Mail Delivery System emails???
Walter Goldschmidt
System. Subject:Mail Delivery Failure. Then below I have pasted what they
say. The also have an attached file which I scanned for a virus and found
none. The attached file is called ATT00069.dat I've attached that file
but I don't know if it will come through or not. Appreciate any help on
this.
Walt
This message was created automatically by the mail system (ecelerity).
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
>>> Webbe...@msn.com (after RCPT TO): 550 Requested action not taken:
>>> mailbox unavailable
--------------------------------------------------------------------------------
------ This is a copy of the original message, including all headers. ------
Return-Path: <wgolds...@woh.rr.com>
Authentication-Results: cdptpa-omtalb.mail.rr.com
smtp.user=wgolds...@woh.rr.com; auth=pass (PLAIN)
X-Authority-Analysis: v=1.1 cv=Inhw+Jdt7z1D3BivGPfn2aw54OvUEJw5lAn/booRZkE=
c=1 sm=0 a=8YLJaDplg2QA:10 a=IkcTkHD0fZMA:10 a=U6zP4io0eyXriI5kRbCzZQ==:17
a=d7R94OsRAAAA:20 a=gjV1xc0t9rE_m_cTh2YA:9 a=Z8v8luvMMntYOCPAby4A:7
a=dGo9NWTa6S_Fgz_JYQY6Zxa1k0oA:4 a=QEXdDO2ut3YA:10 a=F0BH2fg0mm0A:10
a=U6zP4io0eyXriI5kRbCzZQ==:117
X-Cloudmark-Score: 0
X-Originating-IP: 190.41.121.100
Received: from [190.41.121.100] ([190.41.121.100:17547] helo=Devin)
by cdptpa-oedge04.mail.rr.com (envelope-from <wgolds...@woh.rr.com>)
(ecelerity 2.2.3.46 r()) with ESMTPA
id 12/1D-13137-F4627CC4; Tue, 26 Oct 2010 19:04:47 +0000
Message-ID: <5E40AE51...@woh.rr.com>
Date: Tue, 26 Oct 2010 14:04:49 -0500
From: Devin Rheome <wgolds...@woh.rr.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en; rv:1.9.2.7)
Gecko/20100713 Thunderbird/3.1.1
MIME-Version: 1.0
To: "Webber00799" <Webbe...@msn.com>
Subject: D'o you id;entify m'e o:n that picture?
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<title>D'o you id;entify m'e o:n that picture?</title>
</head>
<body bgcolor="#ffffff" text="#000000">
<a href="http://LNK.by/edq3P">http://LNK.by/edq3P</a>
Name was dark eyes and called<br>
Help thinking as much better. Whether he sat down beside the matter<br>
Rejoined kate gently at length in short<br>
<br>
</body>
</html>
Magnus
receiving account is over capacity, or that MSN rejected the email as spam.
Like a fool I checked the link.
It appears to be using your smtp server and account password (I'm not 100%
sure of this)
Are you sending these intentionally? (I doubt)
Do these messages also appear in your Sent folder? (big trouble)
Is the "to" email in your address book? (probably not)
>>>>Please expunge your email info when posting<<<<<
This is how the spammers get your address.
Download malwarebytes antimalware and superantispyware. Install, and update
their signature files. Do a FULL scan of your system one at a time. Clean,
reboot to safe mode, and scan again.
It would be prudent to change your email password with road runner.
"Walter Goldschmidt" <@woh.rr.com> wrote in message
news:ia79it$m9j$1...@news.eternal-september.org...
> Keep getting these emails, about 20 to 30 a day. They say From:Mail
> Delivery
> System. Subject:Mail Delivery Failure. Then below I have pasted what they
> say. The also have an attached file which I scanned for a virus and found
> none. The attached file is called ATT00069.dat I've attached that
> file
> but I don't know if it will come through or not. Appreciate any help on
> this.
>
>
> Walt
>
> This message was created automatically by the mail system (ecelerity).
>
> A message that you sent could not be delivered to one or more of its
> recipients. This is a permanent error. The following address(es) failed:
>
>>>> Webbe...@msn.com (after RCPT TO): 550 Requested action not taken:
>>>> mailbox unavailable
>
>
>
> --------------------------------------------------------------------------------
>
>
> ------ This is a copy of the original message, including all
> headers. ------
>
> Return-Path: <XXXX...@woh.rr.com>
> Authentication-Results: cdptpa-omtalb.mail.rr.com
> smtp.user=XXXX...@woh.rr.com; auth=pass (PLAIN)
> X-Authority-Analysis: v=1.1
> cv=Inhw+Jdt7z1D3BivGPfn2aw54OvUEJw5lAn/booRZkE=
> c=1 sm=0 a=8YLJaDplg2QA:10 a=IkcTkHD0fZMA:10 a=U6zP4io0eyXriI5kRbCzZQ==:17
> a=d7R94OsRAAAA:20 a=gjV1xc0t9rE_m_cTh2YA:9 a=Z8v8luvMMntYOCPAby4A:7
> a=dGo9NWTa6S_Fgz_JYQY6Zxa1k0oA:4 a=QEXdDO2ut3YA:10 a=F0BH2fg0mm0A:10
> a=U6zP4io0eyXriI5kRbCzZQ==:117
> X-Cloudmark-Score: 0
> X-Originating-IP: 190.41.121.100
> Received: from [190.41.121.100] ([190.41.121.100:17547] helo=Devin)
> by cdptpa-oedge04.mail.rr.com (envelope-from <XX...@woh.rr.com>)
> (ecelerity 2.2.3.46 r()) with ESMTPA
> id 12/1D-13137-F4627CC4; Tue, 26 Oct 2010 19:04:47 +0000
> Message-ID: <5E40AE51...@woh.rr.com>
> Date: Tue, 26 Oct 2010 14:04:49 -0500
> From: Devin Rheome <XXXX...@woh.rr.com>
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en; rv:1.9.2.7)
> Gecko/20100713 Thunderbird/3.1.1
> MIME-Version: 1.0
> To: "Webber00799" <Webbe...@msn.com>
> Subject: D'o you id;entify m'e o:n that picture?
> Content-Type: text/html; charset=UTF-8
> Content-Transfer-Encoding: 7bit
>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
> <html>
> <head>
>
> <meta http-equiv="content-type" content="text/html; charset=UTF-8">
> <title>D'o you id;entify m'e o:n that picture?</title>
> </head>
> <body bgcolor="#ffffff" text="#000000">
> <a href="http://LNK.by/XXXXX">http://LNK.by/XXXXX</a>
Walter Goldschmidt
they aren't in my address book. Also not in my sent folder. I'll change my
password. I've got Kaspersky Internet Security on my computer and I've gone
to Kaspersky's web site and downloaded a virus removal tool called
VirutKiller and ran it after disabling System Restore but it didn't find
anything. Also the email address I have listed is not my true address. I'll
also try those 2 programs you mentioned and change my password then I'll let
you know what I find out. Thanks.
Walt
"Magnus" wrote in message news:3cHxo.189$st3...@newsfe18.iad...
Magnus
the from source on a spam system completely apart from you and your account.
To be sure, check your webmail interface sent folder. If you see nothing
unusual here, you're just a victim of a virulent spamming jerk. If that's
the case, changing your password will have no effect and you'll continue to
receive the bouncing emails until the spammer swaps your email address for
another.
At Earthlink I'd get these maybe a few times a month, and figure they were
random. But at your level, I'd want to check that nothing has been
compromised.
"Walter Goldschmidt" <wg...@woh.rr.com> wrote in message
news:ia7mth$dq5$1...@news.eternal-september.org...
N. Miller
> Keep getting these emails, about 20 to 30 a day. They say From:Mail Delivery
> System. Subject:Mail Delivery Failure. Then below I have pasted what they
> say. The also have an attached file which I scanned for a virus and found
> none. The attached file is called ATT00069.dat I've attached that file
> but I don't know if it will come through or not. Appreciate any help on
> this.
The attachment is failing to open in my client. The following header line
from your posted "original message" is interesting:
| Received: from [190.41.121.100] ([190.41.121.100:17547] helo=Devin)
| by cdptpa-oedge04.mail.rr.com (envelope-from <wgolds...@woh.rr.com>)
| (ecelerity 2.2.3.46 r()) with ESMTPA
| id 12/1D-13137-F4627CC4; Tue, 26 Oct 2010 19:04:47 +0000
This is saying that a Road Runner mail server (operated by RR for their
customers) got the email from a host on the 'Telefonica del Peru' network;
probably an ISP customer because there is no rDNS on the IP address (typical
of dynamic hosts in Latin America (LACNIC) and Asia (APNIC).
The problem, that I can see, is that the Hotmail address of the recipient is
no good, or the mailbox is full (unlikely, I think, because Hotmail
mailboxes are pretty large). And this appears to be a Road Runner message
submission server, which is relaying from Peru. So the spammer appears to be
using your email account credentials (Username+Password) to induce the Road
Runner message submission servers to send this spam as you. This will not be
the first time that an ISP account has been compromised by spammers in order
to evade port 25 blocks.
It is unlikely that your computer is compromised. More likely just your Road
Runner email account has been compromised. When you change your account
password, consider using a password at least sixteen characters in length,
and a random mix of upper and lower case alpha characters, numerals, and at
least one "special character" (pound sign (#), caret (^), or whatever, if RR
allows.
This sort of compromise it the target of "phishing" attempts, where an ISP
email account holder is told that the ESP is revamping their email system,
and the user must validate their account by sending the account
Username+Password, or lose that account. I've seen Hotmail and AT&T email
account users asking if such a request is a valid request from those
respective services. I am sure that Road Runner users are not exempt from
such phishing attempts.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum
Walter Goldschmidt
malwarebytes antimalware & superantispyware in both regular mode and safe
mode. I found 59 adware's using superantispyware in regular mode and none
when I ran it in safe mode. After running malwarebytes I found 1 malware in
regular mode and none in safe mode. That was on my laptop. On my desktop I
found a lot more with superantispyware in regular mode and a lot less in
safe mode. Also same with malwarebytes. I don't know if 2 computers on same
link can effect each other or not. The laptop has a wireless connection and
the desk top a hard wired. The laptop is used 95% of the time. I do very
little porn searching but hey I'm a man and occasionally I do catch myself
checking the women out. I also do a little movie & music downloading using
BitTorrent. Since the changes last night I haven't received any of those
emails so far today. Give me another day and I'll let you know if I get
anymore. I may have a few questions for you guys too since you seem to be
knowledgeable on this. Thanks.
Walt
"N. Miller" wrote in message news:pqmltcx23d7l$.dlg@msnews.aosake.net...
Walter Goldschmidt
Walt
"Walter Goldschmidt" wrote in message
news:ia96cq$i4r$1...@news.eternal-september.org...
Ildhund
It's only a text file:
================
Arrival-Date: Tue, 26 Oct 2010 19:04:48 +0000
Reporting-MTA: dns; cdptpa-oedge04.mail.rr.com
Last-Attempt-Date: Tue, 26 Oct 2010 19:04:48 +0000
Final-Recipient: rfc822; Webbe...@msn.com
Action: failed
Remote-MTA: dns; mx4.hotmail.com
Diagnostic-Code: smtp; 550 Requested action not taken: mailbox unavailable
Status: 5.0.0
==================
--
Noel
N. Miller
> Also the attached file is a dat file, can you even open them types (dat)?
My client throws an exception error when it tries. Probably doesn't have a
specified handler for the .dat extension. It is a problem on my end, and one
I don't normally encounter, so I don't really feel like trying to find a
solution.
Walter Goldschmidt
improvement. This one had 2 attached files. One is pasted below. Also the
original dat file I included in my original posting is included below. Maybe
I fixed the problem but I don't know if it's because I changed my Road
Runner password or because of the virus scan. I'll post again every day for
next few days to let you know if I get anymore. Thanks.
Walt
This is what the attachment I hac_ked in;to Cla;s said.
I hac*ked int;o Cla;ssmates. Do yo;u see your girlfriend pictures h_ere?
Neil Rolison
To: Waerhg<Wae...@yah.com>;
http://spedr.com/4xyr2 Frank is none but also
Wait and say where is gone. Surely not yet for god help
Mr brass plate and looked out that
This is what attached dat file said.
al-Date: Tue, 26 Oct 2010 19:04:48 +0000
Reporting-MTA: dns; cdptpa-oedge04.mail.rr.com
Last-Attempt-Date: Tue, 26 Oct 2010 19:04:48 +0000
Final-Recipient: rfc822; Webbe...@msn.com
Action: failed
Remote-MTA: dns; mx4.hotmail.com
Diagnostic-Code: smtp; 550 Requested action not taken: mailbox unavailable
Status: 5.0.0
"N. Miller" wrote in message news:rd7nak24...@msnews.aosake.net...
R. C. White
Much furor over nothing, I think.
Someone is sending emails (doesn't matter what the payload is) using your
address. The recipient's address is not working for SOME reason, which need
not concern you. So the addressed server (MSN.com) is "bouncing" the
message back to what it thinks is the sender - that's YOU. And the Mail
Delivery System is simply notifying YOU that it can't deliver that mail.
Often the "failure" message will say that it will keep retrying for 5 days,
or some other period. But your message says it is a "permanent error"
because the mailbox is "unavailable". Not just that there is a glitch
somewhere along the delivery route; the message got as far as msn.com, but
the recipient's address is invalid for some reason. So, the cycle is
complete: Sent mail; can't deliver and retrying won't help; put message in
Bit Bucket (formerly the Dead Letter File when real paper was involved) and
notify Sender; Case Closed! Next!
By the way, you can read that .dat file by right-clicking on it and using
Notepad. But it's not worth the trouble. Here's what it says:
<paste>
Arrival-Date: Tue, 26 Oct 2010 19:04:48 +0000
Reporting-MTA: dns; cdptpa-oedge04.mail.rr.com
Last-Attempt-Date: Tue, 26 Oct 2010 19:04:48 +0000
Final-Recipient: rfc822; Webbe...@msn.com
Action: failed
Remote-MTA: dns; mx4.hotmail.com
Diagnostic-Code: smtp; 550 Requested action not taken: mailbox unavailable
Status: 5.0.0
</paste>
If this was a valid message that you had actually sent, you could try to
track it down. But since you didn't send it anyhow, why bother?
This is one of the most-common nuisances in email. The SPAMMER finds a list
of address in somebody's address book. Since these "friends" are all
connected in some way, there's a good chance that any one of them will open
a message from any other one. So the SPAMMER has a pretty high confidence
that his message will be read if he makes the recipient think that the
message is coming from a friend. So he creates his SPAM message and Sends
it to one of the names, after inserting another of the names into the From
box. At that point, the SPAMMER's job is done. He doesn't even care if the
message gets bounced to "the sender".
Where does the SPAMMER get lists of names? Possibilities are endless, but
all those chain Forwards (from AOLers and others) with addresses of
"Everybody you know" - and everybody each of them knows, ad infinitum - are
prime sources. If only these clueless newbies would just learn to edit out
all the forwarded addresses... :>(
Bottom line: YOUR message has now died its natural death. Delete it and
forget about it.
RC
--
R. C. White, CPA
San Marcos, TX
r...@grandecom.net
Microsoft Windows MVP (2002-9/30/10)
Windows Live Mail Version 2011 (Build 15.4.3502.0922) in Win7 Ultimate x64
SP1 beta
"Walter Goldschmidt" wrote in message
news:ia79it$m9j$1...@news.eternal-september.org...
Magnus
contain routing information. It's unlikely they were part of the original
message. If you're curious, you can open them with Notepad.
"Walter Goldschmidt" <wg...@woh.rr.com> wrote in message
news:iabvrg$sm6$1...@news.eternal-september.org...
Walter Goldschmidt
own. If you read my last post I've included the original dat file at the
bottom of my post. Also I understand about there not being any such email
address and that's why I'm getting these messages. I'm not the one sending
the emails and all I'm concerned about is stopping these irritating emails
from the Mail Delivery System. They are filling up my Inbox.
Walt
"R. C. White" wrote in message
news:bOydnQ_BYpKOHlTR...@posted.grandecom...
N. Miller
> Much furor over nothing, I think.
>
> Someone is sending emails (doesn't matter what the payload is) using your
> address.
Well, except for the fact that the sender appears to be able to log in to
the Road Runner message submission server using the OP's login credentials.
I'd consider that very worrisome. If someone were not just posing as me to
send an email (that has been done to me in the past), but posing as me to
log in to the message submission server which handles my email (I've never
had that happen to me!)
Walter Goldschmidt
password corrected the problem. I don't remember getting any emails asking
me to confirm my account details but it is possible that happened and I just
don't remember. I've been aware of this kind of email asking for account
details for about 1 or 2 months and I no longer click on the link in my
email to go to my online accounts. I go to IE Favorites folder and go to my
sites that way in order to be safe. I'll post the next 2 mornings to let you
know if I get any more. Thanks everybody.
Walt
"N. Miller" wrote in message news:pqmltcx23d7l$.dlg@msnews.aosake.net...
Magnus
"Walter Goldschmidt" <wg...@woh.rr.com> wrote in message
news:iaefsn$u14$1...@news.eternal-september.org...
N. Miller
> In last 24 hours no more returned emails. Probably changing my Road Runner
> password corrected the problem. I don't remember getting any emails asking
> me to confirm my account details but it is possible that happened and I just
> don't remember. I've been aware of this kind of email asking for account
> details for about 1 or 2 months and I no longer click on the link in my
> email to go to my online accounts. I go to IE Favorites folder and go to my
> sites that way in order to be safe. I'll post the next 2 mornings to let you
> know if I get any more. Thanks everybody.
That is good to hear. However, the "phish" may not be the only mechanism to
compromise account details. I don't know how Road Runner works, but the big
ESPs ("Email Service Providers"), such as MSN ("Windows Live Hotmail") and
Yahoo! appear to have had issues with user account details being compromised
by means other than "phishing". Possibly weak passwords, I suppose, which
can be "brute forced".
Walter Goldschmidt
Windows Live Mail.
Walt
"N. Miller" wrote in message news:d9tkk9hgw2uk$.dlg@msnews.aosake.net...
Ildhund
big ESPs ("Email Service Providers"), such as MSN ("Windows Live Hotmail")
Walter Goldschmidt
how did this guy get my Roadrunner email username and password? Was it a web
site I visited or something else.
Walt
"N. Miller" wrote in message news:c7sbir56...@msnews.aosake.net...
Magnus
(where you think your logging into a known site)... stay away from those
p0rn sites ::)
You're luck this showed up as bounced mail. They could have been sending
death threats to govmt officials or accessing illegal sites in YOUR name...
"Walter Goldschmidt" <wg...@woh.rr.com> wrote in message
news:iah77g$fb0$1...@news.eternal-september.org...
...winston
accounts(msn.com).
All accounts are accessible in Msft products using the Pop3 or Http
protocols.
While MSN did reorganize and move Hotmail and Messenger to the Live
platform(completed in 2005/06), they retained the subscription base..
Due to that long term MSN brand name(past and current) many still refer to
all things Live as MSN...though I notice that reference more from across
the pond in these continents(Europe, Asia, AU)
--
...winston
msft mvp mail
"Ildhund" wrote in message news:iagtqr$euj$1...@news.eternal-september.org...
Gary VanderMolen
means nothing. Only the originating IP address is significant, but even there
a bot could have taken over the OP's machine.
Gary VanderMolen, Microsoft MVP (Mail)
------------------------------------------------------
"Magnus" wrote in message news:t8Zyo.3477$wQ1...@newsfe04.iad...