Undeliverable mail from random addresses

Starting about 3 weeks ago, I started receiving many e-mails each day that say "Mail delivery failed: returning message to sender", "Returned mail: see transcript for details", "Returned mail: User unknown" or "Undeliverable", followed by some bogus message (e.g., stapler rendering, instituitional V, etc.). The e-mails are addressed to some random collection of characters @ our website address (e.g., alkj@mywebsite.com).
I don't know if these are all just incoming spam or some virus attempt, OR if there is a computer on our network that has a worm that is actually sending email to all of these addresses and having it rejected - and then the rejections come to me as the default address for our e-mail.
We scan for viruses weekly and have not found any. Both our incoming and outgoing e-mails are scanned as well.
How do I determine where these are originating from?  And how can I get them to stop?
lyonski Asked:
 
upul007 Commented:
Your domain is A-OK, as the saying goes.

By the above and what you had stated, this is as war1 had stated in his first comment. Someone is using your domain to generate SPAM, and any and all NDRs come through to you as you have set up unresolved emails to get through to you.

Your domain does not relay. test passed 100%.

If the email headers are not common, and all have an originating IP other than your IP, then we are certain that the emails are not generating from your location.

A spammer sets up an email with your domain and sends out to so many other domains. Those that have SPF/Reverse DNS in place and are set to reject emails that do not match the exact records will not allow the email through and would generate an NDR to this, which will ultimately get through to you. The spammer is not spamming you, but you are basically reaping the benefits of the failed attempts.

Downside is that your domain may end up on SPAM lists that are maintained separately by the receiving domains.

I was not able to find any fault with your domain and need to acknowledge the fact that war1 had nailed it in his first comment. Though I do not agree with the solution to change your domain. Even if you were to trace the originating point of the said emails, it will need to be done at a location to which the spam is actually being sent and not from where the NDRs are being received.

I was unable to test your other SPF entry at all. The SMTP one.

If possible, try to wait it out.
0
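The mechanism upul007 describes above, a receiving domain checking the connecting IP against the sender domain's SPF record and rejecting on a mismatch, can be shown in code. The following is an added example and not code from either participant or from any tool named in the thread; the SPF record, the IP addresses and the `mywebsite.com` placeholder domain are constructed, and only the `ip4`, `ip6` and `all` mechanisms are evaluated (no `include`, `a`, `mx` or macros). The point to notice is the last function: a server that rejects during the SMTP session never creates a bounce, whereas a server that accepts the spam and bounces it afterwards sends that bounce to the forged sender, which is exactly the flood of NDRs the question describes.

```python
import ipaddress

# Constructed SPF record for the placeholder domain used in this thread.
# A real record is published by the domain owner as a TXT record at the
# domain apex; this one is made up for the example.
SPF_RECORD = "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 -all"

# SPF qualifier prefixes and the result each one yields when its mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument) tuples.

    Only ip4, ip6 and all are meaningful to check_spf below; include, a, mx,
    redirect and macros are deliberately left out of this illustration.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # a bare mechanism means "+" (pass)
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), argument))
    return parsed


def check_spf(record, client_ip):
    """Evaluate the connecting IP against the record; the first match wins.

    Returns pass / fail / softfail / neutral.  A record that runs out of
    mechanisms without a match yields neutral, as RFC 7208 specifies.
    """
    ip = ipaddress.ip_address(client_ip)
    for qualifier, mechanism, argument in parse_spf(record):
        if mechanism == "all":
            return QUALIFIER_RESULT[qualifier]
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            # An ip4 term can never match an IPv6 client and vice versa.
            if ip.version == network.version and ip in network:
                return QUALIFIER_RESULT[qualifier]
    return "neutral"


def smtp_time_decision(record, client_ip, mail_from):
    """What a well-behaved receiving server does with a MAIL FROM at our domain.

    Rejecting inside the SMTP session (a 5xx reply) leaves the failure with the
    connecting server, so no bounce is created.  Accepting and bouncing later is
    what sends NDRs to the forged sender address instead of to the spammer.
    """
    result = check_spf(record, client_ip)
    if result == "fail":
        return "550 reject during SMTP session: SPF fail for %s" % mail_from
    return "accept (SPF %s)" % result


if __name__ == "__main__":
    # Our own constructed mail server passes; an unrelated host forging our domain fails.
    print(smtp_time_decision(SPF_RECORD, "192.0.2.10", "lyonski@mywebsite.com"))
    print(smtp_time_decision(SPF_RECORD, "203.0.113.9", "alkj@mywebsite.com"))
```

Publishing SPF, as lyonski later does, helps only with receivers that check it and reject at SMTP time; receivers that accept first and bounce later, or that do not check SPF at all, will still send the NDRs, which is why the records alone did not stop the flow in this thread.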
 
war1 Commented:
Greetings, lyonski !

A spammer has gotten hold of your email address and put it in the From field when sending spam.  This is called spoofing. You cannot stop it.  Wait it out or get another email address.

Best wishes!
0
 
upul007 Commented:
Agree with war1. Also, someone can relay emails from your website. Check on that with your hosting company. Ensure that your network / website is secure first. There is a relay test at www.Dnsreport.com; run the dns report for both and use the extended relay test found on the results sheet to check both. If someone is spoofing, best add the spf records as well. Links in the same result sheet.
0
 
war1 Commented:
lyonski,

Has the return mail subsided? We have not heard from you. Did any comment help you solve your problem? Do you have any more questions? If an Expert helped you, please accept his/her answer above with an excellent or good grade.

Thanks, war1
0
 
lyonski Author Commented:
Hello war1.  Thanks for checking back with me.

The return mail has NOT subsided.  It is driving me crazy!  I followed the link provided by upul007 and ran the tests.  My domain does not have the spf records that are recommended, so I'm working on getting those added - hopefully will happen today.

When you said "wait it out" - do you think it's likely the spammer will use my address for a while and then stop?
0
 
war1 Commented:
>> When you said "wait it out" - do you think it's likely the spammer will use my address for a while and then stop?

Yes, that is what I mean. Spammers use your address once and send out thousands of spam. Then they will use another address, and so forth.
0
 
upul007 Commented:
Are there any similarities in the email headers?

What is your email server?
0
 
lyonski Author Commented:
They are all from different mail delivery subsystems, mail administrators, etc.  And they are all addressed to some random collection of characters @ our domain name.
Should I list my e-mail server here?  Although I already have a problem, I certainly don't want to make it worse.  Is there another way for me to send you that?
0
 
war1 Commented:
Not necessary to list your email server. I get the general idea.  Just wondering if there is a way to filter out the return emails.
0
 
upul007 Commented:
Can you see if there are any similarities in the email headers? You can view them by right clicking the message in the inbox and selecting properties. You are aware of to whom it is coming, but what about the originating sources?
0
 
lyonski Author Commented:
upul007 I'm not sure what all I should be looking for, but I'm not seeing any similarities between the messages.
0
 
upul007 Commented:
Here is the info I obtained from a junk email to me.

Received: from ibm970007m ([219.166.170.80] unverified) by blah.blah.com with Microsoft SMTPSVC(5.0.2195.6713);
       Sun, 14 May 2006 02:42:37 +0530
Return-path: <Y@blah.com>
Received: from [151.179.225.29] (port=3536 helo=[151.179.225.29])
        by blah.com with esmtp
        id TZaNrd-Cv3454-55
        for salmon@blah.com; Sat, 13 May 2006 16:05:08 +0900
Reply-To: Gena <Y@blah.com>
Message-ID: <4655475.20060513160508@nkartravelhouse.com>
From: Gena <Y@blah.com>
To: <salmon@blah.com>
Subject: Being  r1ch and healthy,  much b3tter than poor and sick.
Date: Sat, 13 May 2006 16:05:08 +0900
MIME-Version: 1.0
Content-Type: text/html
X-Priority: 1
X-Mailer: The Bat! (v3.71.03) Home
X-Spam: Not detected
X-OriginalArrivalTime: 13 May 2006 21:12:37.0812 (UTC) FILETIME=[F63DB740:01C676D1]

If the external Received from is from one particular IP (which is highly unlikely but probable) all the time, it will be possible for you to block the IP. But as war1 said, has the influx of these emails subsided?
0
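The header block upul007 posted is a good case for showing how to read a Received chain, which is what he is asking lyonski to compare across messages. The script below is an added example, not from either participant; it parses the posted headers with Python's standard `email` module and walks the `Received:` lines from the top. It assumes that `blah.blah.com` (the host in the `by` clause of the topmost line) is the recipient's own server; that assumption is what lets it separate the one IP that can be trusted from the ones that arrived inside the message.

```python
import email
import re

# Header block posted above by upul007, copied from the thread
# (hostnames were already anonymised as blah.com by the poster).
RAW_HEADERS = """\
Received: from ibm970007m ([219.166.170.80] unverified) by blah.blah.com with Microsoft SMTPSVC(5.0.2195.6713);
       Sun, 14 May 2006 02:42:37 +0530
Return-path: <Y@blah.com>
Received: from [151.179.225.29] (port=3536 helo=[151.179.225.29])
        by blah.com with esmtp
        id TZaNrd-Cv3454-55
        for salmon@blah.com; Sat, 13 May 2006 16:05:08 +0900
Reply-To: Gena <Y@blah.com>
Message-ID: <4655475.20060513160508@nkartravelhouse.com>
From: Gena <Y@blah.com>
To: <salmon@blah.com>
Subject: Being  r1ch and healthy,  much b3tter than poor and sick.
Date: Sat, 13 May 2006 16:05:08 +0900
MIME-Version: 1.0
Content-Type: text/html
X-Priority: 1
X-Mailer: The Bat! (v3.71.03) Home
X-Spam: Not detected
X-OriginalArrivalTime: 13 May 2006 21:12:37.0812 (UTC) FILETIME=[F63DB740:01C676D1]

"""

# Assumption for this example: the host in the topmost "by" clause is our own server.
OUR_HOSTS = {"blah.blah.com"}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+([^\s;]+)", re.IGNORECASE)


def received_hops(raw_headers):
    """Return each Received line as a hop dict, newest (topmost) first."""
    msg = email.message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        clause, _, timestamp = flat.partition(";")
        ip, helo, by = IP_RE.search(clause), FROM_RE.search(clause), BY_RE.search(clause)
        hops.append({
            "helo": helo.group(1) if helo else None,   # name the peer announced
            "ip": ip.group(1) if ip else None,         # address the receiver saw
            "by": by.group(1) if by else None,         # server that wrote the line
            "date": timestamp.strip(),
            # Microsoft SMTPSVC marks a HELO name it could not verify.
            "unverified": "unverified" in clause,
        })
    return hops


def connecting_ip(raw_headers, our_hosts):
    """The only IP in the chain we can vouch for.

    Each server prepends its own Received line, so the first line whose "by"
    host is ours was written by our software and records the peer that really
    connected.  Every line below it travelled inside the message and can say
    whatever the sender chose; in spam it is often fabricated.
    """
    for hop in received_hops(raw_headers):
        if hop["by"] and hop["by"].lower() in our_hosts:
            return hop["ip"]
    return None


if __name__ == "__main__":
    for hop in received_hops(RAW_HEADERS):
        print(hop)
    print("peer that connected to us:", connecting_ip(RAW_HEADERS, OUR_HOSTS))
```

On the posted sample this yields two hops: the trustworthy one says 219.166.170.80 connected to blah.blah.com announcing itself as ibm970007m (flagged unverified), while the lower line claiming 151.179.225.29 handed the mail to blah.com is unverifiable. For lyonski's bounces the same logic applies one layer further out: the trustworthy hop identifies the remote server that generated the NDR, not the machine that sent the spam, which is why comparing these lines across bounces shows no common origin.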
 
lyonski Author Commented:
upul007 - In one of your earliest posts, you said "run the dns report for both and use the extended relay test found on the results sheet to a check both."  I ran the dns report for my domain name and have since had the spf records added.  What is the other part of the "both"?  Also, I don't see an extended relay test on the results sheet.  Could it be called something else?
Do you know of any tools to help trace back who the e-mails are originating from?
0
 
upul007 Commented:
When I said both, it was because I assumed that you may have one domain for your website and another for your email. If not, please disregard that.

In your report generated for your domain - Under Mail >(Result) > Open Relay Test > OK: All of your mailservers appear to be closed to relaying. This is not a thorough check, you can get a thorough one here.

The HERE in the very last statement above will get you to the test. I think they had changed it.

I used to use McAfee Visual Trace to check originating points.
0
 
lyonski Author Commented:
So will McAfee Visual Trace be able to take my "undelivered" messages and trace beyond the person I received the message from, back to whomever sent it to the person who said it is undeliverable?  

Yesterday I changed my email accounts so that we no longer have a default.  Mail will need to go to a valid person or department in our organization, or we won't receive it at all.  Do you think that will help stop this madness?  Since someone can spoof a non-existent address, why do they need to use a valid domain name at all?  Why not just make up something completely?
0
 
upul007 Commented:
If the originating point is a legitimate server, visual trace was able to give a graphic trace route to that point. When it is spoofed, the result would be a dead end. Only I had not used the product in a long time. Can't even find it over here anymore.

Your domain is your property, same as you own a house or vehicle. It is legally bound to you. There are features which help to curb your property from being misused but depending on how your setup is implemented, there may be loopholes that others may use to misuse your domain.

The reason that the valid domain name is used by the creator of most probably a virus is to gain maximum damage since it is highly probable that an actual domain will be designated as SAFE.

If the message is returned to an existing users account it will still come in. What is the email server that you use?
0
 
lyonski Author Commented:
upul007 - Sorry - I didn't realize you responded to my last post a few weeks ago.
Can I e-mail you my e-mail server name?  I'm probably in this mess because I've given out my information too freely in the past!
Thanks,
lyonski
0
 
upul007 Commented:
Hi Lyonski,

You can do that, if you do, please post the link to this question as well. The only thing I can do is to run a dnsreport at my end on your domain. But I think you have already done this.

However, having noted that you had added the SPF records, do the emails still get through? If yes, how is your email server set to handle emails with unresolved user names? Any way for you to check?

Did you look at the email headers of a few of these questionable emails and compare the headers to see if the originating point is the same?
0
 
upul007 Commented:
What's your email server, by the way?
0
 
lyonski Author Commented:
About a week after I had the SPF records added, the e-mails were still getting through.  My e-mail server will forward unresolved user names to a default address.  I removed that re-direct so that I stopped getting those e-mails.  After about 5 days, I put back the re-direct for unresolved user names.  The undeliverable e-mail messages continued coming.  So I again have removed the re-direct.
I don't see anything common in the e-mail headers.
0
 
upul007 Commented:
You have another SMTP assigned for the spf records. Check with this company if there had been any suspicious activity with regard to your domain. I managed to check finally and see that they do not relay, but what happens if the sender is spoofing your domain name?

Register at http://www.abuse.net/relay.html and check the other domain just to be sure.
0
 
lyonski Author Commented:
Forgive my ignorance, but what do you mean by another SMTP assigned for the spf records? What is the other domain that I should be checking?
0
 
lyonski Author Commented:
This still hasn't stopped.  If I change my domain for a period of time, would the spammer be unable to send e-mails using my domain name?  It seems that they would just continue as they have been doing.  Which would essentially mean that I couldn't go back to using my original domain name.  Am I correct in that assumption?
If I could find out who is sending the spam, is there any way to force them to stop?
0
 
war1 Commented:
lyonski,

When you say, "This still hasn't stopped", do you mean the bounced emails come a few at a time, 100 at a time, or 1000 at a time?

Once a spammer has your domain name, he can spoof your domain name for a long time. You cannot stop him. If the email address is always xxx@domain.com, you can block them if you are sure there are no legit emails from xxx@domain.com.
0
 
lyonski Author Commented:
I'm getting about a dozen bounced emails each day.
Unfortunately, there's no similarity that I've been able to identify between any of the e-mails.  Is there any information in the header that can't be spoofed and that could help me determine who is sending the e-mails?
Thanks,
lyonski
0
 
war1 Commented:
lyonski,

If you can get hold of the original header that sent the spam, you may be able to identify the original sender IP address. But this is a bounced message from a legit user; you will not find much info in the header.

If it is only 12 messages a day, live with it. If the From or To field or Subject has names in common, you can set a mail rule to filter the emails. Normally the spammer goes on to using another email address, and the bounced emails stop. But bounce messages continue for a month for you.
0
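Two points from this thread can be turned into a filter: lyonski found that the bounces only arrive because unresolved addresses are redirected to a default mailbox, and war1 notes that the header of a bounce identifies the rejecting server rather than the spammer. The script below is an added example, not code from either participant, and the NDR messages in it are constructed (the `mywebsite.com` domain is the question's placeholder, the mailbox list and `mx.example.net` are made up). It parses each message with Python's `email` module, recognises delivery status notifications, and calls a bounce "backscatter" when it is addressed to a mailbox that does not exist at our domain, which is precisely the mail a catch-all would otherwise swallow. It also pulls `Reporting-MTA` out of the `message/delivery-status` part to show what the NDR really tells you: the name of the server that refused the spam.

```python
import email
import re
from email.utils import parseaddr

# Mailboxes that really exist at our domain (constructed list; the domain
# name is the placeholder used in the question).
VALID_MAILBOXES = {"lyonski@mywebsite.com", "sales@mywebsite.com"}

# Constructed NDR of the kind described in the question: a remote server
# rejected spam carrying a forged alkj@mywebsite.com sender and bounced it to
# that forged address, which only reaches us through the catch-all redirect.
BACKSCATTER_NDR = """\
From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
To: <alkj@mywebsite.com>
Subject: Mail delivery failed: returning message to sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="rpt1"

--rpt1
Content-Type: text/plain

This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more recipients.

--rpt1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; victim@example.net
Action: failed
Status: 5.1.1

--rpt1--
"""

# Constructed bounce for mail a real user actually sent: same shape, but it is
# addressed to an existing mailbox, so it must not be dropped.
REAL_BOUNCE = BACKSCATTER_NDR.replace("<alkj@mywebsite.com>", "<lyonski@mywebsite.com>")

# Constructed ordinary inbound message for comparison.
NORMAL_MAIL = """\
From: Customer <customer@example.org>
To: <sales@mywebsite.com>
Subject: Price list?
Content-Type: text/plain

Could you send me your current price list?
"""

BOUNCE_SENDER_RE = re.compile(r"^(mailer-daemon|postmaster)@", re.IGNORECASE)


def is_bounce(msg):
    """An NDR is a multipart/report or comes from MAILER-DAEMON / postmaster."""
    sender = parseaddr(msg.get("From", ""))[1]
    return msg.get_content_type() == "multipart/report" or bool(BOUNCE_SENDER_RE.match(sender))


def delivery_status(msg):
    """Pull Reporting-MTA and Final-Recipient out of the delivery-status part, if present.

    Reporting-MTA is the server that rejected the spam; Final-Recipient is the
    address the spammer tried to reach.  Neither one is the spammer.
    """
    info = {"reporting_mta": None, "final_recipient": None}
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        # The parser turns each blank-line-separated block into a header-only message.
        for block in part.get_payload():
            for field, key in (("Reporting-MTA", "reporting_mta"), ("Final-Recipient", "final_recipient")):
                value = block.get(field)
                if value and info[key] is None:
                    info[key] = value.split(";", 1)[-1].strip()   # drop the "dns;" / "rfc822;" type tag
    return info


def classify_ndr(raw_message, valid_mailboxes):
    """Classify one inbound message as backscatter, a genuine bounce, or ordinary mail."""
    msg = email.message_from_string(raw_message)
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    result = {"addressed_to": rcpt, **delivery_status(msg)}
    if not is_bounce(msg):
        result["verdict"] = "not a bounce"
    elif rcpt in valid_mailboxes:
        result["verdict"] = "bounce to real mailbox"
    else:
        result["verdict"] = "backscatter"   # bounce for a forged, non-existent local part
    return result


if __name__ == "__main__":
    for sample in (BACKSCATTER_NDR, REAL_BOUNCE, NORMAL_MAIL):
        print(classify_ndr(sample, VALID_MAILBOXES))
```

Removing the catch-all, as lyonski did, is the coarse version of this rule: it rejects every unresolved address at SMTP time, bounces included. A filter like the one above lets a site keep a default mailbox for typos while still discarding bounces addressed to local parts that never existed.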