Help! Receiving tons of returned emails I never sent


ShawnLin
7-9-04, 03:13 PM
I am receiving tons of returned emails from people I have not sent emails to.

I have run Norton AV and it found nothing.

I have disabled Outlook, just in case it was sending them. I can't figure out what's going on.

Thanks for any help.

Shawn

B&T
7-9-04, 03:22 PM
Some spammer is using your return email address. It will pass. They usually move on quickly.

IanS
7-9-04, 03:27 PM
I am receiving tons of returned emails from people I have not sent emails to.

I have run Norton AV and it found nothing.

I have disabled Outlook, just in case it was sending them. I can't figure out what's going on.

Thanks for any help.

Shawn
Go to OPS and try turning on the greylisting feature - this may help slow down the flow. If they are bounced back then maybe the greylisting will reject them - don't know if this would work. Anyone know?

B&T
7-9-04, 06:09 PM
Probably would not help, since the emails are bouncing from people's mail servers. I assume they would resend the bounce.

Mighty
7-9-04, 11:39 PM
I had a deluge a coupla months ago. I've seen a trickle, recently, though it stopped a coupla days ago.

The most recent batch only came at certain times of the day. That evidence leads me to guess a single person (someone I might know) still has the virus on their machine and it's being used as a zombie. If I spent some time at it, I could probably figure out what times they turn their machine on and log onto the net :-)

James95
7-10-04, 12:10 AM
I get about 5 of those a week. I can't turn on greylisting with my business though so I just have to deal with it.
James
www.carlsoncarpet.com
www.carpet-cleaners.info

Mighty
7-10-04, 12:30 AM
As B&T said, the bounces leak through the greylisting, since it's legitimate email servers producing the bounce message. So greylisting doesn't help.

B&T
7-10-04, 01:21 AM
SPF records would help - in theory. The server receiving the spam would see that the sending server was not authorized to send mail from your domain and just not respond. But since no one is using the SPF records in the real world, setting them up on your PowWeb DNS would be a waste of time, IMHO.
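
A minimal evaluator for the check B&T describes, added here as an example (not from this thread or any SPF library): the receiving server evaluates the sender domain's v=spf1 record against the connecting IP, and a "fail" lets it refuse the message inside the SMTP session, so no bounce is ever generated toward the forged address. Only the ip4/ip6 and all mechanisms are handled (a, mx, include, ptr and exists need DNS lookups); the record, domain and IPs are constructed.

```python
"""Minimal SPF (v=spf1) evaluator: ip4/ip6 and all mechanisms only.

SPF vouches for the envelope sender (MAIL FROM) of the SMTP session, not for
the From: header a reader sees, and a message that was forwarded arrives from
a host the record never listed.  Those are the two limits most often raised.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Return pass/fail/softfail/neutral/none/permerror for record vs sender_ip."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                       # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                     # default qualifier is +
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, arg = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism in ("ip4", "ip6"):
            # ip_network() on a bare address yields a /32 or /128; a version
            # mismatch (IPv4 sender vs ip6 term) simply does not match.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
            continue                        # no match, evaluate the next term
        return "permerror"                  # DNS-based mechanism: not supported here
    return "neutral"                        # nothing matched and no 'all' term


def smtp_reply(spf_result):
    """Constructed receiving-side policy: refuse on 'fail' during the session."""
    if spf_result == "fail":
        return 550, "5.7.1 SPF check failed: sender not authorized for this domain"
    return 250, "2.1.5 Recipient OK"


# Constructed record for a placeholder domain: two authorized senders, hard fail otherwise.
RECORD = "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 -all"

if __name__ == "__main__":
    for spoofing_ip in ("192.0.2.10", "198.51.100.77", "203.0.113.5"):
        result = evaluate_spf(RECORD, spoofing_ip)
        print(spoofing_ip, result, smtp_reply(result))
```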

ShawnLin
7-11-04, 06:05 PM
Thanks for all of the replies.

I really have to find something. I just received 600 'bounced' emails in the last 12 hours. The email that I am apparently sending seems to be selling Norton AV.

Is it possible that someone is sending emails from another computer or account, and making it look like I did?

Thanks again.
Shawn
PS. I am a high school student. Is it possible one of my students....

Mighty
7-11-04, 06:28 PM
Yes, they're faking your email address from another computer.

There are two main ways that this happens:

1) A spammer pulls a random address from his list of email addresses and puts it in the reply-to field. Sometimes, that's yours.

2) A virus gets onto someone's computer and scans the address books and files in the computer for email addresses. The virus sends itself or its spam (if it's a spammer's virus) out to those addresses, and again, pulls a random address from those it found on that computer and puts it in the reply-to field. Therefore, if the virus is on the computer of someone who has your email address (friend, family member, friend of a friend who was included on a forwarded joke email that also included your address, etc) then sometimes your address will get stuck in the reply-to.

There are other variations, but you get the idea.

My experience is that the second is by far the more common. And after awhile, someone complains about the machine sending the email and their ISP will tell them to install virus protection or they'll cut them off. So it usually dies down in a few days.

In the meantime, you might try sending an email to people you think might not have virus protection and get them to install something. http://www.avast.com is a free one that's rated highly.

And because it's so easy to fake the from address of email, there is a rule you should live by: Never open an attachment that you didn't expect, even if it's from someone you know runs virus protection. Even though it looks like it's from that person, it may not be.

stevel
7-11-04, 07:27 PM
I don't recommend trying to contact people you think may not have virus protection, if for no other reason that there is little or no clue in the virus e-mails as to whose system it came from. I find the "you have a virus" e-mails to be more annoying than the viruses themselves (which never make it to my inbox...)

Mighty
7-11-04, 07:43 PM
I know what you mean, stevel. But, I'm not talking about following from addresses, which is where most of those well-meaning warnings come from. I'm thinking maybe ShawnLin has a pretty good idea who among his/her/its friends might be especially careless. OTOH, those same people prolly can't be bothered to do anything about it. YMMV.

NMS
7-12-04, 08:10 AM
What you might do is direct the catch-all email to the bit-bucket and you will not receive most of these emails. Go to OPS under SMTP email.

Most of these emails would not really exist and therefore they will be part of the catch-all.

stevel
7-12-04, 03:03 PM
Or delete the catch-all and messages sent to undefined addresses will bounce.

neuman
8-9-04, 03:42 PM
SPF records would help - in theory. The server receiving the spam would see that the sending server was not authorized to send mail from your domain and just not respond. But since no one is using the SPF records in the real world, setting them up on your PowWeb DNS would be a waste of time, IMHO.
We have to do something about it. Every mail server should be made responsible for the damage and inconvenience caused by mail received from an unauthorized source, as well as the people who send mails using your domain should be punished according to the same laws that apply when somebody else uses your signature to sign any document; a bank note for example. Somehow, we ourselves are responsible for accepting cheap mailing services that don't verify the validity of the messages they deliver to their customers (I mean to us). And let's not fool ourselves; trying to filter the bounced mails and complaints derived from messages (with or without viruses) that we never sent doesn't fix our damaged reputation. On the other hand, I don't find the rules to make an SPF text clear enough and, even if I did (or was willing to take a chance with any trial and error text), I haven't been able to enter the "register at the SPF registry" link found in some other forum of this site. So I repeat: we have to do something about it! Does somebody else have an idea? Juan Neuman.

neuman
8-9-04, 03:54 PM
Some spammer is using your return email address. It will pass. They usually move on quickly.
By the way, they don't always pass or move on quickly. Somebody has been using my return email address for more than a year. Juan Neuman.

tbonekkt
8-9-04, 03:59 PM
By the way, they don't always pass or move on quickly. Somebody has been using my return email address for more than a year. Juan Neuman.
That's why B&T said "usually".

neuman
8-9-04, 11:45 PM
Is it possible that I'm the only one affected in such a manner? Please enlighten me Tom or, for that matter, anybody who has the answer. Juan Neuman.

B&T
8-10-04, 12:47 AM
There is only one answer - get over it - move on.

Internet mail was not designed for the use it gets today. It was not designed with security in mind. It is what it is.

SPF records can help, when they get implemented by the big players. Grey listing can help. Servers should not be allowed to send mail for other servers, but they can.

IMHO - mail should be redesigned by a new standards group and reintroduced, phasing out this mess. But that is wishful thinking I am afraid.

Mighty
8-10-04, 01:32 AM
Is it possible that I'm the only one affected in such a manner? Please enlighten me Tom or, for that matter, anybody who has the answer. Juan Neuman.

It could be that you've been Joe Jobbed for some reason. Either that, or someone has a virus that's been running for a year and their ISP hasn't shut them down for some reason. The longest I've seen a wave of bounced spam is prolly two weeks. Most are gone in two or three days.

Your best bet may be to try to track down where the spam is originating. How many bounces are you getting? If it's dozens or hundreds then it's probably a zombie. If it's thousands then it's probably a Joe Job. If it really is a single zombie that's been running all this time then there's probably a good chance that you can track down the origin and have their ISP cut them off until they get it fixed.

Just a suggestion.

neuman
8-10-04, 11:01 AM
There is only one answer - get over it - move on.

Internet mail was not designed for the use it gets today. It was not designed with security in mind. It is what it is.

SPF records can help, when they get implemented by the big players. Grey listing can help. Servers should not be allowed to send mail for other servers, but they can.

IMHO - mail should be redesigned by a new standards group and reintroduced, phasing out this mess. But that is wishful thinking I am afraid.
A new standard, including security features, for mail would be great (I'm available if I don't have to pay the check) but, considering human passivity, I agree it would be wishful thinking except if you exploit human greed. Financial competition is the best way to push people to do things right (unfortunately, wrong too). Anyway, considering 1) SPF records are already defined and would help a lot (please, somebody tell me the flaws), 2) it's easier to stop the spam or spoof at its origin (like an origin certificate is better than having to trust your tongue) than filtering it, 3) even if it's not mandatory for the big players (as you say) they will lose money if people swap to another (more responsible) mail service that checks the origin of the message before delivering to the recipient (Actually, they act like parcel services that delivered packages of unknown content from unknown senders. On the other hand, they promote plagiarism.): Considering that, I'm starting a campaign pro safe e-mail. Believe me, if I had the bucks, I'd start to offer the safe service myself.

lovevirus
8-10-04, 11:12 AM
may be virus!
mydoom.m?

neuman
8-10-04, 11:44 AM
It could be that you've been Joe Jobbed for some reason. Either that, or someone has a virus that's been running for a year and their ISP hasn't shut them down for some reason. The longest I've seen a wave of bounced spam is prolly two weeks. Most are gone in two or three days.

Your best bet may be to try to track down where the spam is originating. How many bounces are you getting? If it's dozens or hundreds then it's probably a zombie. If it's thousands then it's probably a Joe Job. If it really is a single zombie that's been running all this time then there's probably a good chance that you can track down the origin and have their ISP cut them off until they get it fixed.

Just a suggestion.
It's just a couple of dozen a day. I think, maybe the domain name (www.compumonster.com Please, don't laugh.) appealed to some hacker for fun. Normally the bounces are plagued with viruses. The site, by itself, is not worth the pain. I use the domain to receive mail from other sites (I never send mails with that return address) and I use the site to experiment with web programming and SEO. I'll try to track him (maybe you can give me advice, how to) but that's not the point. How would you like it if somebody built an Internet fraud, or discredited somebody, or some institution, just once, using your name (or domain...)?

neuman
8-10-04, 11:51 AM
may be virus!
mydoom.m?
Do you think that McAfee VirusScan wouldn't find it by now?

Mighty
8-10-04, 10:30 PM
...maybe you can give me advice, how to...
If you post the header of one or two of the offending messages here we might be able to track it down. Make sure it's the header of the original message that caused the bounce, not the header of the bounce notification sent by the receiving mail server.

Do you think that McAfee VirusScan wouldn't find it by now?
Yes, it does. But apparently the offending machine isn't using any virus protection, or it's not up to date.

stevel
8-11-04, 08:15 AM
Or it's using McAfee, which is about the same as not using virus protection in my opinion....

B&T
8-11-04, 11:29 AM
Or it's using McAfee, which is about the same as not using virus protection in my opinion....
So what do you really think about that product?

neuman
8-12-04, 01:35 AM
Thanks, Mighty. I'll collect the information and get back later.

neuman
8-12-04, 01:49 AM
Ok Mighty, I'll just paste a warning fired by a message I never sent (I don't think you want the attachment). Thanks again.
--------------------------------------------------------------------------------


Received: from [200.36.129.109] (HELO ipn.mx)
by ipn.mx (CommuniGate Pro SMTP 4.1.5)
with ESMTP id 13258156 for anserrat@ipn.mx; Tue, 10 Aug 2004 22:33:27 -0500
From: compumonster@compumonster.com
To: anserrat@ipn.mx
Subject: Re: Re: excel document
Date: Tue, 10 Aug 2004 22:34:01 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0016----=_NextPart_000_0016"
X-Priority: 3
X-MSMail-Priority: Normal
Message-ID: <auto-000013258156@ipn.mx>

Mighty
8-12-04, 02:51 AM
That looks to me to be the notification from ipn.mx telling you that the message bounced. The original message is in the attachment. We need to see the headers of the original message to figure out where it came from.

Some email servers forward the bouncing message to you so that their headers are added to the original headers. Some servers pack up the bouncing message into an attachment and the notification is an entirely new email. This looks like the latter.

Depending on your email program, you might be able to look at the raw source of the message such that you don't need to open the attachment. Your email client might provide a direct method. Or you may need to save the email to a file and then open it with a text editor. By looking at the raw source it should be obvious how to spot the headers for the original message.

Drake

kelvyn
8-12-04, 05:17 AM
It's been about a month now...at its height, it was about 800 a day, last night was the first time that it has been <100 in 12 hours.
There's a thing in Ops blacklisting about "text", but no matter how many different ways I try it, I can't get it to actually filter on text. Do we have server side IMAP filtering on Powweb? All I'm trying to do is keep my webmail tidy.

NMS
8-12-04, 05:33 AM
Your best solution would be to forward the catch all to the bit-bucket! From the OPS delete email next the catch all account, then recreate it (leave field empty as indicated in the instructions) and point it to the Auto-delete bit-bucket

kelvyn
8-12-04, 05:41 AM
Your best solution would be to forward the catch all to the bit-bucket! From the OPS delete email next the catch all account, then recreate it (leave field empty as indicated in the instructions) and point it to the Auto-delete bit-bucket

Well, I COULD, but then, as mentioned before, I'd have to setup aliases for all of the 60+ email addresses that I have registered with various companies.
For example, if I register at company_a.com, then my email for them will be company_a.com@mydomain.com. Very good way of finding out where the spam is coming from! I'd rather just get the blacklist text thing working, and bounce everything with "undeliverable" or something like that. Has ANYONE got the text blacklisting in OPS working yet?!?

Mighty
8-12-04, 05:53 AM
The "text" is the text sent back to the sender when a message is bounced due to blacklisting.

The way greylisting works, it only has four pieces of information to work with.


The To address
The From address
The IP address of the sending machine
The time of day


It never sees the subject, the body, nor even the headers of the message. All of its filtering is done prior to the bulk of the message being sent. All that's sent is the bare minimum for the sending machine to say, "Hey! I have a message for X from Y. Let me know if you're ready to receive it."

Our server replies back with, "Come back later, I'm busy."

Or, in the case of a blacklisted To/From/IP triplet, "Fatal error: I'm refusing this message." And if you've filled in the "text" field for that blacklisted item, it'll include that text in the error message that it sends.
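
The decision Mighty describes, modelled in code as an added example (not PowWeb's software): the server sees only the envelope triplet (To, From, sending IP) plus the time, before any subject, body or header is transmitted. A first-seen triplet gets a temporary 4xx reply and passes once the sender retries after the delay; a blacklisted triplet gets a permanent 5xx carrying the configured "text". The delay value and all addresses and attempts are constructed.

```python
"""Greylisting and blacklisting on the SMTP envelope triplet.

Shows why bounces from legitimate mail servers pass greylisting (real MTAs
retry) while a one-shot zombie never gets past the temporary refusal.
"""
from dataclasses import dataclass, field

GREYLIST_DELAY = 300   # assumed: seconds a new triplet must wait before a retry passes


@dataclass
class Greylist:
    first_seen: dict = field(default_factory=dict)   # triplet -> time first attempted
    blacklist: dict = field(default_factory=dict)    # triplet -> rejection text

    def decide(self, to_addr, from_addr, ip, now):
        """Return the SMTP (code, text) reply for one delivery attempt.

        Only the envelope is available here: the subject, body and headers
        have not been sent yet when this decision is made.
        """
        triplet = (to_addr.lower(), from_addr.lower(), ip)
        if triplet in self.blacklist:                 # permanent refusal, text included
            return 550, f"5.7.1 Refused: {self.blacklist[triplet]}"
        seen = self.first_seen.setdefault(triplet, now)
        if now - seen < GREYLIST_DELAY:               # brand new, or retried too soon
            return 451, "4.7.1 Greylisted, try again later"
        return 250, "2.1.5 Recipient OK"


def run_scenario():
    """Constructed attempts; returns the list of SMTP reply codes."""
    gl = Greylist()
    gl.blacklist[("me@yourdomain.example", "spam@example.net", "203.0.113.9")] = "known spam source"
    attempts = [
        # A bounce from a legitimate mail server: null sender, and it retries
        # after the delay, so the third attempt is accepted.
        ("me@yourdomain.example", "", "198.51.100.7", 0),
        ("me@yourdomain.example", "", "198.51.100.7", 60),
        ("me@yourdomain.example", "", "198.51.100.7", 900),
        # Blacklisted triplet: refused outright with the configured text.
        ("me@yourdomain.example", "spam@example.net", "203.0.113.9", 10),
        # Zombie that fires once and never retries: stuck at the temporary 451.
        ("me@yourdomain.example", "x@example.org", "192.0.2.5", 20),
    ]
    return [gl.decide(*attempt)[0] for attempt in attempts]


if __name__ == "__main__":
    print(run_scenario())   # [451, 451, 250, 550, 451]
```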

kelvyn
8-12-04, 08:02 AM
So there's really no way of filtering out this onslaught?
It does seem to be dying down a bit now anyway....

Mighty
8-12-04, 08:57 AM
Well, I use Popfile (http://popfile.sourceforge.net/), and it's gotten pretty good at recognizing those spam bounces. Of course, it only gets to do its job after those emails are in your mailbox and are downloaded to your computer. I also use Spamcop (http://www.spamcop.net), but I don't think it stops bounces.

And, wow, 800 is an awful lot. I think when it got to more than a few dozen a day I would have started trying to track down the offending machine(s) and seeing what I could do about getting them shut down. But I wonder if that's from a real spammer, which would make them pretty much immune to you or me :(

neuman
8-13-04, 12:20 AM
Thanks, Drake. I couldn't get a lot of information on that. I'll bother you with only one more attached next. Juan
-------------------------------------------------------------------------
X-McAfeeVS-TimeoutProtection: 0
Return-Path: <>
X-Original-To: compumonster@compumonster.com
Delivered-To: compumonster@mail03.powweb.com
Received: from vegas.servershost.net (vegas.servershost.net [69.61.12.100])
by mail03.powweb.com (Postfix) with ESMTP id 9DA8E15C7A
for <compumonster@compumonster.com>; Wed, 11 Aug 2004 23:22:49 -0700 (PDT)
Received: from mailnull by vegas.servershost.net with local (Exim 4.34)
id 1Btly6-0003MH-SQ
for compumonster@compumonster.com; Sun, 08 Aug 2004 07:36:02 -0400
X-Failed-Recipients: info@rdnoticias.com
Auto-Submitted: auto-generated
From: Mail Delivery System <Mailer-Daemon@vegas.servershost.net>
To: compumonster@compumonster.com
Subject: !ClamAV:VIRUS found:Worm.SomeFool.Q! Mail delivery failed: returning message to sender
Message-Id: <E1Btly6-0003MH-SQ@vegas.servershost.net>
Date: Sun, 08 Aug 2004 07:36:02 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - vegas.servershost.net
X-AntiAbuse: Original Domain - compumonster.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain -
X-Source:
X-Source-Args:
X-Source-Dir:
X-Antivirus: Worm.SomeFool.Q
Status:
Content-Type: Multipart/Mixed;
boundary="----=_NextPart_000_00ED_01C2F57F.F3E09A70"
Content-Transfer-Encoding:


------=_NextPart_000_00ED_01C2F57F.F3E09A70
Content-Type:
Content-Transfer-Encoding:



------=_NextPart_000_00ED_01C2F57F.F3E09A70
Content-type: text/plain; charset=iso-8859-1
Content-Disposition: attachment;filename=McAfee_EmailScanReport.txt
Content-Transfer-Encoding: quoted-printable


****************** McAfee VirusScan ************************
******* Alert generated at: Thu, 12 Aug 2004 23:08:13 -0600 *********
************************************************** *******************

McAfee VirusScan has detected a potential threat in this e-mail=20
sent by Mail Delivery System <Mailer-Daemon@vegas.servershost.net>.
The following actions were attempted on each suspicious part.=20
We strongly recommend that you report this virus-related activity=20
to Mail Delivery System <Mailer-Daemon@vegas.servershost.net>.


The attachment "Unnamed attachment" is infected with the W32/Netsky.q@MM=
Virus(es).=20
This attachment has been quarantined.


------=_NextPart_000_00ED_01C2F57F.F3E09A70--

Mighty
8-13-04, 01:02 AM
That one is definitely a notification message generated by the server.

Received: from mailnull by vegas.servershost.net with local (Exim 4.34)
id 1Btly6-0003MH-SQ
for compumonster@compumonster.com; Sun, 08 Aug 2004 07:36:02 -0400
The ultimate source of it is "mailnull", sent to the server, and intended for you. I guess mailnull is the anti-virus program running on the same machine as the server software. Otherwise there'd be an IP address or a server name. Or maybe "mailnull" is the name of the machine running the AV software.

I went back and looked at your earlier header and realized I may have been mistaken. This line
Received: from [200.36.129.109] (HELO ipn.mx)
by ipn.mx (CommuniGate Pro SMTP 4.1.5)
says that ipn.mx got the message from 200.36.129.109. Looking at www.arin.net I see that address belongs to "Latin American and Caribbean IP address Regional Registry." I recognize them because my greylist is full of IP addresses associated with them.

The second message is obviously due to a virus sent out with your return address. The first mentions an Excel document in the subject line, so it might be a virus, also. A different one, though. I googled for it and it looks like it might be the Netsky.P variant.

I don't know if telling that ISP about it will do any good. One assumes even a spammer doesn't want a virus on his machine sending out non-spam. But my impression is that the ISP we're talking about is a blackhat operation. Which implies that they really don't care much about cleaning up any problems on the net.

So now you know about as much as I do about reading email headers. Let me know if you pursue this some more and what your results are. I'd be interested to know. Sorry I couldn't give you more encouraging news.
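
The two readings Mighty walks through above, as an added example (not from this thread): each relay prepends its own Received header, so the bottom-most one is the first hop the message took, and a bounce notification shows itself by a null Return-Path, an Auto-Submitted header or a Mailer-Daemon sender. The two samples are constructed from the headers pasted in this thread; the Exim hop "from mailnull ... with local" has no IP, which the code reports as a locally generated message.

```python
"""Walk Received headers and tell a bounce (DSN) from the original message."""
import re
from email import message_from_string

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed from the first header pasted in the thread: an original message.
ORIGINAL_MSG = """\
Received: from [200.36.129.109] (HELO ipn.mx)
  by ipn.mx (CommuniGate Pro SMTP 4.1.5)
  with ESMTP id 13258156 for anserrat@ipn.mx; Tue, 10 Aug 2004 22:33:27 -0500
From: compumonster@compumonster.com
To: anserrat@ipn.mx
Subject: Re: Re: excel document
Message-ID: <auto-000013258156@ipn.mx>

"""

# Constructed from the second header: the Exim bounce notification.
BOUNCE_MSG = """\
Return-Path: <>
Received: from vegas.servershost.net (vegas.servershost.net [69.61.12.100])
  by mail03.powweb.com (Postfix) with ESMTP id 9DA8E15C7A
  for <compumonster@compumonster.com>; Wed, 11 Aug 2004 23:22:49 -0700 (PDT)
Received: from mailnull by vegas.servershost.net with local (Exim 4.34)
  id 1Btly6-0003MH-SQ
  for compumonster@compumonster.com; Sun, 08 Aug 2004 07:36:02 -0400
Auto-Submitted: auto-generated
From: Mail Delivery System <Mailer-Daemon@vegas.servershost.net>
To: compumonster@compumonster.com
Subject: Mail delivery failed: returning message to sender

"""


def is_bounce_notification(msg):
    """True when the headers carry the usual delivery-status-notification markers."""
    return_path = (msg.get("Return-Path") or "").strip()
    auto = (msg.get("Auto-Submitted") or "").strip().lower()
    sender = (msg.get("From") or "").lower()
    return return_path == "<>" or auto.startswith("auto-") or "mailer-daemon" in sender


def first_hop(msg):
    """(name, ip) from the 'from' clause of the bottom-most Received header.

    Relays prepend, so the last Received line is the first hop.  ip is None
    when that hop was local (Exim's 'from mailnull ... with local').
    """
    received = msg.get_all("Received") or []
    if not received:
        return None, None
    hop = " ".join(received[-1].split())          # unfold continuation lines
    from_clause = hop.split(" by ", 1)[0]
    name = re.match(r"from\s+(\S+)", from_clause)
    ip = IP_RE.search(from_clause)
    return (name.group(1) if name else None), (ip.group(1) if ip else None)


def analyze(raw_headers):
    """Classify a pasted header block and locate where the mail entered the system."""
    msg = message_from_string(raw_headers)
    name, ip = first_hop(msg)
    return {"bounce": is_bounce_notification(msg), "first_hop": name, "origin_ip": ip}


if __name__ == "__main__":
    print(analyze(ORIGINAL_MSG))   # first hop is 200.36.129.109, not a bounce
    print(analyze(BOUNCE_MSG))     # bounce generated locally by "mailnull"
```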

neuman
8-13-04, 09:48 AM
Thanks, Drake. I'll really appreciate your answer. Sooner or later, I'll find a pattern to nail the joker. The truth is I haven't been in the mood to spend my time on this guy (almost anyone can change servers and IP addresses every day without, of course, getting self-infected). I'd better spend it trying to make a better web for everybody by cutting the weed from the root (with better standards). Of course, I can't do that all by myself and I'm trying to join efforts to grow stronger (that was the main goal of my first message). I'll let you know of any progress and I hope to hear from you again on the web. Thanks again, Juan Neuman. (By the way, the virus in the last message was JS/Zerolin.)