
Unusual email Happenings - Need Tech Opinion

A bunch of mailer Daemons have started showing up @ one of my email addresses.
Message from yahoo.com.
Unable to deliver message to the following address(es).

<[email protected]>:
Sorry your message to [email protected] cannot be delivered. This account has been disabled or discontinued [#102].

<[email protected]>:
This user doesn't have a yahoo.com account ([email protected]) [-6]

<[email protected]>:
Sorry your message to [email protected] cannot be delivered. This account has been disabled or discontinued [#102].

<[email protected]>:
Sorry your message to [email protected] cannot be delivered. This account has been disabled or discontinued [#102].

<[email protected]>:
Sorry your message to [email protected] cannot be delivered. This account has been disabled or discontinued [#102].

<[email protected]>:
Sorry your message to [email protected] cannot be delivered. This account has been disabled or discontinued [#102].

--- Original message follows.

Authentication-Results: mta305.mail.scd.yahoo.com
from=charter.net; domainkeys=neutral (no sig)
X-Originating-IP: [62.235.13.169]<-not my IP
Return-Path: <[example]@charter.net><- my email-not my name
Received: from 62.235.13.169 (EHLO spoolo3.tiscali.be) (62.235.13.169)
by mta305.mail.scd.yahoo.com with SMTP; Thu, 21 Apr 2005 15:49:14 -0700
Received: from [83.134.35.55] (helo=dyn-83-156-190-59.ppp.tiscali.fr)
by spoolo3.tiscali.be with smtp (Tiscali.be http://www.tiscali.be)
id 1DOkQt-0001hm-Vp; Fri, 22 Apr 2005 00:46:04 +0200
Received: from out020.topica-silver-w.com (out020.topica-silver-w.com [65.77.106.40]) by rly-yd04.mx.aol.com (v104.17) with ESMTP id MAILRELAYINYD46-20e41e61d6f14d; Mon, 17 Jan 2005 02:04:16 -0500
Message-ID: <[email protected]>
From: "James Radebaugh" <[example]@charter.net><- my email
Reply-To: "James Radebaugh" <[example]@charter.net><- my email
To: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
Subject: homeowners get cash fast
Date: Mon, 17 Jan 2005 12:45:26 -0800
X-Mailer: X-Topica-Id: <1106012725.web001.6456.1000002>
X-Priority: 3
X-MSMail-Priority: Normal


Dear H0meowner,

Would you like to cut your monthly m0rtgage payment in
half? Imagine how much extra cash you would have
every month to take a vacation, buy a new car, or
make home improvements. We can reduce your house payments
by fifty percent no matter what your crediit.
As a homeowner you are already pre-approoved!

Click below:

http: //BankingSpecialty.com Si...tes, so am a bit at a loss. TXIA for looking.
 
0
•••
Do you have an auto-responder? i.e. a message going back to the sender automatically to notify that their email has been received?

That happened to one of my accounts. It turned out to be the auto-responder.

Hope that helps!

Thanks.


True_Snake
 
0
•••
I have the availability, I believe, but have never set it up to do so.
But you helped me remember something strange that happened yesterday. I was bouncing a SPAM email, and twice it froze and crashed my email client, which has never happened before. I ended up deleting it w/o bounce- but it seemed a little odd that this one email wasn't allowing for a bounce and, in fact, was crashing my email.
 
0
•••
A spammer is using your email addy (spoofing you). Nothing to get worried about. You may want to contact your host though to let them know to keep an eye open for complaints and explain it isn't you. He will be able to tell if you let him know.
 
0
•••
Yep, looks like mail spoofing to me. They didn't send it through your account, but used your return address. Is your email name relatively common?

I had a bad problem with this last year on one of my accounts (rj@<commonemailprovider>.net). The spammers just randomly chose the addresses to use as the from and reply-to address. My provider said all two letter email addresses were having the same problem.
 
0
•••
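One way to check a returned message for the pattern described in this thread, as an added example that is not from any poster: it reads the Received line stamped by the site that bounced the mail and tests whether the handing-off IP belongs to your own provider. The header sample is constructed from the one quoted in the first post; the mailbox name, `MY_PROVIDER_NETS` and the function names are assumptions.

```python
import email
import ipaddress
import re

# Constructed sample modelled on the headers quoted in the first post;
# the mailbox name is a placeholder.
RETURNED = """\
Return-Path: <someone@charter.net>
Received: from 62.235.13.169 (EHLO spoolo3.tiscali.be) (62.235.13.169)
 by mta305.mail.scd.yahoo.com with SMTP; Thu, 21 Apr 2005 15:49:14 -0700
Received: from [83.134.35.55] (helo=dyn-83-156-190-59.ppp.tiscali.fr)
 by spoolo3.tiscali.be with smtp; Fri, 22 Apr 2005 00:46:04 +0200
From: "James Radebaugh" <someone@charter.net>
Subject: homeowners get cash fast

"""

# Assumption: ranges your own provider sends mail from (documentation range).
MY_PROVIDER_NETS = [ipaddress.ip_network("192.0.2.0/24")]
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def handoff_ip(raw, bouncing_domain):
    """IP that handed the message to the site that bounced it.

    Only the Received line stamped by the bouncing site itself is trusted;
    anything below it was supplied by the sender and can be forged.
    """
    msg = email.message_from_string(raw)
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        by = re.search(r"\bby (\S+)", flat)
        ip = IP_RE.search(flat)
        if by and ip and by.group(1).lower().endswith("." + bouncing_domain):
            return ipaddress.ip_address(ip.group(1))
    return None

def classify(raw, bouncing_domain):
    """Label a returned message by where the trusted hop received it from."""
    ip = handoff_ip(raw, bouncing_domain)
    if ip is None:
        return "unknown"
    if any(ip in net for net in MY_PROVIDER_NETS):
        return "sent-via-my-provider"
    return "spoofed-return-address"

if __name__ == "__main__":
    print(handoff_ip(RETURNED, "yahoo.com"), classify(RETURNED, "yahoo.com"))
```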
-RJ- said:
but used your return address.

That's probably it!

Is there a way to stop that though?

Thanks!


True_Snake
 
0
•••
One thing that might help is SPF (sender policy framework?), which basically defines which servers are allowed to send email from your domain. I understand that not all mail servers respect this protocol, especially the old ones, but enough mail servers use SPF so if your domain is configured for it, then spammers will be better off picking on a non-SPF domain.

enom has this option for free. Anyone know other registrars that support this in their DNS options?
 
0
•••
True_Snake said:
-RJ- said:
but used your return address.

That's probably it!

Is there a way to stop that though?

There's not anything you can do about it. Unfortunately there's still a large percentage of webhosts that don't understand how easy it is to spoof a return email address and will threaten to shut down the sites of innocent domain name owners.

You can find a lot of info on Google searching for "email spoofing". Here's one,
http://www.windowsecurity.com/articles/Email-Spoofing.html
 
0
•••
TX. I can't recall being "spoofed" before, so wasn't exactly sure what was up.

I suppose the freeze and crash when attempting to bounce the 2nd email I show was just coincidental. Now that I think about it, I had this prob bouncing email from my PC before- it just didn't take effect as quickly as it does w/ this OS. (ie tried to bounce for 1-2 minutes and finally froze)
 
0
•••
I had that same thing going on a few months back, I thought it was a virus. Now that I've read all the posts I know it wasn't.
 
0
•••
Someone is using your email in a spam run. Report every bounce you know you didn't send to www.spamcop.net

They are bouncing the spam after it's been delivered to their servers. That's not correct as it should drop it on the From line being for an account that doesn't exist.

Also you said you bounce spam back to the from address when you get it. STOP!!! The from address is always fake and you are sending your spam back to a person who didn't send it. If you get one that says it's from me and I get it, you'll be reported to your host/ISP for spam. I know a few other server admins that do the same thing but they also block your ISP/host's IP blocks into their firewalls/iptables until the ISP/Host deletes your account.
 
0
•••
Last year I had a porn spammer hijack my 4 letter yahoo email address for his "reply-to" field. What a major headache! Many months and hundreds of daily bounced emails, unsubscribe requests, and of course hate mail. :( :( :(
 
0
•••
Code:
62.235.13.169

	
Blacklist Status: 	Clear
Record Type: 	IP Address
IP Location: 	Belgium Belgium - Brussels - Brussels - Tiscali Server Pool
Reverse IP: 	No websites hosted using this IP address
Reverse DNS: 	spoolo3.tiscali.be
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

inetnum:      62.235.13.0 - 62.235.14.255
netname:      BE-TISCALI-SERVERS
descr:                 Tiscali Server Pool
country:      BE
admin-c:      TBS8-RIPE
tech-c:       TBS8-RIPE
notify:       Whois Privacy and Spam Prevention by Whois Source
status:       ASSIGNED PA
mnt-by:       BE-TISCALI-MNT
mnt-lower:    BE-TISCALI-MNT
mnt-routes:   BE-TISCALI-MNT
changed:      Whois Privacy and Spam Prevention by Whois Source 20030325
source:       RIPE

route:        62.235.0.0/16
descr:        Tiscali Belgium
origin:       AS8266
mnt-by:       BE-TISCALI-MNT
changed:      Whois Privacy and Spam Prevention by Whois Source 20020507
source:       RIPE

role:         Tiscali Belgium
address:      Tiscali Belgium
address:      Rue de Stassaert n.43
address:      B-1050 Bruxelles
address:      Belgium
phone:        +32 2 400 36 66
fax-no:       +32 2 700 44 03
e-mail:       Whois Privacy and Spam Prevention by Whois Source
admin-c:      KH9300-RIPE
tech-c:       KH9300-RIPE
tech-c:       JVV10-RIPE
tech-c:       MS12497-RIPE
nic-hdl:      TBS8-RIPE
remarks:      Abuse reports should go to Whois Privacy and Spam Prevention by Whois Source
remarks:      Network problems should be reported to Whois Privacy and Spam Prevention by Whois Source
remarks:      Peering requests should go to Whois Privacy and Spam Prevention by Whois Source
remarks:      DNS Problems should be reported to Whois Privacy and Spam Prevention by Whois Source
notify:       Whois Privacy and Spam Prevention by Whois Source
notify:       Whois Privacy and Spam Prevention by Whois Source
notify:       Whois Privacy and Spam Prevention by Whois Source
mnt-by:       BE-TISCALI-MNT
changed:      Whois Privacy and Spam Prevention by Whois Source 20030703
changed:      Whois Privacy and Spam Prevention by Whois Source 20031218
source:       RIPE
 
0
•••
It happens to me all the time now - Especially on Gmail .... I was worried at first as well - But after sending a few of them to "support" - They told me not to worry very much about it. I have had to send proof to at least a few upset folks who didn't know how to check further details. ~ Most regular folks out there really have no idea that these things aren't coming from the shown "Sender".
 
0
•••
tiscali.* is notorious for spam.
 
0
•••
Someone is using your email in a spam run. Report every bounce you know you didn't send to www.spamcop.net
I did it. One thing I will say using Mac on the net is that you seem to get far less funk, in general, but pop is pop, whether using a Mac or a PC, methinks.
 
0
•••