
Returned Emails


tegk68


Am getting a bit worried about an email scam that I'm being hit with.... I am getting a load of Returned Emails, when I look at the address they are all varieties of my own email addy, for example:

 

 

 

[email protected]

 

[email protected]

 

[email protected]

 

 

 

They are all varieties of my own email addy: [email protected]

 

 

 

I haven't sent them. I only use the helen@..... variety. Does this therefore mean I have some sort of virus which is somehow sending emails out using a different extension of my own email addy to all and sundry?

 

How do I stop this?

 

Thanks

 

Yours worriedly

 

Helen :flowers:

 

 

 

The actual returned emails read like this:

 

 

 

This message was created automatically by mail delivery software.

 

A message that you sent could not be delivered to one or more of its

recipients. This is a permanent error. The following address(es) failed:

 

[email protected]

(generated from [email protected])

retry timeout exceeded

 

------ This is a copy of the message, including all the headers. ------

 

Return-path: <[email protected]>

Received: from [196.204.25.67] (helo=hauqdi)

by chicago.bigwebspace.com with smtp (Exim 4.63 (FreeBSD))

(envelope-from <[email protected]>)

id 1GglB1-0001Za-He

 

etc etc etc

Link to comment
Share on other sites

Chances are someone is using your various varieties of email address to send out spam and it's not coming from your PC. I think it's called spoofing or something similar.

 

I had the same in the summer, it definitely wasn't coming from my PC as it carried on while I was on holiday and the computer was switched off for a week. It took about 2 months to fizzle out :( and the really awful thing is that I now receive spam sent to the made-up addresses.

Link to comment
Share on other sites

A spammer has got hold of the base email addy (the IP the emails are originating from is African - Egypt in fact). I'm afraid this is a very common problem.

 

First thing you need to do is contact your own ISP or email supplier and advise them what's happened and that it is not you originating the spam, make sure you include details of the full headers you have so they can confirm you are not the originating sender.

 

If you can track where the emails are originating then contact the abuse dept of the relevant ISP. From the IP posted here I haven't been able to trace the originating ISP - too many bounces and time outs, but you may have more luck with others.

 

Post up something on your website clearly outlining exactly what has happened and explaining that it is not you sending out the spam - this will hopefully head off any issues you might have when disgruntled recipients come looking for the "spammer".

 

If you do manage to find an originating ISP - when you email them make sure you do so using your domain email so they know that you are who you say you are, and make sure you tell them that their "customer" is forging your account (they'll probably have loads of spam complaints and are ignoring them - forgery is more serious and gets their attention).

 

It might also be worth asking your own ISP if they have any anti spam software that might help, something that might identify that there is no such email address and bounce the email back - this will keep it out of your inbox at the very least.

 

If you can't get to the spammer directly, you can try getting to them through the people who are paying them, although frankly they don't tend to care very much if they are using spam services in the first place - but it's worth a try. Is there a link in the bounced emails to the website that they are advertising? If possible avoid clicking it, just get the URL then do a trace on that to find their abuse dept and report it to them.

 

At the end of the day though, there is very little that you can actually do to stop this happening.

 

One more thing - if you have "catch all" enabled on your email account - disable it or ask your ISP to disable it, that should stop a lot of it getting through.

Link to comment
Share on other sites

b*llocks

 

Snow, thank you so much. Will get onto my ISP.

 

In the meantime can you look at this transcript and tell me whether I've correctly identified the originator (of one of many!) - in red - so I can start going through them:

 

 

 

Received: from mx1.xtreme.net.nz ([203.167.235.82])

by mail.domainnamesgb.com (VisNetic.MailServer.v7.2.4.0) with ESMTP id LTN37901

for <[email protected]>; Mon, 30 Oct 2006 10:11:04 -0000

Received: from server.Tritec.local ([203.171.42.11])

by mx1.xtreme.net.nz (xtreme.net.nz [203.171.32.92])

(MDaemon PRO v9.5.1)

with ESMTP id md50010957444.msg

for <[email protected]>; Mon, 30 Oct 2006 22:33:36 +1300

From: [email protected]

To: [email protected]

Date: Mon, 30 Oct 2006 22:30:50 +1300

MIME-Version: 1.0

Content-Type: multipart/report; report-type=delivery-status;

boundary="9B095B5ADSN=_01C6CDCBC02E8B2E000037DCserver.Tritec.lo"

X-DSNContext: 335a7efd - 4457 - 00000001 - 80040546

Message-ID: <[email protected]>

Subject: Delivery Status Notification (Failure)

X-Spam-Processed: xtreme.net.nz, Mon, 30 Oct 2006 22:33:36 +1300

(not processed: message from trusted or authenticated source)

X-MDRemoteIP: 203.171.42.11

X-Return-Path:

X-Envelope-From:

X-MDaemon-Deliver-To: [email protected]

X-MDAV-Processed: xtreme.net.nz, Mon, 30 Oct 2006 22:33:36 +1300

X-NAS-Language: English

X-NAS-Bayes: #0: 0; #1: 1

X-NAS-Classification: 0

X-NAS-MessageID: 3246

X-NAS-Validation: {4A77C32F-87D0-44F6-B7BC-35694028E757}

Link to comment
Share on other sites

No, that's the domain that bounced the spam, not the originator. You need the IP of the account that sent the email to that person.

 

You'll need to enable full headers on your email and go back farther than that. Tbh there's likely to be several bounces; start with the very first IP in the header (working from the bottom up).

Link to comment
Share on other sites
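
The advice in the post above (read the Received lines from the bottom up to find the earliest hop) can be scripted for Exim-style bounces like the one in the first post. This is an added example, not part of the original thread; the sample bounce, its addresses and IPs are constructed, and the function names are hypothetical.

```python
import re
from email import message_from_string

MARKER = "------ This is a copy of the message, including all the headers. ------"
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed sample bounce: documentation IPs and example domains, not real data.
SAMPLE_BOUNCE = """\
This message was created automatically by mail delivery software.

  nobody@recipient.example
    retry timeout exceeded

------ This is a copy of the message, including all the headers. ------

Return-path: <made-up@victim.example>
Received: from relay.example ([198.51.100.20])
    by mx.recipient.example with esmtp id 1AbCdE-0001Za-He
Received: from [203.0.113.7] (helo=hauqdi)
    by relay.example with smtp
From: made-up@victim.example
Subject: constructed sample

body
"""

def returned_copy(bounce_text):
    """Parse the copy of the undelivered message that follows the marker line."""
    _, found, copy = bounce_text.partition(MARKER)
    if not found:
        raise ValueError("bounce carries no copy of the original message")
    return message_from_string(copy.lstrip("\n"))

def received_chain(bounce_text):
    """Hops oldest first (bottom-up) as (client_ip, helo_or_name, receiving_host).
    Only hops recorded by servers you trust are reliable; earlier ones can be faked."""
    hops = []
    for raw in reversed(returned_copy(bounce_text).get_all("Received", [])):
        from_part, _, by_part = " ".join(raw.split()).partition(" by ")
        ip = IPV4.search(from_part)
        helo = re.search(r"helo=([^)\s]+)", from_part)
        name = helo.group(1) if helo else from_part.split()[1]
        hops.append((ip.group() if ip else None, name, by_part.split()[0] if by_part else None))
    return hops

def is_forged_sender(bounce_text, addresses_in_use):
    """True when the Return-path is not an address the domain owner actually sends from."""
    sender = returned_copy(bounce_text).get("Return-path", "").strip(" <>").lower()
    return sender not in {a.lower() for a in addresses_in_use}
```

The first tuple returned by `received_chain` is the hop to include when reporting to an ISP's abuse desk, and `is_forged_sender` separates bounces for made-up addresses from bounces for mail you really sent.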

Someone is forging your domain name as the return address on spam.

 

So far as I know, there is not a lot you can do about this. It's like if someone had printed up a batch of headed paper with your name and address on it and sent out adverts on it.

 

You could try to hunt them down and sue them for damaging your reputation, but chances are you will never find them because they move on so quickly. :mad:

 

Any ISP that is hosting this stuff will either get rid of it as quick as they can, or they don't care enough to do anything about it, in my view.

 

They forge some of my domains, too. :(

 

You could spend your life trying to hunt the buggers down, but they will never stay still long enough for you to have a real pop at them.

Edited by cycas
Link to comment
Share on other sites

Oh sh*t, thought it might be something like that :(

 

How did you sort it karen, or didn't you?

 

My spoof emails were apparently coming from somewhere in Russia and I couldn't find anything to do to stop it. All I could do was delete the returned messages on a regular basis, but it is an almighty pain. The really bad bit was that I got blacklisted by Spamcop at one point and my genuine emails got blocked for a few days.

Link to comment
Share on other sites

Thank you all so much :flowers:

 

Snow, I'm having trouble tracing - no surprise there really but thank you. Karen I'm sorry you haven't got it sorted too and you also Cycas. Don't know why but I'm finding this sort of email abuse quite scary really. Not good for business either :rolleyes:

 

Am on hold to my ISP as I write, so will see what they have to say. Will amend my website later on.

 

If I find anything useful out and worth sharing I'll post it here but from what you all tell me, it doesn't seem that likely :(

Link to comment
Share on other sites

I get about 5 of these every day too :huh:

 

This Message was undeliverable due to the following reason:

 

Each of the following recipients was rejected by a remote mail server.

The reasons given by the server are included to help you determine why

each recipient was rejected.

 

Recipient: <[email protected]>

Reason: sorry, no mailbox by that name (#5.7.1)

 

 

Please reply to <[email protected]>

if you feel this message to be in error.

 

The following attachments have been removed from the bounce message: data.zip

 

 

Final-Recipient: RFC822; <[email protected]>

Action: failed

Status: 5.1.1

Remote-MTA: dns; postbox3.fairfax.com.au (203.5.59.44)

Diagnostic-Code: smtp; 550 sorry, no mailbox by that name (#5.7.1)

 

 

Received: from greyhound-data.com ([147.10.64.40])

by omta02ps.mx.bigpond.com with ESMTP

id <20061109170651.DWVJ24597.omta02ps.mx.bigpond.com@greyhound-data.com>

for <[email protected]>; Thu, 9 Nov 2006 17:06:51 +0000

From: [email protected]

To: [email protected]

Subject: Server Report

Date: Fri, 10 Nov 2006 03:50:29 +1100

MIME-Version: 1.0

Content-Type: multipart/mixed;

boundary="----=_NextPart_000_0014_BBE3913D.0627B4DD"

X-Priority: 3

X-MSMail-Priority: Normal

Message-Id: <20061109170651.DWVJ24597.omta02ps.mx.bigpond.com@greyhound-data.com>

 

 

 


 

 

Don't understand them, just delete them, don't care :wacko:

Link to comment
Share on other sites
