Sunday, May 23, 2010

Why am I getting bounce-backs on emails I never sent?

Folks,

My in-box is being flooded with bounce-backs like the one below on emails I never sent. Any ideas?

Mike
III

-----Original Message-----
From: Mail Delivery Subsystem
To: georgemason1776@aol.com
Sent: Sun, May 23, 2010 12:37 pm
Subject: Returned mail: see transcript for details


*** ATTENTION ***

Your e-mail is being returned to you because there was a problem with its
delivery. The address which was undeliverable is listed in the section
labeled: "----- The following addresses had permanent fatal errors -----".

The reason your mail is being returned to you is listed in the section
labeled: "----- Transcript of Session Follows -----".

The line beginning with "<<<" describes the specific reason your e-mail could
not be delivered. The next line contains a second error message which is a
general translation for other e-mail servers.

Please direct further questions regarding this message to the e-mail
administrator or Postmaster at that destination.

--AOL Postmaster



----- The following addresses had permanent fatal errors -----

(reason: 554 DT:SPM mx31, UcCowKDrPa7BWflLau93AA--.3476S2 1274632646
http://mail.163.com/help/help_spam_16.htm?ip=64.12.206.39&hostid=mx31&time=1274632646)

----- Transcript of session follows -----
... while talking to 163mx04.mxmail.netease.com.:
>>> DATA
<<< 554 DT:SPM mx31, UcCowKDrPa7BWflLau93AA--.3476S2 1274632646
http://mail.163.com/help/help_spam_16.htm?ip=64.12.206.39&hostid=mx31&time=1274632646
554 5.0.0 Service unavailable

Original-Recipient: rfc822;szgmyxgs@163.com
Final-Recipient: RFC822; szgmyxgs@163.com
Action: failed
Status: 5.0.0
Remote-MTA: DNS; 163mx04.mxmail.netease.com
Diagnostic-Code: SMTP; 554 DT:SPM mx31, UcCowKDrPa7BWflLau93AA--.3476S2
1274632646 http://mail.163.com/help/help_spam_16.htm?ip=64.12.206.39&hostid=mx31&time=1274632646
Last-Attempt-Date: Sun, 23 May 2010 12:37:27 -0400

Return-Path:
Received: from mtaout-db05.r1000.mx.aol.com (mtaout-db05.r1000.mx.aol.com
[172.29.51.197])
by imr-ma01.mx.aol.com (8.14.1/8.14.1) with ESMTP id o4NGbDU9001260
for ; Sun, 23 May 2010 12:37:13 -0400
Message-Id: <201005231637.o4NGbDU9001260@imr-ma01.mx.aol.com>
Received: from PC-201002280947 (unknown [113.97.231.105])
by mtaout-db05.r1000.mx.aol.com (MUA/Third Party Client Interface) with
ESMTPA id 68326E000088
for ; Sun, 23 May 2010 12:37:12 -0400 (EDT)
From: "georgemason1776"
Subject: =?GB2312?B?tPq/qrXYt72wbMaxvt0xMzU=?= 342 44126 =?GB2312?B?wfW+rcDt?=
To: szgmyxgs@163.com
Content-Type: text/html
Date: Mon, 24 May 2010 00:37:10 +0800
x-aol-global-disposition: G
X-AOL-SCOLL-SCORE: 0:2:123148576:93952408
X-AOL-SCOLL-URL_COUNT: 0
x-aol-sid: 3039ac1d33c54bf959b87bc7
X-AOL-IP: 113.97.231.105
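Reading the returned message's own Received chain shows where it entered AOL's mail system and whether that session used SMTP AUTH. This is an added example, not part of the original post or its comments; the header text is copied from the bounce above with the folding whitespace restored, the function names are illustrative, and treating X-AOL-IP as the submitting client's address is an assumption.

```python
import ipaddress
import re
from email import message_from_string

# Headers of the returned message, copied from the bounce above; leading
# whitespace on folded Received lines is restored so the parser can unfold them.
RETURNED_HEADERS = """\
Received: from mtaout-db05.r1000.mx.aol.com (mtaout-db05.r1000.mx.aol.com
 [172.29.51.197])
 by imr-ma01.mx.aol.com (8.14.1/8.14.1) with ESMTP id o4NGbDU9001260
 for ; Sun, 23 May 2010 12:37:13 -0400
Received: from PC-201002280947 (unknown [113.97.231.105])
 by mtaout-db05.r1000.mx.aol.com (MUA/Third Party Client Interface) with
 ESMTPA id 68326E000088
 for ; Sun, 23 May 2010 12:37:12 -0400 (EDT)
To: szgmyxgs@163.com
X-AOL-IP: 113.97.231.105

"""

HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9.]+)\]\)\s+"
    r"by\s+(?P<by>\S+).*?\bwith\s+(?P<proto>\S+)",
    re.S,
)

def parse_hops(raw):
    """Return Received hops oldest-first as dicts (helo, rdns, ip, by, proto)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append(m.groupdict())
    return hops[::-1]  # each relay prepends, so the last header is the first hop

def triage(raw):
    """Summarise where the message entered the provider and how."""
    hops = parse_hops(raw)
    first = hops[0]
    return {
        "entry_ip": first["ip"],
        "entry_host": first["by"],
        # RFC 3848: ESMTPA / ESMTPSA mean the client used SMTP AUTH
        "authenticated": first["proto"].upper() in {"ESMTPA", "ESMTPSA"},
        "public_client": not ipaddress.ip_address(first["ip"]).is_private,
        # Assumption: X-AOL-IP records the submitting client's address
        "matches_x_aol_ip": message_from_string(raw)["X-AOL-IP"] == first["ip"],
        "hops": len(hops),
    }
```

When the first hop shows an authenticated session from a public address, the provider accepted a logged-in submission from that address, so changing the account password and reviewing account activity belongs alongside any virus scan.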

22 comments:

Scott J said...

Someone who has your address in their addressbook has gotten a rather common virus that mines that person's address book for addresses and then mails itself out with those mined addresses as the sender.

The receiving system detects the threat and bounces a message back to the spoofed sender. You in this case.

The person with the infected computer needs to run something like McAfee Stinger to kill the active bug: http://vil.nai.com/vil/stinger/

And then get some quality anti-virus installed. I like Avast because it's effective, has a free version and has an easy to use boot-time scan (the only way to truly clean viruses): http://www.avast.com/index

Anonymous said...

Sounds like a virus to me.

Dennis308 said...

I'm no geek but I would do a virus check, delete the file and do a system restore. I think you have been attacked by a virus.

Dennis
III
Texas

Brian K Miller said...

Someone is probing your mailbox to see if it's real. This is one method commercial mailing lists use to verify their lists. Make sure your inbox filters are strict enough and eventually (after five or ten years) they will stop.

Dismal, I know. Such is life in cyberspace.

Mike Gogulski said...

Your email address is being used as a bogus-but-plausible source address for spam. It's been happening to me sporadically since 1994.

Weaver said...

Scott J is correct but it would be a good idea to check out your system as well. Another free online scan that seems to work pretty well can be found at trendmicro.com.

Weaver

MamaLiberty said...

Every once in a while I get a massive number of these things to my "editor@" address at The Price of Liberty. At one point I was getting nearly 500 spam emails a day, much of it porn.

My online spam/varmint filter catches them ALL. Your ISP should be catching these for you as well. Talk to your ISP provider.

Do that or get some sort of heavy duty anti-spam/virus software before you clean your machine. Otherwise, you'll just get reinfected.

Technology, never more than half a step ahead of the vandals and psychopaths, unfortunately.

Old NFO said...

Your address book has been hacked... Your best bet is to change your email addy to a new one, otherwise it will only get worse.

barrycare said...

You've been Joe Jobbed
http://en.wikipedia.org/wiki/Joe_job

"A joe job is a spamming technique that sends out unsolicited e-mails using spoofed sender data. Early joe jobs aimed at tarnishing the reputation of the apparent sender or inducing the recipients to take action against him ..."

Anonymous said...

Could also be a spambot on your ISP's servers using your valid address to send spam to others in your email list and they're bouncing. Happens to my older hotmail account once in a while. Forward the whole thing (without any additional comment) to your provider's abuse address and they'll usually ferret out and block the bot after a day or so. It'll come back from time to time, probing and hijacking as often as it's programmed to check for availability. It may also be due to your (now) higher profile in the world. Sometimes the little darlings who spread these will get on a political panties in a bunch and go after those they don't agree with.

This is another good reason for all of us to only send text and not html in mail. Makes it easier to keep the viruses down.

Diogenes said...

I concur with Scott J. Avast is a great anti-virus and once installed you can pretty much forget about it. Make sure that you use the McAfee scan first though (Avast sees the scan as a virus and blocks it).

This is actually pretty simple and not as suspicious as you might believe. (Basically saying, this more than likely isn't some .GOV attack on you.)

Anonymous said...

Well, I typed this in the address bar:

http://help.163.com/09/1224/17/5RAJ4LMH00753VB8.html

Of course, you'll have to type that in yourself to see the Chinese page.

Then, I typed this in the search bar:

rfc822;szgmyxgs@163.com

And came up with ... type it in the search bar to get to the page:

Sipsey Street Irregulars: Why am I getting bounce-backs on emails ...
May 23, 2010 ... Original-Recipient: rfc822;szgmyxgs@163.com. Final-Recipient: RFC822; szgmyxgs@163.com. Action: failed. Status: 5.0.0 ...
sipseystreetirregulars.blogspot.com/.../why-am-i-getting-bounce-backs-on-emails.html - 4 hours ago

AND:

news aggregator | End the War on Freedom
comFinal-Recipient: RFC822; szgmyxgs@163.comAction: failedStatus: 5.0.0Remote-MTA: DNS; 163mx04.mxmail.netease.comDiagnostic-Code: SMTP; 554 DT:SPM mx31, ...
billstclair.com/blog/aggregator - 2 hours ago


I haven't done them all, but I would say you have been hi-jacked.

For those who are not "program savvy" ... Iolo System Mechanic Professional comes in handy of keeping the pirates at bay.

http://www.iolo.com/system-mechanic/pro/

Anonymous said...

Another vote for Avast free version, also suggest spywareblaster and spyware terminator, all available @ majorgeeks.com.

Anonymous said...

That's an NDR from someone with a poorly configured MX. Ignore it.

Rhett III

Anonymous said...

It could be one of a few things. First thing that comes to mind is "worm sign" from someone else's email address book that is being used by the worm/virus. Could also be some internet criminal who owns a "botnet or spambot" and your email address is being used. Finally there could be some email routing issue(s) at AOL or some other ISP, i.e. their DNS server may be compromised.

J4rh34d said...

I used to get hundreds of these a day - I have one particular email address that is 14 years old. You may notice that the email that was supposedly from you was sent by a program you do not use. This is a sure sign that somebody else's addressbook was hacked.
I ended up changing my ISP for that address. I still get those spam-bounces, but they stay at the new ISP's spam dumpster and out of my inbox.
Your current ISP may be able to help you with this.

Dedicated_Dad said...

20 years in IT - I know of which I speak.

Scott J nailed it.

Somewhere out there, someone (or someTHING) is sending mail (probably a worm mailing copies of itself) claiming to be from you.

Don't feel bad - it's also sending mail claiming to be FROM every other person in the victim's address-book.

Since the receiving system doesn't know who the real sender is, it sends the response to YOU.

These worms SUCK - especially because it makes it impossible to know who is infected.

What can YOU do?

Nothing.

Well, on second thought the one thing you CAN do is be prepared to explain when people start complaining about mail "you" are sending...

Otherwise, ignore it.

DD

Pwai said...

There's an IP address in the header information.

Google "IP trace" whenever you see and input that address as follows:

http://www.ip-adress.com/ip_tracer/64.12.206.39

That's in Wichita.

You can also google "traceroute" and do the same to see the "hops", and trace the IP at each location along the route. When it hits Timeout, the last IP is the end of the trace.

What does all this do for you? Nothing really, except reduce the feeling of total helplessness a little.

The China IP is:

220.181.8.90

Good luck.

III more than them said...

http://housecall.trendmicro.com/
Trend Micro's Online Housecall. Free.

Entering "szgmyxgs@163.com" into a Firefox browser elicits a message that you are trying to log into a server that does NOT require authorization, and says that it "may be an attempt to trick you."

Entering 163.com into the Whois search feature returns this, "The IP address from which you have visited the Network Solutions Registrar WHOIS database is contained within a list of IP addresses that may have failed to abide by Network Solutions' WHOIS policy."

You might have an e-mail redirector on your box, or a worm.

I'd run the Trend Micro tool.
Also, "Ad Aware" http://www.lavasoft.com/single/trialpay.php

III more than them said...

One other thing.....

My e-mail/ISP has an online sign-on option. I can use my web browser to "login" to my mail and view the subjects and senders without actually having to download them. I can delete anything I don't want without having to open them.... then I pull them down. If you have that option, it can save heartache. Does create a couple extra steps, but it's been worth it for me. I haven't had anything like that since instituting this policy.

Anonymous said...

http://en.wikipedia.org/wiki/Backscatter_%28e-mail%29

-S
III

Anonymous said...

The previous posts have it in the bag, either someone is deliberately attempting to spoof you or an infection has acquired their address book.

Avast5 is a really good virus scanner with a boot-time feature that is quite effective. Additionally, to keep safe from other types of malware, consider installing and running MalwareBytes (from Malwarebytes.org) for a very effective malware scan.