Old 04-21-2005, 04:39 PM THREAD STARTER               #1 (permalink)
Grrilla
Unusual email Happenings - Need Tech Opinion


A bunch of mailer Daemons have started showing up @ one of my email addresses.
Quote:
Message from yahoo.com.
Unable to deliver message to the following address(es).

<cosmogirl_082002@yahoo.com>:
Sorry your message to cosmogirl_082002@yahoo.com cannot be delivered. This account has been disabled or discontinued [#102].

<deniseruder@yahoo.com>:
This user doesn't have a yahoo.com account (deniseruder@yahoo.com) [-6]

<drew777yx@yahoo.com>:
Sorry your message to drew777yx@yahoo.com cannot be delivered. This account has been disabled or discontinued [#102].

<godown247@yahoo.com>:
Sorry your message to godown247@yahoo.com cannot be delivered. This account has been disabled or discontinued [#102].

<madavis15@yahoo.com>:
Sorry your message to madavis15@yahoo.com cannot be delivered. This account has been disabled or discontinued [#102].

<starkiss86314@yahoo.com>:
Sorry your message to starkiss86314@yahoo.com cannot be delivered. This account has been disabled or discontinued [#102].

--- Original message follows.

Authentication-Results: mta305.mail.scd.yahoo.com
from=charter.net; domainkeys=neutral (no sig)
X-Originating-IP: [62.235.13.169]<-not my IP
Return-Path: <[example]@charter.net><- my email-not my name
Received: from 62.235.13.169 (EHLO spoolo3.tiscali.be) (62.235.13.169)
by mta305.mail.scd.yahoo.com with SMTP; Thu, 21 Apr 2005 15:49:14 -0700
Received: from [83.134.35.55] (helo=dyn-83-156-190-59.ppp.tiscali.fr)
by spoolo3.tiscali.be with smtp (Tiscali.be http://www.tiscali.be)
id 1DOkQt-0001hm-Vp; Fri, 22 Apr 2005 00:46:04 +0200
Received: from out020.topica-silver-w.com (out020.topica-silver-w.com [65.77.106.40]) by rly-yd04.mx.aol.com (v104.17) with ESMTP id MAILRELAYINYD46-20e41e61d6f14d; Mon, 17 Jan 2005 02:04:16 -0500
Message-ID: <546878434-1463792126-1105599854@topica1.b.tep1.com>
From: "James Radebaugh" <[example]@charter.net><- my email
Reply-To: "James Radebaugh" <[example]@charter.net><- my email
To: godown247@yahoo.com, hedi_forster@yahoo.com, deniseruder@yahoo.com, cosmogirl_082002@yahoo.com, drew777yx@yahoo.com, brandycetolbert225@yahoo.com, starkiss86314@yahoo.com, madavis15@yahoo.com
Subject: homeowners get cash fast
Date: Mon, 17 Jan 2005 12:45:26 -0800
X-Mailer: X-Topica-Id: <1106012725.web001.6456.1000002>
X-Priority: 3
X-MSMail-Priority: Normal


Dear H0meowner,

Would you like to cut your monthly m0rtgage payment in
half? Imagine how much extra cash you would have
every month to take a vacation, buy a new car, or
make home improvements. We can reduce your house payments
by fifty percent no matter what your crediit.
As a homeowner you are already pre-approoved!

Click below:

[url]http: //BankingSpecialty.com

Sincerely,

Vito Henson

immigrate deer vietnamese avertive blast
pinpoint stable apathy missionary scorch
weston stonecrop comma emphasis encephalitis
monk deacon visor bingham anti


*** MESSAGE TRUNCATED ***

Is someone hijacking this email account to send out SPAM?


This came to me approx the same time, (may be related-not sure) which looks like a subtle form of phishing:
Quote:
From: cfgg@earthlink.net
Subject: Re: you're PreApprooved
Date: April 21, 2005 8:17:34 AM PDT
To: [My email]@charter.net
Reply-To: nobody@earthlink.net
apologize for this automatic reply to your email.

To control spam, I now allow incoming messages only from senders I have approved beforehand.

If you would like to be added to my list of approved senders, please fill out the short request form (see link below). Once I approve you, I will receive your original message in my inbox. You do not need to resend your message. I apologize for this one-time inconvenience.

Click the link below to fill out the request:

https: //webmail.pas.earthlink.net/wam/addme?a=cfgg@earthlink.net&id=1doDqSBP3NZFpF0
What's odd about this is that I have been relatively Mailer-Daemon free, and have received 4-5 such notices all today. Anyone have an idea about what might be going on, i.e. is my email acting as a proxy to deliver SPAM? I don't use this address for anything public, i.e. registering w/ sites, so am a bit at a loss. TXIA for looking.
Last edited by Grrilla; 04-21-2005 at 04:44 PM.
 
Old 04-21-2005, 04:43 PM   #2 (permalink)
True_Snake
Do you have an auto-responder? i.e. a message going back to the sender automatically to notify that their email has been received?

That happened to one of my accounts. It turned out to be the auto-responder.

Hope that helps!

Thanks.


True_Snake
Old 04-21-2005, 04:48 PM THREAD STARTER               #3 (permalink)
Grrilla
I have the availability, I believe, but have never set it up to do so.
But you helped me remember something strange that happened yesterday. I was bouncing a SPAM email, and twice it froze and crashed my email client, which has never happened before. I ended up deleting it w/o bounce- but it seemed a little odd that this one email wasn't allowing for a bounce and, in fact, was crashing my email.
 
Old 04-21-2005, 04:56 PM   #4 (permalink)
LeeRyder
A spammer is using your email addy (spoofing you). Nothing to get worried about. You may want to contact your host though to let them know to keep an eye open for complaints and explain it isn't you. He will be able to tell if you let him know.
Old 04-21-2005, 05:10 PM   #5 (permalink)
RJ
Yep, looks like mail spoofing to me. They didn't send it through your account, but used your return address. Is your email name relatively common?

I had a bad problem with this last year on one of my accounts (rj@<commonemailprovider>.net). The spammers just randomly chose the addresses to use as the from and reply-to address. My provider said all two letter email addresses were having the same problem.
Old 04-21-2005, 05:17 PM   #6 (permalink)
True_Snake
Originally Posted by -RJ-
but used your return address.
That's probably it!

Is there a way to stop that though?

Thanks!


True_Snake
Old 04-21-2005, 05:21 PM   #7 (permalink)
armstrong
One thing that might help is SPF (sender policy framework?), which basically defines which servers are allowed to send email from your domain. I understand that not all mail servers respect this protocol, especially the old ones, but enough mail servers use SPF so if your domain is configured for it, then spammers will be better off picking on a non-SPF domain.

enom has this option for free. Anyone know other registrars that support this in their DNS options?
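The SPF check described in the post above, applied to two headers of the bounce quoted in post #1, as an added example that is not part of the original thread. The SPF record is constructed (the domain's real record is not on the page), the function names are hypothetical, and only the `ip4`, `ip6` and `all` mechanisms are evaluated so the check runs without DNS.

```python
import ipaddress
import re

# Constructed SPF record for the spoofed domain (documentation IP ranges);
# the domain's real record is not on the page.
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.16/28 -all"

# Two headers from the bounce quoted in post #1, as they appear there.
BOUNCE_HEADERS = """\
Return-Path: <[example]@charter.net>
Received: from 62.235.13.169 (EHLO spoolo3.tiscali.be) (62.235.13.169)
 by mta305.mail.scd.yahoo.com with SMTP; Thu, 21 Apr 2005 15:49:14 -0700
"""

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip):
    """Evaluate only the ip4/ip6/all mechanisms of an SPF record (no DNS)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # domain publishes no usable policy
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # a, mx, include, redirect need DNS and are skipped in this offline check
    return "neutral"  # nothing matched and the record has no "all"


def classify_bounce(headers, spf_by_domain):
    """Return (envelope domain, connecting IP, SPF result) for a bounced message."""
    domain = re.search(r"^Return-Path:\s*<[^>]*@([^>]+)>", headers, re.M).group(1)
    # Last parenthesised IPv4 on the topmost Received line: the address the
    # receiving server recorded for the connection, not a sender-supplied name.
    ip = re.search(r"^Received:.*\((\d+(?:\.\d+){3})\)", headers, re.M).group(1)
    return domain, ip, check_spf(spf_by_domain.get(domain.lower(), ""), ip)


if __name__ == "__main__":
    print(classify_bounce(BOUNCE_HEADERS, {"charter.net": SAMPLE_SPF}))
```

With a `-all` record in place, a receiver that enforces SPF can refuse the message during the SMTP session, so no bounce is generated toward the forged return address.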
Old 04-21-2005, 05:23 PM   #8 (permalink)
RJ
Originally Posted by True_Snake
Originally Posted by -RJ-
but used your return address.
That's probably it!

Is there a way to stop that though?
There's not anything you can do about it. Unfortunately there's still a large percentage of webhosts that don't understand how easy it is to spoof a return email address and will threaten to shut down the sites of innocent domain name owners.

You can find a lot of info on Google searching for "email spoofing". Here's one,
http://www.windowsecurity.com/articl...-Spoofing.html
Old 04-21-2005, 05:50 PM THREAD STARTER               #9 (permalink)
Grrilla
TX. I can't recall being "spoofed" before, so wasn't exactly sure what was up.

I suppose the freeze and crash when attempting to bounce the 2nd email I show was just coincidental. Now that I think about it, I had this prob bouncing email from my PC before- it just didn't take effect as quickly as it does w/ this OS. (ie tried to bounce for 1-2 minutes and finally froze)
 
Old 04-21-2005, 06:09 PM   #10 (permalink)
.X.
I had that same thing going on a few months back, I thought it was a virus. Now that I've read all the posts I know it wasn't.
Old 04-21-2005, 09:53 PM   #11 (permalink)
ZuraX
Someone is using your email in a spam run. Report every bounce you know you didn't send to www.spamcop.net

They are bouncing the spam after it's been delivered to their servers. That's not correct as it should drop it on the From line being for an account that doesn't exist.

Also you said you bounce spam back to the from address when you get it. STOP!!! The from address is always fake and you are sending your spam back to a person who didn't send it. If you get one that says it's from me and I get it you'll be reported to your host/ISP for spam. I know a few other server admins that do the same thing but they also block your ISP/host's IP blocks into their firewalls/iptables until the ISP/Host deletes your account.
Old 04-21-2005, 10:04 PM   #12 (permalink)
dabb
Last year I had a porn spammer hijack my 4 letter yahoo email address for his "reply-to" field. What a major headache! Many months and hundreds of daily bounced emails, unsubscribe requests, and of course hate mail.
Old 04-21-2005, 11:31 PM   #13 (permalink)
adam_uk
Code:
62.235.13.169

	
Blacklist Status: 	Clear
Record Type: 	IP Address
IP Location: 	Belgium Belgium - Brussels - Brussels - Tiscali Server Pool
Reverse IP: 	No websites hosted using this IP address
Reverse DNS: 	spoolo3.tiscali.be
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

inetnum:      62.235.13.0 - 62.235.14.255
netname:      BE-TISCALI-SERVERS
descr:                 Tiscali Server Pool
country:      BE
admin-c:      TBS8-RIPE
tech-c:       TBS8-RIPE
notify:       Whois Privacy and Spam Prevention by Whois Source
status:       ASSIGNED PA
mnt-by:       BE-TISCALI-MNT
mnt-lower:    BE-TISCALI-MNT
mnt-routes:   BE-TISCALI-MNT
changed:      Whois Privacy and Spam Prevention by Whois Source 20030325
source:       RIPE

route:        62.235.0.0/16
descr:        Tiscali Belgium
origin:       AS8266
mnt-by:       BE-TISCALI-MNT
changed:      Whois Privacy and Spam Prevention by Whois Source 20020507
source:       RIPE

role:         Tiscali Belgium
address:      Tiscali Belgium
address:      Rue de Stassaert n.43
address:      B-1050 Bruxelles
address:      Belgium
phone:        +32 2 400 36 66
fax-no:       +32 2 700 44 03
e-mail:       Whois Privacy and Spam Prevention by Whois Source
admin-c:      KH9300-RIPE
tech-c:       KH9300-RIPE
tech-c:       JVV10-RIPE
tech-c:       MS12497-RIPE
nic-hdl:      TBS8-RIPE
remarks:      Abuse reports should go to Whois Privacy and Spam Prevention by Whois Source
remarks:      Network problems should be reported to Whois Privacy and Spam Prevention by Whois Source
remarks:      Peering requests should go to Whois Privacy and Spam Prevention by Whois Source
remarks:      DNS Problems should be reported to Whois Privacy and Spam Prevention by Whois Source
notify:       Whois Privacy and Spam Prevention by Whois Source
notify:       Whois Privacy and Spam Prevention by Whois Source
notify:       Whois Privacy and Spam Prevention by Whois Source
mnt-by:       BE-TISCALI-MNT
changed:      Whois Privacy and Spam Prevention by Whois Source 20030703
changed:      Whois Privacy and Spam Prevention by Whois Source 20031218
source:       RIPE
Old 04-21-2005, 11:45 PM   #14 (permalink)
Mark
It happens to me all the time now - Especially on Gmail .... I was worried at first as well - But after sending a few of them to "support" - They told me not to worry very much about it. I have had to send proof to at least a few upset folks who didn't know how to check further details. ~ Most regular folks out there really have no idea that these things aren't coming from the shown "Sender".
Old 04-21-2005, 11:47 PM   #15 (permalink)
dabb
tiscali.* is notorious for spam.
Old 04-22-2005, 01:13 AM THREAD STARTER               #16 (permalink)
Grrilla
Quote:
Someone is using your email in a spam run. Report every bounce you know you didn't send to www.spamcop.net
I did it. One thing I will say using Mac on the net is that you seem to get far less funk, in general, but pop is pop, whether using a Mac or a PC, methinks.
 