
Is this my email spoofer?



Hi,

I have had my email account spoofed for around a year now.  It happens in bursts lasting 2 weeks or so then is quiet for a month or so before re-starting.  I have checked all the bounce-back messages I receive but there is no information I can see that is any use...until today when I started receiving the following bounce-back:

"This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a temporary error. The following address(es) deferred:

  policyexpert.co.uk@mail57.wdc03.rsgsv.net
  
Domain eoneltd.com has exceeded the max emails per hour (1103/1000 (110%)) allowed.  Message will be reattempted later

------- This is a copy of the message, including all the headers. ------
Received: from [186.235.239.112] (port=51287 helo=tenxr.com) by host.althuq.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)"

A quick whois check points to this entry:

Registrant Org ahmed almutairi is associated with ~16 other domains
Registrar GODADDY.COM, LLC
Registrar Status clientDeleteProhibited, clientRenewProhibited, clientTransferProhibited, clientUpdateProhibited
Dates Created on 2007-09-11 - Expires on 2018-09-11 - Updated on 2014-08-27
Name Server(s) NS1.ALTHUQ.COM (has 6 domains)
NS2.ALTHUQ.COM (has 6 domains)
IP Address 74.200.74.196 - 4 other sites hosted on this server
IP Location United States - Virginia - Sterling - Virtacore Systems Inc
ASN United States AS14383 VCS-AS - Virtacore Systems Inc, US (registered May 12, 2005)

Among the other sites hosted on the same server is the althuq.com listed in the bounce-back. Is there a good chance that this is the person spoofing my email?  I am aware that they may not even realise they are doing it if their computer/server has been compromised.

If this is a good indication that they are responsible, who is the best person to inform?

Thanks,

Mike


Generally doing anything about bounce messages just clutters the airways and gets directed at the domain of receiving the spam, not the sender.  As you know, you are getting the bounce messages because the sender of the bounce is taking the easy/incorrect approach of sending bounces to the REPLY TO: or FROM: lines in the header not the real source reflected in the Received: lines.

In this case the error message came from the sender's email host.  I would reply directly to the sender. Either 1) their email system has been compromised or 2) they have a client that is using their email system (and IP addresses) to send spam.  In either case the ISP should want to know.

The bad news is that now that a spammer has your email address/domain in their list of addresses to use, the flurry will no doubt continue. The breaks you see in blocks of bounces may be caused as they are kicked off of one ISP and get set up on another, or they are just cycling through a list in an attempt to avoid being blocked.  You are lucky, they made a mistake and exceeded their quota and you received some insight as a result.

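The reply's point, that the real source sits in the Received: lines while the bounce was addressed to From:/Reply-To:, as an added example that is not from the original thread: a small Python parser that pulls the first hop out of the header copy a bounce carries. The sample headers are constructed around the values quoted above; mx.example.org, the top hop and mike@example.com are placeholders, not data from the thread.

```python
import re
# One Received: hop, in the Exim form the bounce shows
# ("from [ip] (port=N helo=name) by host with esmtpsa ...") or the Postfix form
# ("from name (rdns [ip]) by host with ESMTP ...").
HOP_RE = re.compile(r"from\s+(?P<from>\S+)(?:\s+\((?P<paren>[^)]*)\))?"
                    r"\s+by\s+(?P<by>\S+)(?:\s+with\s+(?P<with>\S+))?", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def header(headers, name):
    """All values of one header, in file order, with folded lines joined."""
    lines = []
    for line in headers.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()      # continuation of previous header
        elif line.strip():
            lines.append(line.rstrip())
    key = name.lower() + ":"
    return [l.split(":", 1)[1].strip() for l in lines if l.lower().startswith(key)]

def hops(headers):
    """Parse every Received: header, top to bottom, into ip/helo/by/with fields."""
    out = []
    for value in header(headers, "Received"):
        m = HOP_RE.search(value)
        if not m:
            continue
        ip, helo = IP_RE.search(value), re.search(r"helo=(\S+)", m["paren"] or "")
        out.append({"ip": ip and ip[1], "helo": helo[1] if helo else m["from"].strip("[]"),
                    "by": m["by"], "with": (m["with"] or "").lower()})
    return out

def report(headers):
    """Where the mail really entered the mail system, versus who the bounce blamed."""
    origin = hops(headers)[-1]   # relays prepend Received:, so the last one is the first hop
    sender = header(headers, "From")
    return {"bounce_went_to": sender[0] if sender else None,
            "injecting_ip": origin["ip"], "helo": origin["helo"], "relay": origin["by"],
            # Exim's "esmtpsa" = ESMTP over TLS with SMTP AUTH: the relay took the
            # message from a logged-in account, not as an open relay.
            "authenticated_submission": origin["with"] == "esmtpsa"}

# Constructed sample of the header copy a bounce carries; the bottom hop uses the
# values quoted in the thread, the top hop is invented only to show the ordering.
SAMPLE = """\
Received: from host.althuq.com ([74.200.74.196]) by mx.example.org with esmtps
Received: from [186.235.239.112] (port=51287 helo=tenxr.com)
    by host.althuq.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)
From: Mike <mike@example.com>
"""
```

The "relay" and "injecting_ip" fields are what to hand to the relay's operator; "authenticated_submission" tells them whether to look for a compromised or abusive account rather than an open relay.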
