Piyono

I'm Being Mailbombed

For the last few weeks one of my email accounts has been receiving returned email error messages to the tune of hundreds a day. It seems that someone's computer is sending out Klez-infected files with my account in the return address field. I've AV'd every computer I have access to using the latest virus definitions but none are infected.

The messages are mostly bounced back from undeliverable addresses and some are from AV programs running on the receiving end. The IPs on the former fall into the range of my ISP's mail server, while the latter come from the recipient's server -- apparently most of the messages going out are to bogus addresses but some do get through.

How do I go about finding out the source?

Piyono


Read the message headers. The IP addresses of the mail servers that it is sent through should be in the message. It will not get you all the way, but it should be able to get you to the person's ISP.

Kenneth


The incoming message has a header that is usually suppressed by your mail client. It resembles something like what is below. If you have a line that resembles the one I have bolded, it probably contains IP information regarding the computer transmitting the message.

Status: U
Return-Path: <email@domain.com>
Received: from smtp805.mail.sc5.yahoo.com ([nnn.nnn.168.184])
        by farley.mail.mindspring.net (Earthlink Mail Service) with SMTP id 18BNbMY53Nl3pa0
        for <email@domain.com>; Thu, 23 Jan 2003 14:39:02 -0500 (EST)
Received: from dialup-nnn.nnn.4.235.dial1.cincinnati1.level3.net (HELO godzilla) (email@domain.com@nnn.nnn.4.235 with login)
        by smtp-sbc-v1.mail.vip.sc5.yahoo.com with SMTP; 23 Jan 2003 19:39:00 -0000
From: "Sender" <email@domain.com>
To: "'Receiver'" <email@domain.com>
Subject: test
Date: Thu, 23 Jan 2003 14:39:40 -0500
Message-ID: <001701c2c317$2d67b2b0$b97ba8c0@godzilla>
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_0018_01C2C2ED.4491AAB0"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.4510
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Importance: Normal
X-MS-TNEF-Correlator: 00000000632489AB6F3EAC4DB6721ADB7C3A58F264314300
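The bounces described in this thread are delivery status notifications, and most of them carry the rejected original message (or at least its headers) as an attached part. That attached copy is where the Received chain of the infected sender lives, not the headers of the bounce itself. The script below is an added example, not code from anyone in this thread: it uses Python's standard email library to pull the returned message out of a bounce and walk its Received headers bottom-up to the first hop. The sample bounce is constructed for the example (documentation IPs in 192.0.2.0/24, example.* domains); no addresses from the thread are used.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample: a DSN bounce that wraps the headers of the rejected message.
# All hosts and IPs are placeholders (RFC 5737 documentation range).
SAMPLE_BOUNCE = """From: Mail Delivery System <postmaster@example.net>
To: victim@example.com
Subject: Undeliverable: test
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="BND"

--BND
Content-Type: text/plain

Delivery failed: user unknown.

--BND
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net
Final-Recipient: rfc822; nobody@example.net
Action: failed
Status: 5.1.1

--BND
Content-Type: message/rfc822

Received: from mx.example.net ([192.0.2.50])
    by relay.example.org with ESMTP id abc123;
    Thu, 23 Jan 2003 14:39:02 -0500
Received: from dialup-192-0-2-235.example.isp (HELO godzilla) (192.0.2.235)
    by mx.example.net with SMTP; 23 Jan 2003 19:39:00 -0000
From: "Piyono" <victim@example.com>
To: nobody@example.net
Subject: test

body

--BND--
"""

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def hop_from_received(value):
    """Split one Received header into the 'from' host/IP and the 'by' host."""
    raw = re.sub(r"\s+", " ", str(value)).strip()
    m = re.match(r"from (\S+)(.*?) by (\S+)", raw, re.IGNORECASE)
    if not m:
        return {"from_host": None, "from_ip": None, "by": None, "raw": raw}
    from_host, extra, by_host = m.group(1), m.group(2), m.group(3)
    ip = IPV4.search(from_host + extra)  # bracketed or parenthesised IP after the host
    return {"from_host": from_host, "from_ip": ip.group(1) if ip else None,
            "by": by_host, "raw": raw}


def returned_message(bounce):
    """Find the copy of the original message that the DSN carries, if any.

    Full copies arrive as message/rfc822; some servers return only the
    headers as text/rfc822-headers, which we parse as a headers-only message.
    """
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return message_from_string(part.get_content(), policy=default)
    return None


def transit_chain(msg):
    """Each MTA prepends its Received line, so reading them bottom-up gives
    the path in transit order: index 0 is the hop closest to the sender."""
    received = msg.get_all("Received") or []
    return [hop_from_received(v) for v in reversed(received)]


def origin_of_bounce(text):
    """Return the first hop recorded for the message a bounce is complaining about."""
    bounce = message_from_string(text, policy=default)
    inner = returned_message(bounce)
    if inner is None:
        return None
    chain = transit_chain(inner)
    return chain[0] if chain else None


if __name__ == "__main__":
    for hop in transit_chain(returned_message(message_from_string(SAMPLE_BOUNCE, policy=default))):
        print(f"{hop['from_host']} ({hop['from_ip']}) -> {hop['by']}")
```

Only the Received lines written by servers you have reason to trust are reliable; a sending machine can prepend fabricated ones, so read the chain from the trusted receiving server downward and stop at the first line it added. The IP in that line, plus the timestamp, is what the owning ISP's abuse desk needs to identify the infected customer.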


No, you're all misunderstanding -- the messages I'm getting are not from the attacking computer but from the mail servers of the target computers, defending themselves. All the emails are from "Mail Administrator" or "System Administrator" or "Postmaster". Their anti-virus software is stopping the attacker's messages and returning them to me... even though my computer is not the perpetrator.

See?

Piyono


You are being spoofed. Your e-mail address is on someone's computer or many computers, and a virus is sending out e-mails as if they were coming from your PC. It has nothing to do with you or your PC in reality. It will go away one day, when the infected PC's user gets his or her act together.


Dingo, that's what I figured.

It's still annoying, though.

Is there no way to trace the offending computer?

Piyono


I guess there might be some way, but I'm sorry to say I don't know the answer. You may want to set up a rule to block the address that is sending the stuff back to you, as in postmaster@whatever.net (not a real address, I hope). This will not cure the trouble, but if they are blocked at the server you don't have to see the damn things. That's what I did for some family members and it really helped.

Dingo, that's what I figured.

It's still annoying, though.

Is there no way to trace the offending computer?

Piyono

So, if you look at the message header and compare it to the one in my message, what does the line say that corresponds to the one that I bolded?
