
Another "my address was forged" situation


Linda431


My email addy was forged also. I started getting 3 or 400 bounced ones per day on 5/29. It slowed up over the weekend and now it's coming at about 100 or so every hour.

In desperation, I put the postmaster on my blocked email list. Now I can see that hundreds are still being downloaded but they're getting dumped before I can view them in my inbox. (I'm using Outlook Express).

This has solved the problem for me except for the slow downloads of legitimate mail, and the dozen or so I get from people asking me to stop sending them spam.

BUT...is this a good thing to block all mail from the Postmaster domain? My intent is to un-block it when this subsides, if it ever does.

Moderator Edit: extracted from http://forum.spamcop.net/forums/index.php?showtopic=8323 and moved to the Lounge area.


My email addy was forged also.

In desperation, I put the postmaster on my blocked email list.

Have to assume that there's a bit of a terminology issue involved here. "your e-mail address" and "postmaster" would rarely be the same thing. "Postmaster[at] " is typically defined as a 'role' account, made available as a point of contact for e-mail delivery issues.

Now I can see that hundreds are still being downloaded but they're getting dumped before I can view them in my inbox. (I'm using Outlook Express).

This would suggest that you added a 'Rule' to 'filter' (and apparently delete) certain e-mail ... this is a long way from the normal definition of "blocking" .... but would explain the 'time' involved, as you are still downloading the entire e-mail just so it can then be deleted ....

BUT...is this a good thing to block all mail from the Postmaster domain? My intent is to un-block it when this subsides, if it ever does.

I'm still confused by the words used .... there is no "Postmaster Domain" .. but having to guess that what you are saying is that you have 'filtered by Rules' anything that comes from an address with Postmaster used as the account name ....

Back when the Internet was new and shiny, things were set up such that if you say mis-typed your friend's name in the outgoing e-mail address, the 'postmaster' account at the receiving end would generate a 'failure message' along the lines of "no such user here" .... In the years past, spammers have taken this 'nice' thing and turned it against itself, using that exact function to spread their spew. The general practice these days is to turn that function off .. you are getting these "misdirected bounces" from ISPs that have not yet caught up with the times. The downside of course is that if you mis-type that friend's name these days, you probably won't receive notification that the e-mail never made it.

For future use, you may want to look into the oft suggested tool SpamPal .....


Have to assume that there's a bit of a terminology issue involved here. "your e-mail address" and "postmaster" would rarely be the same thing. "Postmaster[at] " is typically defined as a 'role' account, made available as a point of contact for e-mail delivery issues.

This would suggest that you added a 'Rule' to 'filter' (and apparently delete) certain e-mail ... this is a long way from the normal definition of "blocking" .... but would explain the 'time' involved, as you are still downloading the entire e-mail just so it can then be deleted ....

I'm still confused by the words used .... there is no "Postmaster Domain" .. but having to guess that what you are saying is that you have 'filtered by Rules' anything that comes from an address with Postmaster used as the account name ....

Please excuse my inexperience with the proper terminology. Maybe you can decipher from the headers on the bounced email I'm getting: (I xed out my real email address)

Return-Path: <>
To: XXXXXXX[at]bellsouth.net
From: Mail Administrator <Postmaster[at]<PostmasterDomain>>
Reply-To: <Postmaster[at]mail.bellsouth.net>
Subject: Mail System Error - Returned Mail
Date: Mon, 4 Jun 2007 17:34:02 -0400
Message-ID: <20070604213402.SCHQ22925.imf09aec.mail.bellsouth.net[at]imf09aec>
MIME-Version: 1.0
Content-Type: multipart/report;

The body of the messages vary, some simply say the email addressee was invalid. Here's another:

.net 007: This e-mail message was undeliverable due to the
following reason:

.net 015: The destination mail system was not reachable withing the
allowed period.

Note: This error message is usually due to one of the following
network problems:

a. The recipient's mail system is turned off.
b. The destination mail system is not currently running.

Solution:
Attempt to resend, or contact the recipient by alternate means to
let them know about the issue.

Your message was not delivered within 3 days and 0 hours.
Host indiatimes.com is not responding.

The following recipients did not receive this message:
<cupidra[at]indiatimes.com>

They all have attachments with the supposed original message from me, mostly regarding winning a lottery.

What I did to block the returned messages was, I right clicked on one of the bounced message and chose "block sender" from the menu.

Hope this clarifies it a bit.

Back when the Internet was new and shiny, things were set up such that if you say mis-typed your friend's name in the outgoing e-mail address, the 'postmaster' account at the receiving end would generate a 'failure message' along the lines of "no such user here" ....

Sorry, meant to add that I'm aware of that happening on the receiving end, these however are coming from my end, from my mail server.


Sorry, meant to add that I'm aware of that happening on the receiving end, these however are coming from my end, from my mail server.

Why do you say / think that? The data you chose not to provide in addition to the data you appear to have munged certainly do not "help us to help you" .... I find it hard to believe that you really received this with <Postmaster[at]<PostmasterDomain>> as the actual contents ....?????? But the total lack of any Received: line makes it hard to do any research ....

I'm going to say that I don't believe you are raising or asking about a "SpamCop.net Reporting" issue .. so I'm going to split out your queries and follow-on to a 'new' Topic and place that new Topic into the Lounge area. I base that on your unfamiliarity with some terminology and the lack of sufficient header data provided in your last query ... specifically, you left out all the important data that would have pointed out just where these things were "really" coming from ....

As was stated within the Topic you chose to originally post into, these "misdirected bounces" are in fact reportable via the SpamCop.net Parsing & Reporting system ... in hopes of educating these ISPs that are working a bit behind the times.

If you want to run with the possibility that these are actually coming from "your system" then one would have to ask just what tools you have in place to check for viral infection, trojan, malware, any other type of compromised computer situation.

PM sent to advise of these Moderator actions.


Why do you say / think that?

Well. I'm confused. I say/think that because my mail server is Bellsouth.net. All the bounced email or failure to deliver notices are coming from Bellsouth.net. All the emails that are attached and are the ones I supposedly sent are addressed to others, i.e. hotmail.net, haimail, and scores of ones I've never heard of...obviously made up by the spammer's software. I only hear from them when one of the emails the spammer used in the to field hits on a mark but is bounced back by the recipient's spam filter.

The issue is, was it the right thing to do to block the bounced emails from my server.

This is the entire header, sorry if it isn't what you need:

Return-Path: <>
To:XXXX[at]bellsouth.net
From: Mail Administrator <Postmaster[at]<PostmasterDomain>>
Reply-To: <Postmaster[at]mail.bellsouth.net>
Subject: Mail System Error - Returned Mail
Date: Mon, 4 Jun 2007 15:05:36 -0400
Message-ID: <20070604190536.NKZL27141.imf04aec.mail.bellsouth.net[at]imf04aec>
MIME-Version: 1.0
Content-Type: multipart/report;
report-type=delivery-status;
Boundary="===========================_ _= 6034545(27141)1180983936"

--===========================_ _= 6034545(27141)1180983936
Content-Type: text/plain


I realize that I have a problem in that I have difficulty explaining things, so I will beg you for your patience.

In short, I purposely omitted the entire email because the latter part was the spammer's original email and the headers he used/forged/cloned. I will copy that for you if you like but I am not concerned with that at this point. I know he/she/they forged my email address and I also know there is nothing I can do to stop them.

When I send messages, OE puts them out to Bellsouth, Bellsouth sends them on to their destination. If the email address is invalid, say I type Johndoe[at] hotmai.com instead of hotmail.com, Bellsouth bounces the message back to me because there is no hotmai.com. That's why I said the bounced mail is coming from Bellsouth.

That is the only thing I'm trying to stop....the bounced mail flooding my inbox. I know I can't stop the spammer using my address to send mail. I just came here to find out if I had erred in blocking the bounced messages. It is working, BTW but I just wanted to make sure I wasn't cutting off my nose to spite my face and causing some other problem.

You mentioned that you found it hard to believe that I received the message with the headers I posted. I would be happy to forward one or 2 to you if you like.


... When I send messages, OE puts them out to Bellsouth, Bellsouth sends them on to their destination. If the email address is invalid, say I type Johndoe[at] hotmai.com instead of hotmail.com, Bellsouth bounces the message back to me because there is no hotmai.com. That's why I said the bounced mail is coming from Bellsouth. ...

I think you're doing a good job of describing what you're seeing. As you may appreciate though, these are the things which are easily forged (by spammers and their ilk - spammers lie, about everything). It is the full headers that contain what you are seeing plus the extra stuff that is not so easy to forge convincingly. Wazoo was trying to point you towards some guidance notes on how to reveal the full headers. We would rather see the full headers than not otherwise we might be giving erroneous advice. We're just other users like you, we need all the help we can get to understand what is happening.

A slice of the official FAQ about "Full Headers" for context:

...the recipient needs to reveal the full email headers to report it accurately to SpamCop. Without full headers, SpamCop will report an error. Getting full headers from an email software is often a hurdle to reporting spam. Most email software is not clear about how to get full headers. However, practically all email software provides a way to get full headers. Consult the email software's FAQ to learn how to get the headers from the software.

Wazoo composed notes to help with that - and was inviting you go there and to switch to "learning mode" for a moment, to help us help you.

... That is the only thing I'm trying to stop....the bounced mail flooding my inbox. I know I can't stop the spammer using my address to send mail. I just came here to find out if I had erred in blocking the bounced messages. It is working, BTW but I just wanted to make sure I wasn't cutting off my nose to spite my face and causing some other problem.

You are right to have reservations. It is generally not a good policy to block "postmaster", especially your own, if that's who it is. It may seem necessary but there should/may be better solutions longer term.

You mentioned that you found it hard to believe that I received the message with the headers I posted. I would be happy to forward one or 2 to you if you like.

The headers will suffice, if you can find the full headers (as above).

This might sort itself out before you get any further (forgeries in your name are often only short-term). If so, feel free to continue anyway. The beauty of these pages is that people can read and learn. Some like to help by adding to the body of knowledge through taking their queries through to resolution. Others think they're just being dumb and drop out in embarrassment. Wrong attitude! Passing up the opportunity to learn a bit and even to help others to do so is the closest thing to dumb in all of that. So stay with it, if you will.

Appearing to get bounces from your own postmaster is worth seeing through.


Wazoo was trying to point you towards some guidance notes on how to reveal the full headers. We would rather see the full headers than not otherwise we might be giving erroneous advice

I know how to include the whole header but I'm assuming the bottom part is the header from the spammer's message that was bounced. Like when you reply to an email you get the original stuff at the bottom. But anyway, here is the whole enchilada copied & pasted from Properties/ Details/Message Source.

Again, where you see XXXXX[at]bellsouth.com, that's my real email address. I know, locking the barn after the horse took off.

Return-Path: <>
To: XXXXX[at]bellsouth.net
From: Mail Administrator <Postmaster[at]<PostmasterDomain>>
Reply-To: <Postmaster[at]mail.bellsouth.net>
Subject: Mail System Error - Returned Mail
Date: Mon, 4 Jun 2007 14:10:24 -0400
Message-ID: <20070604181024.FSRP12320.imf20aec.mail.bellsouth.net[at]imf20aec>
MIME-Version: 1.0
Content-Type: multipart/report;
report-type=delivery-status;
Boundary="===========================_ _= 8074340(12320)1180980624"

--===========================_ _= 8074340(12320)1180980624
Content-Type: text/plain

.net 007: This e-mail message was undeliverable due to the
following reason:

.net 015: The destination mail system was not reachable withing the
allowed period.

Note: This error message is usually due to one of the following
network problems:

a. The recipient's mail system is turned off.
b. The destination mail system is not currently running.

Solution:
Attempt to resend, or contact the recipient by alternate means to
let them know about the issue.

Your message was not delivered within 3 days and 0 hours.
Host yahoo.fr is not responding.

The following recipients did not receive this message:
<mpgolpour[at]yahoo.fr>

--===========================_ _= 8074340(12320)1180980624
Content-Type: message/delivery-status

Reporting-MTA: dns; imf20aec.mail.bellsouth.net
Arrival-Date: Fri, 1 Jun 2007 13:28:45 -0400
Received-From-MTA: dns; ibm58aec.bellsouth.net (192.168.16.253)

Final-Recipient: RFC822; <mpgolpour[at]yahoo.fr>
Action: failed
Status: 4.4.7
Remote-MTA: dns; yahoo.fr
Diagnostic-Code: smtp; 250 recipient <mpgolpour[at]yahoo.fr> ok

--===========================_ _= 8074340(12320)1180980624
Content-Type: message/rfc822

Received: from ibm58aec.bellsouth.net ([192.168.16.253])
by imf16aec.mail.bellsouth.net with ESMTP
id <20070601172845.SFEU4923.imf16aec.mail.bellsouth.net[at]ibm58aec.bellsouth.net>
for <mpgolpour[at]yahoo.fr>; Fri, 1 Jun 2007 13:28:45 -0400
Received: from mail.bellsouth.net ([192.168.16.253])
by ibm58aec.bellsouth.net with SMTP
id <20070601172845.TLTE15590.ibm58aec.bellsouth.net[at]mail.bellsouth.net>;
Fri, 1 Jun 2007 13:28:45 -0400
X-Mailer: Openwave WebEngine, version 2.8.16.1 (webedge20-101-1106-101-20040924)
X-Originating-IP: [208.110.218.201]
From: Microsoft Corporation Team <XXXXXX[at]bellsouth.net>
Reply-To: microsoft_onlinedepts[at]yahoo.co.uk
Organization: Microsoft Corporation Team
To: <microsoft_onlinedepts[at]yaho.co.uk>
Subject: WINNING NOTIFICATION ****************** BATCH: 4583JL/WIN.
Date: Fri, 1 Jun 2007 12:28:45 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Message-Id: <20070601172845.TLTE15590.ibm58aec.bellsouth.net[at]mail.bellsouth.net>

MICROSOFT MEGA JACKPOT LOTTERY U.K.

REFNO:MSW/56B-672GH/L

BATCH: 4583JL/WIN

MICROSOFT EMAIL LOTTERY AWARD PROMOTION: UNITED KINGDOM

Finally today, we announce the winners of the MICROSOFT MEGA JACKPOT LOTTO WINNINGS PROGRAMS held on Monday, May 28th, 2007. Your company or your personal e-mail address, attached to winning number 23-76-06-54-42-100, With serial number 647489, consequently won in the Tenth lottery category.

You have been approved for lump sums pay out of $10,464,000.00 USD in cash Credited to file REF NO: MSW/56B-672GH/L and winning number 23-76-06-54-42-100. Selection process was carried out through random selection in our computerized email selection machine (TOPAZ) from a database of over 1,000,000 email addresses drawn from all the continents of the world.

The online draws was conducted by a random selection of email addresses from an exclusive list of 29,031 E-mail addresses of individuals and corporate bodies picked by an advanced automated random computer search from the internet. No ticket were sold but all email addresses were assigned to different ticket numbers for representation and privacy. This is to encourage our prominent Microsoft Internet Explorer users all over the world, and for the Continues use of E-mail.

Your fund (Certified Cashiers Cheque) has been insured with your REF NO: MSW/56B-672GH/L and winning number 23-76-06-54-42-100. To claim your winning prize, you must first contact the claims department by email for Processing and remittance of your prize to you.

The Claims Processor:

Name: Mr. Phillip George.

E-mail: microsoft_onlinedepts[at]yahoo.co.uk

Do email the above email address all at once. In order to avoid unnecessary delays and complications, please remember to quote your reference and winning numbers in all correspondences with your claims officer. You are to keep all lotto information away from the general public especially your ticket number and ballot number.

(This is important as a case of double claims will not be entertained)

PLEASE NOTE THAT YOU ARE TO SEND THE BELOW INFORMATION REQUIRED TO CLAIM YOUR WINNING PRIZE:

1.Full Name:.............................................................

2.Address:................................................................

3.Nationality:............................................................

4.Age:.........................Date of Birth:............................

5.Occupation:............................................................

6.Home/Office Tel:.........Cell Tel:.............Fax:................

7.State of Origin:......................Country:.......................

Sincerely,

Mrs. Maurrine H. Diane

Secretary

Prof. Jenny Walter Mrs. Maurrine H. Diane

Online Co-ordinator Secretary

LOTTERY SPONSOR

Microsoft Corporation U.K.

Note;

Do not reply this mail, you are to contact your claims officer immediately by email. Microsoft Electronic Mail Lottery is approved and Licensed by the The International Association.

--===========================_ _= 8074340(12320)1180980624--


I know how to include the whole header but I'm assuming the bottom part is the header from the spammer's message that was bounced. Like when you reply to an email you get the original stuff at the bottom. But anyway, here is the whole enchilada copied & pasted from Properties/ Details/Message Source....
Thanks. Well, yes, perhaps the full context helps. The bounced message is a stock-standard advance fee and/or identity theft type scam and I do believe that "winning ticket" would be revealed as a fabulously lucky one over the past year or two. The headers appear to show that some internal Bellsouth handling sent the message to Bellsouth's server (imf16aec.mail.bellsouth.net [205.152.59.64]) but was not picked up from there by the intended yahoo.fr recipient.

205.152.59.64 has been used before for abuse according to

Address: 205.152.59.64

Record Created: Fri Jun 11 10:47:14 2004 GMT

Record Updated: Tue Jun 5 15:47:05 2007 GMT

Additional Information: Received: from imf16aec.mail.bellsouth.net (imf16aec.mail.bellsouth.net [205.152.59.64]) by desperado.sorbs.net (Postfix) with ESMTP id 1FAE211444 for <>; Tue, 29 May 2007 04:38:23 +1000 (EST)

Currently active and flagged to be published in DNS

So, the spam source would actually seem to be Bellsouth, unless I'm misreading something or that part is also fake. What is not apparent (to me) is why the Bellsouth postmaster thought you were the sender [the message ID presumably, meaningful to them only]. Your email address, yes, but so much of that spam message is fake. One trusts BS (meaning Bellsouth, not the other meaning) knows what happens within BS's own netspace. But that weird Postmaster[at]<PostmasterDomain> construction he she it or they use is generally held to be a sign of a broken responder (the variable not "filled in"). So, confidence wanes. And bouncing spam to the supposed sender is not the way to get out of the looming Sorbs problem and consequent rejections of legitimate messages. One would expect them to be saying more constructive things to you if you were the actual spamsource (like, "Fix it and you're suspended until you do!").

So, you really need to tackle BS support about this. I don't know that it (bouncing) is necessarily going to go away in the meantime and I suppose you could block or divert the Postmaster[at]<PostmasterDomain> "address" and trust/hope no proper rejections go there while the situation lasts. But, for all I know, your own computer could really be compromised and sending spam. But it's more fun to suppose the usual ISP incompetence is behind it all. Either way my advice is talk to them. I can't see anything particularly helpful [to support your case] in the headers. Others may and will hopefully speak up if so.

[Added]


So, you really need to tackle BS support about this. I don't know that it (bouncing) is necessarily going to go away in the meantime and I suppose you could block or divert the Postmaster[at]<PostmasterDomain> "address" and trust/hope no proper rejections go there while the situation lasts.

As I stated in my first post, I have already done that and that is the reason I came here; to find out if I did the right thing. I'm assuming that you think nothing too bad will come of it.

But, for all I know, your own computer could really be compromised and sending spam.

I should have mentioned from the beginning that I know this is not the case. I was out of the country from May 15 to June 1st. My computer was turned off and unplugged, modem disconnected. The bounced emails started on May 29th.

You have made a good point about why BS did not recognize that the spam was not coming from me. I hadn't thought of that angle and will contact them right away.

Thank you so much for your help. I apologize if my omissions hampered your efforts to help me figure this out. My computer expertise is not anywhere near the level of you experts.
