
Bogus MAILER-DAEMON return messages???


dhumble


I'm getting a few messages as of late that appear to have been sent from my email account (actually my domain name) but the user name before the [at] symbol is nothing I have ever used before. Most of these are coming from overseas accounts and I was wondering if this was some kind of a new method to spam folks and try and get them to reply or something. I have included the source of one of the messages here and removed my domain name and replaced it with 1234.com. I obviously didn't send this out and no one in my business did because it is just myself. Anyone have a clue as to what this is all about? Could someone have gained access to my server on estarr.com and is sending out bogus spam emails to others? I'm confused....

Doug

Return-path: <>
Envelope-to: trac[at]1234.com
Delivery-date: Fri, 29 Sep 2006 13:04:18 -0400
Received: from [80.239.9.55] (helo=mx2.itl.no)
    by tyme.estarr-9.com with esmtps (TLSv1:AES256-SHA:256)
    (Exim 4.52)
    id 1GTLmZ-0002Rs-LR
    for trac[at]1234.com; Fri, 29 Sep 2006 13:04:16 -0400
Received: (qmail 19105 invoked for bounce); 29 Sep 2006 18:43:23 +0200
Date: 29 Sep 2006 18:43:23 +0200
From: MAILER-DAEMON[at]mx2.itl.no
To: trac[at]1234.com
Subject: failure notice
X-ESTARR-MailScanner-Information: Please contact the ISP for more information
X-ESTARR-MailScanner: Not scanned: please contact your Internet E-Mail Service Provider for details
X-ESTARR-MailScanner-SpamCheck:
X-ESTARR-MailScanner-From:
X-spam-Status: No
X-Antivirus: avast! (VPS 0639-4, 09/29/2006), Inbound message
X-Antivirus-Status: Clean

Hi. This is the qmail-send program at mx2.itl.no.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<cope[at]stien.com>:
Sorry, no mailbox here by that name. vpopmail (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <trac[at]1234.com>
Received: (qmail 18962 invoked by uid 509); 29 Sep 2006 18:43:10 +0200
Received: from 80.135.32.194 by localhost.localdomain (envelope-from <trac[at]1234.com>, uid 508) with qmail-scanner-1.24-st-qms
    (clamdscan: 0.80/855. spamassassin: 3.0.1. perlscan: 1.24-st-qms.
    Clear:RC:0(80.135.32.194):SA:0(0.3/4.0):.
    Processed in 2.075336 secs); 29 Sep 2006 16:43:10 -0000
X-spam-Status: No, hits=0.3 required=4.0
X-Antivirus-MYDOMAIN-Mail-From: trac[at]1234.com via localhost.localdomain
X-Antivirus-MYDOMAIN: 1.24-st-qms (Clear:RC:0(80.135.32.194):SA:0(0.3/4.0):. Processed in 2.075336 secs Process 18927)
Received: from p508720c2.dip0.t-ipconnect.de (HELO ciwvnq) (80.135.32.194)
    by mx2.itl.no with SMTP; 29 Sep 2006 18:43:08 +0200
Received: (qmail 5099 invoked from network); Fri, 29 Sep 2006 19:03:55 +0200
Received: from unknown (HELO tsxy) (80.135.140.205)
    by ciwvnq with SMTP; Fri, 29 Sep 2006 19:03:55 +0200
Message-ID: <000501c6e3e9$3efeaa96$cd8c8750[at]tsxy>
From: "Dan Mitchell" <trac[at]1234.com>
To: <cope[at]stien.com>
Subject: freeload
Date: Fri, 29 Sep 2006 18:55:19 +0200
MIME-Version: 1.0
Content-Type: multipart/related;
    type="multipart/alternative";
    boundary="----=_NextPart_000_0001_01C6E3FA.02877A1E"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

This is a multi-part message in MIME format.

Moderator Edit: Actual spam deleted .....


I'm getting a few messages as of late that appear to have been sent from my email account (actually my domain name) but the user name before the [at] symbol is nothing I have ever used before. Most of these are coming from overseas accounts and I was wondering if this was some kind of a new method to spam folks and try and get them to reply or something. ...
Hi dhumble,

Nothing new, spammers are simply forging your domain as the sender, some of the addresses being spammed are non-existent and the (real - http://www.dnsstuff.com/tools/ptr.ch?ip=80.239.9.55, Answer 80.239.9.55 PTR record: mx2.itl.no.) mailer daemons are cluelessly trying to inform you the "message" was not delivered. They have not bothered to check the real source, so you suffer the double indignity of having spam you never sent "returned" for your attention.

Search these forums for spoof address as just one combination and you will find many such cases. Here is one - http://forum.spamcop.net/forums/index.php?...ost&p=40286 - and that contains advice (the later posts in that topic) on how you might get back to these clueless people and invite them to wrench themselves into the current century and do the job right.

Does that help?


...This post was made to the "SpamCop Reporting Help" forum, which is described as

A forum to help users with reporting spam using the SpamCop Parsing and Reporting Service. <snip>
...Since the content does not seem to match this description, I am taking the liberty of moving it to the SpamCop Lounge forum. If I have somehow misunderstood, please leave counterarguments here and I or a Moderator colleague will move it back to "SpamCop Reporting Help" or whichever is the most appropriate forum.

Does that help?

Farelf,

I believe this helps. At least it lets me know that I'm not the only one that this happens to and obviously there isn't much I can do about it. I'm just curious though - if I report this email to spamcop, am I reporting the spammer or the folks that sent me the bounce message? I really don't want to report someone innocent.

...This post was made to the "SpamCop Reporting Help" forum, which is described as...Since the content does not seem to match this description, I am taking the liberty of moving it to the SpamCop Lounge forum. If I have somehow misunderstood, please leave counterarguments here and I or a Moderator colleague will move it back to "SpamCop Reporting Help" or whichever is the most appropriate forum.

turetzsr,

Sorry for the posting of this message to the improper place. I'm kind of new to forums and find most of them extremely confusing - especially this one as it is highly technical IMHO. Feel free to move this wherever you see fit - or delete it entirely. It did accomplish the end result and inform me of the fact that spammers could just use my identity without actually hacking into my computer or the server on which my mail is stored.

dhumble


... if I report this email to spamcop, am I reporting the spammer or the folks that sent me the bounce message? I really don't want to report someone innocent.
A SpamCop reporter would be reporting 80.239.9.55 (mx2.itl.no) with the example given, the mailer daemon origin. Try the next one and see. Assuming you don't have VER/Quick Reporting you would have to review before any reports are sent and would then have the opportunity to cancel if you don't agree with the reporting nominated. However 80.239.9.55 is *not* innocent. It didn't initiate the spam but the responsible people there are merrily spreading that spam around through their disregard for proper configuration and process. They are doing the spammer's work for him. If they do that to enough SC reporters or if they hit a SC spam trap they *shall* get themselves listed on the SCBL (whether you are one of those reporters or not). And they will deserve it. The SC parser will not find the original spammer* unless you are directly spammed IIUC (ie his IP needs to be in the actual message headers as opposed to being in the copied headers in the body of the undeliverable message).

[*"original spammer" is misleading - most often just a trojaned installation whose owner is unaware (but doubtless most grateful if a SC report to his ISP's abuse desk finally leads to him being clued). As for the criminals behind the scenes ...]

Since you are now asking reporting questions I rather feel your first choice of forum was very likely appropriate. :D

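The distinction Farelf draws above, between the headers the recipient's own server wrote and the copy of the "original" quoted in the bounce body, is mechanical enough to script. The following is an added example written for this page, not SpamCop's parser or code from any poster. It feeds the bounce quoted at the top of the thread (reconstructed here with [at] restored to @ and the poster's domain left as 1234.com) through Python's standard email module and separates the two claims the message makes: which host handed the bounce to tyme.estarr-9.com (the outermost Received line, 80.239.9.55, which is what a report would name), and which host handed the spam to the bouncing server (the Received line that mx2.itl.no itself wrote in the quoted copy). The marker string used to find the quoted copy is qmail's; other MTAs format bounces differently, and the function names are this example's own.

```python
"""Separate the trustworthy hops in a misdirected bounce from the forged ones.

Only the Received lines written by servers you trust mean anything. In the
outer headers that is the first hop (written by the recipient's own MTA). In
the quoted copy it is the line written by the bouncing host itself; every
Received line below that was supplied by the sending machine and is forgeable.
"""
import email
import re

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# qmail-send puts this line between its explanation and the quoted original.
QMAIL_COPY_MARKER = "--- Below this line is a copy of the message."

# Constructed sample: the bounce posted in the thread, spam body removed.
SAMPLE_BOUNCE = """\
Return-path: <>
Envelope-to: trac@1234.com
Delivery-date: Fri, 29 Sep 2006 13:04:18 -0400
Received: from [80.239.9.55] (helo=mx2.itl.no)
\tby tyme.estarr-9.com with esmtps (TLSv1:AES256-SHA:256)
\t(Exim 4.52)
\tid 1GTLmZ-0002Rs-LR
\tfor trac@1234.com; Fri, 29 Sep 2006 13:04:16 -0400
Received: (qmail 19105 invoked for bounce); 29 Sep 2006 18:43:23 +0200
Date: 29 Sep 2006 18:43:23 +0200
From: MAILER-DAEMON@mx2.itl.no
To: trac@1234.com
Subject: failure notice

Hi. This is the qmail-send program at mx2.itl.no.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<cope@stien.com>:
Sorry, no mailbox here by that name. vpopmail (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <trac@1234.com>
Received: (qmail 18962 invoked by uid 509); 29 Sep 2006 18:43:10 +0200
Received: from 80.135.32.194 by localhost.localdomain (envelope-from <trac@1234.com>, uid 508) with qmail-scanner-1.24-st-qms
\t(clamdscan: 0.80/855.  spamassassin: 3.0.1.  perlscan: 1.24-st-qms.
\tClear:RC:0(80.135.32.194):SA:0(0.3/4.0):.
\tProcessed in 2.075336 secs); 29 Sep 2006 16:43:10 -0000
Received: from p508720c2.dip0.t-ipconnect.de (HELO ciwvnq) (80.135.32.194)
\tby mx2.itl.no with SMTP; 29 Sep 2006 18:43:08 +0200
Received: (qmail 5099 invoked from network); Fri, 29 Sep 2006 19:03:55 +0200
Received: from unknown (HELO tsxy) (80.135.140.205)
\tby ciwvnq with SMTP; Fri, 29 Sep 2006 19:03:55 +0200
Message-ID: <000501c6e3e9$3efeaa96$cd8c8750@tsxy>
From: "Dan Mitchell" <trac@1234.com>
To: <cope@stien.com>
Subject: freeload
Date: Fri, 29 Sep 2006 18:55:19 +0200

(spam body removed)
"""


def received_ips(msg):
    """First IPv4 literal in each Received header, outermost first.

    None marks a hop with no address (qmail's local 'invoked' lines)."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = IPV4.search(hdr)
        hops.append(m.group(1) if m else None)
    return hops


def reportable_source(bounce_text):
    """Address that delivered the bounce to the recipient's own server.

    This is the outermost hop with an IP, the one a SpamCop-style report
    would name: the backscattering MTA, not the spammer."""
    msg = email.message_from_string(bounce_text)
    for ip in received_ips(msg):
        if ip:
            return ip
    return None


def bouncer_host(bounce_text):
    """Host that generated the bounce, taken from the MAILER-DAEMON From:."""
    msg = email.message_from_string(bounce_text)
    sender = msg.get("From", "")
    return sender.rsplit("@", 1)[1].strip(" >") if "@" in sender else None


def embedded_copy(bounce_text):
    """Parse the quoted original below qmail's marker; None if absent."""
    msg = email.message_from_string(bounce_text)
    body = msg.get_payload()
    if QMAIL_COPY_MARKER not in body:
        return None
    copy = body.split(QMAIL_COPY_MARKER, 1)[1].lstrip("\r\n")
    return email.message_from_string(copy)


def spam_injection_ip(bounce_text, host):
    """Address that connected to the bouncing host to deliver the spam.

    Only the Received line that `host` itself wrote ('by <host>') can be
    believed; the hops below it were written by the sending machine."""
    copy = embedded_copy(bounce_text)
    if copy is None:
        return None
    pattern = re.compile(r"\bby\s+" + re.escape(host) + r"\b", re.I)
    for hdr in copy.get_all("Received", []):
        if pattern.search(hdr):
            m = IPV4.search(hdr)
            return m.group(1) if m else None
    return None


if __name__ == "__main__":
    host = bouncer_host(SAMPLE_BOUNCE)
    print("bounce came from       :", reportable_source(SAMPLE_BOUNCE))
    print("bouncing host          :", host)
    print("spam was injected from :", spam_injection_ip(SAMPLE_BOUNCE, host))
    print("all quoted-copy hops   :", received_ips(embedded_copy(SAMPLE_BOUNCE)))
```

Run against the sample, the outer chain yields 80.239.9.55 (mx2.itl.no handing the bounce to tyme.estarr-9.com), while the quoted copy's trustworthy hop is 80.135.32.194, the dial-up host that connected to mx2.itl.no. The last Received line in the copy (80.135.140.205, "by ciwvnq") sits below that hop, so it was written by the sender's own machine and proves nothing; a parser working from the outer headers alone never sees either of those addresses, which is the point made above.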

I was actually just about to make a post on the same subject (my first post on the SpamCop forums) until I saw this thread.

Since about 2 days ago I've been receiving 5-6 e-mails a day of this type (previously I rarely received them - maybe one every two weeks or so) All the e-mails have a title such as "message undeliverable" or similar, all from addresses I've never sent e-mails to (or received them from). Where the content of the undeliverable e-mail is shown, it's usually obviously spam.

I'm wondering if this is a coincidence, or have many other SpamCop users recently noticed an increase in the number of misdirected bounces they've received? If so, is this a result of spammers managing to obtain the addresses of SpamCop users, or is it just due to an overall increase in the use of spoofed/forged return addresses by spammers?

Originally I was worried that my e-mail address might end up blacklisted or reported for spamming, as it appears to the recipients that my address is the source of the spam, but after reading some of the threads on this subject here, it looks like this isn't the case.


The way I understand it is that spammers use email addresses from their mailing lists in a random manner. Occasionally, a spammer will use the same address for the whole spam run resulting in thousands of misdirected bounces to one person.

At one time, spammers tried to intimidate spamcop users, but there are too many reporters now to make that effective, IMHO. The worst that happens is that they add addresses from reports to their mailing lists so some people get three and four of the same kind of spam.

Miss Betsy


Search these forums for spoof address as just one combination and you will find many such cases.

This is one of those things that is 'hard to find' in here, even though there are tons of posts. One item, the word "spoof" is an issue. Although the general definition is to "make a parody of" ... this doesn't really 'work' here .. so we jump to the jargon type of definition of "Internet Protocol spoofing (IP spoofing) is the creation of IP packets with a forged (spoofed) source IP address" which then got expanded to "a situation in which one person or program is able to masquerade successfully as another" .. the catch is that in general, someone receiving only a few hundred of these really isn't suffering from an "attack" .... from an ISP's point of view, an attack would be in the realm of 'thousands a second' scenario ...

That's just a bit on the word "spoof" .. other users never get around to trying to "define" the situation, just explaining that they never sent the e-mails, so their account must have been hijacked. Others suggest that it was their ISP that got hijacked. Others simply don't have a clue. Every now and then, some will even use the phrase that 'we' typically use ... their e-mail address was 'forged' into the From: and / or Reply-To: header lines ....

It is this 'problem' of geek/technical terminology not being used by all in describing their issues, resulting in the problem of finding those 'similar' situations from a search query. Try to correct some folks, and get accused of 'having an attitude' .. others simply get angry ... some can't see a clue at all ....

I'm wondering if this is a coincidence, or have many other SpamCop users recently noticed an increase in the number of misdirected bounces they've received? If so, is this a result of spammers managing to obtain the addresses of SpamCop users, or is it just due to an overall increase in the use of spoofed/forged return addresses by spammers?

I just noticed these messages, however, I just signed up for Spamcop.net because I was going to make a post about it until I saw this post. I'm sure the bounce backs are completely random.

Much of this has been addressed in a SpamCop FAQ entry 'here'

Why am I getting all these bounces?

Also noting: FAQ = Frequently Asked Question ..


<snip>

...This post was made to the "SpamCop Reporting Help" forum, which is described as...Since the content does not seem to match this description, I am taking the liberty of moving it to the SpamCop Lounge forum. <snip>
turetzsr,

Sorry for the posting of this message to the improper place. I'm kind of new to forums and find most of them extremely confusing - especially this one as it is highly technical IMHO. Feel free to move this wherever you see fit - or delete it entirely.

<snip>

Hi, dhumble,

...No big problem - that's why we have Moderators! If you could help us by cluing us in as to how we could have helped you understand that the SpamCop Reporting Help" forum did not match the content of your original post (the wording of the description of the forum, for example), we would be most appreciative.

...Another relatively minor point: I prefer to be addressed as "Steve T" (see my sig); "turetzsr" is just my SpamCop Forum login id.

It did accomplish the end result and inform me of the fact that spammers could just use my identity without actually hacking into my computer or the server on which my mail is stored.
...Great, that's why these forums are here! :) <g>
