the virus, which is why McAfee keeps telling you the mail that was sent out was infected. Try asking all your email contacts to remove your email addy from their address book and see what happens. If the spam continues, then you may have to look elsewhere; if it stops, then you know more or less where the problem lies, thus all your email contacts will have to scan their computers, etc. to see who is compromised.

Get the tool for Sobig removal from Symantec by downloading it to a diskette and then scan your computer; if you are infected, this tool will identify it and remove any trace of the virus. Also, download on a separate disk the removal tool for the other virus you mentioned. If you come up clean then it would appear that an infected computer which has your email addy is using you to send the spam, which I assume is also infected mail. In which case, I would not go to view the message source with the instructions I gave, because as soon as you do this, bingo, you are infected. Been there, done that, so fair warning. I have had to deal with Sobig on two occasions and it was no picnic; it was sent using my neighbor's infected computer each time.

If you are using Win XP, and if you are infected, the virus is most likely in your System Restore and a scan will not pick it up there, but Wormguard will, and will stop it from executing. Download the 30-day free trial of Wormguard and it will stop System Restore from running, and a warning will be given when you try to access SR. In order to get the virus out of SR, you need to disable SR and then use the removal tools. Doing this you will lose all restore points, but when you are positive you are clean, then set a new restore point from the date you are setting it. If your SR is clean, then Wormguard takes no action, so you know you are okay in that area.

Give my suggestions a shot, you have everything to gain and nothing to lose. Let us know how you make out.