
Returned emails I didn't send
Grizzled Veteran
Join Date: Aug 2002
Location: Cardboard Box
Feb 3, 2006, 09:54 PM
 
Wasn't sure where to post this.

Tonight I got about 300 emails bounced back to me that I did not send. (They all ended up in Mail's junk folder.) Someone obviously used my email address as a reply-to in some major spamming. Any way to tell where these really came from? The emails returned are all different too. Really weird. Suggestions?
<Witty comment here>
www.healthwebit.com
     
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Feb 3, 2006, 10:05 PM
 
I would just ignore the incident. Mail did the right thing and categorized it as SPAM.

You could start digitally signing your e-mails:

http://joar.com/certificates/

Now this wouldn't prevent anybody from using your e-mail address as sender or reply-to address, but it will make sure that your recipients can tell which mails are legitimately yours.
     
Addicted to MacNN
Join Date: Sep 2001
Location: Toronto
Feb 3, 2006, 10:08 PM
 
I had the same thing happen a couple of weeks back. Spammers are the scum of the earth, every last one of them.
     
Posting Junkie
Join Date: Oct 2005
Location: Houston, TX
Feb 3, 2006, 11:25 PM
 
FYI the industry term for this is "joe job" (joe jobbed, joe jobbing, etc).
     
Senior User
Join Date: May 2002
Location: Austria
Feb 5, 2006, 06:41 AM
 
Tell Mail.app to show the source of two or three of the mails and post the complete contents here. In most cases, it's possible to find out the IP address of the sender (who might have a virus and not know that he's sending out spam). If you continue to get bounced e-mails, you can write to his ISP, which is obliged to shut down his internet connection.
     
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Feb 5, 2006, 07:12 AM
 
Most of the time the cause of such occurrences is a compromised (virus infected) PC that is used to bounce spam all over the place, and the compromised machine most likely had your email address in an address book. If the messages have stopped coming, the problem has most likely been remedied already. If not, take a look at the long headers, find the source server and email the standard addresses (abuse@ webmaster@).

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Feb 5, 2006, 10:37 AM
 
What Big Mac said. Viruses often spoof the "reply to" address on their infected emails so the infected PC's owner isn't immediately informed by recipients: "Hey, you sent me an email full of virus! Cut it out!"

If it is truly a bounce from something you didn't send, just delete them. They'll stop soon.
Glenn -----
OTR/L, MOT, Tx
     
greenG4  (op)
Grizzled Veteran
Join Date: Aug 2002
Location: Cardboard Box
Feb 5, 2006, 08:14 PM
 
Originally Posted by Tsilou B.
Tell Mail.app to show the source of two or three of the mails and post the complete contents here. In most cases, it's possible to find out the IP address of the sender (who might have a virus and not know that he's sending out spam). If you continue to get bounced e-mails, you can write to his ISP, which is obliged to shut down his internet connection.

I deleted almost all of them already. Here is one:

From: MAILER-DAEMON@manon.ugi.net
Subject: failure notice
Date: February 4, 2006 1:13:10 PM CST
To: info@greensmusic.net

Spam detection software, running on the system "server342.totalchoisehosting.com", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: Hi. This is the qmail-send program at manon.ugi.net. I'm
afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.
<info@maigrir-rapidement.com>: 213.246.59.155 does not like recipient.
Remote host said: 550 <info@maigrir-rapidement.com>: Recipient address
rejected: User unknown in virtual mailbox table Giving up on
213.246.59.155. [...]

Content analysis details: (15.0 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
1.0 NO_REAL_NAME From: does not include a real name
1.3 INFO_TLD URI: Contains an URL in the INFO top-level domain
-2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
[score: 0.0004]
1.6 URIBL_SBL Contains an URL listed in the SBL blocklist
[URIs: ballzoo.net covepage.info]
4.1 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
[URIs: ballzoo.net covepage.info]
2.1 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
[URIs: ballzoo.net covepage.info]
3.0 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
[URIs: ballzoo.net covepage.info]
4.5 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
[URIs: ballzoo.net covepage.info]



From: MAILER-DAEMON@manon.ugi.net
Date: February 4, 2006 1:13:10 PM CST
To: info@greensmusic.net
Subject: failure notice


Hi. This is the qmail-send program at manon.ugi.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<info@maigrir-rapidement.com>:
213.246.59.155 does not like recipient.
Remote host said: 550 <info@maigrir-rapidement.com>: Recipient address rejected: User unknown in virtual mailbox table
Giving up on 213.246.59.155.

--- Below this line is a copy of the message.

Return-Path: <info@greensmusic.net>
Received: (qmail 30863 invoked from network); 4 Feb 2006 03:13:09 -0000
Received: from unknown (HELO imailart.net) (82.35.250.227)
by manon.ugi.net with SMTP; 4 Feb 2006 03:13:09 -0000
Received: from localhost (helo=localhost)
by imailart.net with SMTP id J87Gz028307171;
Sat, 04 Feb 2006 03:19:36 +0000
Message-Id: <zzU787.phpmlr@localhost>
Date: Sat, 04 Feb 2006 03:19:36 +0000
Subject: Erection pack. Time limited offer
From: "Katharina" <info@greensmusic.net>
To: info@maigrir-rapidement.com
X-Mailer: PHP.Mailer v1.4b
MIME-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)

<html>
<body>
<center>
<a href="http://dvshjv.ballzoo.net/?35795094"><img border=0 width=467 height=230 src="http://rddkmu.covepage.info/imagedir/fl17.jpg"></a></center>
</body>
</html>
<Witty comment here>
www.healthwebit.com
     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Feb 5, 2006, 08:48 PM
 
The "does not like recipient" bit is a giveaway. It means that the virus on the computer doing the mailing harvested something that looked like a valid email address, but wasn't. The mailer daemon caught it (no such user) and bounced it.

Also the subject of the bounced email is, let's say, "questionable."
Glenn -----
OTR/L, MOT, Tx
     
Senior User
Join Date: May 2002
Location: Austria
Feb 6, 2006, 04:16 AM
 
Thanks for the e-mail. Look at the headers of the original spam e-mail that was sent from "Katharina" with your e-mail address. The first "received" header (that's the one at the bottom) says that a computer called "localhost" delivered the e-mail to a server named imailart.net:

Received: from localhost (helo=localhost)
by imailart.net with SMTP id J87Gz028307171;

It looks like imailart.net did not record the IP address of "localhost". However, there is no server called imailart.net on the internet, so we can be sure that this "received" header was faked by the virus.
The second "received" header:

Received: from unknown (HELO imailart.net) (82.35.250.227)
by manon.ugi.net with SMTP; 4 Feb 2006 03:13:09 -0000

says that a server that pretended to be "imailart.net" sent the e-mail to manon.ugi.net. manon.ugi.net has recorded the IP address of the sender: it's 82.35.250.227. This is definitely the real IP address of the spammer.

Now we can look up that IP address. It belongs to

Telewest Broadband IP Network Services
Genesis Business Park
Albert Drive
Woking
Surrey UK

Now we know that some customer of this UK-based broadband ISP has sent the spam mails. We know his IP address, and we also know the exact time he sent his spam mails because the time has also been recorded by manon.ugi.net in the "received" header: 4 Feb 2006 03:13:09 -0000

Telewest's correct address for reports of abuse is abuse@blueyonder.co.uk

You can write to them, tell them the IP address of the spammer and the time when he did it (and of course send them a copy of the e-mail so that they can check this for themselves), and it will be easy for them to find out the real name and address of the spammer, so that they can tell him to buy anti-virus software.

EDIT: You should now edit your last post and remove your e-mail address everywhere so that spam robots cannot find it on this page.
(Last edited by Tsilou B.; Feb 6, 2006 at 05:11 AM. )
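The header walk Tsilou describes above, written out as a small Python script. This is an added example, not code from the thread: it takes the Received lines quoted earlier in this thread as constructed input, reads them from the top (the server that generated the bounce) downward, and trusts only lines written by a server you name (here manon.ugi.net, the bouncing host, passed in as a parameter); the first hop written by an unknown host ends the trustworthy chain, and the last trusted hop's recorded IP is the address to pass to the ISP's abuse contact.

```python
import re
from collections import namedtuple

# Constructed input: the Received headers of the spam quoted earlier in this
# thread (the message carrying the OP's forged sender address), verbatim.
SAMPLE_HEADERS = """Received: (qmail 30863 invoked from network); 4 Feb 2006 03:13:09 -0000
Received: from unknown (HELO imailart.net) (82.35.250.227)
  by manon.ugi.net with SMTP; 4 Feb 2006 03:13:09 -0000
Received: from localhost (helo=localhost)
  by imailart.net with SMTP id J87Gz028307171;
  Sat, 04 Feb 2006 03:19:36 +0000
"""
IPV4 = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")
# claimed_from: what the connecting host said about itself; by: the server that
# wrote the line; ip: the connecting address that server recorded (None if absent)
Hop = namedtuple("Hop", "claimed_from by ip timestamp")

def parse_received(raw):
    """Received hops top-down: the most recent (closest to us) comes first."""
    hops = []
    # Unfold RFC 822 continuation lines (a newline followed by whitespace).
    for line in re.sub(r"\r?\n[ \t]+", " ", raw).splitlines():
        if not line.lower().startswith("received:"):
            continue
        body = line.split(":", 1)[1].strip()
        frm, by = re.search(r"\bfrom\s+(\S+)", body), re.search(r"\bby\s+(\S+)", body)
        ip = IPV4.search(body)
        hops.append(Hop(frm.group(1) if frm else "", by.group(1) if by else "",
                        ip.group(1) if ip else None, body.rsplit(";", 1)[-1].strip()))
    return hops

def find_origin(raw, trusted):
    """Walk down through hops written by servers we trust; the last such hop's
    recorded IP is the earliest verifiable sender. Stop at the first hop written
    by an untrusted host: it and everything below it may have been forged."""
    origin = None
    for hop in parse_received(raw):
        if not hop.by:                 # local handoff, e.g. qmail's own line
            continue
        if hop.by.lower() not in trusted:
            break
        if hop.ip:
            origin = (hop.ip, hop.timestamp)
    return origin

def suspicious_hops(raw):
    """Hops that record no connecting IP or claim to come from localhost."""
    return [h.by for h in parse_received(raw)
            if h.by and (h.ip is None or h.claimed_from == "localhost")]
```

Run `find_origin(SAMPLE_HEADERS, {"manon.ugi.net"})` to get the IP and timestamp Tsilou reports; `suspicious_hops` names the imailart.net line, which recorded no IP and claims "localhost", so it would be unverifiable even if you trusted that host.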
     
greenG4  (op)
Grizzled Veteran
Join Date: Aug 2002
Location: Cardboard Box
Feb 6, 2006, 08:05 PM
 
Thanks for the help, Tsilou. I'm sure exactly how you came up with all of that, but I really appreciate it. This experience has left me a little peeved. BTW, since I own my own domain, I just cancelled the email address; I have many more.
<Witty comment here>
www.healthwebit.com
     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Feb 6, 2006, 08:36 PM
 
That address just needs to rest. The virus will run its course in a few weeks and you'll be able to use it again.

I understand your being peeved. It's a sad day when one must reconfigure one's domain, even slightly, because someone ELSE got infected. Viruses are NOT just a Windows problem; they affect ALL OF US in one way or another.
Glenn -----
OTR/L, MOT, Tx
     