Jump to content


Photo

Bogus MAILER-DAEMON return messages???


  • Please log in to reply
9 replies to this topic

#1 dhumble

dhumble

    Newbie

  • Members
  • Pip
  • 2 posts

Posted 29 September 2006 - 01:26 PM

I'm getting a few messages as of late that appear to have been sent from my email account (actually my domain name) but the user name before the [at] symbol is nothing I have ever used before. Most of these are coming from overseas accounts and I was wondering if this was some kind of a new method to spam folks and try and get them to reply or something. I have included the source of one of the messages here and removed my domain name and replaced it with 1234.com. I obviously didn't send this out and no one in my business did because it is just myself. Anyone have a clue as to what this is all about? Could someone have gained access to my server on estarr.com and is sending out bogus spam emails to others? I'm confused.... Doug Return-path: <> Envelope-to: trac[at]1234.com Delivery-date: Fri, 29 Sep 2006 13:04:18 -0400 Received: from [80.239.9.55] (helo=mx2.itl.no) by tyme.estarr-9.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.52) id 1GTLmZ-0002Rs-LR for trac[at]1234.com; Fri, 29 Sep 2006 13:04:16 -0400 Received: (qmail 19105 invoked for bounce); 29 Sep 2006 18:43:23 +0200 Date: 29 Sep 2006 18:43:23 +0200 From: MAILER-DAEMON[at]mx2.itl.no To: trac[at]1234.com Subject: failure notice X-ESTARR-MailScanner-Information: Please contact the ISP for more information X-ESTARR-MailScanner: Not scanned: please contact your Internet E-Mail Service Provider for details X-ESTARR-MailScanner-SpamCheck: X-ESTARR-MailScanner-From: X-spam-Status: No X-Antivirus: avast! (VPS 0639-4, 09/29/2006), Inbound message X-Antivirus-Status: Clean Hi. This is the qmail-send program at mx2.itl.no. I'm afraid I wasn't able to deliver your message to the following addresses. This is a permanent error; I've given up. Sorry it didn't work out. <cope[at]stien.com>: Sorry, no mailbox here by that name. vpopmail (#5.1.1) --- Below this line is a copy of the message. Return-Path: <trac[at]1234.com> Received: (qmail 18962 invoked by uid 509); 29 Sep 2006 18:43:10 +0200 Received: from 80.135.32.194 by localhost.localdomain (envelope-from <trac[at]1234.com>, uid 508) with qmail-scanner-1.24-st-qms (clamdscan: 0.80/855. spamassassin: 3.0.1. perlscan: 1.24-st-qms. Clear:RC:0(80.135.32.194):SA:0(0.3/4.0):. Processed in 2.075336 secs); 29 Sep 2006 16:43:10 -0000 X-spam-Status: No, hits=0.3 required=4.0 X-Antivirus-MYDOMAIN-Mail-From: trac[at]1234.com via localhost.localdomain X-Antivirus-MYDOMAIN: 1.24-st-qms (Clear:RC:0(80.135.32.194):SA:0(0.3/4.0):. Processed in 2.075336 secs Process 18927) Received: from p508720c2.dip0.t-ipconnect.de (HELO ciwvnq) (80.135.32.194) by mx2.itl.no with SMTP; 29 Sep 2006 18:43:08 +0200 Received: (qmail 5099 invoked from network); Fri, 29 Sep 2006 19:03:55 +0200 Received: from unknown (HELO tsxy) (80.135.140.205) by ciwvnq with SMTP; Fri, 29 Sep 2006 19:03:55 +0200 Message-ID: <000501c6e3e9$3efeaa96$cd8c8750[at]tsxy> From: "Dan Mitchell" <trac[at]1234.com> To: <cope[at]stien.com> Subject: freeload Date: Fri, 29 Sep 2006 18:55:19 +0200 MIME-Version: 1.0 Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_0001_01C6E3FA.02877A1E" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 This is a multi-part message in MIME format. Moderator Edit: Actual spam deleted .....

Edited by Wazoo, 29 September 2006 - 09:43 PM.


#2 Farelf

Farelf

    What Life?

  • Membersph
  • PipPipPipPipPipPip
  • 6,674 posts

Posted 29 September 2006 - 02:58 PM

I'm getting a few messages as of late that appear to have been sent from my email account (actually my domain name) but the user name before the [at] symbol is nothing I have ever used before. Most of these are coming from overseas accounts and I was wondering if this was some kind of a new method to spam folks and try and get them to reply or something. ...

Hi dhumble,

Nothing new, spammers are simply forging your domain as the sender, some of the addresses being spammed are non-existent and the (real - http://www.dnsstuff....?ip=80.239.9.55, Answer 80.239.9.55 PTR record: mx2.itl.no.) mailer daemons are clulessly trying to inform you the "message" was not delivered. They have not bothered to check the real source so you suffer the double indignity of having spam you never sent "returned" for your attention.

Search these forums for spoof address as just one combination and you will find many such cases. Here is one - http://forum.spamcop...?...ost&p=40286 - and that contains advice (the later posts in that topic) on how you might get back to these clueless people and invite them to wrench themselves into the current century and do the job right.

Does that help?
Plus ca change, plus c'est la meme chose

#3 turetzsr

turetzsr

    What Life?

  • Membersph
  • PipPipPipPipPipPip
  • 5,212 posts

Posted 29 September 2006 - 07:01 PM

...This post was made to the "SpamCop Reporting Help" forum, which is described as

A forum to help users with reporting spam using the SpamCop Parsing and Reporting Service. <snip>

...Since the content does not seem to match this description, I am taking the liberty of moving it to the SpamCop Lounge forum. If I have somehow misunderstood, please leave counterarguments here and I or a Moderator colleague will move it back to "SpamCop Reporting Help" or whichever is the most appropriate forum.
..Regards,
...Steve T

...A Happy SpamCop.net reporting user (not an employee)
...Please avoid replying via e-mail, as it is not secure

#4 dhumble

dhumble

    Newbie

  • Members
  • Pip
  • 2 posts

Posted 30 September 2006 - 09:18 AM

Does that help?

Farelf,
I believe this helps. At least it lets me know that I'm not the only one that this happens to and obviously there isn't much I can do about it. I'm just curious though - if I report this email to spamcop, am I reporting the spammer or the folks that sent me the bounce message? I really don't want to report someone innocent.

...This post was made to the "SpamCop Reporting Help" forum, which is described as...Since the content does not seem to match this description, I am taking the liberty of moving it to the SpamCop Lounge forum. If I have somehow misunderstood, please leave counterarguments here and I or a Moderator colleague will move it back to "SpamCop Reporting Help" or whichever is the most appropriate forum.

turetzsr,

Sorry for the posting of this message to the improper place. I'm kind of new to forums and find most of them extremely confusing - especially this one as it is highly technical IMHO. Feel free to move this wherever you see fit - or delete it entirely. It did accomplish the end result and inform me of the fact that spammers could just use my identity without actually hacking into my computer or the server on which my mail is stored.

dhumble

#5 Farelf

Farelf

    What Life?

  • Membersph
  • PipPipPipPipPipPip
  • 6,674 posts

Posted 30 September 2006 - 10:57 AM

... if I report this email to spamcop, am I reporting the spammer or the folks that sent me the bounce message? I really don't want to report someone innocent.

A SpamCop reporter would be reporting 80.239.9.55 (mx2.itl.no) with the example given, the mailer daemon origin. Try the next one and see. Assuming you don't have VER/Quick Reporting you would have to review before any reports are sent and would then have the opportunity to cancel if you don't agree with the reporting nominated. However 80.239.9.55 is *not* innocent. It didn't initiate the spam but the responsible people there are merrily spreading that spam around through their disregard for proper configuration and process. They are doing the spammers work for him. If they do that to enough SC reporters or if they hit a SC spam trap they *shall* get themselves listed on the SCBL (whether you are one of those reporters or not). And they will deserve it. The SC parser will not find the original spammer* unless you are directly spammed IIUC (ie his IP needs to be in the actual message headers as opposed to being in the copied headers in the body of the undeliverable message).

[*"original spammer" is misleading - most often just a trojaned installation whose owner is unaware (but doubtless most grateful if a SC report to his ISP's abuse desk finally leads to him being clued). As for the criminals behind the scenes ...]

Since you are now asking reporting questions I rather feel your first choice of forum was very likely appropriate. :D
Plus ca change, plus c'est la meme chose

#6 epinniger

epinniger

    Newbie

  • Members
  • Pip
  • 4 posts

Posted 01 October 2006 - 04:25 AM

I was actually just about to make a post on the same subject (my first post on the SpamCop forums) until I saw this thread. Since about 2 days ago I've been receiving 5-6 e-mails a day of this type (previously I rarely received them - maybe one every two weeks or so) All the e-mails have a title such as "message undeliverable" or similar, all from addresses I've never sent e-mails to (or received them from). Where the content of the undeliverable e-mail is shown, it's usually obviously spam. I'm wondering if this is a coincidence, or have many other SpamCop users recently noticed an increase in the number of misdirected bounces they've received? If so, is this a result of spammers managing to obtain the addresses of SpamCop users, or is it just due to an overall increase in the use of spoofed/forged return addresses by spammers? Originally I was worried that my e-mail address might end up blacklisted or reported for spamming, as it appears to the recipients that my address is the source of the spam, but after reading some of the threads on this subject here, it looks like this isn't the case.

#7 coalescefl

coalescefl

    Newbie

  • Members
  • Pip
  • 1 posts

Posted 01 October 2006 - 04:40 AM

I just noticed these messages, however, I just signed up for Spamcop.net because I was going to make a post about it until I saw this post. I'm sure the bounce backs are completely random.

#8 Miss Betsy

Miss Betsy

    T-shirt wearing out

  • Membersph
  • PipPipPipPipPip
  • 3,336 posts

Posted 01 October 2006 - 06:02 AM

The way I understand it is that spammers use email addresses from their mailing lists in a random manner. Occasionally, a spammer will use the same address for the whole spam run resulting in thousands of misdirected bounces to one person. At one time, spammers tried to intimidate spamcop users, but there are too many reporters now to make that effective, IMHO. The worst that happens is that they add addresses from reports to their mailing lists so some people get three and four of the same kind of spam. Miss Betsy
an almost new internet user
if you don't think your post has been answered sufficiently, please email service[at]admin.spamcop.net

#9 Wazoo

Wazoo

    What Life?

  • Forum Admin
  • 13,195 posts

Posted 01 October 2006 - 02:05 PM

Search these forums for spoof address as just one combination and you will find many such cases.

This is one of those things that is 'hard to find' in here, even though there are tons of posts. One item, the word "spoof" is an issue. Although the general definition is to "make a parody of" ... this doesn't really 'work' here .. so we jump to the jargon type of definition of "Internet Protocol spoofing (IP spoofing) is the creation of IP packets with a forged (spoofed) source IP address" which then got expanded to "a situation in which one person or program is able to masquerade successfully as another" .. the catch is that in general, someone receiving only a few hundred of these really isn't suffering from an "attack" .... from an ISP's point of view, an attack would be in the realm of 'thousands a second' scenario ...

That's just a bit on the word "spoof" .. other users never get around to trying to "define" the situation, just explaining that they never sent the e-mails, so their account must have been hijacked. Others suggest that it was their ISP that got hijacked. Others simply don't have a clue. Every now and then, some will even use the phrase that 'we' typically use ... their e-mail address was 'forged' into the From: and / or Reply-To: hader lines ....

It is this 'problem' of geekt/technical terminology not being used by all in describing their issues, resulting in he problem of finding those 'similar' situations from a search query. Try to correct some folks, and get accused of 'having an attitude' .. others simply get angry ... some can't see a clue at all ....

I'm wondering if this is a coincidence, or have many other SpamCop users recently noticed an increase in the number of misdirected bounces they've received? If so, is this a result of spammers managing to obtain the addresses of SpamCop users, or is it just due to an overall increase in the use of spoofed/forged return addresses by spammers?

I just noticed these messages, however, I just signed up for Spamcop.net because I was going to make a post about it until I saw this post. I'm sure the bounce backs are completely random.

Much of this has been addressed in a SpamCop FAQ entry 'here'
Why am I getting all these bounces?

Also noting: FAQ = Frequently Asked Question ..

#10 turetzsr

turetzsr

    What Life?

  • Membersph
  • PipPipPipPipPipPip
  • 5,212 posts

Posted 02 October 2006 - 12:23 PM

<snip>

...This post was made to the "SpamCop Reporting Help" forum, which is described as...Since the content does not seem to match this description, I am taking the liberty of moving it to the SpamCop Lounge forum. <snip>

turetzsr,

Sorry for the posting of this message to the improper place. I'm kind of new to forums and find most of them extremely confusing - especially this one as it is highly technical IMHO. Feel free to move this wherever you see fit - or delete it entirely.
<snip>

Hi, dhumble,
...No big problem - that's why we have Moderators! If you could help us by cluing us in as to how we could have helped you understand that the SpamCop Reporting Help" forum did not match the content of your original post (the wording of the description of the forum, for example), we would be most appreciative.
...Another relatively minor point: I prefer to be addressed as "Steve T" (see my sig); "turetzsr" is just my SpamCop Forum login id.

It did accomplish the end result and inform me of the fact that spammers could just use my identity without actually hacking into my computer or the server on which my mail is stored.

...Great, that's why these forums are here! :) <g>
..Regards,
...Steve T

...A Happy SpamCop.net reporting user (not an employee)
...Please avoid replying via e-mail, as it is not secure




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users