Look at the header, there will be a "Received:" line. The first IP address you see in that line (in brackets "[]") is the important part. Ignore any host name associated with that address as it could be forged (and so can the "From:" address obviously). Now do an "nslookup <ip address>" and get the mail server name that it came from. The domain associated with that address should give a clue as to who sent the email with a virus.
Usually when you get an email from someone with a virus attached it will be from someone you know (your name is in their address book). Now who do you know with an email address from that domain? Of course an email server can serve many domains so it's not 100% accurate. And if you know several people with email addresses from that domain it could be any one of them. The only way you can pin it to one specific person is to contact the owner of the email server and have them trace their logs. Good luck.
Of course I have my email servers set up to block any message with attachments that have an extention of "*.exe, *.pif, *.bat, *.com, *.lnk, *.scr, etc, etc, etc, etc, etc". So I (or any other people that use my servers can't get messages with viruses). The message is just bounced back to the sender with a custom message explaining why I do not accept messages containing such attachments.
[ August 11, 2002: Message edited by: VoidMain ]
