Of course I haven't sent any of these messages.
Is any/everyone else getting these?
If so, can anyone explain what is going on?
Yesterday I had around 800 of these messages, and they seem to be increasing
exponentially.
This is beyond a joke, as legitimate emails are getting lost in the sheer
volume of spam (in other words I have been accidentally deleting them!)
As far as I am aware, my systems are clean of virii.
Thanks in anticipation.
--
Martin Rigby
>Over the last couple of weeks or my Demon account has been bombarded with
>these and similar messages, supposedly relating to messages I have sent.
unless you post an example, including all headers, all answers cannot be
anything other than educated guesses
>Of course I haven't sent any of these messages.
the likelihood is that you are in the address books of people infected
by viruses, especially "MyDoom". Less likely, but possible, is that the
sender of bulk unsolicited email ("a spammer") has borrowed your address
to attempt to make their messages look more plausible
>Is any/everyone else getting these?
yes, no
>Yesterday I had around 800 of these messages, and they seem to be increasing
>exponentially.
you could of course have a mail loop ... as I said initially, without a
copy of the message it's hard to say :(
--
richard writing to inform and not as company policy
"Assembly of Japanese bicycle require great peace of mind" quoted in ZAMM
Spammers generally use false From addresses, to try to disguise the
source of their spam. Unfortunately a spammer is currently using your
address for this. He'll probably switch to using a different address
before long.
--
John Hall Weep not for little Leonie
Abducted by a French Marquis!
Though loss of honour was a wrench
Just think how it's improved her French. Harry Graham (1874-1936)
Some of the worms have been known to send fake error messages.
Most of those floating around at the moment are essentially adverts sent
by anti-virus software. I describe them as adverts because the AV
system identifies the virus, and the vendor should know that the source
info is faked. So they're sending a warning message to somebody for
whom they have no evidence of infection.
Stupid bastards.
Use a mail-filter program which can be set to filter this stuff out.
Mailwasher is good, but it needs some work.
--
David G. Bell -- SF Fan, Filker, and Punslinger.
"History shows that the Singularity started when Sir Tim Berners-Lee
was bitten by a radioactive spider."
> Over the last couple of weeks or my Demon account has been bombarded with
> these and similar messages, supposedly relating to messages I have sent.
>
> Of course I haven't sent any of these messages.
>
> Is any/everyone else getting these?
It's not my turn this week.
> If so, can anyone explain what is going on?
Your domain is being used in source addresses of UCE and/or viruses.
> Yesterday I had around 800 of these messages, and they seem to be increasing
> exponentially.
>
> This is beyond a joke, as legitimate emails are getting lost in the sheer
> volume of spam (in other words I have been accidentally deleting them!)
You might be able to setup your email system so only that addressed
to your main users are delivered/collected. Most UCE I get are to
one of two addresses I've used in distant past for ng postings. I'd
say they account for possibly as much as 90% of incoming email and I
see none of that as they are all deleted from the server. Email to
other invalid usernames share the same fate. There are also local
rules to allow mail to certain usernames such as postmaster or from
known sender addresses along with other rules to delete email from
previous UCE sources which leaves just a few no matches per week.
Should your email client not offer these facilities there are many
programs for different platforms that will automate the task. I use
Mailwasher on Win98 but others might be more suitable for your setup
(pop3 scan mailbox, k9, pop3clean).
David
--
The Reply-To: is valid for at least 30 days after posting date
David Lord - da...@lordynet.demon.co.uk
}In article <f6e630t6doli0o6j6...@4ax.com>, Martin Rigby
}<martin...@hotmail.com> writes
}
}>Over the last couple of weeks or my Demon account has been bombarded with
}>these and similar messages, supposedly relating to messages I have sent.
}
}unless you post an example, including all headers, all answers cannot be
}anything other than educated guesses
}
}>Of course I haven't sent any of these messages.
}
}the likelihood is that you are in the address books of people infected
}by viruses, especially "MyDoom". Less likely, but possible, is that the
}sender of bulk unsolicited email ("a spammer") has borrowed your address
}to attempt to make their messages look more plausible
}
}>Is any/everyone else getting these?
}
}yes, no
}
}>Yesterday I had around 800 of these messages, and they seem to be increasing
}>exponentially.
}
}you could of course have a mail loop ... as I said initially, without a
}copy of the message it's hard to say :(
Thanks Richard (and others posting further down)
Headers:
Return-path: <>
Received: from punt-3.mail.demon.net by mailstore
for mar...@mjrigby.demon.co.uk id 1AtWXQ-0007dX-GM;
Wed, 18 Feb 2004 18:35:12 +0000
Received: from [194.217.242.71] (helo=anchor-hub.mail.demon.net)
by punt-3.mail.demon.net with esmtp id 1AtWXQ-0007dX-GM
for mar...@mjrigby.demon.co.uk; Wed, 18 Feb 2004 18:35:12 +0000
Received: from [64.7.16.41] (helo=infomak.com)
by anchor-hub.mail.demon.net with smtp id 1AtWXP-0000AE-CA
for mar...@mjrigby.demon.co.uk; Wed, 18 Feb 2004 18:35:11 +0000
Received: (qmail 20600 invoked for bounce); 18 Feb 2004 10:50:58 -0000
Date: 18 Feb 2004 10:50:58 -0000
From: MAILER...@infomak.com
To: mar...@mjrigby.demon.co.uk
Subject: failure notice
Message-Id: <E1AtWXP-...@anchor-hub.mail.demon.net>
===========================================================================
Body
Hi. This is the qmail-send program at infomak.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.
<gvm...@infomak.com>:
Sorry, no mailbox here by that name. (#5.1.1)
--- Below this line is a copy of the message.
Return-Path: <mar...@mjrigby.demon.co.uk>
Received: (qmail 20120 invoked from network); 18 Feb 2004 10:32:53 -0000
Received: from unknown (HELO smtp-out6.blueyonder.co.uk) (195.188.213.9)
by 0 with SMTP; 18 Feb 2004 10:32:53 -0000
Received: from 82-38-206-13.cable.ubr05.shef.blueyonder.co.uk ([82.38.206.13])
by smtp-out6.blueyonder.co.uk with Microsoft SMTPSVC(5.0.2195.5600);
Wed, 18 Feb 2004 10:47:21 +0000
Message-ID: <001601c3f670$f85632b2$da8f81ea@iwkqfecbltxj>
Reply-To: "=?windows-1251?B?xevl7eA=?=" <sa...@mail.com>
From: "=?windows-1251?B?xevl7eA=?=" <mar...@mjrigby.demon.co.uk>
To: <gv...@co.ru>,
<gvl...@mai.ru>,
<gvlad...@yandex.ru>,
<gvl...@corvu.com>,
<gv...@popmail.com>,
<g...@frog.ru>,
<g...@sch63.edu.yar.ru>,
<g...@skmost.ru>,
<g...@ua.fm>,
<gvm...@gvenglish.com>,
<gvme...@eunet.yu>,
<gvm...@infomak.com>,
<gvm...@attglobal.net>,
<g...@nadym.ru>,
<g...@nadym.rues@ipcom.ru>,
<g...@voskresensk.ru>,
<gvoe...@mosproject.ru>,
<gv...@extra.hu>,
<gvol...@glasnet.ru>,
<gvor...@bigfoot.com>,
<gvo...@yandex.ru>,
<gvoz...@land.ru>,
<gv...@cat.icp.ac.ru>,
<gv...@deol.ru>,
<gv...@irnet.ru>,
<gv...@witenights.ru>,
<gvoz...@yandex.ru>,
<gvo...@dialup.ptt.ru>,
<gvo...@infline.ru>,
<gvo...@karelia.iasnet.ru>,
<gvo...@mailexcite.com>,
<gvo...@ufn.ioc.ac.ru>,
<gvo...@uniyar.ac.ru>,
<gvozd...@mtu-net.ru>,
<gvoz...@duma.gov.ru>,
<gvoz...@potolok.com>,
<gvo...@takas.lt>,
<gvoz...@centro.ru>,
<gvo...@siberianet.ru>,
<gvo...@gross.ru>,
<gvoz...@mtu-net.ru>,
<
Subject: =?windows-1251?B?xuXt+ejt4CDiIOHo5+3l8eU=?=
Date: Wed, 18 Feb 2004 13:43:30 +0300
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_00B9_01C2A75B.5DB29350"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Return-Path: mar...@mjrigby.demon.co.uk
X-OriginalArrivalTime: 18 Feb 2004 10:47:23.0706 (UTC)
FILETIME=[976D29A0:01C3F60C]
This is a multi-part message in MIME format.
------=_NextPart_000_00B9_01C2A75B.5DB29350
Content-Type: text/plain;
charset="windows-1251"
Content-Transfer-Encoding: quoted-printable
------=_NextPart_000_00B9_01C2A75B.5DB29350
Content-Type: text/html;
charset="windows-1251"
Content-Transfer-Encoding: quoted-printable
<HTML><HEAD><TITLE></TITLE>
=========================================================================
Then a load of HTML which I have snipped.
This is just a random sample, no idea really how typical it is.
One other (deleted earlier) appeared to have "identified me a source of bulk
UCE ..." or some similar terminology - that message appeared to come from
Belgium.
The ".ru" appears to be a very common ingredient.
Thanks, and hope this is of some use
--
Martin Rigby
>Return-Path: <mar...@mjrigby.demon.co.uk>
>Received: (qmail 20120 invoked from network); 18 Feb 2004 10:32:53 -0000
>Received: from unknown (HELO smtp-out6.blueyonder.co.uk) (195.188.213.9)
> by 0 with SMTP; 18 Feb 2004 10:32:53 -0000
>Received: from 82-38-206-13.cable.ubr05.shef.blueyonder.co.uk ([82.38.206.13])
>by smtp-out6.blueyonder.co.uk with Microsoft SMTPSVC(5.0.2195.5600);
> Wed, 18 Feb 2004 10:47:21 +0000
an insecure blueyonder customer is relaying spam which has been forged
to come from you :( people who reject it will create a message back to
you (as required by the standards)
complain to <ab...@blueyonder.co.uk>
}In article <qgc730tc8u4vfbk98...@4ax.com>, Martin Rigby
}<martin...@hotmail.com> writes
}
}>Return-Path: <mar...@mjrigby.demon.co.uk>
}>Received: (qmail 20120 invoked from network); 18 Feb 2004 10:32:53 -0000
}>Received: from unknown (HELO smtp-out6.blueyonder.co.uk) (195.188.213.9)
}> by 0 with SMTP; 18 Feb 2004 10:32:53 -0000
}>Received: from 82-38-206-13.cable.ubr05.shef.blueyonder.co.uk ([82.38.206.13])
}>by smtp-out6.blueyonder.co.uk with Microsoft SMTPSVC(5.0.2195.5600);
}> Wed, 18 Feb 2004 10:47:21 +0000
}
}an insecure blueyonder customer is relaying spam which has been forged
}to come from you :( people who reject it will create a message back to
}you (as required by the standards)
}
}complain to <ab...@blueyonder.co.uk>
Thanks,
Before I do (which will probably be this evening), do I presume correctly that
this is an "open mail relay" issue, the kind of things we Demon customers have
been warned on a fairly regular basis not to operate, or is this something
different?
Regards
--
Martin Rigby
>On Wed, 18 Feb 2004 22:16:34 +0000, Richard Clayton <ric...@highwayman.com>
>uttered:
>
>}an insecure blueyonder customer is relaying spam which has been forged
>}to come from you :(
>Before I do (which will probably be this evening), do I presume correctly that
>this is an "open mail relay" issue,
it could be an open proxy, or a trojan dropped by a virm....
> } }complain to <ab...@blueyonder.co.uk>
>
> Thanks,
>
> Before I do (which will probably be this evening), do I presume
> correctly that this is an "open mail relay" issue, the kind of things
> we Demon customers have been warned on a fairly regular basis not to
> operate, or is this something different?
Probably not an open relay - the spam that forged your address in the
return-path was injected directly by a BlueYonder MTA. Clueless as
BlueYonder evidently are, I doubt that machine is an open relay. It got
to the BlueYonder mailserver from a customer machine that isn't a proper
mailserver - a relay would have added its own Received: header. It's
either a proxy, an owned machine, or some kind of zombie. Or all three.
BlueYonder are emitting spam on behalf of a customer machine through
their own mailserver. 195.188.213.9 is listed on numerous blocklists for
spamming; that means that BlueYonder customers will have their mail
bounced at lots of places. Evidently BlueYonder don't care. They are
primarily a cable-tv company, after all.
If I want TV channels, I don't ask a telephone company. If I want
telephone services, I don't ask an ISP. And conversely, if I want
internet service, I don't ask a television company (not any more).
--
Jack
[Refugee from NTLWorld]
openrbl.org list of DNSBL blocklists this particular IP address
currently appears on:
http://openrbl.org/ip/82/38/206/13.htm
The most informative and useful DNSBL listing:
http://dsbl.org/listing?82.38.206.13
This particular machine has, or had on 16 February 2004, multiple
exploitable insecure open proxy vulnerabilities:
Port 80, HTTP POST
Port 1080, SOCKS4
Port 1080, SOCKS5
This is probably, at a guess, a misconfigured Microsoft Internet Security
& Acceleration Server, or something similar.
A 2002 ZDNet UK article explaining the issue of hijacked open proxies
in general:
http://news.zdnet.co.uk/story/0,,t269-s2122679,00.html
Another useful URL:
http://www.fr2.cyberabuse.org/?page=abuse-proxy
--
Anthony
ant...@catfish.demon.co.uk
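Richard's and Jack's reading of the Received: chain, and Anthony's DNSBL lookup of the originating address, can be done mechanically. The script below is an added example for this thread, not code posted by any participant: it walks the Received: headers of the bounced copy from the earliest hop, reports the machine that handed the mail to the first real MTA, flags that the Return-Path domain never appears anywhere in the chain, and builds the reversed-octet name a DNSBL lookup would use. The sample headers are constructed from the hostnames and IP addresses quoted in Martin's post with placeholder mailbox names; `dnsbl.example` is a placeholder list zone, not a real DNSBL.

```python
"""Walk a bounced message's Received: chain back to its injection point.

Added example for this thread, not code posted by any participant. The
sample below is constructed to mirror the "copy of the message" section of
the qmail bounce Martin posted: hostnames and IP addresses are the ones
quoted in the thread, the mailbox local parts are placeholders.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (placeholder local parts, hosts/IPs from the posted bounce).
SAMPLE = """\
Return-Path: <someone@mjrigby.demon.co.uk>
Received: (qmail 20120 invoked from network); 18 Feb 2004 10:32:53 -0000
Received: from unknown (HELO smtp-out6.blueyonder.co.uk) (195.188.213.9)
  by 0 with SMTP; 18 Feb 2004 10:32:53 -0000
Received: from 82-38-206-13.cable.ubr05.shef.blueyonder.co.uk ([82.38.206.13])
  by smtp-out6.blueyonder.co.uk with Microsoft SMTPSVC(5.0.2195.5600);
  Wed, 18 Feb 2004 10:47:21 +0000
From: "Somebody" <someone@mjrigby.demon.co.uk>
To: <recipient@example.invalid>
Subject: constructed sample

(body omitted)
"""

# "from <name> [(HELO <name>)] ... (<ip>) or ([<ip>]) ... by <name>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)"
    r"(?:\s+\(HELO\s+(?P<helo>[^)\s]+)\))?"
    r".*?\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)"
    r".*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(value):
    """Return {'from','helo','ip','by'} for one Received: header, or None for
    hops that name no sending host and IP (e.g. qmail's local 'invoked' line)."""
    flat = " ".join(value.split())          # unfold continuation lines
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    hop = m.groupdict()
    hop["by"] = hop["by"].rstrip(";")
    return hop


def _in_domain(host, domain):
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def analyse(raw_message):
    """Summarise where the message entered the mail system and whether the
    Return-Path domain appears anywhere in the delivery chain."""
    msg = message_from_string(raw_message)
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    rp_domain = return_path.rpartition("@")[2].lower()

    # Received: headers are prepended by each MTA, so the last one is the
    # earliest hop: the machine that first handed the mail to a real MTA.
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    origin = hops[-1] if hops else None

    names = [n for h in hops for n in (h["from"], h["helo"], h["by"]) if n]
    seen_rp_domain = any(_in_domain(n, rp_domain) for n in names) if rp_domain else False

    return {
        "return_path_domain": rp_domain,
        "hops": hops,
        "origin_host": origin["from"] if origin else None,
        "origin_ip": origin["ip"] if origin else None,
        "first_mta": origin["by"] if origin else None,
        # Caveat: absence is evidence, not proof; legitimate mail sent through a
        # third-party smarthost also never shows the sender's own domain here.
        "forged_domain": bool(rp_domain) and not seen_rp_domain,
    }


def dnsbl_name(ip, zone):
    """DNSBL query name for an IPv4 address: reversed octets under the list's
    zone (zone is a placeholder here; substitute a real list's zone)."""
    return ".".join(reversed(ip.split("."))) + "." + zone


if __name__ == "__main__":
    report = analyse(SAMPLE)
    print("Return-Path domain :", report["return_path_domain"])
    print("injected from      :", report["origin_host"], report["origin_ip"])
    print("first real MTA     :", report["first_mta"])
    print("domain forged?     :", report["forged_domain"])
    print("DNSBL lookup       :", dnsbl_name(report["origin_ip"], "dnsbl.example"))
```

On the posted headers this reports the cable-modem host as the origin and smtp-out6.blueyonder.co.uk as the first MTA, which is Jack's point: the customer machine added no Received: header of its own, so it is not a mail server that relayed the message but the machine the spam was sent from. The qmail "invoked from network" line names no sending host and is skipped. The forgery flag only says the Return-Path domain is absent from the chain; treat that as supporting evidence alongside a blocklist hit on the origin address, not as proof on its own.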
Thanks to all the posters, I have just sent an email to BlueYonder (more in
hope than in anticipation it has to be said), so let's see what happens.
Norton AV just detected a virus from two "legitimate" emails - d'oh!
It's crazy out there!
Cheers
Martin
Any suggestions apart from applying for a new domain? :-(
--
Gordon
If they're proper error messages, they won't have the SMTP-level data to
send an error message back, and so you can bounce them by any method you
like. I use SMTP software, and reject emails to an invalid UserID.
There are Perl scripts which will delete such emails via the POP3
server, and a Windows version of Perl. Spam-filter programs can be set
to do the same. Specific email programs may have features to deal with
this, too.
You are getting a lot. Whatever you do, it's a good idea to delete the
rejected emails from the server, rather than just not collect them.
<... snip>
I've got much the same story - hundreds of 'Mail Delivery Failure'
notices or 'You have a virus' notices delivered mostly to fake email
names@cockaigne. When I look at the headers of these messages it's clear
that the offending message was labelled as being from cockaigne but the
originating DNS has nothing to do with me, just like Martin's messages.
Although it's a terrific bore, and thank demon for Brightmail or I'd be
snowed under altogether, it's not difficult to delete them.
What worries me is that sooner or later some Brightmail-type program is
going to identify cockaigne as a spammer address. Is this possible,
probable, or do these antispam programs understand that the headers are
forged?
--
Kate B
PS 'elvira' is spamtrapped - please reply to 'elviraspam' at cockaigne if you want
to reply personally
It's a real PITA though, and I hope whoever originates it soon moves on
to better things. :-(
--
Gordon
What I do is accept only the bounce messages sent to my real identities.
And then use envelope rejection to zap anything that has been forged to
look like it came from my domain but from a non-existent user.
/<>$/f will zap everything with a null return path
(be sure to put accept rules for any real IDs ahead of it)
You don't want to lose real undeliverable message warnings.
I note that recently something new? is forging a lot of stuff from
<random_word>mar...@n.d.c.u et al.
Most times the spammers only use your domain for a short while so you
just have to live with it. If you are feeling energetic check the
headers for any major corporate types with unsecured open mail relays.
OTOH the current crop look like they are from yet another Trojan.
Regards,
--
Martin Brown
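The policy David Lord, David Bell and Martin Brown describe (keep mail and bounces for genuine identities, reject the rest at the server so it is never collected) comes down to a short ordered rule list evaluated against the SMTP envelope. The following Python is an added example, not code from any poster; it models Martin Brown's ordering, with accept rules for real IDs ahead of the catch-all that zaps a null return path, and shows what goes wrong when the order is reversed. The domain, identities and the batch of envelopes are constructed placeholders.

```python
"""Ordered envelope rules for backscatter: keep bounces for real identities,
drop bounces and mail to local parts that do not exist.

Added example for this thread, not code from any poster. Domain, identity
list and sample envelopes are constructed placeholders.
"""
from dataclasses import dataclass

DOMAIN = "example.co.uk"                      # constructed recipient domain
REAL_IDS = {"martin", "postmaster", "abuse"}  # constructed set of genuine local parts


@dataclass
class Envelope:
    mail_from: str   # SMTP MAIL FROM address; "" is the null sender <>
    rcpt_to: str     # SMTP RCPT TO address


def parse_path(token):
    """Turn an SMTP path such as '<user@host>' or '<>' into a bare address."""
    token = token.strip()
    if token.startswith("<") and token.endswith(">"):
        token = token[1:-1]
    return token.strip()


def local_part(addr):
    return addr.rpartition("@")[0].lower()


def is_local(addr):
    return addr.rpartition("@")[2].lower() == DOMAIN


# Each rule returns "accept", "reject" or None (no opinion). First verdict wins.
def rule_real_identity(env):
    """Mail, including bounces, to a genuine identity is always kept, so real
    undeliverable-message warnings are not lost."""
    if is_local(env.rcpt_to) and local_part(env.rcpt_to) in REAL_IDS:
        return "accept"
    return None


def rule_null_sender(env):
    """Equivalent of the '/<>$/f' catch-all: any remaining null-sender message
    is a bounce to a forged local part."""
    return "reject" if env.mail_from == "" else None


def rule_unknown_user(env):
    """Anything else addressed to a local part that does not exist is rejected
    at the envelope, so the sender gets a 5xx and nothing is stored."""
    if is_local(env.rcpt_to) and local_part(env.rcpt_to) not in REAL_IDS:
        return "reject"
    return None


RULES = [rule_real_identity, rule_null_sender, rule_unknown_user]


def decide(env, rules=RULES):
    for rule in rules:
        verdict = rule(env)
        if verdict:
            return verdict
    return "accept"


def triage(envelopes, rules=RULES):
    """Count verdicts over a batch of envelopes, e.g. one day's collection."""
    counts = {"accept": 0, "reject": 0}
    for env in envelopes:
        counts[decide(env, rules)] += 1
    return counts


# Constructed sample: two genuine messages, one real bounce, and a run of
# bounces addressed to invented local parts at our domain.
SAMPLE_BATCH = [
    Envelope("friend@example.net", "martin@example.co.uk"),
    Envelope("", "martin@example.co.uk"),              # real undeliverable warning
    Envelope("friend@example.net", "abuse@example.co.uk"),
] + [Envelope("", f"gvm{i}@example.co.uk") for i in range(50)]


if __name__ == "__main__":
    print(triage(SAMPLE_BATCH))
    # Reversing the first two rules discards the genuine bounce as well:
    print(decide(Envelope("", "martin@example.co.uk"),
                 rules=[rule_null_sender, rule_real_identity]))
```

The order matters exactly as Martin Brown warns: with `rule_null_sender` ahead of `rule_real_identity` the genuine bounce to `martin` is thrown away along with the backscatter. Rejecting at RCPT TO rather than accepting and bouncing is also what keeps this from adding to the problem, since a rejected message generates no new bounce from your side.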
As it 'appens, I did that for one day, then the flood dropped from 3000
per day to 62 overnight, but after a quiet spell of 30 per day it has
gone into 3 figures again. I don't like bouncing stuff back into the
system, but will do so intermittently in case it is helping to stop the
flow.
--
Gordon