slyworme

Is this my email spoofer?


Hi,

 

I have had my email account spoofed for around a year now.  It happens in bursts lasting 2 weeks or so then is quiet for a month or so before re-starting.  I have checked all the bounce-back messages I receive but there is no information I can see that is any use...until today when I started receiving the following bounce-back:

 

"This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a temporary error. The following address(es) deferred:

  policyexpert.co.uk@mail57.wdc03.rsgsv.net
  
Domain eoneltd.com has exceeded the max emails per hour (1103/1000 (110%)) allowed.  Message will be reattempted later

------- This is a copy of the message, including all the headers. ------
Received: from [186.235.239.112] (port=51287 helo=tenxr.com) by host.althuq.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)"

 

A quick whois check points to this entry:

Registrant Org: ahmed almutairi (associated with ~16 other domains)
Registrar: GODADDY.COM, LLC
Registrar Status: clientDeleteProhibited, clientRenewProhibited, clientTransferProhibited, clientUpdateProhibited
Dates: Created on 2007-09-11 - Expires on 2018-09-11 - Updated on 2014-08-27
Name Server(s): NS1.ALTHUQ.COM (has 6 domains), NS2.ALTHUQ.COM (has 6 domains)
IP Address: 74.200.74.196 - 4 other sites hosted on this server
IP Location: United States - Virginia - Sterling - Virtacore Systems Inc
ASN: United States AS14383 VCS-AS - Virtacore Systems Inc, US (registered May 12, 2005)

Among the other sites hosted on the same server is the althuq.com listed in the bounce-back. Is there a good chance that this is the person spoofing my email?  I am aware that they may not even realise they are doing it if their computer/server has been compromised.

If this is a good indication that they are responsible, who is the best person to inform?

Thanks,

 

Mike


Generally doing anything about bounce messages just clutters the airways and gets directed at the domain of receiving the spam, not the sender.  As you know, you are getting the bounce messages because the sender of the bounce is taking the easy/incorrect approach of sending bounces to the REPLY TO: or FROM: lines in the header not the real source reflected in the Received: lines.

In this case the error message came from the sender's email host.  I would reply directly to the sender. Either 1) their email system has been compromised or 2) they have a client that is using their email system (and IP addresses) to send spam.  In either case the ISP should want to know.

The bad news is that now that a spammer has your email address/domain in their list of addresses to use, the flurry will no doubt continue. The breaks you see in blocks of bounces may be caused as they are kicked off one ISP and get set up on another, or they are just cycling through a list in an attempt to avoid being blocked.  You are lucky: they made a mistake and exceeded their quota, and you received some insight as a result.


Thanks for the reply.

Just to clarify - the best person to contact in this case would be the Registrant (Mr Almutairi) or the IP host (Virtacore Systems Inc)?


That is your call. Anyone here has only the limited information you have posted (PLEASE do not post the email here!).  As I suggested, I would reply to the ISP that sent you the message.
