
Am I Spamming Someone Else?


Ex_Brit


I'll give the text of the message later but the story is yesterday and today I got a batch of the typical mailer-daemon 'your email to blah blah cannot be delivered' messages from Yahoo (I checked they were from them) - they provide my ISP's webmail. About 15 yesterday and about 8 today but all sent yesterday apparently. I have exhaustively checked my machine using numerous tools and there is absolutely no infection present. I called my ISP and they deny emphatically that their servers are infected....hmmmm I'm wondering about that statement. What makes me think it's their servers is that some of the addresses are no longer in my address book on my computer but are on my webmail. I never use webmail so hardly ever update it. I did check it and nothing showed as sent from there but an infection could hide that of course. I volunteer at McAfee forums so am aware of this kind of thing happening.

I may be good at removing infections but I'm not too good at analysing the content of emails - anyone here got any clues to give me on this as to where maybe the original spam email came from?

Headers (emails edited):

From: MAILER-DAEMON[at]yahoo.com

Date: 18/12/2011 12:13:03 PM

To: ex_brit[at]

Subject: Failure Notice

Sorry, we were unable to deliver your message to the following address.

<forum[at]incredibar.co.uk>:

Mail server for "incredibar.co.uk" unreachable for too long

--- Below this line is a copy of the message.

Received: from [66.94.237.197] by nm8.access.bullet.mail.mud.yahoo.com with NNFMP; 17 Dec 2011 17:12:10 -0000

Received: from [66.94.237.112] by tm8.access.bullet.mail.mud.yahoo.com with NNFMP; 17 Dec 2011 17:12:10 -0000

Received: from [127.0.0.1] by omp1017.access.mail.mud.yahoo.com with NNFMP; 17 Dec 2011 17:12:10 -0000

X-Yahoo-Newman-Property: ymail-3

X-Yahoo-Newman-Id: 520178.1663.bm[at]omp1017.access.mail.mud.yahoo.com

Received: (qmail 71155 invoked by uid 60001); 17 Dec 2011 17:12:09 -0000

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rogers.com; s=s1024; t=1324141929; bh=7vb0i1TWf/rcotojBbS/MfRmu6zcSa1tLD4t2v3VqFE=; h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Subject:To:MIME-Version:Content-Type; b=5batFMFcMCQlS3zmghJCDK4frqBlKb6OjOBnwN9ETf2fukZRE9wFVBHUqZkgo4bUZQB0HWi45IttAzoQ9dUZI0TG1eqSvn7eI0fU2c3z8oxoFY4ohGnfxe6EA7T2Ma8FsQPOoxsiSR7Gu9+zzYzykSHH18UhyFSFD7WVl7xkKUk=

DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;

s=s1024; d=rogers.com;

h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Subject:To:MIME-Version:Content-Type;

b=X0BlkoQCBSx9Y+qgkK+JKKnYgi64lhJfRlNo/Jstp5WwdGHMefu+kVHHRXumxeY8HY6qkLrWz4ucT64HD1DcvtsxbSCwtEpOEU/wxtqlC3H6y5djEHa7hNeFkqWKGbtVoHJSFfztdAu28OXHqyJbdSS7Ndi+9TelCOSD2EdohY8=;

X-YMail-OSG: ntjDh0cVM1nPUxqUexImgfDgJmR7yWbN6XxvWN42dq5KELg

pRb0K2wslBJlJD3EGw672AetYGYYM9zCCCqHV1yqZrYr8EJeNluC.5FrvmYF

P3g7rm.fpYorpxQZEkpyjCpJy975Wl7LEVKzyWUOXGW7Pax9SHoSgjg6.waz

nk_4AyaElak5smktD.biAaz.qzAhDDeH4iguxyseEj1F21O7EqEMAgxGqrbp

x1mOZcvLSA46sa2qFmKydCV8K_ZZUhb7HmGGY9yYJRctozbL9fS_l0npMylI

pAg5MdS6ZRYRAHNg8ez3foQZSf_2YlivdyglHGuTHwSgSLdlUxiguSJPczoE

Y3leyTr736EJT77DyViTevS_XDvTPWA6OFhkauQaRaqGrIHiJ_wlLQMXcypX

n0Ee8uOlZd872zWQZYZzASkfQgI0LyJaIWTCgjc_c3euo0gMBTUX.dulSfIu

WXExO5KbbYpYV7AuxiFGbMRRT__ccNqPIVVCVhTTG5wQDOjn6GmY7oD0fUxr

KTpUEUZ1gzLQjLjFJzheXwclDHcaunoU_bqn.e6sXIHdkIip.BJ_SyuBvj0N

1ogIvSfluuaIGnUfr0LwgDKlaeZvw.JMepwCnJJ_QNdLu9hBC

Received: from [156.17.86.186] by web88507.mail.bf1.yahoo.com via HTTP; Sat, 17 Dec 2011 09:12:09 PST

X-Mailer: YahooMailWebService/0.8.115.331698

Message-ID: <1324141929.39867.androidMobile[at]web88507.mail.bf1.yahoo.com>

Date: Sat, 17 Dec 2011 09:12:09 -0800 (PST)

From: Peter <ex_brit[at]rogers.com>

Subject: I AM FREE NOW.

To: "33 email addresses removed from this gap (always A - H)">

MIME-Version: 1.0

Content-Type: multipart/alternative; boundary="-1494125812-177656308-1324141929=:39867"

---1494125812-177656308-1324141929=:39867

Content-Type: text/plain; charset=us-ascii

<p>Hello friend!<br>I made a life changing decision this was my last resort it proved that anything is possible this is perfect for you<br><a href="http://canalmunicipal.com.ar/profile/51JonathanJones/">http://canalmunicipal.com.ar/profile/51JonathanJones/</a><br>see you soon</p>

---1494125812-177656308-1324141929=:39867

Content-Type: text/html; charset=us-ascii

<table cellspacing="0" cellpadding="0" border="0"><tr><td valign="top" style="font: inherit;"><p>Hello friend!<br>I made a life changing decision this was my last resort it proved that anything is possible this is perfect for you<br><a href="http://canalmunicipal.com.ar/profile/51JonathanJones/">http://canalmunicipal.com.ar/profile/51JonathanJones/</a><br>see you soon</p>

</td></tr></table>

---1494125812-177656308-1324141929=:39867--

Actual text of email:

Sorry, we were unable to deliver your message to the following address.

<forum[at]incredibar.co.uk>:

Mail server for "incredibar.co.uk" unreachable for too long

--- Below this line is a copy of the message.

Received: from [66.94.237.197] by nm8.access.bullet.mail.mud.yahoo.com with NNFMP; 17 Dec 2011 17:12:10 -0000

Received: from [66.94.237.112] by tm8.access.bullet.mail.mud.yahoo.com with NNFMP; 17 Dec 2011 17:12:10 -0000

Received: from [127.0.0.1] by omp1017.access.mail.mud.yahoo.com with NNFMP; 17 Dec 2011 17:12:10 -0000

X-Yahoo-Newman-Property: ymail-3

X-Yahoo-Newman-Id: 520178.1663.bm[at]omp1017.access.mail.mud.yahoo.com

Received: (qmail 71155 invoked by uid 60001); 17 Dec 2011 17:12:09 -0000

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rogers.com; s=s1024; t=1324141929; bh=7vb0i1TWf/rcotojBbS/MfRmu6zcSa1tLD4t2v3VqFE=; h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Subject:To:MIME-Version:Content-Type; b=5batFMFcMCQlS3zmghJCDK4frqBlKb6OjOBnwN9ETf2fukZRE9wFVBHUqZkgo4bUZQB0HWi45IttAzoQ9dUZI0TG1eqSvn7eI0fU2c3z8oxoFY4ohGnfxe6EA7T2Ma8FsQPOoxsiSR7Gu9+zzYzykSHH18UhyFSFD7WVl7xkKUk=

DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;

s=s1024; d=rogers.com;

h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Subject:To:MIME-Version:Content-Type;

b=X0BlkoQCBSx9Y+qgkK+JKKnYgi64lhJfRlNo/Jstp5WwdGHMefu+kVHHRXumxeY8HY6qkLrWz4ucT64HD1DcvtsxbSCwtEpOEU/wxtqlC3H6y5djEHa7hNeFkqWKGbtVoHJSFfztdAu28OXHqyJbdSS7Ndi+9TelCOSD2EdohY8=;

X-YMail-OSG: ntjDh0cVM1nPUxqUexImgfDgJmR7yWbN6XxvWN42dq5KELg

pRb0K2wslBJlJD3EGw672AetYGYYM9zCCCqHV1yqZrYr8EJeNluC.5FrvmYF

P3g7rm.fpYorpxQZEkpyjCpJy975Wl7LEVKzyWUOXGW7Pax9SHoSgjg6.waz

nk_4AyaElak5smktD.biAaz.qzAhDDeH4iguxyseEj1F21O7EqEMAgxGqrbp

x1mOZcvLSA46sa2qFmKydCV8K_ZZUhb7HmGGY9yYJRctozbL9fS_l0npMylI

pAg5MdS6ZRYRAHNg8ez3foQZSf_2YlivdyglHGuTHwSgSLdlUxiguSJPczoE

Y3leyTr736EJT77DyViTevS_XDvTPWA6OFhkauQaRaqGrIHiJ_wlLQMXcypX

n0Ee8uOlZd872zWQZYZzASkfQgI0LyJaIWTCgjc_c3euo0gMBTUX.dulSfIu

WXExO5KbbYpYV7AuxiFGbMRRT__ccNqPIVVCVhTTG5wQDOjn6GmY7oD0fUxr

KTpUEUZ1gzLQjLjFJzheXwclDHcaunoU_bqn.e6sXIHdkIip.BJ_SyuBvj0N

1ogIvSfluuaIGnUfr0LwgDKlaeZvw.JMepwCnJJ_QNdLu9hBC

Received: from [156.17.86.186] by web88507.mail.bf1.yahoo.com via HTTP; Sat, 17 Dec 2011 09:12:09 PST

X-Mailer: YahooMailWebService/0.8.115.331698

Message-ID: <1324141929.39867.androidMobile[at]web88507.mail.bf1.yahoo.com>

Date: Sat, 17 Dec 2011 09:12:09 -0800 (PST)

From: Peter <ex_brit etc>

Subject: I AM FREE NOW.

To: (email addresses removed>

MIME-Version: 1.0

Content-Type: multipart/alternative; boundary="-1494125812-177656308-1324141929=:39867"

---1494125812-177656308-1324141929=:39867

Content-Type: text/plain; charset=us-ascii

<p>Hello friend!<br>I made a life changing decision this was my last resort it proved that anything is possible this is perfect for you<br><a href="http://canalmunicipal.com.ar/profile/51JonathanJones/">http://canalmunicipal.com.ar/profile/51JonathanJones/</a><br>see you soon</p>

---1494125812-177656308-1324141929=:39867

Content-Type: text/html; charset=us-ascii

<table cellspacing="0" cellpadding="0" border="0"><tr><td valign="top" style="font: inherit;"><p>Hello friend!<br>I made a life changing decision this was my last resort it proved that anything is possible this is perfect for you<br><a href="http://canalmunicipal.com.ar/profile/51JonathanJones/">http://canalmunicipal.com.ar/profile/51JonathanJones/</a><br>see you soon</p>

</td></tr></table>

---1494125812-177656308-1324141929=:39867--


Received: from [156.17.86.186] by web88507.mail.bf1.yahoo.com via HTTP; Sat, 17 Dec 2011 09:12:09 PST

If you look closely, you will see that your mail is coming from 156.17.86.186. You should be able to trace it back via the RIPE whois to Amsterdam.

As for reporting, technically you should only report the bounce you got from Yahoo's mail servers. The actual UCE message was sent to them, so it is their spam.


If you look closely, you will see that your mail is coming from 156.17.86.186. ...
Of course - I couldn't see that for the life of me, but it's plain when you point it out. Thanks! I should have run those headers through IPNetInfo.exe; in retrospect I see that would have picked it out right up front.

Then we see (no PTR record for that IP address)

inetnum: 156.17.0.0 - 156.17.255.255

netname: WASK

descr: the network covers whole Wroclaw area

descr: (a large academic centre in West-Southern

descr: Poland)

country: PL

On significant DNSBLs spam.dnsbl.sorbs.net and b.barracudacentral.org

The question for Yahoo is, why would they bounce back to Peter? Reporting their bounces might help them find an answer. They might also find out how his webmail address book plainly came into the equation - maybe they thought the "inspection" of a member's account was a "better" way to resolve NDRs?

Peter, of course if you used/directly accessed webmail not so long before this all started then the compromise of your own machine would be a definite possibility but I gather that was not the case.

Steve

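Steve's two replies above do the header analysis by eye: read the Received chain from the bottom up to find the address that actually submitted the message, then look that address up (reverse DNS, RIPE whois, DNSBLs). The script below, added here as an example and not part of the thread, does the same two steps mechanically. It parses the Received headers of the bounced message, skips the provider's internal hops (loopback addresses and the qmail "invoked by uid" line), and reports the first hop that names a public client address; it then builds the reverse-DNS and DNSBL query names for that address. The header block is a constructed excerpt of the bounce quoted in the first post; the function names (`received_chain`, `originating_hop`, `check_listing`) are my own; `check_listing` takes an injectable resolver so the DNSBL step can be exercised offline, and `live_resolve` uses the system resolver when you run it for real.

```python
import email
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional

# Constructed excerpt of the bounced message quoted in the thread (addresses
# shortened, one folded header kept to show that folding is handled).
# Header order is as it appears on the wire: the most recent hop is on top.
SAMPLE_HEADERS = """\
Received: from [66.94.237.197] by nm8.access.bullet.mail.mud.yahoo.com with NNFMP; 17 Dec 2011 17:12:10 -0000
Received: from [66.94.237.112] by tm8.access.bullet.mail.mud.yahoo.com with NNFMP; 17 Dec 2011 17:12:10 -0000
Received: from [127.0.0.1] by omp1017.access.mail.mud.yahoo.com with NNFMP; 17 Dec 2011 17:12:10 -0000
X-Yahoo-Newman-Property: ymail-3
Received: (qmail 71155 invoked by uid 60001); 17 Dec 2011 17:12:09 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rogers.com; s=s1024;
 h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Subject:To;
Received: from [156.17.86.186] by web88507.mail.bf1.yahoo.com via HTTP; Sat, 17 Dec 2011 09:12:09 PST
X-Mailer: YahooMailWebService/0.8.115.331698
From: Peter <ex_brit[at]rogers.com>
Subject: I AM FREE NOW.
"""

# DNSBL zones named in the thread.
DEFAULT_ZONES = ("spam.dnsbl.sorbs.net", "b.barracudacentral.org")

_FROM_IP = re.compile(r"\bfrom \[?(\d{1,3}(?:\.\d{1,3}){3})\]?")
_BY_HOST = re.compile(r"\bby (\S+)")


def received_chain(raw_message: str) -> List[str]:
    """Return the Received header values oldest hop first, unfolded."""
    msg = email.message_from_string(raw_message)
    hops = msg.get_all("Received") or []
    # Every MTA prepends its own Received line, so reversing the header
    # order gives the path the message actually took.
    return [" ".join(h.split()) for h in reversed(hops)]


def originating_hop(raw_message: str) -> Optional[Dict[str, object]]:
    """First hop that names a public client address.

    Loopback/private hops and the qmail 'invoked by uid' line are the
    provider's internal handoffs and carry no client address, so they are
    skipped. For a webmail submission the first real hop is the 'via HTTP'
    line, whose bracketed address is the browser or app that logged in.
    """
    for hop in received_chain(raw_message):
        m = _FROM_IP.search(hop)
        if not m:
            continue
        addr = ipaddress.ip_address(m.group(1))
        if addr.is_private or addr.is_loopback:
            continue
        by = _BY_HOST.search(hop)
        return {
            "ip": str(addr),
            "by": by.group(1) if by else "",
            "via_http": "via HTTP" in hop,
        }
    return None


def reversed_octets(ip: str) -> str:
    return ".".join(reversed(ip.split(".")))


def ptr_name(ip: str) -> str:
    """Name to query for the reverse-DNS (PTR) record of an IPv4 address."""
    return reversed_octets(ip) + ".in-addr.arpa"


def dnsbl_query_names(ip: str, zones=DEFAULT_ZONES) -> Dict[str, str]:
    """DNSBL lookups use the same reversed-octet form under each list's zone."""
    return {zone: f"{reversed_octets(ip)}.{zone}" for zone in zones}


def live_resolve(name: str) -> Optional[str]:
    """System resolver: the A record as a string, or None on NXDOMAIN/failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_listing(ip: str, resolve: Callable[[str], Optional[str]] = live_resolve,
                  zones=DEFAULT_ZONES) -> Dict[str, bool]:
    """True for each zone that answers with a 127.0.0.x listing code."""
    listed = {}
    for zone, qname in dnsbl_query_names(ip, zones).items():
        answer = resolve(qname)
        listed[zone] = answer is not None and answer.startswith("127.0.0.")
    return listed


if __name__ == "__main__":
    hop = originating_hop(SAMPLE_HEADERS)
    print("originating hop:", hop)
    if hop:
        print("PTR query name :", ptr_name(hop["ip"]))
        # Live DNS; pass a stub resolver to check_listing to run offline.
        print("DNSBL listings :", check_listing(hop["ip"]))
```

Two things the output makes plain. The three Received lines at the top are Yahoo's own internal handoffs and say nothing about who wrote the message; only the "via HTTP" line, added by the webmail front end at submission time, records a client address, and that is the address worth looking up. A message submitted through the webmail interface from an address you do not recognise points at the account's credentials having been used from elsewhere rather than at malware on the local machine, which is the direction the thread itself ends up taking. A DNSBL hit on that client address describes that client, not Yahoo's servers, and a PTR lookup that returns nothing is a data point in itself, as Steve notes above.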

Thank you both for your response. For the moment they've stopped, and strangely I still haven't heard from anyone complaining that I may be spamming them.

It just dawned on me where a vulnerability lay for a few hours in my machine and hence someone may have crept in and stolen my address book, but I am still more inclined to think that a webmail account has been hacked somewhere and some webmail site owner isn't owning up to that fact. My ISP for example said that 'it's impossible for our webmail servers to be hacked' which immediately I regard with extreme suspicion.

Anyway I am about to try something. I multi-boot (for software testing purposes) and my Windows 7 test OS for 2 days was without much in the way of virus protection because I couldn't get McAfee (the 2012 software I am beta testing) to install. I did install MSE in the meanwhile but that could have been too late. Anyway I just loaded a number of tools on a flash drive and I am about to reboot into that system in Safe Mode w/Networking in order to try a few things to see if it was compromised.

That could answer why these rejections coming in were sporadic, it could possibly coincide with my infrequent reboots into that OS.

It is now protected by the way, but I probably closed the barn door after the horse has bolted, as the saying goes.

Pity I don't have an actual copy of the email that is being sent to report.

Thanks again for your ideas.

I'm mystified as to why someone in Poland apparently using an Android mobile device would be interested in my address book, however, I've long since stopped wondering about such things.

Edit: Well I ran extensive scans using McAfee, various Fake-Alert detection tools, Malwarebytes etc.... nothing untoward. I cranked the heuristic detection on Fake-Alert Stinger to ultra-high and it didn't detect anything either, however in Safe Mode it did (16), but they were all legitimate keys. I just assumed in Safe Mode they weren't functioning correctly.

If no 'mailer-daemon' type rejects arrive in the next while then I know that partition is not to blame and the problem lies elsewhere than on my machine.

I guess time will tell.

Thanks again. :)


If you look closely, you will see that your mail is coming from 156.17.86.186. You should be able to trace it back via the RIPE whois to Amsterdam.

As for reporting, technically you should only report the bounce you got from Yahoo's mail servers. The actual UCE message was sent to them, so it is their spam.

I just don't want to run the risk of reporting myself as a spammer. When I pasted the entire reject mail into SC and queued for reporting to see what it made of it, it would have only sent to Yahoo as it was their email to me after all, so I deleted it rather than do that.


I just don't want to run the risk of reporting myself as a spammer. When I pasted the entire reject mail into SC and queued for reporting to see what it made of it, it would have only sent to Yahoo as it was their email to me after all, so I deleted it rather than do that.
There are layers of complexity and puzzlement which may be obscuring the picture.

I think the main point is, the reportable spam in question is the Yahoo 'mailer-daemon' rejection notice which, it looks like, Yahoo should not be sending you.

The next point, yes, related to the previous but subsidiary, the notice relates to the (undeliverable) original spam, allegedly from you, but which Yahoo's own logs will be showing never came from anywhere near your account.

Finally, related to the last but in turn subsidiary to it, there is the matter of the apparently purloined addresses from your webmail account which may or may not be related to the original spam - that would require a level of forensics to resolve that apparently Yahoo are unable or unwilling to undertake.

If you search these forums you will find some mention of the vexed matter of Yahoo spam, including (last June) complaints that Yahoo mailservers are appearing on the SCbl, at almost the same time other members complaining that Yahoo is not being implicated in the transit of spam. Finally, with the forced migration of accounts to "the new Yahoo" (August and a little after) it all stopped. For a while. Evidently the spammers using Yahoo are not yet quite stymied. There's another query on the newsgroups at the moment which makes it seem Yahoo spam has continued at a high level all along. I'm guessing there are several different kinds of "Yahoo spam", depending on the injection point and on subsequent relaying/forwarding, and delivery, which is at least partially behind the different experiences of different reporters.

It's not relevant at the moment since you have no new instances to consider reporting but if it (misdirected bouncing) comes back you might like to ask SpamCop administration (Don) about reporting it. Seems to be no doubt to me that it should be reported and no risk in doing so - but then it's not my neck on the block :D

In the meantime it might be worth sounding out your contacts with valid addresses in the range that was spammed (the ones you haven't heard from) whether or not they received any of those spam messages. Possibly Yahoo filtered those out anyway as they are clearly spam and they (supposed filters) must have figured that out sooner or later. But you might also learn you are blocked from sending to some of those contacts now. Hopefully it won't get that messy but it would be as well to be sure, don't you think?

Steve


There are layers of complexity and puzzlement which may be obscuring the picture.

I think the main point is, the reportable spam in question is the Yahoo 'mailer-daemon' rejection notice which, it looks like, Yahoo should not be sending you.

The next point, yes, related to the previous but subsidiary, the notice relates to the (undeliverable) original spam, allegedly from you, but which Yahoo's own logs will be showing never came from anywhere near your account.

Finally, related to the last but in turn subsidiary to it, there is the matter of the apparently purloined addresses from your webmail account which may or may not be related to the original spam - that would require a level of forensics to resolve that apparently Yahoo are unable or unwilling to undertake.

If you search these forums you will find some mention of the vexed matter of Yahoo spam, including (last June) complaints that Yahoo mailservers are appearing on the SCbl, at almost the same time other members complaining that Yahoo is not being implicated in the transit of spam. Finally, with the forced migration of accounts to "the new Yahoo" (August and a little after) it all stopped. For a while. Evidently the spammers using Yahoo are not yet quite stymied. There's another query on the newsgroups at the moment which makes it seem Yahoo spam has continued at a high level all along. I'm guessing there are several different kinds of "Yahoo spam", depending on the injection point and on subsequent relaying/forwarding, and delivery, which is at least partially behind the different experiences of different reporters.

It's not relevant at the moment since you have no new instances to consider reporting but if it (misdirected bouncing) comes back you might like to ask SpamCop administration (Don) about reporting it. Seems to be no doubt to me that it should be reported and no risk in doing so - but then it's not my neck on the block :D

In the meantime it might be worth sounding out your contacts with valid addresses in the range that was spammed (the ones you haven't heard from) whether or not they received any of those spam messages. Possibly Yahoo filtered those out anyway as they are clearly spam and they (supposed filters) must have figured that out sooner or later. But you might also learn you are blocked from sending to some of those contacts now. Hopefully it won't get that messy but it would be as well to be sure, don't you think?

Steve

Steve,

Thanks for your very thorough answer and to all of course. Yes I should perhaps email the people that I know for a fact still have that email address. Many are invalid, hence the bounces. That address book, as I said earlier, is hopelessly out of date and in a way, not updating it was good, because it shows me that webmail isn't secure by any means, Yahoo's ongoing sieve-like security notwithstanding. I have long suspected them of being so as that would explain how SC immediately caught a load of spam, every time I created a new email address in the past and I just assumed my ISP was selling email addresses against their own privacy policy. Unless I switch ISPs which isn't likely in the near future with our monopolistic cable structure here this will go on ad infinitum I suppose. Why they partnered with Yahoo is beyond me as I never liked Yahoo in the first place, but I am sure money, or being unwilling to part with too much of it, had something to do with it. I'd love to switch to Bell Fibe but it isn't available in my high-rise yet.

Thanks


<snip>

Unless I switch ISPs which isn't likely in the near future with our monopolistic cable structure here this will go on ad infinitum I suppose. Why they partnered with Yahoo is beyond me as I never liked Yahoo in the first place, but I am sure money, or being unwilling to part with too much of it, had something to do with it. I'd love to switch to Bell Fibe but it isn't available in my high-rise yet.

<snip>

...In the meantime, you could sign up with another e-mail provider, say GMail or Hotmail (if you have reason to think one of them to be better than Yahoo) and simply stop using your Yahoo account.

...In the meantime, you could sign up with another e-mail provider, say GMail or Hotmail (if you have reason to think one of them to be better than Yahoo) and simply stop using your Yahoo account.

I already have, thanks.
