maza Posted September 12, 2014

A spammer seems to be using our email address to send out spam and we're getting a lot of bounce notices. I'd like to send a complaint to the postmaster that's allowing this forgery but am not sure how to figure it out. This is one of the bounce notices:

This is the mail system at host smtpauth02.mfg.siteprotect.com.

I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can delete your own text from the attached returned message.

The mail system

<elvin_007[at]yahoo.com>: host mta5.am0.yahoodns.net[98.136.216.25] said: 554 delivery error: dd This user doesn't have a yahoo.com account (elvin_007[at]yahoo.com) [-5] - mta1172.mail.gq1.yahoo.com (in reply to end of DATA command)

<admasterad[at]mail.ru>: host mxs.mail.ru[217.69.139.150] said: 550 Message was not accepted -- invalid mailbox. Local mailbox admasterad[at]mail.ru is unavailable: user not found (in reply to end of DATA command)

----------------------------------------------------

Just noticed that there is an attachment which is supposed to be the sent message. I haven't opened it since, I assume, it could be malware. Help appreciated.
lisati Posted September 12, 2014

As I see it, there are at least two possible avenues of investigation. The first is that the headers of the bounce message should give you some clues as to the identity of the machine that issued the non-delivery report. This will help you alert the admin of that system that there might be a problem. The other is to examine the headers of the message that was bounced. This assumes that the bounced message (or at least enough of it to be of some value) is included in the non-delivery report, possibly as an attachment.

Caution: Be aware of the possibility of malware; take care how you choose to examine any attachments that come with the bounce message.

When it comes to reporting the spam, I'd be inclined to report the bounce message rather than the message that was bounced. You choose what arrives in your inbox. Spam that is directed to someone else is their problem.
maza (Author) Posted September 12, 2014

Caution: Be aware of the possibility of malware; take care how you choose to examine any attachments that come with the bounce message.

Is there a safe way to examine the attachments? Thanks.
Farelf Posted September 12, 2014

... Help appreciated.

The outgoing mail server is generally not the problem; the clueless mail administrators misdirecting bounce messages (follow that link sometime) generally are the problem. Forged "from:" and/or "reply-to:" addresses are a widespread problem and those should never be relied upon to return undelivered mail. If bounced at all, message refusal should only occur when the outgoing and receiving servers are still connected, never afterwards when the (possibly) forged address becomes the only delivery option.

But I'm not at all familiar with the type of bounce message you quote - yahoo.com and mail.ru both complaining and siteprotect.com getting involved somehow? Is that a single bounce? We really need to see the complete message, including full headers and attachments. Yes, for now I am puzzled too. But wow, yahoo actually declaring an invalid address, which is helpful - that must be relatively new (as an aside), they didn't always do that (which was unhelpful).

Anyway, misdirected bounces are accepted by SpamCop as abuse and they can be reported. Perhaps those ultimately responsible might be educated by receiving the SC complaints. So one approach is to get yourself a free SpamCop reporting account and start submitting reports - there is something of a learning curve associated with that (the full headers thing, etc.), though many thousands have managed. Also you could try searching these forums with the search term "misdirected bounce" - also try "backscatter" - to read past discussions. HTH

Is there a safe way to examine the attachments?

If you can "View as text" the message, that will not activate HTML or scripted malware ... generally part of the "Get full headers" knowledge base. You may not understand what you see, but at least it cannot "bite" you.
maza (Author) Posted September 12, 2014

I've just discovered that someone seems to have hacked into our account. Our password had been changed and I was unable to receive mail. Fortunately, I was still able to log in to the verizon site control site and rechange the password. So now it's starting to look like the email was actually sent from our account.
Farelf Posted September 12, 2014

I've just discovered that someone seems to have hacked into our account. ...

Ah, thanks for the update - usually the first thing someone suspects, almost always NOT the case, which is probably why no-one suggested the possibility. Let's know how you go and if that was the answer we'll mark this one resolved. You need a strong password and somewhere secure/encrypted to keep a back-up of it, plenty of (free) options for both, just Google.
maza (Author) Posted September 12, 2014

I copied one of the messages using a text editor. At the end there's an http address -- maybe it's the hacker's? (I tried to delete all recipient email addresses as well as my own).

Return-Path: <>
Delivered-To: <>
Received: from mf28.mfg.siteprotect.com ([192.168.31.177]) by stor25r.mfg.siteprotect.com (Dovecot) with LMTP id qk+XFeYeElR7VgAAw8NFKg for <>; Thu, 11 Sep 2014 17:16:49 -0500
Received: from mx.siteprotect.com (unknown [192.168.33.154]) by mf28.mfg.siteprotect.com (Postfix) with ESMTP id 92698A78002 for <>; Thu, 11 Sep 2014 17:16:48 -0500 (CDT)
Received: from smtpauth02.mfg.siteprotect.com (smtpauth02.mfg.siteprotect.com [64.26.60.136]) by mx.siteprotect.com (Postfix) with ESMTP id 907E5300075 for <>; Thu, 11 Sep 2014 17:16:48 -0500 (CDT)
Received: by smtpauth02.mfg.siteprotect.com (Postfix) id 8DABA44DC7; Thu, 11 Sep 2014 17:16:48 -0500 (CDT)
Date: Thu, 11 Sep 2014 17:16:48 -0500 (CDT)
From: MAILER-DAEMON[at]smtpauth02.mfg.siteprotect.com (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To:
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="EAB0D3EE36.1410473808/smtpauth02.mfg.siteprotect.com"
Message-Id: <20140911221648.8DABA44DC7[at]smtpauth02.mfg.siteprotect.com>
X-CTCH-RefID: str=0001.0A020203.54121F51.0004:SCFSTAT24923302,ss=1,re=-4.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=256
X-Mail-Filter-Gateway-ID: 92698A78002.ADF53
Mail-Filter-Gateway: Scanned OK
X-Mail-Filter-Gateway-SpamDetectionEngine: NOT spam, MailFilterGateway Engine (score=-1, required 3, autolearn=disabled, CTASD_SPAM_UNKNOWN -1.00)
X-Mail-Filter-Gateway-From:
X-Mail-Filter-Gateway-To:
X-spam-Status: No

This is a MIME-encapsulated message.

--EAB0D3EE36.1410473808/smtpauth02.mfg.siteprotect.com
Content-Description: Notification
Content-Type: text/plain; charset=us-ascii

This is the mail system at host smtpauth02.mfg.siteprotect.com.

I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can delete your own text from the attached returned message.

The mail system

<>: host mx4.hotmail.com[65.54.188.72] said: 550 Requested action not taken: mailbox unavailable (in reply to RCPT TO command)

<>: host mx2.hotmail.com[65.54.188.72] said: 550 Requested action not taken: mailbox unavailable (in reply to RCPT TO command)

<>: host mta5.am0.yahoodns.net[66.196.118.33] said: 554 delivery error: dd This user doesn't have a yahoo.com account () [-5] - mta1073.mail.bf1.yahoo.com (in reply to end of DATA command)

<>: host iol-smtp-in.iol.pt[193.126.12.169] said: 554 5.7.1 <>: Recipient address rejected: Access denied (in reply to RCPT TO command)

--EAB0D3EE36.1410473808/smtpauth02.mfg.siteprotect.com
Content-Description: Delivery report
Content-Type: message/delivery-status

Reporting-MTA: dns; smtpauth02.mfg.siteprotect.com
X-Postfix-Queue-ID: EAB0D3EE36
X-Postfix-Sender: rfc822;
Arrival-Date: Thu, 11 Sep 2014 17:16:32 -0500 (CDT)

Final-Recipient: rfc822;
Original-Recipient: rfc822;
Action: failed
Status: 5.0.0
Remote-MTA: dns; mx4.hotmail.com
Diagnostic-Code: smtp; 550 Requested action not taken: mailbox unavailable

Final-Recipient: rfc822;
Original-Recipient: rfc822;
Action: failed
Status: 5.0.0
Remote-MTA: dns; mx2.hotmail.com
Diagnostic-Code: smtp; 550 Requested action not taken: mailbox unavailable

Final-Recipient: rfc822;
Original-Recipient: rfc822;
Action: failed
Status: 5.0.0
Remote-MTA: dns; mta5.am0.yahoodns.net
Diagnostic-Code: smtp; 554 delivery error: dd This user doesn't have a yahoo.com account () [-5] - mta1073.mail.bf1.yahoo.com

Final-Recipient: rfc822;
Original-Recipient: rfc822;
Action: failed
Status: 5.7.1
Remote-MTA: dns; iol-smtp-in.iol.pt
Diagnostic-Code: smtp; 554 5.7.1 <>: Recipient address rejected: Access denied

--EAB0D3EE36.1410473808/smtpauth02.mfg.siteprotect.com
Content-Description: Undelivered Message
Content-Type: message/rfc822

Return-Path: <>
Received: from h88-150-231-50 (unknown [2.246.134.149]) (Authenticated sender: ) by smtpauth02.mfg.siteprotect.com (Postfix) with ESMTPA id EAB0D3EE36; Thu, 11 Sep 2014 17:16:32 -0500 (CDT)
X-Mailer:
Message-ID: F6A15CF04AD3F2ACA1360BB957FFDE11[at]
Subject: Fwd:
From: <>
To: <
X-CTCH-spam: Confirmed
X-CTCH-RefID: str=0001.0A020201.54121EEF.0142,ss=4,sh,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=12

http://www.pimpen.co.th/your_avatar.gif?giguhol=9755630&ogylode=284818

--EAB0D3EE36.1410473808/smtpauth02.mfg.siteprotect.com--
Farelf Posted September 12, 2014

I copied one of the messages using a text editor. At the end there's an http address -- maybe it's the hacker's? (I tried to delete all recipient email addresses as well as my own). ...

Yes, it looks like x2f68695.dyn.telefonica.de [2.246.134.149] is the insertion point (hacker) - you could send your evidence to abuse[at]telefonica.de requesting their action against the perpetrator. The "payload" is a link to the malware/infection site via redirection from http://www.pimpen.co.th/your_avatar.gif?giguhol=9755630&ogylode=284818 (see https://www.virustotal.com/en/url/56e327214...1269b/analysis/) and I have removed the link in your post to that (just left it as plain text); we don't want to leave that as a clickable trap for the unwary or an imposition on the web reputation of this forum - or as a possible benefit of any kind to the spammer.

Thanks for taking the time ... marking as "Resolved" to help future searches for explanations of similar occurrences.
maza (Author) Posted September 16, 2014

I was about to report this but started wondering how legitimate telefonica.de is. I don't want to try to report the hackers to them if they're colluding with them.
Farelf Posted September 17, 2014

http://www.spamcop.net/sc?track=2.246.134.149 confirms the address. No guarantees, but SC staff try hard to exclude bad colluders and outright spammers from the report routing. I would have risked it, certainly. Probably getting a little late now though; best done when it is fresh. But in any future case, just run the IP address through the paste-in box for spam submission to see the routing (and more details as well in that 'members' version of the tracking report).

P.S. Oh, I see that IP is still on the CBL; look at http://www.senderbase.org/lookup/domain/?s...g=telefonica.de and you will see that telefonica.de has a great many others listed in blacklists and is obviously unequal to the task of controlling them - complaining at this late stage is almost certainly a waste of time (but I still would have done it while it was fresher - abuse is one thing, but hacking is getting to the top end of the scale and clearly criminal).
maza (Author) Posted September 17, 2014

Well, it looks like I'm going to get another chance to report them. I'm not sure what happened. I had deleted all the bounces except 1 so I could report it. When I went to find it, it was gone (it wasn't in Windows Live Mail). I went online to the webhost site and found it in the spam folder. I moved it to the inbox. Now I'm getting bounces again, but they haven't changed the password, so I don't know if they're forging my address or if they've somehow been able to hack in again. There were 2 email addresses on this account and the 2nd one still had the old password (which I now changed). This is the most recent bounce. It has a different website at the bottom. Not sure how to check where this came from originally.

Return-Path: <>
Delivered-To:
Received: from stor29.mfg.siteprotect.com ([192.168.31.175]) by stor25r.mfg.siteprotect.com (Dovecot) with LMTP id d8NoC4+6GFTULQAAw8NFKg for Tue, 16 Sep 2014 17:37:09 -0500
Received: from mx.siteprotect.com (unknown [192.168.33.158]) by stor29.mfg.siteprotect.com (Postfix) with ESMTP id DFDAF47EED for <>; Tue, 16 Sep 2014 17:37:08 -0500 (CDT)
Received: from fbr04.mfg.siteprotect.com (fbr04.mfg.siteprotect.com [64.26.60.139]) by mx.siteprotect.com (Postfix) with ESMTP id DD771478076 for <>; Tue, 16 Sep 2014 17:37:08 -0500 (CDT)
Received: by fbr04.mfg.siteprotect.com (Postfix) id CE8B69C848; Tue, 16 Sep 2014 17:37:08 -0500 (CDT)
Date: Tue, 16 Sep 2014 17:37:08 -0500 (CDT)
From: MAILER-DAEMON[at]fbr04.mfg.siteprotect.com (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To:
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="C55749F0C5.1410907028/fbr04.mfg.siteprotect.com"
Message-Id: <20140916223708.CE8B69C848[at]fbr04.mfg.siteprotect.com>
X-CTCH-RefID: str=0001.0A020202.5418BB95.0022,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=256
X-Mail-Filter-Gateway-ID: DFDAF47EED.AAB87
Mail-Filter-Gateway: Scanned OK
X-Mail-Filter-Gateway-SpamDetectionEngine: NOT spam, MailFilterGateway Engine (score=-1, required 3, autolearn=disabled, CTASD_SPAM_UNKNOWN -1.00)
X-Mail-Filter-Gateway-From:
X-Mail-Filter-Gateway-To:
X-spam-Status: No

This is a MIME-encapsulated message.

--C55749F0C5.1410907028/fbr04.mfg.siteprotect.com
Content-Description: Notification
Content-Type: text/plain; charset=us-ascii

This is the mail system at host fbr04.mfg.siteprotect.com.

I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can delete your own text from the attached returned message.

The mail system

<>: host smtp.cabrini.edu[144.118.66.100] said: 451 4.2.2 <>: Recipient address rejected: user mailbox is full and cannot receive new mail (in reply to RCPT TO command)

--C55749F0C5.1410907028/fbr04.mfg.siteprotect.com
Content-Description: Delivery report
Content-Type: message/delivery-status

Reporting-MTA: dns; fbr04.mfg.siteprotect.com
X-Postfix-Queue-ID: C55749F0C5
X-Postfix-Sender: rfc822;
Arrival-Date: Thu, 11 Sep 2014 17:21:51 -0500 (CDT)

Final-Recipient: rfc822;
Original-Recipient: rfc822;
Action: failed
Status: 4.2.2
Remote-MTA: dns; smtp.cabrini.edu
Diagnostic-Code: smtp; 451 4.2.2 <>: Recipient address rejected: user mailbox is full and cannot receive new mail

--C55749F0C5.1410907028/fbr04.mfg.siteprotect.com
Content-Description: Undelivered Message
Content-Type: message/rfc822

Return-Path: <>
Received: from smtpauth03.mfg.siteprotect.com (smtpauth03-mf.mfg.chicago.hostway [192.168.33.73]) by fbr04.mfg.siteprotect.com (Postfix) with ESMTP id C55749F0C5 for <>; Thu, 11 Sep 2014 17:21:51 -0500 (CDT)
Received: from h88-150-231-50 (unknown [181.64.254.103]) (Authenticated sender: ) by smtpauth03.mfg.siteprotect.com (Postfix) with ESMTPA id 2B16C22639; Thu, 11 Sep 2014 17:21:40 -0500 (CDT)
X-Mailer:
Message-ID: 8DEA8CE46A7D10392BFDC4C93CF95283[at]nacchem.com
Subject: Fwd:
From: <>
To: <>, <>, <>, <>, <>
X-CTCH-spam: Suspect
X-CTCH-RefID: str=0001.0A020208.5412207F.00EA,ss=2,re=0.000,recu=0.000,reip=0.000,cl=2,cld=1,fgs=64

h t t p://iprimeplasticsurgery.com/your_avata...;kirises=755702

--C55749F0C5.1410907028/fbr04.mfg.siteprotect.com--
Farelf Posted September 17, 2014

Well, it looks like I'm going to get another chance to report them....

I don't think I would bother; the supposed date of origin of the bounced spam is old, the supposed origin is in Telefonica del Peru netspace this time (famous for sending more spam than real messages), but the start of the transit path looks to be trivially forged (but how could that be?) and there is no assurance that any of it can be trusted on the evidence you are able to provide. Just make sure your accounts are secured and see if it stops. If not, siteprotect.com (apparently your provider) have some explaining to do, because if the hack is not in your account it is somewhere else in their network.
maza (Author) Posted September 17, 2014

I was wondering how you were able to trace where it originated?
Farelf Posted September 18, 2014

Usually the bottom "Received:" line shows the initiator - in the last case, for the "bounced" message

Received: from h88-150-231-50 (unknown [181.64.254.103]) (Authenticated sender: ) by smtpauth03.mfg.siteprotect.com (Postfix) with ESMTPA id 2B16C22639;

that is from h88-150-231-50 (unknown [181.64.254.103]). But either 181.64.254.103 is misidentifying itself - it certainly isn't configured as h88-150-231-50 in DNS records - or it is a crude forgery. 181.64.254.103 is sort of believable since it is in a much-hacked/abused network and (surprise - not) it is currently in the CBL (use http://www.senderbase.org/lookup/?search_s...=181.64.254.103 and follow the link to the CBL) with the current notes (in part):

This IP is infected (or NATting for a computer that is infected) with the asprox spambot. In other words, it's participating in a botnet.

A neat explanation (a botnet is sending out messages with forged credentials), but another is that your mail account has been hacked and is sending out the message with that forgery - and another is that some other part of siteprotect.com is sending it out with that part AND your account credentials forged. siteprotect.com is looking a little shaky whichever way it is carved; they shouldn't be leaking unless your mail account has been cunningly hacked, and (simplest explanation) that is what is happening. That hypothesis is easily tested - if (current) bounce messages continue after you have secured your account(s) it cannot be supported with confidence. The last bounce message you showed us is not "current" in the way I mean - yes, it was recently sent but supposedly relates to a message sent a week ago. That is not unusual; some networks will try to deliver for a week before giving up (and "full mailbox" is one of the circumstances in which they will persevere).
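Both pieces of advice in this thread (lisati's: read the bounce's own headers and the headers of the bounced message separately; Farelf's: the bottom "Received:" line of the bounced message shows where it entered the mail system, and ESMTPA with "Authenticated sender" means it went through the provider's authenticated submission server) can be done mechanically. The script below is an added example written for this page; it is not code from the thread, from SpamCop or from Postfix. It uses only Python's standard email package, and SAMPLE_BOUNCE is a constructed, anonymised bounce modelled on the ones posted above: every host name, address, IP (documentation ranges) and queue ID in it is made up.

```python
# Added example (not from the thread, SpamCop or Postfix): parse a Postfix-style
# multipart/report bounce and pull out what the thread reads by eye.
import re
from email import message_from_string
from email.message import Message

# Constructed, anonymised bounce; all hosts, IPs, addresses and IDs are made up.
SAMPLE_BOUNCE = """\
Return-Path: <>
Received: from mx.example-host.invalid (unknown [192.0.2.10])
    by mf.example-host.invalid (Postfix) with ESMTP id QUEUE0002
    for <victim@example.com>; Thu, 11 Sep 2014 17:16:48 -0500 (CDT)
Received: by smtpauth.example-host.invalid (Postfix) id QUEUE0003;
    Thu, 11 Sep 2014 17:16:48 -0500 (CDT)
From: MAILER-DAEMON@smtpauth.example-host.invalid (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="BOUNDARY1"

--BOUNDARY1
Content-Type: message/delivery-status

Reporting-MTA: dns; smtpauth.example-host.invalid

Final-Recipient: rfc822; nobody@example.net
Action: failed
Status: 5.0.0
Remote-MTA: dns; mx.example.net
Diagnostic-Code: smtp; 550 Requested action not taken: mailbox unavailable

--BOUNDARY1
Content-Type: message/rfc822

Return-Path: <victim@example.com>
Received: from h88-150-231-50 (unknown [198.51.100.77])
    (Authenticated sender: victim@example.com)
    by smtpauth.example-host.invalid (Postfix) with ESMTPA id QUEUE0001;
    Thu, 11 Sep 2014 17:16:32 -0500 (CDT)
From: <victim@example.com>
To: <nobody@example.net>

http://malware-site.invalid/your_avatar.gif?x=1

--BOUNDARY1--
"""

# Postfix writes "from HELO (RDNS [IP])"; RDNS is "unknown" when it could not verify a name.
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9a-fA-F.:]+)\]\)")


def received_hops(msg: Message) -> list:
    """Received: lines as dicts, oldest first (i.e. the bottom line of the header block)."""
    hops = []
    for raw in reversed(msg.get_all("Received") or []):
        text = re.sub(r"\s+", " ", raw).strip()          # unfold continuation lines
        m = HOP_RE.search(text)
        by = re.search(r"\bby\s+(\S+)", text)
        proto = re.search(r"\bwith\s+(\S+)", text)
        hops.append({
            "helo": m.group("helo") if m else None,      # name the client announced
            "rdns": m.group("rdns") if m else None,      # name the MTA verified, or "unknown"
            "ip": m.group("ip") if m else None,
            "by": by.group(1) if by else None,           # MTA that wrote this line
            "proto": proto.group(1) if proto else None,  # ESMTPA = submitted with credentials
            "authenticated": "Authenticated sender:" in text,
        })
    return hops


def split_report(text: str):
    """(bounce, delivery-status part, embedded original message) from a multipart/report."""
    bounce = message_from_string(text)
    if bounce.get_content_type() != "multipart/report":
        raise ValueError("not a multipart/report bounce")
    status = original = None
    for part in bounce.get_payload():
        if part.get_content_type() == "message/delivery-status":
            status = part
        elif part.get_content_type() == "message/rfc822":
            original = part.get_payload(0)               # the embedded Message object
    return bounce, status, original


def failed_recipients(status: Message):
    """Reporting-MTA plus (recipient, status, remote MTA) for each RFC 3464 recipient block."""
    blocks = status.get_payload()                        # header blocks; blocks[0] is per-message
    return blocks[0]["Reporting-MTA"], [
        (b["Final-Recipient"], b["Status"], b["Remote-MTA"]) for b in blocks[1:]]


def assess_origin(original: Message):
    """Oldest hop of the bounced message plus the observations the thread makes by eye."""
    first = received_hops(original)[0]
    findings = []
    if first["authenticated"] or (first["proto"] or "").upper() == "ESMTPA":
        findings.append("submitted with account credentials: points at a compromised "
                        "account rather than a bare From: forgery")
    if first["rdns"] == "unknown":
        findings.append(f"receiving MTA could not verify a reverse-DNS name for {first['ip']}")
    if first["helo"] and "." not in first["helo"]:
        findings.append(f"HELO name {first['helo']!r} is not a fully qualified hostname")
    return first, findings


def payload_links(msg: Message) -> list:
    """URLs in the text parts (the spam's 'payload'); list them for reporting, never fetch them."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            body = part.get_payload(decode=True).decode(part.get_content_charset() or "us-ascii", "replace")
            urls += re.findall(r"https?://[^\s<>\"']+", body)
    return urls
```

Run against a real bounce saved with "View as text", `failed_recipients` gives the machine that issued the non-delivery report (lisati's first avenue), `assess_origin` gives the insertion point of the bounced message (Farelf's bottom "Received:" line), and `payload_links` gives the link to hand to a reporting service. The ESMTPA check is the one that separates the two hypotheses in the thread: a plain From: forgery from a botnet shows up as an unauthenticated ESMTP hop from a foreign host, whereas a hop through the provider's authenticated submission server with "Authenticated sender" means someone logged in with the account's credentials.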
maza (Author) Posted September 18, 2014

Thanks. I'm wondering -- was it just a coincidence that the spam started up again after I moved the message from the spam folder to the inbox? There's been no more spam so far, since I changed the password on the 2nd email account.
Farelf Posted September 18, 2014

A little paranoia is healthy; distrust coincidence. iprimeplasticsurgery.com (the "payload" for your last) is identified as some sort of malware site. Some malware infects computers then uses them to spread. Never click on those payload links. Make sure your malware and antivirus protection is up to date (more than one is okay - no single product detects everything all the time) and run the occasional full scan and frequent partial scans in addition to having some sort of real-time protection running in the background on one of them. Opinions vary on what is "best" but anything is better than nothing.

If it has stopped now you are probably in the clear. If you have real cause for concern (don't overdo the paranoia), maybe lurk around http://www.bleepingcomputer.com/ forums and look at some resolved cases to see what's real and what's not (and how to get help if it comes to that). They seem to be specialised and very good at helping people overcome infections, including multiple infections and "root kit" ones which can be difficult or nearly impossible to eradicate on your own. It's still not "easy" but that looks like a good place to seek help if you need it. Just my opinion.
maza (Author) Posted September 18, 2014

Yes - I agree. Bleeping Computer helped me recently and found a bunch of things regular scanning had missed.