Returned email I didn't send

Discussion in 'malware problems & news' started by Mike360000, Jan 15, 2004.

Thread Status:
Not open for further replies.
  1. Mike360000

    Mike360000 Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    16
    Hi All,
    Well I thought it would be a little longer than this before I returned but now I have a problem with my email. NOT my friends which brought me here last week.

    I normally, almost entirely use Yahoo for my email. My main email through my ISP I rarely use. However the last couple of days I have received about 15 to 20 emails each day from my ISP email with a return header saying "User Unknown"

    Well gee I never sent any of those emails. I have McAfee AV, SpywareBlaster, SpywareGuard, XCleaner, Spybot S&D, CWShredder and AdAware6, and have used them all to check my system last night after finding all those returned emails. Didn't find anything and tonight I check and like I said about 15 emails have been sent back saying "User Unknown". So far this hasn't happened with my Yahoo account.

    So I need some ideas of what to do, er how to check this problem out.

    Thanks again,
    Mike
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Mike,

    Could you post such a header (x-out your personal related info).

    One of the possibilities could be, your email address has been spoofed.

    regards.

    paul
     
  3. Mike360000

    Mike360000 Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    16
    Hi and thanks.
    Sorry I was never very good in understanding the communications regarding how the messages were transferred. So if you see something I should have deleted, go at it. I did notice while copying this here for you, that this junk is also from porn spammers. You can see it in the header routing. Anyhow just to state for the record I don't open porn on computers and I try to advise others against it. But it looks like I've done something wrong somewhere. Oh BTW, I have this link showing, "Download Attachment: attachment32 or 21" in the message below. Well the whole email returned to me was only 3k with no attachment. But it goes somewhere..... It said this under properties General: attachment32?fold=INBOX&msgvw=INBOXMN382DELIM4487&part=3&FileName=attachment32
    and this under Protocol: HyperText Transfer Protocol
    --- TYPE NET/AGENT/MOBMAIN/ATTACHMENT32?FOLD=INBOX&MSGVW=INBOXMN382DELIM4487&PART=3&FILE
    --- ADDRESS/URL http://mail.alltel.net/agent/mobmain/attachment32?fold=INBOX&msgvw=INBOXMN382DELIM4487&part=3&FileName=attachment32

    Any help much appreciated,
    Mike

    From:    Mail Delivery Subsystem <MAILER-DAEMON@aol.com>
    Date:    2004/01/14 Wed PM 02:01:36 CST   
    To:    <xxxxx@alltel.net>   
    Subject:    Returned mail: User unknown   

    *** ATTENTION ***

    Your e-mail is being returned to you because there was a problem with its
    delivery. The address which was undeliverable is listed in the section
    labeled: "----- The following addresses had permanent fatal errors -----".

    The reason your mail is being returned to you is listed in the section
    labeled: "----- Transcript of Session Follows -----".

    The line beginning with "<<<" describes the specific reason your e-mail could
    not be delivered. The next line contains a second error message which is a
    general translation for other e-mail servers.

    Please direct further questions regarding this message to your e-mail
    administrator.

    --AOL Postmaster



    ----- The following addresses had permanent fatal errors -----
    <doloresgn@cs.com>

    ----- Transcript of session follows -----
    ... while talking to airmail-02.mail.aol.com.:
    >>> RCPT To:<doloresgn@cs.com>
    <<< 550 MAILBOX NOT FOUND
    550 <doloresgn@cs.com>... User unknown

    Reporting-MTA: dns; str-d03.mail.aol.com
    Arrival-Date: Wed, 14 Jan 2004 14:59:32 -0500 (EST)

    Final-Recipient: RFC822; doloresgn@cs.com
    Action: failed
    Status: 5.1.1
    Remote-MTA: DNS; airmail-02.mail.aol.com
    Diagnostic-Code: SMTP; 550 MAILBOX NOT FOUND
    Last-Attempt-Date: Wed, 14 Jan 2004 15:01:36 -0500 (EST)


    Download Attachment: attachment21

    Received: from rly-ya06.mx.aol.com (rly-ya06.mail.aol.com [172.18.141.38]) by
    str-d03.mail.aol.com (v92.16) with ESMTP id RELAYIN9-a40059fa413c; Wed, 14 Jan
    2004 14:59:32 -0400
    Received: from alltel.net (jciq.ciq.uchile.cl [146.83.60.180]) by rly-ya06.mx.
    aol.com (v97.10) with ESMTP id MAILRELAYINYA61-76b40059f943c8; Wed, 14 Jan 2004
    14:59:27 -0500
    Received: from unknown (HELO mxs.perenter.com) (64.198.132.16)
       by asx121.turbo-inline.com with NNFMP; Thu, 15 Jan 2004 11:24:03 -0700
    Received: from unknown (HELO mts.locks.grgtween.net) (212.131.184.187)
       by mx03.listsystemsf.net with NNFMP; 15 Jan 2004 04:14:14 -0800
    Message-ID: <175901c3dac9$397841d0$a5fa4dc3@lcyjp>
    Reply-To: <xxxx@alltel.net>
    From: <xxxx@alltel.net>
    To: "My Contacts" <doloresgn@cs.com>
    Subject: Jennifer r Lopez - Paris d Hilton and Jessica y Simpson
    Date: Wed, 14 Jan 2004 10:07:08 -0800
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
       boundary="----=_NextPart_DD3_CE9F_40D5E4AB.EB99A15C"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 5.50.4133.2400
    X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
    X-AOL-IP: 146.83.60.180
    X-AOL-SCOLL-SCORE: 1:XXX:XX
    X-AOL-SCOLL-URL_COUNT: 4

    Download Attachment: attachment32

    email address removed for security/harvesting reasons - Pieter
     
  4. sakharg

    sakharg Registered Member

    Joined:
    Jun 22, 2003
    Posts:
    62
    I've been getting tons of this stuff too, over the last 3 days: here's an example. Question is: what to do? I don't let it get to my mailbox because I use Mailwasher, but what else?

    Example:

    Hi. This is the qmail-send program at www.inet-80.com.
    I'm afraid I wasn't able to deliver your message to the following addresses.
    This is a permanent error; I've given up. Sorry it didn't work out.

    <john@inet-80.com>:
    Sorry, no mailbox here by that name. vpopmail (#5.1.1)

    --- Below this line is a copy of the message.

    Return-Path: <xxx>
    Received: (qmail 97736 invoked from network); 15 Jan 2004 10:34:06 -0000
    Received: from framed-user-19.62.151.235.ya.com (62.151.235.19)
    by 66.70.74.190 with SMTP; 15 Jan 2004 10:34:06 -0000
    Received: from [14.114.14.65] by framed-user-19.62.151.235.ya.com with ESMTP id 41905628; Fri, 16 Jan 2004 07:06:06 +0400
    Message-ID: <c$$p3kxno$89$5795@7gv4g6qfz76>
    From: "Emerson Robles" <xxx>
    Reply-To: "Emerson Robles" <xxx>
    To: john@inet-80.com
    Subject: Feel like a kid again epw
    Date: Fri, 16 Jan 2004 07:06:06 GMT
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
       boundary="1.FEDE.FE84BAFF86"
    X-Priority: 3
    X-MSMail-Priority: Normal
     
  5. Mike360000

    Mike360000 Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    16
    Well here is another type of email I had returned that I know nothing about. It is quite different though. And another thing, I keep no addresses email or otherwise in Outlook.----Mike

    From: MAILER-DAEMON@yahoo.com
    Date: 2004/01/14 Wed AM 11:53:43 CST
    To: mike36000@alltel.net
    Subject: Delivery failure
    Message from yahoo.com.
    Unable to deliver message to the following address(es).

    <devil234@yahoo.com>:
    This user doesn't have a yahoo.com account (devil234@yahoo.com) [-5]

    <devil2475@yahoo.com>:
    Sorry your message to devil2475@yahoo.com cannot be delivered. This account has
    been disabled or discontinued [#102].

    --- Original message follows.

    X-YahooFilteredBulk: 66.130.140.147
    Return-Path: <xxxx@alltel.net>
    Received: from 66.130.140.147 (HELO alltel.net) (66.130.140.147)
    by mta263.mail.scd.yahoo.com with SMTP; Wed, 14 Jan 2004 09:53:39 -0800
    Received: from unknown (130.59.235.116)
    by mmx09.tilkbans.com with NNFMP; 15 Jan 2004 06:18:15 -0900
    Received: from unknown (35.52.226.201)
    by smtp-server1.cfdenselr.com with smtp; 14 Jan 2004 21:09:34 -0300
    Message-ID: <0e8801c3dab8$0517cf70$bf1eb0f8@d>
    Reply-To: <xxxx@alltel.net>
    From: <xxxx@alltel.net>
    To: "My Contacts" <devil234@yahoo.com>,
    "My Contacts" <devil2475@yahoo.com>
    Subject: Jennifer n Lopez - Paris c Hilton and Jessica w Simpson
    Date: Wed, 14 Jan 2004 17:03:59 +0100
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="----=_NextPart_CBB_F1AC_A8EC2C03.89A6B1FB"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 5.50.4522.1200
    X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200

    This is a multi-part message in MIME format.

    ------=_NextPart_CBB_F1AC_A8EC2C03.89A6B1FB
    Content-Type: text/plain;
    charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable


    ------=_NextPart_CBB_F1AC_A8EC2C03.89A6B1FB
    Content-Type: text/html;
    charset="iso-8859-1"
    Content-Transfer-Encoding: base64

    PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDQuMCBUcmFuc2l0aW9uYWwv
    L0VOIj4NCjxIVE1MPjxIRUFEPg0KPE1FVEEgaHR0cC1lcXVpdj1Db250ZW50LVR5cGUgY29udGVu
    dD0idGV4dC9odG1sOyBjaGFyc2V0PWlzby04ODU5LTEiPg0KPE1FVEEgY29udGVudD0iTVNIVE1M
    IDUuNTAuNDUyMi4xMjAwIiBuYW1lPUdFTkVSQVRPUj4NCjxTVFlMRT48L1NUWUxFPg0KPC9IRUFE
    PjxGT05UIGZhY2U9QXJpYWw+PEZPTlQgc2l6ZT0yPg0KPEJPRFk+DQo8RElWPjxwPkNoZWNrIHRo
    aXMgb3V0Li48L3A+DQo8cD5XZSBoYXZlIDxhIGhyZWY9Imh0dHA6Ly9wYXJpcy5hbGw0ZnJlZS5p
    bmZvIj5QYXJpcyBIaWx0b248L2E+LCA8YSBocmVmPSJodHRwOi8vamVzc2ljYS5hbGw0ZnJlZS5p
    bmZvIj5KZXNzaWNhDQpTPFNUUk9ORz5pbTwvU1RST05HPnBzb248L2E+IGFuZCA8YSBocmVmPSJo
    dHRwOi8vamVubmlmZXIuYWxsNGZyZWUuaW5mbyI+SmVubmlmZXIgTG9wZXo8L2E+Ljxicj4NCjxi
    cj4NCjxicj4NCllvdSBoPEI+YTwvQj52ZSByZWNlaXZlZDxTUEFOPiB0aDwvU1BBTj5pcyBtZXNz
    YWdlIGJlPFNQQU4+Y2F1PC9TUEFOPjxVPnM8L1U+ZSB5b3Ugb3Igc29tPEk+ZW88L0k+bmUgdXNp
    bmcgeTxFTT5vdTwvRU0+ciBhZGRyZXNzIHM8Rk9OVCBmYWNlPUFyaWFsPmk8L0ZPTlQ+Z25lZA0K
    dXAgdG8gb25lIG9mIDxJPm88L0k+dXI8VT4gPC9VPmZyZWVzaXRlcy4gPGJyPg0KPGEgaHJlZj0i
    aHR0cDovL3JlbW92ZS5hbGw0ZnJlZS5pbmZvIj5IRVJFPC9hPjwvcD4NCjxwPmEgYiA8U1BBTj5j
    IGQgZSBmIGcgPC9TUEFOPmggaSBqIGsgbCBtIG4gbyBwIHEgciBzPEVNPiA8L0VNPnQgdSB2IHcg
    eCB5IDxTUEFOPnogejwvU1BBTj4geSB4IHcgdiB1PEVNPiA8L0VNPnQgcyByIHEgcCBvIG4gbSBs
    IGsgaiBpIGggZyBmIGUgZCBjIDxGT05UIGNvbG9yPSM3MDc0ZWY+YiA8L0ZPTlQ+YTwvcD4NCg0K
    PEZPTlQgY29sb3I9IiNGQkZCRkIiPg0KeWp4DTxGT05UIGZhY2U9QXJpYWw+CjwvRk9OVD52Yyxy
    ZXENCmlrDQpvZTxVPnA8L1U+YmgNCjxTUEFOPnQNCnJoY3k8L1NQQU4+czxCPm88L0I+bXANCnJp
    bW9jaXdzbG08Uz5pPC9TPmF6aXVxc29kemdrbG1kc2l1cjxCPnVmPC9CPnJueGthbWhjPEVNPnBp
    PC9FTT4NCnh4amJybWo8Rk9OVCBmYWNlPSJUaW1lcyBOZXcgUm9tYW4iPm1vPC9GT05UPno8U1BB
    Tj5scHZscWJsdQ0KPC9TUEFOPmxicW53YWtpcnc8RU0+a2phPC9FTT5rcWgNCnBmPFM+bzwvUz56
    aXR1dng8U1BBTj52aWVnZG08L1NQQU4+c2oNCnJsd3pwbTxTUEFOPnZsdmY8L1NQQU4+bndxb291
    bzxTUEFOPmtqZTwvU1BBTj5nbGR0bDxTUEFOPnBya2x0aG48L1NQQU4+cmpuPEI+dWs8L0I+dGNj
    aW9lYg0Ka290dXhxbTxCPmgNPC9CPgpua21jZ2E8Rk9OVCBmYWNlPVRhaG9tYT5tdTwvRk9OVD5q
    bm9mDQo8L0RJVj48L0JPRFk+PC9IVE1MPjwvRk9OVD48L0ZPTlQ+

    ------=_NextPart_CBB_F1AC_A8EC2C03.89A6B1FB--

    *** MESSAGE TRUNCATED ***

    Edited out email address - Pieter
     
  6. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Looks like classical examples from email spoofing/hijacking. Someone having your email address in his/her address book could easily have been infected with, for example,

    http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html

    (copy and paste this link in your browser) Sobig - have a look at the link for more explanation.

    In order to avoid a possible complaint at your ISP from those who actually did receive such emails which look like coming from you, it wouldn't hurt to inform your ISP, sending them the emails complete with full headers.

    regards.

    paul
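Paul's diagnosis above (someone else's infected machine, Mike's address pulled from its address book and put on the From: line) can be checked against the bounces themselves: the Received: lines that the receiving provider added record the host that actually connected, while the lines beneath them arrived inside the message and can say anything. The script below is an added example, not code from this thread or from any product mentioned in it. It parses cut-down copies of the two bounced messages quoted in posts #3 (AOL, sendmail-style Received: lines) and #5 (Yahoo, qmail-style lines), with the address the moderator removed kept as the placeholder xxxx@alltel.net and the hostname the forum wrapped over two lines rejoined, and reports the entry hop against the From: domain.

```python
"""Added example: walk the Received: chain of a bounced message, find the hop
where it entered the receiving provider's servers and compare that hop with the
From: domain. Samples are cut down from the bounces in posts #3 and #5;
xxxx@alltel.net stands for the address the moderator removed."""
import re

AOL_BOUNCE = """\
Received: from rly-ya06.mx.aol.com (rly-ya06.mail.aol.com [172.18.141.38]) by
 str-d03.mail.aol.com (v92.16) with ESMTP id RELAYIN9-a40059fa413c; Wed, 14 Jan
 2004 14:59:32 -0400
Received: from alltel.net (jciq.ciq.uchile.cl [146.83.60.180]) by
 rly-ya06.mx.aol.com (v97.10) with ESMTP id MAILRELAYINYA61-76b40059f943c8; Wed,
 14 Jan 2004 14:59:27 -0500
Received: from unknown (HELO mxs.perenter.com) (64.198.132.16)
   by asx121.turbo-inline.com with NNFMP; Thu, 15 Jan 2004 11:24:03 -0700
Received: from unknown (HELO mts.locks.grgtween.net) (212.131.184.187)
   by mx03.listsystemsf.net with NNFMP; 15 Jan 2004 04:14:14 -0800
From: <xxxx@alltel.net>
X-AOL-IP: 146.83.60.180
"""

YAHOO_BOUNCE = """\
X-YahooFilteredBulk: 66.130.140.147
Received: from 66.130.140.147 (HELO alltel.net) (66.130.140.147)
 by mta263.mail.scd.yahoo.com with SMTP; Wed, 14 Jan 2004 09:53:39 -0800
Received: from unknown (130.59.235.116)
 by mmx09.tilkbans.com with NNFMP; 15 Jan 2004 06:18:15 -0900
Received: from unknown (35.52.226.201)
 by smtp-server1.cfdenselr.com with smtp; 14 Jan 2004 21:09:34 -0300
From: <xxxx@alltel.net>
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# sendmail: "from <HELO name> (<reverse DNS> [<ip>])"
SENDMAIL_RE = re.compile(r"^from\s+(\S+)\s+\(([^\s\[\]]+)?\s*\[" + IPV4 + r"\]\)")
# qmail: "from <reverse DNS> (HELO <name>) (<ip>)"; the HELO part is only
# written when the client's HELO name differs from its reverse DNS name
QMAIL_RE = re.compile(r"^from\s+(\S+)(?:\s+\(HELO\s+(\S+)\))?\s+\(" + IPV4 + r"\)")
LITERAL_RE = re.compile(r"^from\s+\[" + IPV4 + r"\]")        # "from [<ip>]"
BY_RE = re.compile(r"\bby\s+([^\s;]+)")


def parse_headers(raw):
    """Split a header block into (name, value) pairs, rejoining folded lines."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break                       # blank line ends the header block
        if line[0] in " \t" and headers:
            name, value = headers[-1]   # continuation of the previous header
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def parse_received(value):
    """Pull HELO name, reverse DNS name, client IP and receiving host from one Received: value."""
    hop = {"helo": None, "rdns": None, "ip": None, "by": None}
    m = SENDMAIL_RE.match(value)
    if m:
        hop["helo"], hop["rdns"], hop["ip"] = m.groups()
    else:
        m = QMAIL_RE.match(value)
        if m:
            hop["rdns"], helo, hop["ip"] = m.groups()
            hop["helo"] = helo or hop["rdns"]
        else:
            m = LITERAL_RE.match(value)
            if m:
                hop["ip"] = m.group(1)
    by = BY_RE.search(value)
    if by:
        hop["by"] = by.group(1)
    return hop


def in_domain(host, domain):
    """True if host is domain itself or a subdomain of it."""
    if not host or not domain:
        return False
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def analyze_bounce(raw, receiving_domain):
    """Received: lines are prepended by each relay, so reading top-down the hops
    whose "by" host belongs to receiving_domain were written by the provider;
    the lowest of those is the entry hop and everything below it came in with
    the message and may be fabricated."""
    headers = parse_headers(raw)
    hops = [parse_received(v) for n, v in headers if n.lower() == "received"]
    from_value = next((v for n, v in headers if n.lower() == "from"), "")
    m = re.search(r"@([A-Za-z0-9.-]+)", from_value)
    from_domain = m.group(1).lower() if m else None
    trusted = []
    for hop in hops:
        if not in_domain(hop["by"], receiving_domain):
            break
        trusted.append(hop)
    entry = trusted[-1] if trusted else {"helo": None, "rdns": None, "ip": None}
    return {
        "from_domain": from_domain,
        "entry_ip": entry["ip"],
        "entry_helo": entry["helo"],
        "entry_rdns": entry["rdns"],
        "untrusted_hops": len(hops) - len(trusted),
        # HELO borrows the From: domain but reverse DNS does not back it up
        "helo_spoofed": in_domain(entry["helo"], from_domain)
        and not in_domain(entry["rdns"], from_domain),
    }


if __name__ == "__main__":
    for label, raw, provider in (("AOL", AOL_BOUNCE, "aol.com"),
                                 ("Yahoo", YAHOO_BOUNCE, "yahoo.com")):
        r = analyze_bounce(raw, provider)
        print(f"{label}: From {r['from_domain']} entered via {r['entry_ip']} "
              f"(HELO {r['entry_helo']}, rDNS {r['entry_rdns']}), "
              f"{r['untrusted_hops']} sender-supplied hop(s), spoofed: {r['helo_spoofed']}")
```

For the AOL bounce this reports an entry hop of 146.83.60.180 (reverse DNS jciq.ciq.uchile.cl, the same IP AOL stamps into X-AOL-IP) announcing itself as alltel.net, with two sender-supplied hops beneath it; for the Yahoo bounce the entry hop is 66.130.140.147 with no reverse DNS at all, again claiming alltel.net. The HELO-versus-reverse-DNS comparison is a triage heuristic rather than proof, since a domain can legitimately send through a relay whose reverse DNS is in another domain, and the trust-boundary rule assumes the provider's relays all carry its own domain name, as the AOL and Yahoo chains here do; the definitive check is to compare the entry IP against the ISP's own outbound relay addresses, which is exactly what handing the full headers to the ISP lets them do.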
     
  7. Mike360000

    Mike360000 Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    16
    "http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html"

    Followed instruction, results: w32.sobig.f NOT FOUND.

    I had also tried the HouseCall checker I found listed here last night. It didn't find anything either.
    Any other ideas?

    Thanks,
    Mike
     
  8. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Mike,

    I might have not explained that well: in this example, we are talking about others being infected > having (amongst others) your email address in their address book > and your email address is being harvested/used to send email under your name to third parties.

    regards.

    paul
     
  9. Mike360000

    Mike360000 Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    16
    "we are talking about others being infected"

    Well that's what confused me because I haven't given out that address for email. Not to any person. I only give it out when some websites require an ISP verified mail address.

    Thanks,
    Mike
     
  10. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    That would be rather sufficient in principle ;)

    regards.

    paul
     
  11. Mike360000

    Mike360000 Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    16
    "That would be rather sufficient in principle "

    Why I guess so, but I meant like for example, overclockers.com the website I stay at mainly. To join their forums you have to register and to register you have to submit a POP3/ISP valid email address for confirmation. I have about 3 total sites that require this. I guess maybe their site got robbed then? :eek:

    Anyhow I haven't had any returns so far today.

    Cheers,
    Mike
     
  12. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Mike,

    "robbed" would not be my wording. We do advise our members to make sure to enable "email hidden" in their member profile - and for good reasons: email address harvesting robots are very common these days. In case an email address has been "harvested" the next step isn't a very big one.

    regards.

    paul
     
  13. Mike360000

    Mike360000 Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    16
    Alrighty Bill :cool:

    I would call it robbed if somebody stole something from a website that hadn't been offered to them. Anyhow I get your meaning.

    I just hate to see the net sink into this pit I see coming if something isn't actually done about all this spamming, trojans, parasites....etc.

    It is getting to be a pain for me and I'm not completely computer illiterate. Can you imagine what the new or average user is going through?

    I think politicians are actually going to use this to their advantage though. They'll let the problem get so bad that people will be willing to trade several of their Internet and computer freedoms they enjoy today just so they can be better protected. I can see Internet taxes, most likely a global tax coming from it. I can see hardware being designed with special tracking coding, which BTW would not track for MALware but would track you and your programs, to be legitimate as well. And we could have premium internet channels, pay as you go to avoid the clutter of the outside world. And if nothing is done, things will actually get so bad the less knowledgeable will simply begin to withdraw from the net.

    It doesn't look too bright at the moment for the future of the net.

    Cheers,
    Mike
     
  14. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    grin :D

    A matter of opinion IMHO: in case someone feels the need to protect data, s/he should take care of that. If not (deliberately or because of the lack of knowledge) - it's free access. But yes: I do get the meaning indeed.

    ...and it's hardly started off yet.

    Well, it's a rather new highway, everybody is allowed to drive (without any license or even lessons) and the road is crowded - with all sorts of vehicles, good ones and very bad ones. How long did it take after Henry Ford created the T-Ford before a driver's license was obligatory from a legal point of view - decades. Many, many died along the way.

    You could be right here. I'd rather not pull this thread into a politically oriented one.

    As for: the worst is yet to come - personally I do agree. Whether or not in the long term this will turn out to be merely a temp obstacle: I don't know. But it could well be no more than that.

    regards.

    paul
     
  15. controler

    controler Guest

    This looks suspicious alone:

    Subject: Jennifer n Lopez - Paris c Hilton and Jessica w Simpson

    Plus there were attachments.

    con
     