

Sending Suspicious Email To U-M Virus Busters For Us To Examine

by Bruce P. Burrell (bpb@umich.edu)
for the U-M Virus Busters (virus.busters@umich.edu)
Last significant update: 08 November 2006

This information can be freely reproduced in any medium, as long as the information is unmodified.

In order to decide whether or not you should even consider sending us suspicious or infected email attachments, see our What To Do With Suspicious Email page.

In order to help, we need several things:

  1. The body of the email:
    This is pretty obvious -- most emailers will include this automatically.

  2. Any and all attachments:
    This is pretty obvious, too, but may depend on your emailer. Without the attachments, we cannot determine with certainty what virus it is -- or even if it is a virus or other nasty.

  3. FULL EMAIL HEADERS:
    This is the tricky part; see below. We need the full RFC 2822 headers to be certain that we contact the real victim, if there is one: some viruses forge the From: field, and only with full email headers can we find the true source of the problem.

    RFC 2822 (leaving our site) is the document that formally specifies Internet Message Format.

How one displays full email headers varies from one emailer to another.
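To show why all three items matter, here is an added example (not part of the original page and not the Virus Busters' own tooling) that checks a raw message for full headers, body, and attachments, and compares the claimed From: address with the earliest Received: hop. The function name `check_submission` and the sample message, including its hosts and addresses, are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample message (documentation-range hosts and addresses, not real traffic).
SAMPLE = b"\r\n".join([
    b"Received: from mx.example.edu (mx.example.edu [192.0.2.10])",
    b"\tby mail.example.edu with ESMTP id AAA111; Wed, 08 Nov 2006 10:00:05 -0500",
    b"Received: from pc17.example.net (unknown [198.51.100.23])",
    b"\tby mx.example.edu with SMTP id BBB222; Wed, 08 Nov 2006 10:00:01 -0500",
    b"From: Alice <alice@example.org>",
    b"Subject: Your document",
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="b1"',
    b"",
    b"--b1",
    b"Content-Type: text/plain",
    b"",
    b"See the attached file.",
    b"--b1",
    b"Content-Type: application/octet-stream",
    b'Content-Disposition: attachment; filename="document.pif"',
    b"Content-Transfer-Encoding: base64",
    b"",
    b"AAAA",
    b"--b1--",
    b"",
])

def check_submission(raw: bytes) -> dict:
    """Report whether a forwarded message carries headers, body and attachments."""
    msg = message_from_bytes(raw, policy=policy.default)
    received = [" ".join(str(h).split()) for h in msg.get_all("Received", [])]
    body = msg.get_body(preferencelist=("plain", "html"))
    # Each relay prepends its own Received: line, so the last one is the earliest hop.
    # Hops below the first relay you trust can be forged by the sender as well.
    earliest = received[-1] if received else None
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", earliest or "")
    return {
        "has_full_headers": bool(received),
        "has_body": body is not None and bool(body.get_content().strip()),
        "attachments": [p.get_filename() for p in msg.iter_attachments()],
        "claimed_from": parseaddr(str(msg.get("From", "")))[1],
        "earliest_hop": earliest,
        "earliest_hop_ip": ip.group(1) if ip else None,
    }

if __name__ == "__main__":
    print(check_submission(SAMPLE))
```

In the sample, the From: field names example.org while the earliest hop is a host in example.net; a message forwarded without its Received: lines loses that second piece of information entirely.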

=== How to send email headers ===

If you use one of the standard email packages recommended by the University (pine, Mulberry, or mail.umich.edu), it's particularly easy to give us everything we need (headers, body, and attachments):

Otherwise, ....

If you don't use one of the above email applications, and you don't know how to display the full email headers, please check SpamCop's Email Header FAQ (leaving our site) or WHOA's How to Get Full Headers in Your Software page (leaving our site), both of which have (different, somewhat non-overlapping) instructions for many different email programs.

If you can't find instructions at these sites for your emailer, then:

  1. Check your emailer's manual, or
  2. Search for the information on the web, or
  3. Contact your email administrator.

We are not in a position to assist you with how to use your email program further than to point you to the information above.

For links on how to interpret email headers, see e.g., the U-M Virus Busters Anti-SPAM FAQ.

ALSO:

Without full email headers, AND the email body, AND the attachments (if any), it's a waste of time for you and for us. So send them all, please (unless we ask you otherwise, of course), or just delete it.

================================

Note that you should never send potentially hostile code to ANYONE you don't know and trust -- so think twice before you forward hostile or suspicious code to us ... or to anyone else.

   -BPB

University of Michigan AntiVirus Team Leader
University of Michigan Data Recovery Team Leader
PGP 2.6.2 key fingerprint: 0D A5 98 3C 91 DA E0 DD 9C 6D FA 8F 4D 34 95 ED



Last updated: Wednesday, 08-Nov-2006 15:12:29 EST.
University of Michigan Virus Busters - virus.busters@umich.edu
