[Resolved] spammer forged my email address


maza

A spammer seems to be using our email address to send out spam and we're getting a lot of bounce notices. I'd like to send a complaint to the postmaster that's allowing this forgery but am not sure how to figure it out.

This is one of the bounce notices:

This is the mail system at host smtpauth02.mfg.siteprotect.com.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The mail system

<elvin_007[at]yahoo.com>: host mta5.am0.yahoodns.net[98.136.216.25] said: 554
    delivery error: dd This user doesn't have a yahoo.com account
    (elvin_007[at]yahoo.com) [-5] - mta1172.mail.gq1.yahoo.com (in reply to end of
    DATA command)

<admasterad[at]mail.ru>: host mxs.mail.ru[217.69.139.150] said: 550 Message was
    not accepted -- invalid mailbox. Local mailbox admasterad[at]mail.ru is
    unavailable: user not found (in reply to end of DATA command)

----------------------------------------------------

Just noticed that there is an attachment which is supposed to be the sent message. I haven't opened it since, I assume, it could be malware.

Help appreciated.


As I see it, there are at least two possible avenues of investigation.

The first is the headers of the bounce message should give you some clues as to the identity of the machine that issued the non-delivery report. This will help you alert the admin of that system that there might be a problem.

The other is to examine the headers of the message that was bounced. This assumes that the bounced message (or at least enough of it to be of some value) is included in the non-delivery report, possibly as an attachment. Caution: Be aware of the possibility of malware; take care how you choose to examine any attachments that come with the bounce message.

When it comes to reporting the spam, I'd be inclined to report the bounce message rather than the message that was bounced. You choose what arrives in your inbox. Spam that is directed to someone else is their problem.


...

Help appreciated.

The outgoing mail server is generally not the problem, the clueless mail administrators misdirecting bounce messages (follow that link sometime) generally are the problem. Forged "from:" and/or "reply-to:" addresses are a wide-spread problem and those should never be relied upon to return undelivered mail. If bounced at all, message refusal should only occur when the outgoing and receiving servers are still connected, never after when the (possibly) forged address becomes the only delivery option.

But I'm not at all familiar with the type of bounce message you quote - yahoo.com and mail.ru both complaining and siteprotect.com getting involved somehow? Is that a single bounce? We really need to see the complete message, including full headers and attachments. Yes, for now I am puzzled too. But wow, yahoo actually declaring an invalid address which is helpful - that must be relatively new (as an aside), they didn't always do that (which was unhelpful).

Anyway, misdirected bounces are accepted by SpamCop as abuse and they can be reported. Perhaps those ultimately responsible might be educated by receiving the SC complaints. So one approach is to get yourself a free SpamCop reporting account and start submitting reports - there is something of a learning curve associated with that (the full headers thing, etc.), though many thousands have managed.

Also you could try searching these forums with the search term "misdirected bounce" - also try "backscatter" - to read past discussions.

HTH

Is there a safe way to examine the attachments?

If you can "View as text" the message, that will not activate HTML or scripted malware ... generally part of the "Get full headers" knowledge base. You may not understand what you see, but at least it cannot "bite" you.

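The two approaches suggested above (read the headers of the bounce itself, then the headers of the bounced message it carries, as text rather than by opening it) can be done with the Python standard library's email parser, which never renders or executes anything in the attachment. This is an added example, not code from the original posts: the hosts, addresses and both sample bounces are constructed, and the labels returned by `classify` are my own names for the cases discussed in this thread. It goes a little beyond the posts by telling apart a bounce your own provider generated for a message sent through an authenticated session (ESMTPA in the bottom Received: line) from third-party backscatter.

```python
# Added example, not code from the original posts: parse a Postfix-style bounce
# (RFC 3464 multipart/report) as plain text, never rendering the attachment, and
# read off what it says about who sent the bounced message.  All hosts,
# addresses and both sample bounces below are constructed.
import re
from email import message_from_string, policy

# {rmta} = host that generated the bounce; {received} = first-hop Received: header
DSN_TEMPLATE = """\
From: MAILER-DAEMON@{rmta} (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status;
    boundary="DSN-BOUNDARY"

--DSN-BOUNDARY
Content-Type: text/plain; charset=us-ascii

This is the mail system at host {rmta}.

--DSN-BOUNDARY
Content-Type: message/delivery-status

Reporting-MTA: dns; {rmta}

Final-Recipient: rfc822; nobody@mx.example.org
Action: failed
Status: 5.1.1
Remote-MTA: dns; mx.example.org
Diagnostic-Code: smtp; 550 5.1.1 <nobody@mx.example.org>: user unknown

Final-Recipient: rfc822; full@mx.example.edu
Action: failed
Status: 4.2.2
Remote-MTA: dns; mx.example.edu
Diagnostic-Code: smtp; 451 4.2.2 mailbox is full

--DSN-BOUNDARY
Content-Type: message/rfc822

{received}
From: <victim@example.com>
To: <nobody@mx.example.org>, <full@mx.example.edu>

http://malware-host.example/your_avatar.gif?x=1

--DSN-BOUNDARY--
"""

# Case 1: your provider's submission host bounced a message that arrived over an
# authenticated session (ESMTPA).  Case 2: an unrelated gateway accepted mail
# carrying your address as forged sender, then bounced it to you (backscatter).
AUTH_HOP = ("Received: from h88-150-231-50 (unknown [203.0.113.77])\n"
            "    (Authenticated sender: victim@example.com) by submit.example.net"
            " (Postfix) with ESMTPA id Q1; Thu, 11 Sep 2014 17:16:32 -0500")
RELAY_HOP = ("Received: from h88-150-231-50 (unknown [203.0.113.77])\n"
             "    by gateway.thirdparty.example (Postfix) with ESMTP id Q2; Thu, 11 Sep 2014 17:16:32 -0500")
SAMPLE_AUTHENTICATED = DSN_TEMPLATE.format(rmta="submit.example.net", received=AUTH_HOP)
SAMPLE_BACKSCATTER = DSN_TEMPLATE.format(rmta="gateway.thirdparty.example", received=RELAY_HOP)

def _value(field):
    """'dns; host', 'rfc822; addr', 'smtp; 550 ...' -> the text after the type tag."""
    return None if field is None else str(field).split(";", 1)[-1].strip()

def parse_dsn(raw):
    """Return the reporting MTA, the per-recipient results and the returned message."""
    msg = message_from_string(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/report":
        raise ValueError("not a multipart/report DSN: " + msg.get_content_type())
    report = {"reporting_mta": None, "recipients": [], "original": None}
    for part in msg.iter_parts():
        if part.get_content_type() == "message/delivery-status":
            blocks = part.get_payload()  # header blocks: per-message, then one per recipient
            report["reporting_mta"] = _value(blocks[0].get("Reporting-MTA"))
            for blk in blocks[1:]:
                report["recipients"].append({
                    "recipient": _value(blk.get("Final-Recipient")),
                    "status": str(blk.get("Status")).strip(),
                    "remote_mta": _value(blk.get("Remote-MTA")),
                    "diagnostic": _value(blk.get("Diagnostic-Code"))})
        elif part.get_content_type() == "message/rfc822":
            report["original"] = part.get_payload(0)  # the returned message itself
    return report

def first_hop(original):
    """Bottom-most Received: header, i.e. where the message entered the mail system."""
    hops = original.get_all("Received") if original is not None else None
    return re.sub(r"\s+", " ", str(hops[-1])).strip() if hops else ""

def classify(report, my_provider_domain):
    """What the first hop of the bounced message says about who injected it."""
    hop = first_hop(report["original"])
    m = re.search(r"\bby (\S+)", hop)
    by_host = m.group(1).rstrip(";") if m else ""
    own_provider = by_host == my_provider_domain or by_host.endswith("." + my_provider_domain)
    authenticated = bool(re.search(r"\bwith E?SMTPS?A\b", hop)) or "Authenticated sender" in hop
    if own_provider and authenticated:
        return "authenticated-submission"      # your credentials were used: change them
    if own_provider:
        return "unauthenticated-via-provider"  # relayed by your provider without SMTP AUTH
    return "backscatter"                       # a third party bounced forged mail to you
```

Run it on a saved bounce with parse_dsn(open(path).read()) and classify(report, "yourprovider.example"). Only the "by ..." clause of the first hop is trustworthy, because your own provider's server wrote it; everything after "from" is whatever the connecting client claimed. If the result is "authenticated-submission", the forged-From theory is ruled out and the account credentials are the problem.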

I've just discovered that someone seems to have hacked into our account. Our password had been changed and I was unable to receive mail. Fortunately, I was still able to log in to the verizon site control site and rechange the password. So now it's starting to look like the email was actually sent from our account.


I've just discovered that someone seems to have hacked into our account. ...

Ah, thanks for the update - usually the first thing someone suspects, almost always NOT the case which is probably why no-one suggested the possibility. Let us know how you go and if that was the answer we'll mark this one resolved. You need a strong password and somewhere secure/encrypted to keep a back-up of it, plenty of (free) options for both, just Google.

I copied one of the messages using a text editor. At the end there's an http address -- maybe it's the hacker's? (I tried to delete all recipient email addresses as well as my own).

Return-Path: <>
Delivered-To: <>
Received: from mf28.mfg.siteprotect.com ([192.168.31.177])
    by stor25r.mfg.siteprotect.com (Dovecot) with LMTP id qk+XFeYeElR7VgAAw8NFKg
    for <>; Thu, 11 Sep 2014 17:16:49 -0500
Received: from mx.siteprotect.com (unknown [192.168.33.154])
    by mf28.mfg.siteprotect.com (Postfix) with ESMTP id 92698A78002
    for <>; Thu, 11 Sep 2014 17:16:48 -0500 (CDT)
Received: from smtpauth02.mfg.siteprotect.com (smtpauth02.mfg.siteprotect.com [64.26.60.136])
    by mx.siteprotect.com (Postfix) with ESMTP id 907E5300075
    for <>; Thu, 11 Sep 2014 17:16:48 -0500 (CDT)
Received: by smtpauth02.mfg.siteprotect.com (Postfix)
    id 8DABA44DC7; Thu, 11 Sep 2014 17:16:48 -0500 (CDT)
Date: Thu, 11 Sep 2014 17:16:48 -0500 (CDT)
From: MAILER-DAEMON[at]smtpauth02.mfg.siteprotect.com (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To:
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
    boundary="EAB0D3EE36.1410473808/smtpauth02.mfg.siteprotect.com"
Message-Id: <20140911221648.8DABA44DC7[at]smtpauth02.mfg.siteprotect.com>
X-CTCH-RefID: str=0001.0A020203.54121F51.0004:SCFSTAT24923302,ss=1,re=-4.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=256
X-Mail-Filter-Gateway-ID: 92698A78002.ADF53
Mail-Filter-Gateway: Scanned OK
X-Mail-Filter-Gateway-SpamDetectionEngine: NOT spam,
    MailFilterGateway Engine (score=-1, required 3, autolearn=disabled,
    CTASD_SPAM_UNKNOWN -1.00)
X-Mail-Filter-Gateway-From:
X-Mail-Filter-Gateway-To:
X-spam-Status: No

This is a MIME-encapsulated message.

--EAB0D3EE36.1410473808/smtpauth02.mfg.siteprotect.com
Content-Description: Notification
Content-Type: text/plain; charset=us-ascii

This is the mail system at host smtpauth02.mfg.siteprotect.com.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The mail system

<>: host mx4.hotmail.com[65.54.188.72] said: 550
    Requested action not taken: mailbox unavailable (in reply to RCPT TO
    command)

<>: host mx2.hotmail.com[65.54.188.72] said: 550 Requested
    action not taken: mailbox unavailable (in reply to RCPT TO command)

<>: host mta5.am0.yahoodns.net[66.196.118.33] said: 554
    delivery error: dd This user doesn't have a yahoo.com account
    () [-5] - mta1073.mail.bf1.yahoo.com (in reply to
    end of DATA command)

<>: host iol-smtp-in.iol.pt[193.126.12.169] said: 554 5.7.1
    <>: Recipient address rejected: Access denied (in reply to RCPT
    TO command)

--EAB0D3EE36.1410473808/smtpauth02.mfg.siteprotect.com
Content-Description: Delivery report
Content-Type: message/delivery-status

Reporting-MTA: dns; smtpauth02.mfg.siteprotect.com
X-Postfix-Queue-ID: EAB0D3EE36
X-Postfix-Sender: rfc822;
Arrival-Date: Thu, 11 Sep 2014 17:16:32 -0500 (CDT)

Final-Recipient: rfc822;
Original-Recipient: rfc822;
Action: failed
Status: 5.0.0
Remote-MTA: dns; mx4.hotmail.com
Diagnostic-Code: smtp; 550 Requested action not taken: mailbox unavailable

Final-Recipient: rfc822;
Original-Recipient: rfc822;
Action: failed
Status: 5.0.0
Remote-MTA: dns; mx2.hotmail.com
Diagnostic-Code: smtp; 550 Requested action not taken: mailbox unavailable

Final-Recipient: rfc822;
Original-Recipient: rfc822;
Action: failed
Status: 5.0.0
Remote-MTA: dns; mta5.am0.yahoodns.net
Diagnostic-Code: smtp; 554 delivery error: dd This user doesn't have a
    yahoo.com account () [-5] -
    mta1073.mail.bf1.yahoo.com

Final-Recipient: rfc822;
Original-Recipient: rfc822;
Action: failed
Status: 5.7.1
Remote-MTA: dns; iol-smtp-in.iol.pt
Diagnostic-Code: smtp; 554 5.7.1 <>: Recipient address rejected:
    Access denied

--EAB0D3EE36.1410473808/smtpauth02.mfg.siteprotect.com
Content-Description: Undelivered Message
Content-Type: message/rfc822

Return-Path: <>
Received: from h88-150-231-50 (unknown [2.246.134.149])
    (Authenticated sender: )
    by smtpauth02.mfg.siteprotect.com (Postfix) with ESMTPA id EAB0D3EE36;
    Thu, 11 Sep 2014 17:16:32 -0500 (CDT)
X-Mailer:
Message-ID: F6A15CF04AD3F2ACA1360BB957FFDE11[at]
Subject: Fwd:
From: <>
To: <
X-CTCH-spam: Confirmed
X-CTCH-RefID: str=0001.0A020201.54121EEF.0142,ss=4,sh,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=12

http://www.pimpen.co.th/your_avatar.gif?giguhol=9755630&ogylode=284818

--EAB0D3EE36.1410473808/smtpauth02.mfg.siteprotect.com--


I copied one of the messages using a text editor. At the end there's an http address -- maybe it's the hacker's? (I tried to delete all recipient email addresses as well as my own). ...

Yes, it looks like x2f68695.dyn.telefonica.de [2.246.134.149] is the insertion point (hacker) - you could send your evidence to abuse[at]telefonica.de requesting their action against the perpetrator.

The "payload" is a link to the malware/infection site via redirection from http://www.pimpen.co.th/your_avatar.gif?giguhol=9755630&ogylode=284818 (see https://www.virustotal.com/en/url/56e327214...1269b/analysis/) and I have removed the link in your post to that (just left it as plain text), we don't want to leave that as a clickable trap for the unwary or an imposition on the web reputation of this forum - or as a possible benefit of any kind to the spammer.

Thanks for taking the time ... marking as "Resolved" to help future searches for explanations of similar occurrences :)


http://www.spamcop.net/sc?track=2.246.134.149 confirms the address. No guarantees but SC staff try hard to exclude bad colluders and outright spammers from the report routing. I would have risked it, certainly. Probably getting a little late now though, best done when it is fresh. But in any future case, just run the IP address through the paste-in box for spam submission to see the routing (and more details as well in that 'members' version of the tracking report).

P.S. Oh, I see that IP is still on the CBL, look at http://www.senderbase.org/lookup/domain/?s...g=telefonica.de and you will see that telefonica.de has a great many others listed in blacklists and is obviously unequal to the task of controlling them - complaining at this late stage is almost certainly a waste of time (but I still would have done it while it was fresher - abuse is one thing but hacking is getting to the top end of the scale and clearly criminal).


Well, it looks like I'm going to get another chance to report them.

I'm not sure what happened. I had deleted all the bounces except 1 so I could report it. When I went to find it, it was gone (it wasn't in Windows Live Mail). I went online to the webhost site and found it in the spam folder. I moved it to the inbox. Now I'm getting bounces again, but they haven't changed the password so I don't know if they're forging my address or if they've somehow been able to hack in again. There were 2 email addresses on this account and the 2nd one still had the old password (which I have now changed).

This is the most recent bounce. It has a different website at the bottom. Not sure how to check where this came from originally.

Return-Path: <>
Delivered-To:
Received: from stor29.mfg.siteprotect.com ([192.168.31.175])
    by stor25r.mfg.siteprotect.com (Dovecot) with LMTP id d8NoC4+6GFTULQAAw8NFKg
    for Tue, 16 Sep 2014 17:37:09 -0500
Received: from mx.siteprotect.com (unknown [192.168.33.158])
    by stor29.mfg.siteprotect.com (Postfix) with ESMTP id DFDAF47EED
    for <>; Tue, 16 Sep 2014 17:37:08 -0500 (CDT)
Received: from fbr04.mfg.siteprotect.com (fbr04.mfg.siteprotect.com [64.26.60.139])
    by mx.siteprotect.com (Postfix) with ESMTP id DD771478076
    for <>; Tue, 16 Sep 2014 17:37:08 -0500 (CDT)
Received: by fbr04.mfg.siteprotect.com (Postfix)
    id CE8B69C848; Tue, 16 Sep 2014 17:37:08 -0500 (CDT)
Date: Tue, 16 Sep 2014 17:37:08 -0500 (CDT)
From: MAILER-DAEMON[at]fbr04.mfg.siteprotect.com (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To:
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
    boundary="C55749F0C5.1410907028/fbr04.mfg.siteprotect.com"
Message-Id: <20140916223708.CE8B69C848[at]fbr04.mfg.siteprotect.com>
X-CTCH-RefID: str=0001.0A020202.5418BB95.0022,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=256
X-Mail-Filter-Gateway-ID: DFDAF47EED.AAB87
Mail-Filter-Gateway: Scanned OK
X-Mail-Filter-Gateway-SpamDetectionEngine: NOT spam,
    MailFilterGateway Engine (score=-1, required 3, autolearn=disabled,
    CTASD_SPAM_UNKNOWN -1.00)
X-Mail-Filter-Gateway-From:
X-Mail-Filter-Gateway-To:
X-spam-Status: No

This is a MIME-encapsulated message.

--C55749F0C5.1410907028/fbr04.mfg.siteprotect.com
Content-Description: Notification
Content-Type: text/plain; charset=us-ascii

This is the mail system at host fbr04.mfg.siteprotect.com.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The mail system

<>: host smtp.cabrini.edu[144.118.66.100] said: 451 4.2.2
    <>: Recipient address rejected: user
    mailbox is full and cannot receive new mail (in reply to RCPT TO command)

--C55749F0C5.1410907028/fbr04.mfg.siteprotect.com
Content-Description: Delivery report
Content-Type: message/delivery-status

Reporting-MTA: dns; fbr04.mfg.siteprotect.com
X-Postfix-Queue-ID: C55749F0C5
X-Postfix-Sender: rfc822;
Arrival-Date: Thu, 11 Sep 2014 17:21:51 -0500 (CDT)

Final-Recipient: rfc822;
Original-Recipient: rfc822;
Action: failed
Status: 4.2.2
Remote-MTA: dns; smtp.cabrini.edu
Diagnostic-Code: smtp; 451 4.2.2 <>: Recipient address
    rejected: user mailbox is full and cannot receive new
    mail

--C55749F0C5.1410907028/fbr04.mfg.siteprotect.com
Content-Description: Undelivered Message
Content-Type: message/rfc822

Return-Path: <>
Received: from smtpauth03.mfg.siteprotect.com (smtpauth03-mf.mfg.chicago.hostway [192.168.33.73])
    by fbr04.mfg.siteprotect.com (Postfix) with ESMTP id C55749F0C5
    for <>; Thu, 11 Sep 2014 17:21:51 -0500 (CDT)
Received: from h88-150-231-50 (unknown [181.64.254.103])
    (Authenticated sender: )
    by smtpauth03.mfg.siteprotect.com (Postfix) with ESMTPA id 2B16C22639;
    Thu, 11 Sep 2014 17:21:40 -0500 (CDT)
X-Mailer:
Message-ID: 8DEA8CE46A7D10392BFDC4C93CF95283[at]nacchem.com
Subject: Fwd:
From: <>
To: <>, <>, <>, <>, <>
X-CTCH-spam: Suspect
X-CTCH-RefID: str=0001.0A020208.5412207F.00EA,ss=2,re=0.000,recu=0.000,reip=0.000,cl=2,cld=1,fgs=64

h t t p://iprimeplasticsurgery.com/your_avata...;kirises=755702

--C55749F0C5.1410907028/fbr04.mfg.siteprotect.com--


Well, it looks like I'm going to get another chance to report them....

I don't think I would bother, the supposed date of origin of the bounced spam is old, the supposed origin is in Telefonica del Peru netspace this time (famous for sending more spam than real messages) but the start of the transit path looks to be trivially forged (but how could that be?) and there is no assurance that any of it can be trusted on the evidence you are able to provide.

Just make sure your accounts are secured and see if it stops. If not, siteprotect.com (apparently your provider) have some explaining to do because if the hack is not in your account it is somewhere else in their network.


Usually the bottom "Received:" line shows the initiator - in the last case, for the "bounced" message

Received: from h88-150-231-50 (unknown [181.64.254.103]) (Authenticated sender: ) by smtpauth03.mfg.siteprotect.com (Postfix) with ESMTPA id 2B16C22639;
that is from h88-150-231-50 (unknown [181.64.254.103]). But either 181.64.254.103 is misidentifying itself - it certainly isn't configured as h88-150-231-50 in DNS records - or it is a crude forgery.

181.64.254.103 is sort of believable since it is in a much-hacked/abused network and (surprise - not) it is currently in the CBL (use http://www.senderbase.org/lookup/?search_s...=181.64.254.103 and follow the link to the CBL) with the current notes (in part)

This IP is infected (or NATting for a computer that is infected) with the asprox spambot. In other words, it's participating in a botnet.
A neat explanation (a botnet is sending out messages with forged credentials) but another is that your mail account has been hacked and is sending out the message with that forgery - and another is that some other part of siteprotect.com is sending it out with that part AND your account credentials forged.

siteprotect.com is looking a little shaky whichever way it is carved, they shouldn't be leaking unless your mail account has been cunningly hacked and (simplest explanation) that is what is happening. That hypothesis is easily tested - if (current) bounce messages continue after you have secured your account(s) it cannot be supported with confidence.

The last bounce message you showed us is not "current" in the way I mean - yes, it was recently sent but supposedly relates to a message sent a week ago. That is not unusual, some networks will try to deliver for a week before giving up (and "full mailbox" is one of the circumstances in which they will persevere).

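To make the "either misidentifying itself or a crude forgery" point concrete, here is an added example (not code from the posts above) that splits a Postfix Received: line into the HELO name, the reverse DNS, the connecting address, the receiving host and the protocol, then checks whether the name the client announced is consistent with where it connected from: h88-150-231-50 spells out 88.150.231.50, which is neither 2.246.134.149 nor 181.64.254.103. The first two inputs are the bottom Received: lines quoted in this thread, with the account name redacted as posted; the third is a constructed hop from a well-behaved client. shared_helo adds a check the posts do not spell out, whether one HELO string turns up from several unrelated addresses, which is what a fixed string in a bot's sending template looks like.

```python
# Added example, not code from the original posts: split a Postfix Received: line
# ("from HELO (rdns [ip]) ... by HOST ... with PROTO") into its fields and check
# whether the name the client announced is consistent with the address it came
# from.  HOPS[0] and HOPS[1] are the bottom Received: lines quoted in this thread
# (account name redacted as posted); HOPS[2] is a constructed, well-behaved hop.
import re
from ipaddress import IPv4Address, AddressValueError

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                                  # HELO/EHLO name
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[0-9a-fA-F.:]+)\]\))?"  # (rdns [ip])
    r".*?\bby\s+(?P<by>[^\s;]+)"                                             # server that logged it
    r".*?\bwith\s+(?P<proto>\S+)", re.S)                                    # ESMTP, ESMTPA, ESMTPSA

HOPS = [
    "Received: from h88-150-231-50 (unknown [2.246.134.149]) (Authenticated sender: ) "
    "by smtpauth02.mfg.siteprotect.com (Postfix) with ESMTPA id EAB0D3EE36; "
    "Thu, 11 Sep 2014 17:16:32 -0500 (CDT)",
    "Received: from h88-150-231-50 (unknown [181.64.254.103]) (Authenticated sender: ) "
    "by smtpauth03.mfg.siteprotect.com (Postfix) with ESMTPA id 2B16C22639; "
    "Thu, 11 Sep 2014 17:21:40 -0500 (CDT)",
    # constructed: the HELO name encodes the very address the client connected from
    "Received: from host-192-0-2-10.example.org (host-192-0-2-10.example.org [192.0.2.10]) "
    "by mx.example.net (Postfix) with ESMTPS id 0001; Thu, 11 Sep 2014 17:30:00 -0500 (CDT)",
]

def ip_in_name(name):
    """Dotted or dashed IPv4 embedded in a hostname (h88-150-231-50 -> 88.150.231.50)."""
    m = re.search(r"(?<!\d)(\d{1,3})[-.](\d{1,3})[-.](\d{1,3})[-.](\d{1,3})(?!\d)", name)
    if not m:
        return None
    try:
        return str(IPv4Address(".".join(m.groups())))
    except AddressValueError:  # an octet above 255: digits, but not an address
        return None

def analyze_hop(line):
    """Parsed fields plus consistency checks for one Received: header."""
    text = line.split(":", 1)[1] if line.startswith("Received:") else line
    text = re.sub(r"\s+", " ", text).strip()
    m = RECEIVED_RE.search(text)
    if not m:
        raise ValueError("unparsable Received line: " + text)
    f = m.groupdict()
    helo_ip = ip_in_name(f["helo"])
    return {
        "helo": f["helo"], "ip": f["ip"], "rdns": f["rdns"], "by": f["by"],
        "helo_ip": helo_ip,
        # None: no address in the HELO name; False: it names a different address
        "helo_matches_ip": None if helo_ip is None else helo_ip == f["ip"],
        "no_reverse_dns": f["rdns"] in (None, "unknown"),
        # Postfix writes ESMTPA/ESMTPSA only when SMTP AUTH succeeded in that session
        "authenticated": bool(re.fullmatch(r"E?SMTPS?A", f["proto"]))
                         or "Authenticated sender" in text,
    }

def shared_helo(lines):
    """HELO names seen from more than one client IP: a fixed string in a bot template."""
    seen = {}
    for line in lines:
        h = analyze_hop(line)
        seen.setdefault(h["helo"], set()).add(h["ip"])
    return {helo: ips for helo, ips in seen.items() if len(ips) > 1}
```

A HELO name that encodes a different address than the one in brackets, no reverse DNS, and ESMTPA all in the same line is the combination seen in both bounces here: a client that is lying about its name but holds valid credentials for the account. Only the bracketed address and the "by" host come from the receiving server; the HELO name is whatever the client typed.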

A little paranoia is healthy, distrust coincidence. iprimeplasticsurgery.com (the "payload" for your last) is identified as some sort of malware site. Some malware infects computers then uses them to spread. Never click on those payload links. Make sure your malware and antivirus protection is up to date (more than one is okay - no single product detects everything all the time) and run the occasional full scan and frequent partial scans in addition to having some sort of real-time protection running in the background on one of them.

Opinions vary on what is "best" but anything is better than nothing. If it has stopped now you are probably in the clear. If you have real cause for concern (don't overdo the paranoia), maybe lurk around http://www.bleepingcomputer.com/ forums and look at some resolved cases to see what's real and what's not (and how to get help if it comes to that). They seem to be specialised and very good at helping people overcome infections, including multiple infections and "root kit" ones which can be difficult or nearly impossible to eradicate on your own. It's still not "easy" but that looks like a good place to seek help if you need it.

Just my opinion.

