Umm...what's with all these undeliverable emails?

ShadowHunter (Limp Gawd; joined Aug 2, 2002; 440 messages)
I think I have received 10,000 "System Admin - Undeliverable" emails in the past several days. The subjects have time stamps. What is the deal?

Edit: here's a sample

Your message did not reach some or all of the intended recipients.

Subject: Re: Tue, 20 Jan 2004 16:53:16 -0500
Sent: 1/20/2004 1:53 PM

The following recipient(s) could not be reached:

[email protected] on 1/20/2004 1:53 PM
The e-mail account does not exist at the organization this message was sent to. Check the e-mail address, or contact the recipient directly to find out the correct address.
<usadannshub02.praxair.com #5.1.1 X-Notes; User delayne ([email protected]) not listed in public Name & Address Book>
 
I've had this once before. It's a possibility for spammers, when spoofing e-mail addresses, to use a real one and for a not so well made e-mail server to send the undeliverable message to the spoofed address instead of the one it originated from. Also, I've noticed that some ISPs don't seem to provide a secure e-mail SMTP at all and just anyone can send e-mail if only they know the username since it doesn't even ask for a password. It could just be that it's caching the last logon and allowing me to send again because I'm on the same IP address, but I'm still pretty suspicious.

EDIT: Oh yeah, and as he says it could be a virus, though typically those will send e-mails with virus attachments to all the people in your address book and won't try sending to addresses not on the list. It's still hardly impossible to have it try to generate addresses.
 
Well I've considered the virus route. It's still possible, I haven't tested every computer on my network just yet. But I use Norton Corporate, and it updates every day.

So it's possible I'm just a victim for a random spoofing? In that case there's nothing I can do?
 
Those returned e-mails should have some detailed information which can be used to track a spammer sometimes. You need to turn on the advanced headers (how to do this depends on your e-mail client, so I can't really say) and from there you might be able to complain to the correct people if it does turn out to be such a thing.

If all else fails, most ISPs will let you change your e-mail, usually even just via a part of their website so you don't have to call. You might as well exhaust all other things first because not only can it be a pain switching to a new e-mail address, but obviously it's not a very thorough solution to a problem that could just be repeated.

EDIT: What the hey, you could post the FULL e-mail (this includes the full header info) that was returned and that could help us identify just what is going on a little better. BTW, does it have an attachment? A virus wouldn't normally send e-mails without attaching itself to them, though there are a few just made to spam people to death, that usually doesn't work well since just blocking the address solves the problem, so they have to hit harder than that.
 
Originally posted by Nazo
Those returned e-mails should have some detailed information which can be used to track a spammer sometimes. You need to turn on the advanced headers (how to do this depends on your e-mail client, so I can't really say) and from there you might be able to complain to the correct people if it does turn out to be such a thing.

If all else fails, most ISPs will let you change your e-mail, usually even just via a part of their website so you don't have to call. You might as well exhaust all other things first because not only can it be a pain switching to a new e-mail address, but obviously it's not a very thorough solution to a problem that could just be repeated.

EDIT: What the hey, you could post the FULL e-mail (this includes the full header info) that was returned and that could help us identify just what is going on a little better. BTW, does it have an attachment? A virus wouldn't normally send e-mails without attaching itself to them, though there are a few just made to spam people to death, that usually doesn't work well since just blocking the address solves the problem, so they have to hit harder than that.

Thanks for the info. I can change any email addresses at whim, but I don't think the boss will care for that.

There are no attachments.

I think this is the header? Can you get something out of it?

Received: from mail pickup service by alpha.cgwi with Microsoft SMTPSVC;
Tue, 20 Jan 2004 16:15:14 -0800
X-POP3-Rcpt: [email protected]
Received: from omr-r09.mx.aol.com (omr-r09.mx.aol.com [152.163.225.154]) by host12.webserver1010.com (8.12.10/8.12.10) with ESMTP id i0L0CRc7013658 for <[email protected]>; Tue, 20 Jan 2004 19:12:27 -0500
Received: from localhost (localhost) by rly-na01.mx.aol.com (8.8.8/8.8.8/AOL-5.0.0) with internal id TAQ28473; Tue, 20 Jan 2004 19:12:27 -0500 (EST)
Date: Tue, 20 Jan 2004 19:12:27 -0500 (EST)
From: "Mail Delivery Subsystem" <[email protected]>
Message-Id: <[email protected]>
To: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="TAQ28473.1074643947/rly-na01.mx.aol.com"
Subject: Returned mail: User unknown
Auto-Submitted: auto-generated (failure)
X-OriginalArrivalTime: 21 Jan 2004 00:15:14.0118 (UTC) FILETIME=[A4105660:01C3DFB3]

--TAQ28473.1074643947/rly-na01.mx.aol.com

--TAQ28473.1074643947/rly-na01.mx.aol.com
Content-Type: message/delivery-status

--TAQ28473.1074643947/rly-na01.mx.aol.com
Content-Type: text/rfc822-headers


edit: by the way, my account is the only one getting these returns, probably because I am configured to receive every email sent to my domain that doesn't match up with an account. That way I filter spelling mistakes in emails and such. It's just that these returns started suddenly only a few days ago.

edit2: I can make a little out of that, but we don't have an account called ISPexUo on our domain cadgraphicswest.com
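The bounce quoted above is a multipart/report DSN, and the thread's question is whether it is a real bounce for mail that left this domain or backscatter from a forged sender. This added example (not from the thread) parses such a bounce with Python's standard email library and flags it as backscatter when the original message's Received: chain never passes through one of our own mail hosts; the host names in OUR_HOSTS are an assumption, the sample message is constructed and the mailbox names in it are made up.

```python
"""Classify a bounce (DSN) as backscatter from a forged sender. Added example."""
import email
import re
from email import policy

# Assumption: names our own outbound MTA writes into Received: lines.
OUR_HOSTS = ("alpha.cgwi", "host12.webserver1010.com")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample modelled on the thread's bounce; mailboxes made up, IP from the thread.
SAMPLE_BOUNCE = """\
From: Mail Delivery Subsystem <MAILER-DAEMON@mx.example.net>
To: <catchall@cadgraphicswest.com>
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/delivery-status

Final-Recipient: rfc822; nosuchuser@mx.example.net
Action: failed
Status: 5.1.1
--B1
Content-Type: text/rfc822-headers

Received: from unknown (81.180.103.45) by rly-na01.mx.example.net; Sat, 17 Jan 2004 13:50:06 -0500
From: The OEM Store <ISPexUo@cadgraphicswest.com>
Subject: Re: Sat, 17 Jan 2004 13:50:06 -0500
--B1--
"""

def analyze_bounce(raw):
    """Return None if `raw` is not a DSN, else a dict describing it."""
    msg = email.message_from_string(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/report":
        return None
    info = {"status": None, "final_recipient": None, "origin_ip": None, "via_our_mta": False}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            # Payload is a list of header blocks; the per-recipient one carries Status.
            for block in part.get_payload():
                if block.get("Status"):
                    info["status"] = str(block["Status"]).strip()
                    rcpt = str(block.get("Final-Recipient", ""))
                    info["final_recipient"] = rcpt.split(";")[-1].strip()
        elif ctype == "text/rfc822-headers":
            # Headers of the original message as the remote MTA received it.
            orig = email.message_from_string(part.get_content(), policy=policy.default)
            received = [str(r) for r in orig.get_all("Received", [])]
            info["via_our_mta"] = any(h in r for r in received for h in OUR_HOSTS)
            if received:  # the last Received: line is the earliest hop
                m = IP_RE.search(received[-1])
                info["origin_ip"] = m.group(1) if m else None
    info["backscatter"] = not info["via_our_mta"]
    return info
```

Run it over a mailbox of returned mail and the origin_ip field gives the address to report to the remote network's abuse contact, which is the whois lookup done later in this thread.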
 
Ok, I admit to being no expert at examining the headers, but I'm thinking that it looks as if all it's telling you there is just the info from the automated response e-mail from AOL's servers. I guess search around and see if you can't find one that has the original message in it. When I had a similar problem once (albeit on a MUCH lower scale) one of the servers automatically returned the original e-mail inside the automated message, so I was able to see the originating address and how it wasn't even on the same ISP as me.
 
Originally posted by Nazo
Ok, I admit to being no expert at examining the headers, but I'm thinking that it looks as if all it's telling you there is just the info from the automated response e-mail from AOL's servers. I guess search around and see if you can't find one that has the original message in it. When I had a similar problem once (albeit on a MUCH lower scale) one of the servers automatically returned the original e-mail inside the automated message, so I was able to see the originating address and how it wasn't even on the same ISP as me.

Bingo, got it. There is no such thing as [email protected]. Looks like everything goes back to 81.180.103.45?


-----Original Message-----
From: The OEM Store [mailto:[email protected]]
Sent: Sat 1/17/2004 10:50 AM
To: [email protected]
Cc:
Subject: Re: Sat, 17 Jan 2004 13:50:06 -0500


<http://[email protected]/A/A/E/jyeoqwr.gif>

Offer valid until January, 25th 2004 - Limited Stock.

<http://[email protected]/A/A/G/wzokpg.gif>
<http://[email protected]/A/A/A/wmdgfug.gif> Microsoft Windows XP Professional OEM
<http://[email protected]/cdc/?tctxm> Only $50.00
Savings -$220.00

Microsoft Windows XP Professional goes beyond the benefits of
Windows XP Home Edition with advanced capabilities
designed specifically to.. <http://[email protected]/cdc/?merhxp>

Offer ID: #06205

<http://[email protected]/A/A/B/gjrqzl.gif> Adobe Photoshop 7.0 OEM
<http://[email protected]/cdc/?mfatkk> Only $60.00
Savings -$550.00

Adobe Photoshop 7.0 software the professional image-editing
standard helps you work more efficiently .. <http://[email protected]/cdc/?yfozhb>

Offer ID: #69208

<http://[email protected]/A/A/C/hsqomvg.gif> Microsoft Office XP Professional OEM
<http://[email protected]/cdc/?huabwxj> Only $60.00
Savings -$519.00

Microsoft Windows XP Professional is a Windows operating
system designed for businesses of all sizes and for individuals
who demand the most from their computing <http://[email protected]/cdc/?upyhy>

Offer ID: #61179

<http://[email protected]/A/A/D/ilsuqt.gif>
Adobe Illustrator 10 OEM
<http://[email protected]/cdc/?pyzyrn> Only $60.00
Savings -$240.00

ENHANCED! Adobe Illustrator 10 software defines the future
of vector graphics with groundbreaking creative options and
powerful tools for efficiently publishing artwork on
the Web, in print, everywhere... <http://[email protected]/cdc/?caeqp>

Offer ID: #51813
 
Ok, that is, without a doubt, spam. Too bad it doesn't show the full headers in that original so you can identify the originating address, but, it does show the proof that they are using a fake address on your network for their purposes. See if you can find one that includes full headers in the original message as it's in there that you are most likely to identify the actual spammer. And, since the address doesn't exist, you get the error messages. However, bear in mind that if you are getting 10000 messages (even if that is exaggerating) just imagine how many of them are actually going through... If AOL is smart, the e-mail administrator (you?) might just end up being contacted by them eventually. Don't worry though, if they do it will merely be to inform you of the suspicious actions and request that you take action, which you are already doing.

Anyway, do you need to have it set to deliver all messages to your address? I know that, like you said, you wanted to be sure about typos, but, it occurs to me that it would be more beneficial to simply disable that feature so that anyone can see the address seemingly responsible doesn't truly even exist. If someone makes a typo, they will get the undeliverable message very quickly anyway. (E-mail used to be slow, but now it takes only a couple of seconds to get such a message with most servers.)

Oh, interesting thing to note. The spammer isn't even doing it right. If there is any computer on that address, it's not responding to ping or HTTP connections.
 
Query 81.180.103.45 at whois.thur.de
Process query: '81.180.103.45'
Query recognized as IP.
Match found in /etc/gwhois/pattern line 311
Querying whois.ripe.net:43 with whois.

% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum: 81.180.103.0 - 81.180.103.255
netname: SC-MW-TRADE-GROUPAGE-SRL
descr: SC MW Trade Groupage SRL
descr: Autostrada Bucuresti Pitesti Km 11.5
descr: Comuna Domnesti, Ilfov, Romania
country: ro
admin-c: RD1172-RIPE
tech-c: RD1172-RIPE
status: ASSIGNED PA
mnt-by: AS3233-MNT
mnt-lower: AS3233-MNT
mnt-routes: AS3233-MNT
mnt-routes: RD-MNT
notify: [email protected]
changed: [email protected] 20031129
source: RIPE

route: 81.180.103.0/24
descr: utmnet
origin: AS29203
mnt-by: RD-MNT
changed: [email protected] 20031207
source: RIPE

person: Remus Dumitrescu
address: Timisoara
phone: +40-21-9298756
fax-no: +40-21-9298756
e-mail: [email protected]
nic-hdl: RD1172-RIPE
notify: [email protected]
mnt-by: RD-MNT
changed: [email protected] 20031129
source: RIPE





--
To resolve one of the above handles: whois -h whois.ripe.net HANDLE
OTOH offical handles should be recognised directly.
Please report errors or misfits via the debian bug tracking system.

Query done.
 
Originally posted by Nazo
Ok, that is, without a doubt, spam. Too bad it doesn't show the full headers in that original so you can identify the originating address, but, it does show the proof that they are using a fake address on your network for their purposes. See if you can find one that includes full headers in the original message as it's in there that you are most likely to identify the actual spammer. And, since the address doesn't exist, you get the error messages. However, bear in mind that if you are getting 10000 messages (even if that is exaggerating) just imagine how many of them are actually going through... If AOL is smart, the e-mail administrator (you?) might just end up being contacted by them eventually. Don't worry though, if they do it will merely be to inform you of the suspicious actions and request that you take action, which you are already doing.

Anyway, do you need to have it set to deliver all messages to your address? I know that, like you said, you wanted to be sure about typos, but, it occurs to me that it would be more beneficial to simply disable that feature so that anyone can see the address seemingly responsible doesn't truly even exist. If someone makes a typo, they will get the undeliverable message very quickly anyway. (E-mail used to be slow, but now it takes only a couple of seconds to get such a message with most servers.)

Oh, interesting thing to note. The spammer isn't even doing it right. If there is any computer on that address, it's not responding to ping or HTTP connections.

Assuming I am contacted, what can I do? There isn't any security breach that I can fix, my domain is being spoofed. And I think I will take the "all to me" feature again to my boss, it's getting ridiculous.
Yes, 10,000 might be a bit exaggerated. A hundred an hour would not though :(
 
Originally posted by Ice Czar
Query 81.180.103.45 at whois.thur.de
Process query: '81.180.103.45'
Query recognized as IP.
Match found in /etc/gwhois/pattern line 311
Querying whois.ripe.net:43 with whois.

% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum: 81.180.103.0 - 81.180.103.255
netname: SC-MW-TRADE-GROUPAGE-SRL
descr: SC MW Trade Groupage SRL
descr: Autostrada Bucuresti Pitesti Km 11.5
descr: Comuna Domnesti, Ilfov, Romania
country: ro
admin-c: RD1172-RIPE
tech-c: RD1172-RIPE
status: ASSIGNED PA
mnt-by: AS3233-MNT
mnt-lower: AS3233-MNT
mnt-routes: AS3233-MNT
mnt-routes: RD-MNT
notify: [email protected]
changed: [email protected] 20031129
source: RIPE

route: 81.180.103.0/24
descr: utmnet
origin: AS29203
mnt-by: RD-MNT
changed: [email protected] 20031207
source: RIPE

person: Remus Dumitrescu
address: Timisoara
phone: +40-21-9298756
fax-no: +40-21-9298756
e-mail: [email protected]
nic-hdl: RD1172-RIPE
notify: [email protected]
mnt-by: RD-MNT
changed: [email protected] 20031129
source: RIPE





--
To resolve one of the above handles: whois -h whois.ripe.net HANDLE
OTOH offical handles should be recognised directly.
Please report errors or misfits via the debian bug tracking system.

Query done.

Wonderful, so the guy is in Romania. Which means we can't take any legal action?
 
well the IP is in Romania, not necessarily the same thing, he could be your next door neighbor :p
 
Yeah, that IP address pointed to there isn't even a web server. I'm thinking that maybe it wasn't even a static IP, so the address was fine when they spammed with it, but not later. Heck, it might be a fake on purpose even. Of course, it's still quite possible that they really are in that location and, if so, it depends on the laws for that country, but most countries don't have very strict laws regarding such things and won't really punish people much. I think that maybe someone who knows in more detail how the whole e-mail system works may or may not be able to help more than me as far as maybe some kind of steps to take to stop them.

Anyway, should you get contacted by some ISP or anything about this, simply tell them the truth. Tell them that you are trying to figure out what to do and would welcome any help on their part. Generally when they do this kind of thing, what happens, if it ever gets reported at all, is they ask the e-mail provider/ISP to stop allowing that particular user on their service. Of course, you aren't really allowing them to use your service, they are using their own along with some simple tricks, so really it's their ISP or e-mail provider that is supposed to take such steps.

Anyway, the problem with e-mail is that it lacks a lot of the securities and all that it really should have had. This is because it's one of those VERY old standards from back before these things became standard when networking was more business than anything else and it just didn't really occur to them that someone would seek out flaws and exploit them. Some of the same problems have shown up in other such old methods (for example, I hear that one can spoof the IP address in UDP packets to trick firewalls into letting them in and that sort of thing.)
 
Originally posted by Nazo
Yeah, that IP address pointed to there isn't even a web server. I'm thinking that maybe it wasn't even a static IP, so the address was fine when they spammed with it, but not later. Heck, it might be a fake on purpose even. Of course, it's still quite possible that they really are in that location and, if so, it depends on the laws for that country, but most countries don't have very strict laws regarding such things and won't really punish people much. I think that maybe someone who knows in more detail how the whole e-mail system works may or may not be able to help more than me as far as maybe some kind of steps to take to stop them.

Anyway, should you get contacted by some ISP or anything about this, simply tell them the truth. Tell them that you are trying to figure out what to do and would welcome any help on their part. Generally when they do this kind of thing, what happens, if it ever gets reported at all, is they ask the e-mail provider/ISP to stop allowing that particular user on their service. Of course, you aren't really allowing them to use your service, they are using their own along with some simple tricks, so really it's their ISP or e-mail provider that is supposed to take such steps.

Anyway, the problem with e-mail is that it lacks a lot of the securities and all that it really should have had. This is because it's one of those VERY old standards from back before these things became standard when networking was more business than anything else and it just didn't really occur to them that someone would seek out flaws and exploit them. Some of the same problems have shown up in other such old methods (for example, I hear that one can spoof the IP address in UDP packets to trick firewalls into letting them in and that sort of thing.)

Well, thanks for the help. I guess I'm just ultimately stuck with getting my domain name faked all across the planet.
 