Posted to users@spamassassin.apache.org by Adam Kane <ka...@linkitsoftware.com> on 2005/05/20 20:54:15 UTC
Returned Mail errors?
In the past few weeks we have been receiving e-mails coming into our
info@domain account like the following (see below).
Our info@ account is not an actual mailbox; it is a forwarded account
that forwards to 5 people, and nobody can send from it. The subjects
of these emails are "Returned Mail: see transcript for details".
Any suggestions would be appreciated.
Here is the body of the emails. Just this morning we received like 15 of these, all with slightly different body content.
-------------
The original message was received at Fri, 20 May 2005 11:56:14 +0530
from mail003.ownmail.com [203.199.89.92]
----- The following addresses had permanent fatal errors -----
<in...@avchecked.wsabom.com>
(reason: 550 5.7.1 <in...@mail.wsabom.com>... Relaying denied. IP name possibly forged [203.197.68.74])
(expanded from: <in...@avchecked.wsabom.com>)
----- Transcript of session follows -----
... while talking to mail.wsabom.com.:
>>>>>> DATA
>>>
>>>
<<< 550 5.7.1 <in...@mail.wsabom.com>... Relaying denied. IP name possibly forged [203.197.68.74]
550 5.1.1 <in...@avchecked.wsabom.com>... User unknown
<<< 503 5.0.0 Need RCPT (recipient)
------------------------------------------------------------------------
Reporting-MTA: dns; wsa.wsabom.com
Received-From-MTA: DNS; mail003.ownmail.com
Arrival-Date: Fri, 20 May 2005 11:56:14 +0530
Final-Recipient: RFC822; in@avchecked.wsabom.com
X-Actual-Recipient: RFC822; in@mail.wsabom.com
Action: failed
Status: 5.7.1
Remote-MTA: DNS; mail.wsabom.com
Diagnostic-Code: SMTP; 550 5.7.1 <in...@mail.wsabom.com>... Relaying denied. IP name possibly forged [203.197.68.74]
Last-Attempt-Date: Fri, 20 May 2005 11:56:21 +0530
------------------------------------------------------------------------
Return-Path: <in...@linkitsoftware.com>
Received: from mail003.ownmail.com (mail003.ownmail.com [203.199.89.92])
by wsa.wsabom.com (8.12.8/8.12.8) with ESMTP id j4K6Nctj025201
for <in...@avchecked.wsabom.com>; Fri, 20 May 2005 11:56:14 +0530
Received: (from root@localhost)
by mail003.ownmail.com (8.12.11/8.12.11) id j4K5pXQb004452
for in@avchecked.wsabom.com; Fri, 20 May 2005 11:21:33 +0530
Received: from jbstertb.com (202-177-176-156.sify.net [202.177.176.156] (may be forged))
by mail003.ownmail.com (8.12.11/8.12.11) with SMTP id j4K5on5v003166;
Fri, 20 May 2005 11:20:50 +0530
From: info@linkitsoftware.com
To: 3Dvikas@wsabom.com
Date: Fri, 20 May 2005 05:28:10 UTC
Subject: The Whore Lived Like a German
Importance: Normal
X-Mailer: Outlook 8.86
X-Priority: 3 (Normal)
MIME-Version: 1.0
Message-ID: <ef...@linkitsoftware.com>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
X-OM-Loop: in@wsabom.com
X-Auto-Reply: No
X-Logged: Logged by wsa.wsabom.com as j4K6Nctj025201 at Fri May 20 11:56:14 200
-------------
Re: Returned Mail errors?
Posted by Jim Maul <jm...@elih.org>.
Adam Kane wrote:
> In the past few weeks we have been receiving e-mails coming into our
> info@domain account like the following (see below)
>
> our info@ account is not an actual mailbox, it is a forwarded account
> that forwards to 5 people, and nobody can send from it. The subjects
> of these emails are "Returned Mail: see transcript for details"
>
>
>
Yeah, so someone (spam, virus, etc.) used your info@ address to send out
messages (forged your name) and now you're getting all the bounces from
it. This happens daily and there isn't much you can do about it. I have
an account set up, info@mydomain, which is ONLY listed on my whois record,
so obviously spammers are checking whois to get addresses even though
it's not legal. The account itself is only an alias, it doesn't even
exist, yet check the mail I get daily to this account:
Glenda Riddle 2:38 pm + ---->SPAM<---- get bigger...
Joni 11:46 am + ---->SPAM<---- Don`t buy her flowers, give her mil...
Ferne Campbell 10:29 am + ---->SPAM<---- Does your girl like surprises?
Carmen Kaufman 11:08 am + ---->SPAM<---- Aggressive Investors Alert dIKE3k
Lenore Rosado Thu, 10:34 am + ---->SPAM<---- Take it to The Bank Stocks
qKen2
Joey Scott Wed, 9:51 pm + ---->SPAM<---- Multiple O'Gazm 4 men
Carla Tue, 5:06 pm + ---->SPAM<---- Kiss those big legs goodbye
Dick Cotton Tue, 3:26 pm + ---->SPAM<---- Please respond in 24 hrs (ref
# 438 531 ...
Whitney Taylor Tue, 12:53 pm + ---->SPAM<---- This stuff is not really
expensive as ...
Julie Mcallister Sun, 8:20 pm + ---->SPAM<---- it`s julie here
Herbert Fowler Sun, 5:30 am + ---->SPAM<---- Account update Julian
Louisa Sun, 3:46 am + ---->SPAM<---- Goodbye to the Excess inches
Basil Burton Sun, 12:55 am + ---->SPAM<---- women will love you
-Jim
Re: Returned Mail errors?
Posted by Matt Kettler <mk...@evi-inc.com>.
Adam Kane wrote:
> In the past few weeks we have been receiving e-mails coming into our
> info@domain account like the following (see below)
>
> our info@ account is not an actual mailbox, it is a forwarded account
> that forwards to 5 people, and nobody can send from it. The subjects
> of these emails are "Returned Mail: see transcript for details"
>
>
> any suggestions would be appreciated.
Those are failed deliveries of the "german political spam" generated by the
recent sober worm.
An infected machine generated spam using your info address as the forged sender,
and started sending messages. What you're seeing here is bounces from failed
deliveries.
You might want to take one of the sober spam rulesets, such as this one:
http://weblog.erenkrantz.com/~jerenk/german_spam.cf
and modify it into a series of body rules looking for "Subject: ...".
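A triage check for the bounces discussed in this thread, added here as an example (it is not part of any post or of the linked rulesets): it parses the returned headers out of a plain-text bounce and flags backscatter when the subject matches a known worm subject or when no Received hop names one of your own mail servers. `OUR_MTAS`, the function names and the sample bounce are assumptions constructed for illustration.

```python
import email
import re

# Assumption: hosts that really send mail for our domain (hypothetical name).
OUR_MTAS = {"mail.example.net"}
# Subject taken from the bounce quoted in this thread; extend from a Sober ruleset.
WORM_SUBJECTS = [re.compile(r"The Whore Lived Like a German", re.I)]

# Constructed sample: a shortened copy of the bounce quoted in the thread.
SAMPLE_BOUNCE = """\
   ----- The following addresses had permanent fatal errors -----
(reason: 550 5.7.1 ... Relaying denied. IP name possibly forged [203.197.68.74])

Return-Path: <info@linkitsoftware.com>
Received: from mail003.ownmail.com (mail003.ownmail.com [203.199.89.92])
    by wsa.wsabom.com (8.12.8/8.12.8) with ESMTP id j4K6Nctj025201;
    Fri, 20 May 2005 11:56:14 +0530
Received: from jbstertb.com (202-177-176-156.sify.net [202.177.176.156] (may be forged))
    by mail003.ownmail.com (8.12.11/8.12.11) with SMTP id j4K5on5v003166;
    Fri, 20 May 2005 11:20:50 +0530
From: info@linkitsoftware.com
Subject: The Whore Lived Like a German
"""

def returned_headers(bounce_text):
    """Parse the returned message's headers out of a plain-text bounce."""
    start = re.search(r"^Return-Path:", bounce_text, re.M)
    if start is None:
        return None
    return email.message_from_string(bounce_text[start.start():])

def relay_hosts(msg):
    """Hosts named in the 'by' clause of each Received header."""
    hosts = set()
    for header in msg.get_all("Received", []):
        match = re.search(r"\bby\s+([A-Za-z0-9.-]+)", header)
        if match:
            hosts.add(match.group(1).lower())
    return hosts

def classify_bounce(bounce_text):
    msg = returned_headers(bounce_text)
    if msg is None:
        return "unknown"            # no returned headers to inspect
    if any(p.search(msg.get("Subject", "")) for p in WORM_SUBJECTS):
        return "worm-backscatter"   # bounce of a known worm-generated message
    if not OUR_MTAS & relay_hosts(msg):
        return "backscatter"        # never passed through our servers
    return "genuine"
```

Received lines in a returned message can themselves be forged, so "genuine" here means only that the check did not rule the bounce out.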
Re: Returned Mail errors?
Posted by Andy Jezierski <aj...@stepan.com>.
Adam Kane <ka...@linkitsoftware.com> wrote on 05/20/2005 01:54:15 PM:
> In the past few weeks we have been receiving e-mails coming into our
> info@domain account like the following (see below)
>
> our info@ account is not an actual mailbox, it is a forwarded
> account that forwards to 5 people, and nobody can send from it. The
> subjects of these emails are "Returned Mail: see transcript for
> details"
>
>
> any suggestions would be appreciated.
> here is the body of the emails. just this morning we received like
> 15 of these all with slightly different body content.
> -------------
[snip]
Those are the un-deliverables from the German Spam that's being sent out
by the latest Sober virus. I've had good luck with these rules, although
I increased the score so that they would get deleted.
http://www.exit0.us/index.php?pagename=GermanSoberSpamBounceRules
Andy