slyworme, posted July 28, 2016

Hi, I have had my email account spoofed for around a year now. It happens in bursts lasting 2 weeks or so, then is quiet for a month or so before re-starting. I have checked all the bounce-back messages I receive but there is no information I can see that is any use... until today, when I started receiving the following bounce-back:

"This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its recipients. This is a temporary error. The following address(es) deferred:
policyexpert.co.uk@mail57.wdc03.rsgsv.net
Domain eoneltd.com has exceeded the max emails per hour (1103/1000 (110%)) allowed. Message will be reattempted later
------- This is a copy of the message, including all the headers. ------
Received: from [186.235.239.112] (port=51287 helo=tenxr.com) by host.althuq.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)"

A quick whois check points to this entry:

Registrant Org: ahmed almutairi (is associated with ~16 other domains)
Registrar: GODADDY.COM, LLC
Registrar Status: clientDeleteProhibited, clientRenewProhibited, clientTransferProhibited, clientUpdateProhibited
Dates: Created on 2007-09-11 - Expires on 2018-09-11 - Updated on 2014-08-27
Name Server(s): NS1.ALTHUQ.COM (has 6 domains), NS2.ALTHUQ.COM (has 6 domains)
IP Address: 74.200.74.196 - 4 other sites hosted on this server
IP Location: Virginia - Sterling - Virtacore Systems Inc
ASN: AS14383 VCS-AS - Virtacore Systems Inc, US (registered May 12, 2005)

Among the other sites hosted on the same server is the althuq.com listed in the bounce-back. Is there a good chance that this is the person spoofing my email? I am aware that they may not even realise they are doing it if their computer/server has been compromised. If this is a good indication that they are responsible, who is the best person to inform?

Thanks, Mike
Lking, posted July 28, 2016

Generally, doing anything about bounce messages just clutters the airways and gets directed at the domain shown in the spam, not the sender. As you know, you are getting the bounce messages because the sender of the bounce is taking the easy/incorrect approach of sending bounces to the REPLY TO: or FROM: lines in the header, not the real source reflected in the Received: lines. In this case the error message came from the sender's email host. I would reply directly to the sender. Either 1) their email system has been compromised or 2) they have a client that is using their email system (and IP addresses) to send spam. In either case the ISP should want to know.

The bad news is that now that a spammer has your email address/domain in their list of addresses to use, the flurry will no doubt continue. The breaks you see in blocks of bounces may be caused as they are kicked off of one ISP and get set up on another, or they are just cycling through a list in an attempt to avoid being blocked. You are lucky: they made a mistake and exceeded their quota, and you received some insight as a result.
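As an added illustration of the point made above (not part of either poster's message), the following Python pulls the real handing-in host out of a Received: line like the one quoted in the bounce and compares it with the From: domain; the header sample is constructed from the values in the thread, with a placeholder From: address.

```python
import re
from typing import Optional

# Constructed sample modelled on the bounce quoted in the thread: From:/Reply-To:
# carry the spoofed address, while Received: records the host that actually
# connected to the mail server (the line is folded onto two lines, as in real mail).
SAMPLE_HEADERS = """\
From: mike@example.invalid
Reply-To: mike@example.invalid
Received: from [186.235.239.112] (port=51287 helo=tenxr.com)
\tby host.althuq.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)
To: policyexpert.co.uk@mail57.wdc03.rsgsv.net
"""

# Exim-style Received: clause: from [ip] (port=... helo=...) by <host> with <protocol>
RECEIVED_RE = re.compile(
    r"from\s+\[(?P<ip>[0-9.]+)\]\s*\((?:port=(?P<port>\d+))?\s*(?:helo=(?P<helo>[^\s)]+))?\)"
    r"\s+by\s+(?P<by>\S+)\s+with\s+(?P<proto>\S+)",
    re.IGNORECASE,
)

def unfold_headers(raw: str) -> dict:
    """Unfold RFC 5322 continuation lines; return lower-cased name -> list of values."""
    headers, current = {}, None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and current:
            headers[current][-1] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            current = name.strip().lower()
            headers.setdefault(current, []).append(value.strip())
    return headers

def origin_from_received(raw: str) -> Optional[dict]:
    """Connecting IP, HELO name and receiving host from the earliest (last) Received: line."""
    received = unfold_headers(raw).get("received", [])
    m = RECEIVED_RE.search(received[-1]) if received else None
    if not m:
        return None
    d = m.groupdict()
    # Exim appends 'a' to the protocol (esmtpa/esmtpsa) when the client used SMTP AUTH,
    # i.e. the spam was submitted with valid credentials on the receiving host.
    d["authenticated"] = d["proto"].lower().endswith("a")
    return d

def sender_mismatch(raw: str) -> bool:
    """True when the From: domain is neither the HELO name nor the receiving host."""
    h, origin = unfold_headers(raw), origin_from_received(raw)
    if origin is None or "from" not in h:
        return False
    from_domain = h["from"][0].rsplit("@", 1)[-1].strip("<> ").lower()
    return from_domain not in (origin["helo"].lower(), origin["by"].lower())
```

When `sender_mismatch` is true, the abuse report belongs with the operator of the `by` host (here host.althuq.com) or its hosting provider, not with the domain in From:.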
slyworme (author), posted July 29, 2016

Thanks for the reply. Just to clarify: the best person to contact in this case would be the Registrant (Mr Almutairi) or the IP host (Virtacore Systems Inc)?
Lking, posted July 29, 2016

That is your call. Anyone here has only the limited information you have posted (PLEASE do not post the email here!). As I suggested, I would reply to the ISP that sent you the message.
slyworme (author), posted July 29, 2016

Thanks again