Solved

Undeliverable mail from random addresses

Posted on 2006-05-02
Last Modified: 2012-05-05
Starting about 3 weeks ago, I started receiving many e-mails each day that say "Mail delivery failed: returning message to sender", or "Returned mail: see transcript for details" or "Returned mail: User unknown" or "Undeliverable" followed by some bogus message (e.g., stapler rendering, instituitional V, etc.).  The e-mails are being addressed to some random collection of characters @ our website address (e.g., alkj@mywebsite.com).
I don't know if these are all just incoming spam or some virus attempt, OR if there is a computer on our network that has a worm that is actually sending email to all of these addresses and having it rejected - and then the rejections come to me as the default address for our e-mail.
We scan for viruses weekly and have not found any. And both our incoming and outgoing e-mails are scanned as well.
How do I determine where these are originating from?  And how can I get them to stop?
Question by:lyonski
26 Comments
 
LVL 97

Expert Comment

by:war1
ID: 16587376
Greetings, lyonski !

A spammer has gotten hold of your email address and put it in the From field when sending spam.  This is called spoofing. You cannot stop it.  Wait it out or get another email address.

Best wishes!
0
 
LVL 17

Expert Comment

by:upul007
ID: 16587848
Agree with war1. Also someone can relay emails from your website. Check on that with your hosting company. Ensure that your network / website is secure first. There is a relay test at www.Dnsreport.com; run the DNS report for both and use the extended relay test found on the results sheet to check both. If someone is spoofing, best add the SPF records as well. Links are in the same result sheet.
0
 
LVL 97

Expert Comment

by:war1
ID: 16622176
lyonski,

Has the return mail subsided? We have not heard from you. Did any comment help you solve your problem? Do you have any more question? If an Expert helped you, please accept his/her answer above with an excellent or good grade.

Thanks, war1
0
 

Author Comment

by:lyonski
ID: 16631685
Hello war1.  Thanks for checking back with me.

The return mail has NOT subsided.  It is driving me crazy!  I followed the link provided by upul007 and ran the tests.  My domain does not have the spf records that are recommended, so I'm working on getting those added - hopefully will happen today.

When you said "wait it out" - do you think it's likely the spammer will use my address for a while and then stop?
0
 
LVL 97

Expert Comment

by:war1
ID: 16632013
>> When you said "wait it out" - do you think it's likely the spammer will use my address for a while and then stop?

Yes, that is what I mean.  Spammers use your address once and send out thousands of spam messages. Then they will use another address, and so forth.
0
 
LVL 17

Expert Comment

by:upul007
ID: 16636329
Is there any similarities in the email headers?

What is your email server?
0
 

Author Comment

by:lyonski
ID: 16640734
They are all from different mail delivery subsystems, mail administrators, etc.  And they are all addressed to some random collection of characters @ our domain name.
Should I list my e-mail server here?  Although I already have a problem, I certainly don't want to make it worse.  Is there another way for me to send you that?
0
 
LVL 97

Expert Comment

by:war1
ID: 16641083
Not necessary to list your email server. I get the general idea.  Just wondering if there is a way to filter out the return emails.
0
 
LVL 17

Expert Comment

by:upul007
ID: 16645304
Can you see if there are any similarities in the email header? You can view this by right-clicking the message in the inbox and selecting Properties. You are aware of whom it is coming to, but what about the originating sources?
0
 

Author Comment

by:lyonski
ID: 16672358
upul007 I'm not sure what all I should be looking for, but I'm not seeing any similarities between the messages.
0
 
LVL 17

Expert Comment

by:upul007
ID: 16679801
Here is the info I obtained from a junk email to me.

Received: from ibm970007m ([219.166.170.80] unverified) by blah.blah.com with Microsoft SMTPSVC(5.0.2195.6713);
       Sun, 14 May 2006 02:42:37 +0530
Return-path: <Y@blah.com>
Received: from [151.179.225.29] (port=3536 helo=[151.179.225.29])
        by blah.com with esmtp
        id TZaNrd-Cv3454-55
        for salmon@blah.com; Sat, 13 May 2006 16:05:08 +0900
Reply-To: Gena <Y@blah.com>
Message-ID: <4655475.20060513160508@nkartravelhouse.com>
From: Gena <Y@blah.com>
To: <salmon@blah.com>
Subject: Being  r1ch and healthy,  much b3tter than poor and sick.
Date: Sat, 13 May 2006 16:05:08 +0900
MIME-Version: 1.0
Content-Type: text/html
X-Priority: 1
X-Mailer: The Bat! (v3.71.03) Home
X-Spam: Not detected
X-OriginalArrivalTime: 13 May 2006 21:12:37.0812 (UTC) FILETIME=[F63DB740:01C676D1]

If the external Received-from is from one particular IP (which is highly unlikely but probable) all the time, it will be possible for you to block the IP. But as war1 said, has the influx of these emails subsided?
0
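As an added example, not part of the thread and not a tool from any of the posters: a Python script that does the header comparison upul007 is asking for across a batch of bounces rather than one message at a time. It treats a null Return-Path or a MAILER-DAEMON/postmaster sender as an NDR, reads the bouncing server's address from the outermost Received: header, and, where the bouncing server attached the rejected message as a message/rfc822 part, takes the spam's injection point from the topmost Received: of that attachment, which is the only Received: line the spammer did not control. The domain mywebsite.com and the server address 192.0.2.25 are assumptions, and the three bounce messages are constructed for the example.

```python
import re
from collections import Counter
from email import message_from_string

# Assumptions for this example: mywebsite.com is the domain from the question and
# 192.0.2.25 is the public address of its only mail server. Change both to match.
OUR_DOMAIN = "mywebsite.com"
OUR_IPS = {"192.0.2.25"}

# First bracketed IPv4 literal in a Received: header, i.e. the host that connected.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Three constructed bounces (not real mail). The first two attach the rejected
# spam as message/rfc822; the third is a plain-text bounce with no attachment.
BOUNCES = [
"""\
Return-Path: <>
Received: from mx.example.net ([203.0.113.10]) by mail.mywebsite.com with ESMTP; Sat, 13 May 2006 16:05:08 +0900
From: Mail Delivery System <MAILER-DAEMON@example.net>
To: <alkj@mywebsite.com>
Subject: Mail delivery failed: returning message to sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

A message that you sent could not be delivered to: nobody@example.net

--B1
Content-Type: message/rfc822

Received: from [198.51.100.77] (helo=[198.51.100.77]) by mx.example.net with esmtp; Sat, 13 May 2006 16:05:01 +0900
From: alkj@mywebsite.com
To: nobody@example.net
Subject: stapler rendering

Being r1ch and healthy...
--B1--
""",
"""\
Return-Path: <>
Received: from smtp.example.org ([203.0.113.44]) by mail.mywebsite.com with ESMTP; Sun, 14 May 2006 02:42:37 +0530
From: Mail Delivery Subsystem <MAILER-DAEMON@example.org>
To: <qzwx@mywebsite.com>
Subject: Returned mail: User unknown
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B2"

--B2
Content-Type: text/plain

   ----- The following addresses had permanent fatal errors -----
<ghost@example.org>

--B2
Content-Type: message/rfc822

Received: from ibm970007m ([198.51.100.200]) by smtp.example.org with SMTP; Sun, 14 May 2006 02:41:50 +0530
Received: from [10.0.0.5] by ibm970007m; Sun, 14 May 2006 02:41:40 +0530
From: qzwx@mywebsite.com
To: ghost@example.org
Subject: institutional V

(spam body)
--B2--
""",
"""\
Return-Path: <>
Received: from relay.example.com ([203.0.113.99]) by mail.mywebsite.com with ESMTP; Mon, 15 May 2006 09:12:00 +0000
From: postmaster@example.com
To: <hjkq@mywebsite.com>
Subject: Undeliverable: stapler rendering

Your message did not reach some or all of the intended recipients.
""",
]


def is_bounce(msg):
    """Null envelope sender or a MAILER-DAEMON/postmaster From: marks an NDR."""
    sender = msg.get("From", "").lower()
    return (msg.get("Return-Path", "").strip() == "<>"
            or "mailer-daemon" in sender or "postmaster" in sender)


def connecting_ips(msg):
    """Connecting host of each Received: header, most recent first."""
    return [m.group(1) for m in map(IP_RE.search, msg.get_all("Received", [])) if m]


def embedded_original(msg):
    """The rejected message, if the bouncing server attached it."""
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload()[0]
    return None


def analyze_bounce(raw):
    """Who bounced it, which local address was forged, and where the spam came in."""
    msg = message_from_string(raw)
    hops = connecting_ips(msg)
    report = {"is_bounce": is_bounce(msg),
              "bouncing_server": hops[0] if hops else None,
              "spoofed_address": msg.get("To", "").strip("<> "),
              "spam_origin": None, "origin_is_ours": False}
    original = embedded_original(msg)
    if original is not None:
        inner = connecting_ips(original)
        # Only the topmost Received: of the attachment is trustworthy: the bouncing
        # server wrote it. Every line below it was under the spammer's control.
        if inner:
            report["spam_origin"] = inner[0]
            report["origin_is_ours"] = inner[0] in OUR_IPS
    return report


def summarize(raws):
    """Count spam injection points and forged local addresses across a batch."""
    origins, targets = Counter(), Counter()
    for raw in raws:
        r = analyze_bounce(raw)
        if r["is_bounce"]:
            origins[r["spam_origin"] or "unknown"] += 1
            targets[r["spoofed_address"]] += 1
    return origins, targets


if __name__ == "__main__":
    origins, targets = summarize(BOUNCES)
    print("spam origins:", dict(origins))
    print("forged addresses:", dict(targets))
    if any(ip in OUR_IPS for ip in origins):
        print("WARNING: spam was injected from our own server")
    else:
        print("no origin is ours: the domain is being spoofed, not relayed")
```

Run it over a mailbox export instead of the constructed BOUNCES list. If the origins are scattered and none of them is your own server's address, the domain is being spoofed elsewhere and the bounces are backscatter; if your own address turns up, a host on your network really is sending, and that is the case to chase with the hosting company. Bounces that do not attach the original (the third sample) tell you only who bounced, not who sent.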
 

Author Comment

by:lyonski
ID: 16700642
upul007 - In one of your earliest posts, you said "run the dns report for both and use the extended relay test found on the results sheet to a check both."  I ran the dns report for my domain name and have since had the spf records added.  What is the other part of the "both"?  Also, I don't see an extended relay test on the results sheet.  Could it be called something else?
Do you know of any tools to help trace back who the e-mails are originating from?
0
 
LVL 17

Expert Comment

by:upul007
ID: 16706697
When I said both, it was because I assumed that you may have one domain for your website and another for your email. If not, please disregard that.

In your report generated for your domain - Under Mail >(Result) > Open Relay Test > OK: All of your mailservers appear to be closed to relaying. This is not a thorough check, you can get a thorough one here.

 The HERE in the very last statement above will get you to the test. I think they had changed it.

I used to use McAfee Visual Trace to check originating points.
0
 

Author Comment

by:lyonski
ID: 16708979
So will McAfee Visual Trace be able to take my "undelivered" messages and trace beyond the person I received the message from, back to whomever sent it to the person who said it is undeliverable?  

Yesterday I changed my email accounts so that we no longer have a default.  Mail will need to go to a valid person or department in our organization, or we won't receive it at all.  Do you think that will help stop this madness?  Since someone can spoof a non-existent address, why do they need to use a valid domain name at all?  Why not just make up something completely?
0
 
LVL 17

Expert Comment

by:upul007
ID: 16715231
If the originating point is a legitimate server, Visual Trace was able to give a graphic trace route to that point. When it is spoofed, the result would be a dead end. Only I had not used the product in a long time. Can't even find it over here anymore.

Your domain is your property, same as you own a house or vehicle. It is legally bound to you. There are features which help to curb your property from being misused but depending on how your setup is implemented, there may be loopholes that others may use to misuse your domain.

The reason that the valid domain name is used by the creator of most probably a virus is to gain maximum damage since it is highly probable that an actual domain will be designated as SAFE.

If the message is returned to an existing users account it will still come in. What is the email server that you use?
0
 

Author Comment

by:lyonski
ID: 16882953
upul007 - Sorry - I didn't realize you responded to my last post a few weeks ago.
Can I e-mail you my e-mail server name?  I'm probably in this mess because I've given out my information too freely in the past!
Thanks,
lyonski
0
 
LVL 17

Expert Comment

by:upul007
ID: 16883054
Hi Lyonski,

You can do that, if you do, please post the link to this question as well. The only thing I can do is to run a dnsreport at my end on your domain. But I think you have already done this.

However, having noted that you had added the SPF records, do the emails still get through? If yes, how is your email server set to handle emails with unresolved user names? Any way for you to check?

Did you look at the email headers of a few of these questionable emails and compare the headers to see if the originating point is the same?
0
 
LVL 17

Expert Comment

by:upul007
ID: 16883064
What's your email server, by the way?
0
 

Author Comment

by:lyonski
ID: 16885351
About a week after I had the SPF records added, the e-mails were still getting through.  My e-mail server will forward unresolved user names to a default address.  I removed that re-direct so that I stopped getting those e-mails.  After about 5 days, I put back the re-direct for unresolved user names.  The undeliverable e-mail messages continued coming.  So I again have removed the re-direct.
I don't see anything common in the e-mail headers.
0
 
LVL 17

Accepted Solution

by:
upul007 earned 500 total points
ID: 16891651
Your domain is A-OK, as the saying goes.

By the above and what you had stated, this is as war1 had stated in his first comment. Someone is using your domain to generate SPAM and any and all NDRs come through to you as you have set up unresolved emails to get through to you.

Your domain does not relay. Test passed 100%.

If the email headers are not common, and all have an originating IP other than your IP, then we are certain that the emails are not generating from your location.

The spammer sets up an email with your domain and sends out to so many other domains. Those that have SPF/Reverse DNS in place and are set to reject emails that do not match the exact records will not allow the email through and would generate an NDR to this, which will ultimately get through to you. The spammer is not spamming you, but you are basically reaping the benefits of the failed attempts.

Downside is that your domain may end up on SPAM lists that are maintained separately by the receiving domains.

I was not able to find any fault with your domain and need to acknowledge the fact that war1 had nailed it in his first comment. Though I do not agree with the solution to change your domain. Even if you were to trace the originating point of the said emails, it will need to be done at a location to which the spam is actually being sent and not from where the NDRs are being received.

I was unable to test your other SPF entry at all. The SMTP one.

If possible, try to wait it out.
0
 
LVL 17

Expert Comment

by:upul007
ID: 16891661
you have another SMTP assigned for the spf records. Check with this company if there had been any suspicious activity with regard to your domain. I managed to check finally and see that they do not relay but what happens if the sender is spoofing your domain name.

Register at http://www.abuse.net/relay.html and check the other domain just to be sure.
0
 

Author Comment

by:lyonski
ID: 16899214
Forgive my ignorance - but what do you mean another SMTP assigned for the spf records.  What is the other domain that I should be checking?
0
 

Author Comment

by:lyonski
ID: 17066826
This still hasn't stopped.  If I change my domain for a period of time, would the spammer be unable to send e-mails using my domain name?  It seems that they would just continue as they have been doing.  Which would essentially mean that I couldn't go back to using my original domain name.  Am I correct in that assumption?
If I could find out who is sending the spam, is there any way to force them to stop?
0
 
LVL 97

Expert Comment

by:war1
ID: 17066835
lyonski,

When you say, "This still hasn't stopped", do you mean the bounced emails come a few at a time, 100 at a time, or 1000 at a time?

Once a spammer has your domain name, he can spoof your domain name for a long time.  You cannot stop him.  If the email address is always xxx@domain.com, you can block them if you are sure there are no legit emails from xxx@domain.com.
0
 

Author Comment

by:lyonski
ID: 17069901
I'm getting about a dozen bounced emails each day.
Unfortunately, there's no similarity that I've been able to identify between any of the e-mails.  Is there any information in the header that can't be spoofed and that could help me determine who is sending the e-mails?
Thanks,
lyonski
0
 
LVL 97

Assisted Solution

by:war1
war1 earned 500 total points
ID: 17069951
lyonski,

If you can get hold of the original header that sent the spam, you may be able to identify the original sender IP address.  But since this is a bounced message from a legit user, you will not find much info in the header.

If it is only 12 messages a day, live with it.  If the From or To field or Subject has names in common, you can set a mail rule to filter the emails.  Normally the spammer goes on to using another email address, and the bounced emails stop.  But bounce messages can continue for a month for you.
0
