Suddenly receiving hundreds of Undelivered Mail Returned to Sender from various domains

Discussion in 'Email' started by markfalto, Dec 17, 2013.

  1. I can't stop or filter these emails; they're flooding my inbox. I have changed my password. I think some spamming company is spoofing my email and I'm getting the undeliverable messages...


    example #1
    from: [email protected]

    This is the mail system at host mc.internetmailserver.net.

    I'm sorry to have to inform you that your message could not
    be delivered to one or more recipients. It's attached below.

    For further assistance, please send mail to postmaster.

    If you do so, please include this problem report. You can
    delete your own text from the attached returned message.

    The mail system

    : host mx1.hotmail.com[65.55.37.120] said: 550 SC-002
    (COL0-MC4-F22) Unfortunately, messages from 64.79.170.97 weren't sent.
    Please contact your Internet service provider since part of their network
    is on our block list. You can also refer your provider to
    http://mail.live.com/mail/troubleshooting.aspx#errors. (in reply to MAIL
    FROM command)



    example #2
    from: System Administrator (which shows as null;)


    Could not deliver message to the following recipient(s):

    Failed Recipient: [email protected]
    Reason: Remote host said: 550 Action not taken

    -- The header and top 20 lines of the message follows --

    Received: from sm09.internetmailserver.net (sm09.dotnetplayground.com [192.168.120.29]) by smg02.internetmailserver.net with SMTP;
    Tue, 17 Dec 2013 11:01:22 -0800
    Received: from WORLDST-0JQM384 (194.149.107.35.adsl.nextra.cz [194.149.107.35]) by sm09.internetmailserver.net with SMTP;
    Tue, 17 Dec 2013 11:00:58 -0800
    X-Mailer: markfalto.com
    Message-ID: [email protected]
    Subject: Re:
    From:
    To: , , , , , , , , , , , , , ,

    Hello! [spammers link removed]


    Help!
     
  2. martino (DiscountASP.NET Staff)

    It looks like your email user was compromised. I would strongly suggest you run your virus scans on your computer and make sure they are clean. Then change the password for the email user.
     
  3. Hi, I would also like to report the same problem. I have received numerous return emails exactly the same as markfalto, e.g. below:

    _________________________________________
    This is the mail system at host mc.internetmailserver.net.

    I'm sorry to have to inform you that your message could not
    be delivered to one or more recipients. It's attached below.

    For further assistance, please send mail to postmaster.

    If you do so, please include this problem report. You can
    delete your own text from the attached returned message.

    The mail system

    <[email protected]>: host mx2.hyperia.com[217.20.240.64] said: 550
    [email protected] unknown user account (in reply to RCPT TO command)
    _________________________________________

    Could not deliver message to the following recipient(s):

    Failed Recipient: [email protected]
    Reason: Remote host said: 550 Action not taken

    Failed Recipient: [email protected]
    Reason: Remote host said: 550 Action not taken

    Failed Recipient: [email protected]
    Reason: Remote host said: 550 Action not taken


    -- The header and top 20 lines of the message follows --

    Received: from sm07.internetmailserver.net (UnknownHost [192.168.120.27]) by smg06.dotnetplayground.com with SMTP;
    Fri, 27 Dec 2013 14:47:56 -0800
    Received: from mycomputer (ppp91-76-26-202.pppoe.mtu-net.ru [91.76.26.202]) by sm07.internetmailserver.net with SMTP;
    Fri, 27 Dec 2013 14:48:44 -0800
    From: "Rina Triminio" <[email protected]>
    To: "hernandezima" <[email protected]>,
    "igodoy77" <[email protected]>, "hernandezina" <[email protected]>
    Subject: hello
    Date: Thu, 27 Dec 2013 11:47:26 +0100
    MIME-Version: 1.0
    X-mailer: Microsoft Office Outlook, Build 11.0.5510
    Reply-To: [email protected]
    Content-type: Multipart/mixed; boundary="01174424_2F46826B_boundary"
    Content-Description: Multipart message

    --01174424_2F46826B_boundary
    Content-type: text/html; charset=UTF-8
    Content-Transfer-Encoding: Quoted-printable
    Content-Disposition: inline
    Content-Description: HTML text

    =EF=BB=BF<html><head><meta http-equiv=3D"content-type" content: text/html;=
    charset=3DUTF-8></head><body><a href=
    =3D"http://ozkapukaya.com/hbtmgavn/jgjxnqopnxxovw.html">http://ozkapukaya.com/=
    hbtmgavn/jgjxnqopnxxovw.html</a> <br><br><br><br><br><br><br><br><br> Rina=
    Triminio <br><br> 12/27/2013 11:47:26 PM</body></html>
    --01174424_2F46826B_boundary--

    _________________________________________

    I understand you have replied to above post, however maybe you guys need to check on your side if asp.net has been compromised in some way as this is now two of your users (that I know of) experiencing the same email hacking.

    thanks very much
    Jayne
     
  4. martino (DiscountASP.NET Staff)

    Jayne we have been seeing a larger number of email users being compromised but there is nothing wrong with the email server.

    I feel that there is a large number of people getting their email users hacked because their computers have been compromised. For example, just take a look at this web page article from CNN. I don't believe it applies to us, but it gives you an idea of what is going around on the internet around this time.
     
  5. I am getting that too. Could be due to backscatter.
    Mostly, if you have a current AV, your computer may be clean but someone is spoofing your email address and/or email domain to send SPAM.

    Picture this: you send an email/quote etc. to a friend. If the friend's machine is compromised with spyware, bots or whatever, the spyware may see your email in the friend's inbox and upload your email address to a spyware master server or another compromised server as a harvested genuine email address. And your email will now be used by the spyware master server for SPAMMING, changing the mail header (reply-to field) to make it appear as if you are the sender of their SPAM. And because your email is not blacklisted (yet, probably), the SPAM has a better chance of reaching the SPAM targets.

    Check this link for a more in depth explanation

    http://www.blazingfibre.net/tech/bounceflood.htm
     
    Last edited: Jan 3, 2014
  6. martino (DiscountASP.NET Staff)

    Yeah, spoofing is a big one too. However, you can see if it's spoofing if our email server isn't listed in the email header as the originating email server. From the two email headers above, the email message went through our mail gateways, indicating that the message was sent through our email server with SMTP authentication. This means that the email user was compromised and the spammer was using the email user to send out spam.

    The other nasty ones are the people that compromise the email user and change the from field. Those can get tricky to investigate sometimes, but we'll still find them.

    If you believe your email user has been compromised, the best thing to do is contact our support department. Run the virus scans on your computer for any malware or virus. Then, after you have confirmed that the computer is clean, change the password for the email user.

    If the email user gets compromised again, scan all the computers on your network just to be on the safe side. It might be possible that another computer on the same network has been compromised and started sniffing the network traffic, leading to the compromised email user.
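The check martino describes above, done by hand on the Received headers of the bounced original, as an added example (not code from the thread or from DiscountASP.NET): walk the chain and find the hop where one of the provider's hosts accepted the message from outside. If that hop exists and its client address is some random broadband line, the message was submitted through the provider, so the account credentials were used; if none of the provider's hosts appear anywhere in the chain, the bounce is backscatter for a forgery that never touched them. The provider domains are taken from the headers quoted in posts #1 and #3; the inference that anything accepted by an sm* host was SMTP-authenticated is martino's statement, not something the headers themselves prove; the second sample header block is constructed.

```python
import ipaddress
import re

# Domains of the provider's own mail hosts, taken from the headers quoted
# in this thread (sm09/smg02.internetmailserver.net, smg06.dotnetplayground.com).
PROVIDER_DOMAINS = ("internetmailserver.net", "dotnetplayground.com")

# "from <helo> (<rdns> [<ip>]) by <host>" -- the clause that appears in every
# Received line quoted in the thread.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def is_provider_host(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in PROVIDER_DOMAINS)


def received_hops(raw_headers):
    """Return the parsed Received clauses, newest first (the order they appear)."""
    header_block = raw_headers.split("\n\n", 1)[0]
    unfolded = re.sub(r"\n[ \t]+", " ", header_block)      # join folded lines
    hops = []
    for line in unfolded.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "received":
            m = RECEIVED_RE.search(value)
            if m:
                hops.append(m.groupdict())
    return hops


def classify(raw_headers):
    """Decide whether the bounced original was submitted through the provider.

    Each MTA prepends its own Received header, so the last one in the block is
    the oldest.  Walking oldest-first, the first hop that was received *by* a
    provider host tells us who handed the message to the provider.
    """
    hops = received_hops(raw_headers)
    saw_provider = False
    for hop in reversed(hops):
        if not is_provider_host(hop["by"]):
            continue
        saw_provider = True
        client = ipaddress.ip_address(hop["ip"].strip())
        if client.is_private or is_provider_host(hop["helo"]):
            continue          # internal relay (sm* -> smg* gateway), keep walking
        return {
            "verdict": "submitted-through-provider",
            "client_ip": str(client),
            "client_rdns": hop["rdns"] or "",
            "accepted_by": hop["by"],
        }
    verdict = "provider-internal-only" if saw_provider else "provider-not-in-path"
    return {"verdict": verdict, "client_ip": None, "client_rdns": "", "accepted_by": None}


# Header block quoted in post #3 of the thread (addresses removed, Received
# lines kept; the folded date lines are indented as they would be on the wire).
THREAD_SAMPLE = """\
Received: from sm07.internetmailserver.net (UnknownHost [192.168.120.27]) by smg06.dotnetplayground.com with SMTP;
    Fri, 27 Dec 2013 14:47:56 -0800
Received: from mycomputer (ppp91-76-26-202.pppoe.mtu-net.ru [91.76.26.202]) by sm07.internetmailserver.net with SMTP;
    Fri, 27 Dec 2013 14:48:44 -0800
Subject: hello
X-mailer: Microsoft Office Outlook, Build 11.0.5510
"""

# Constructed: a forgery using the victim's domain that was injected straight
# at the receiver's MX from a broadband address (documentation range).
SPOOFED_SAMPLE = """\
Received: from WIN-PC (203-0-113-45.dsl.example.net [203.0.113.45]) by mx.receiver.example with ESMTP;
    Sat, 4 Jan 2014 03:12:08 +0000
Subject: Re:
"""

if __name__ == "__main__":
    for label, sample in (("thread", THREAD_SAMPLE), ("constructed", SPOOFED_SAMPLE)):
        print(label, classify(sample))
```

Run it against the original message attached to a bounce, not against the bounce's own headers: the bounce itself always comes from whichever MTA gave up, and that tells you nothing about where the forgery entered the network.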
     
  7. Here is what I am getting. Is this a compromise on the PC or is it spoofing?

    ***************************************************************************
    This is the mail system at host mc.internetmailserver.net.

    I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.

    For further assistance, please send mail to postmaster.

    If you do so, please include this problem report. You can delete your own text from the attached returned message.

    The mail system

    <[email protected]>: host mx.oit.duke.edu[152.3.72.25] said: 550 5.1.1
    <[email protected]>: Recipient address rejected: undeliverable address: host
    mail-routing.oit.duke.edu[152.3.70.26] said: 550 5.1.1 <[email protected]>:
    Recipient address rejected: User unknown in relay recipient table (in reply
    to RCPT TO command) (in reply to RCPT TO command)
    ****************************************************************************

    and the details text is here => where "[email protected]" is my actual email address.
    *************************************************************************
    Reporting-MTA: dns; mc.internetmailserver.net
    X-Postfix-Queue-ID: B1B0E62289
    X-Postfix-Sender: rfc822; [email protected]
    Arrival-Date: Fri, 3 Jan 2014 02:34:19 -0800 (PST)

    Final-Recipient: rfc822; [email protected]
    Original-Recipient: rfc822;[email protected]
    Action: failed
    Status: 5.1.1
    Remote-MTA: dns; mx.oit.duke.edu
    Diagnostic-Code: smtp; 550 5.1.1 <[email protected]>: Recipient address rejected:
    undeliverable address: host mail-routing.oit.duke.edu[152.3.70.26] said:
    550 5.1.1 <[email protected]>: Recipient address rejected: User unknown in
    relay recipient table (in reply to RCPT TO command)
    **********************************************************************
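The machine-readable part quoted above is an RFC 3464 delivery-status report, and with a few hundred of them in an inbox it pays to parse rather than read. As an added example (not from the thread or from DiscountASP.NET), the parser below pulls out the fields that matter for triage: Reporting-MTA says which server generated the bounce, X-Postfix-Sender says whose queue the original sat in, Status/Diagnostic-Code say why delivery failed. A Reporting-MTA inside the provider means the provider's own queue attempted the delivery, so it accepted the message from someone first, which is the same signal martino reads from the Received headers; a Reporting-MTA elsewhere means a third party bounced a forgery back at the address. The first sample is the report from this post with the obfuscated addresses replaced by placeholders; the second is constructed.

```python
import re
from collections import Counter

# The provider's mail hosts, from the headers quoted earlier in this thread.
PROVIDER_DOMAINS = ("internetmailserver.net", "dotnetplayground.com")


def parse_dsn(status_part):
    """Parse the message/delivery-status part of a bounce (RFC 3464).

    The part is a sequence of header-style groups separated by blank lines:
    the first group describes the bounce as a whole (Reporting-MTA, queue id,
    original sender), each following group one failed recipient.
    """
    groups = [g for g in re.split(r"\n[ \t]*\n", status_part.strip()) if g.strip()]
    parsed = []
    for group in groups:
        unfolded = re.sub(r"\n[ \t]+", " ", group)          # join folded lines
        fields = {}
        for line in unfolded.splitlines():
            name, _, value = line.partition(":")
            fields[name.strip().lower()] = value.strip()
        parsed.append(fields)
    return {"message": parsed[0], "recipients": parsed[1:]}


def explain_status(code):
    """Rough meaning of an enhanced status code's subject digit (X.1 / X.7 / ...)."""
    subject = code.split(".")[1] if code.count(".") == 2 else ""
    return {
        "1": "bad destination address (spam list hit a dead mailbox)",
        "7": "policy rejection (block list, authentication, content)",
    }.get(subject, "other delivery failure")


def triage(bounces):
    """Summarise a pile of bounce DSNs: who generated them and why they failed."""
    status_counts = Counter()
    reporting_mtas = Counter()
    queued_by_provider = 0
    for text in bounces:
        dsn = parse_dsn(text)
        mta = dsn["message"].get("reporting-mta", "").split(";")[-1].strip().lower()
        reporting_mtas[mta] += 1
        # A Reporting-MTA inside the provider means the provider's own queue
        # tried the delivery, i.e. it accepted the message from someone first.
        if any(mta == d or mta.endswith("." + d) for d in PROVIDER_DOMAINS):
            queued_by_provider += 1
        for rcpt in dsn["recipients"]:
            status_counts[rcpt.get("status", "?")] += 1
    return {
        "bounces": len(bounces),
        "queued_by_provider": queued_by_provider,
        "reporting_mtas": dict(reporting_mtas),
        "status_counts": dict(status_counts),
        "reasons": {code: explain_status(code) for code in status_counts},
    }


# The delivery-status part quoted in post #7 (the thread obfuscated the real
# addresses; "me@example.com" and "redacted@duke.edu" stand in for them).
DSN_FROM_THREAD = """\
Reporting-MTA: dns; mc.internetmailserver.net
X-Postfix-Queue-ID: B1B0E62289
X-Postfix-Sender: rfc822; me@example.com
Arrival-Date: Fri, 3 Jan 2014 02:34:19 -0800 (PST)

Final-Recipient: rfc822; redacted@duke.edu
Original-Recipient: rfc822;redacted@duke.edu
Action: failed
Status: 5.1.1
Remote-MTA: dns; mx.oit.duke.edu
Diagnostic-Code: smtp; 550 5.1.1 <redacted@duke.edu>: Recipient address rejected:
    undeliverable address: host mail-routing.oit.duke.edu[152.3.70.26] said:
    550 5.1.1 <redacted@duke.edu>: Recipient address rejected: User unknown in
    relay recipient table (in reply to RCPT TO command)
"""

# Constructed: a bounce generated by some third party's MTA for a forged
# message that never passed through the provider (classic backscatter).
DSN_BACKSCATTER = """\
Reporting-MTA: dns; mx.example.net
Arrival-Date: Sat, 4 Jan 2014 09:15:02 +0000

Final-Recipient: rfc822; nobody@example.org
Action: failed
Status: 5.7.1
Remote-MTA: dns; mx2.example.org
Diagnostic-Code: smtp; 550 5.7.1 Service unavailable; client host blocked
"""

if __name__ == "__main__":
    print(triage([DSN_FROM_THREAD, DSN_BACKSCATTER]))
```

The X-Postfix-Queue-ID is the value to hand to support along with the full headers: it is the key the provider needs to find the matching submission in its SMTP logs, which is what martino suggests asking for.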
     
  8. Virus scan showed nothing.
    Changed my email password. In case it's a new spyware, I actually typed my password in Notepad and pasted it into the password fields to avoid unknown keyloggers/rootkits.
    Since then things seem to be OK.
    But from the headers above, was the compromise on my system or was it a spoof?
     
  9. martino (DiscountASP.NET Staff)

    Did you really send that email message to the email user in the bounce back email message?

    If not then it does look a little suspicious because it did reach our mail channels. I would suggest you open a ticket with support department and ask them to check the SMTP logs for your email user. Also, provide them with the full email header unedited.
     
  10. I did not send the initial email, and this is a typical bounce I was getting, of about 400 messages. This seems to have stopped now; I have already changed my password.

    Ticket submitted : 11E-1A5BBF8F-02EC
     
    Last edited: Jan 4, 2014
  11. mjp

    If you do have a keylogger on your system, typing your password in another program won't protect it. A keylogger will log every keystroke, no matter which program you happen to be in. FYI.
     
  12. I agree that a keylogger can log every keystroke.
    1) However, most spyware will pay special attention to the password window class in a program or browser.
    2) Spyware has to optimize the data that it collects and sends to its "mother server", so if it sends everything I am typing, how do they determine which is the password or not?
    3) Like right now I am typing this text in a browser, a few hundred bytes; imagine by the end of the day it could easily reach several KB, and there is no password here. So if it uploads every piece of data like that from every compromised system, how would they be able to optimize their attacks?
    4) I agree typing in Excel, Word or Notepad is not a complete defence, but it could give temporary relief when you need to change the password on a compromised system while you are still cleaning it up.

    In my case I did not actually find a keylogger in virus scanning, but I believe my password may have been stolen from another compromised site, e.g. Adobe, where I am registered.
     
  13. Another technique to reduce this kind of thing is to make the public-facing email addresses that I use to register on various sites into aliases in my mail server.
     
  14. I have also just started to experience this problem. One morning last week I had about 15 Undelivered Mail messages for unknown recipients and unknown email addresses. Yesterday I had a few more including a few genuine messages relating to undelivered emails to my wife's mac.com account. This morning I had another dozen or so Undelivered Mail messages, again to unrecognised addresses. I have run a full virus check (negative) and will now change my email password.
     
  15. mjp

    It's worth remembering that, aside from a compromise, you can also see bounces like that from email sent by spammers who just create hundreds of fake email addresses using your domain name, but never send any mail through our servers.

    Fake headers using domains that are harvested and selected at random are used by thousands of spam bots. If that is the source of the bounces, unfortunately there isn't anything you can do to stop them.

    On the bright side, if spammers use your domain that way, they don't usually do it for long.
     
  16. The odd thing is that the apparent spam has coincided with some genuine Undelivered Mail first to mac.com and now to Comcast.net. I have not experienced any genuine Undelivered Mail for years and this has confused the situation. Hopefully this current bout of spamming will be short lived. Thanks for your response.
     
  17. I'm getting nothing on a virus scan too. I've used ESET, Norton and Malwarebytes, so I don't think my PC is compromised, so I wonder how they're doing this. Spoofing? I wonder if there is a way to find out who is doing this? Spam is illegal, and seeing as all these emails look like they're coming from me, I think this could look bad on me, right?
     
  18. mjp

    There is not an easy way to find out who is doing it. You can track down IPs if you have a lot of time to spend on it, but they will never lead you to a person who you can arrest or flog or torture in some other way. ;)

    It's annoying, but as I mentioned previously, it's usually temporary.
     
  19. One of my clients reported this issue too. He contacted me directly, as the email delivery failed constantly. He received a message "Certain mail servers are currently on our blacklist. We are working on having them de-listed." He wanted to track down the IP, but failed. I suggested a virus scan, but I guess it's in vain.
     
  20. martino (DiscountASP.NET Staff)

    To prevent spoofing you need to set up a DKIM or SPF record: https://support.discountasp.net/kb/a1602/email-authentication-through-spf-and-dkim.aspx
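As an added example (not from the knowledge-base article linked above and not DiscountASP.NET's code), a minimal SPF evaluator showing what a receiving MTA does with such a record: the IP that connects and says MAIL FROM your domain is checked against your domain's `v=spf1` record, and the qualifier of the first matching mechanism decides pass, fail, softfail or neutral. The record below is constructed; it authorises the /24 around 64.79.170.97, the outbound address Hotmail named in the bounce in post #1 (that the provider's real outbound range is that /24 is an assumption for the example), and the other addresses tested are the broadband client IPs that appear in the thread's headers. Two caveats: SPF only helps when the receiver checks it and rejects at SMTP time rather than accepting and bouncing later, so it reduces backscatter but does not end it; and neither SPF nor DKIM does anything against the compromised-account case, because mail sent through the provider's own servers with stolen credentials is, by construction, authorised.

```python
import ipaddress

# SPF results for each qualifier prefix (RFC 7208 section 4.6.2).
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a v=spf1 record into (qualifier, mechanism, argument) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not a v=spf1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                       # default qualifier is "+" (pass)
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def check_spf(record, client_ip):
    """Evaluate a record against the connecting IP.

    Handles ip4, ip6 and all, which is all the constructed record below uses.
    Mechanisms that need DNS (a, mx, include, exists) raise rather than being
    silently skipped, because skipping them would turn a real "pass" into "fail".
    """
    ip = ipaddress.ip_address(client_ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)   # bare IP == /32 or /128
            if ip.version == net.version and ip in net:
                return QUALIFIER_RESULT[qualifier]
            continue
        raise NotImplementedError("mechanism %r needs DNS; not evaluated here" % mech)
    return "neutral"          # no term matched and no "all": RFC 7208 default


# Constructed record for the victim's domain.  64.79.170.97 is the outbound
# address Hotmail named in the bounce in post #1; treating the surrounding /24
# as the provider's outbound range is an assumption made for the example.
EXAMPLE_RECORD = "v=spf1 ip4:64.79.170.0/24 -all"


def evaluate_thread_clients(record=EXAMPLE_RECORD):
    """Results for the client addresses that appear in the thread's headers."""
    clients = {
        "provider outbound (post #1)": "64.79.170.97",
        "nextra.cz ADSL (post #1)": "194.149.107.35",
        "mtu-net.ru PPPoE (post #3)": "91.76.26.202",
    }
    return {label: check_spf(record, ip) for label, ip in clients.items()}


if __name__ == "__main__":
    for label, result in evaluate_thread_clients().items():
        print("%-28s %s" % (label, result))
```

Note that the two broadband addresses fail against this record only for mail that claims the domain at MAIL FROM and goes directly to a receiver's MX; in posts #1 and #3 those same addresses submitted through the provider's own sm* hosts, which is exactly the path SPF would mark as pass.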
     
