RE: RE: [Declude.JunkMail] Bounced viruses or e-mail I'm confused...
Sure thing, Marc. Posting here is a public resource!

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marc Catuogno
Sent: Tuesday, July 12, 2005 8:58 AM
To: Declude.JunkMail@declude.com
Subject: RE: RE: [Declude.JunkMail] Bounced viruses or e-mail I'm confused...

THANK YOU! I am going to forward this to Road Runner support (with your permission). I kept telling them that this was something going on THEIR network and they kept telling me no. I feel a little less like I am going crazy.

Thanks,
Marc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Tuesday, July 12, 2005 11:35 AM
To: Declude.JunkMail@declude.com
Subject: [OVER DELETE]RE: RE: [Declude.JunkMail] Bounced viruses or e-mail I'm confused...

Not all viruses use their own SMTP engine; this was likely one of the recent MyTob variants that tries to use the SMTP server of the current user. The virus can do this with some success because many ISPs use routing or firewalls to allow their users to use their servers as an open relay, because a) that buys them close relay status to the Internet, and b) it's easier than authentication. Also, many ISPs don't do outbound virus scanning on the basis of "we don't want a false positive to even possibly interfere with our customers' communications".

Here's a writeup on one of the recent viruses that uses the ISP's mail server:
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=43250

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marc Catuogno
Sent: Tuesday, July 12, 2005 7:43 AM
To: Declude.JunkMail@declude.com
Subject: RE:RE: [Declude.JunkMail] Bounced viruses or e-mail I'm confused...

Thanks for the explanation.
I figured that this is a home user with an infected PC claiming to be prudentialrand.com, but I guess where I am confused is that I thought most of the current viruses have their own SMTP engine and didn't use the ISP's mail server. So I didn't expect the ISP mail server to be involved. When I reported this to Road Runner, they said it had nothing to do with them or their network, so I thought I was way off the mark. But it is one of their users' infected machines sending through their SMTP. Um, right?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Robertson
Sent: Tuesday, July 12, 2005 10:00 AM
To: Declude.JunkMail@declude.com
Subject: [OVER DELETE]RE: [Declude.JunkMail] Bounced viruses or e-mail I'm confused...

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Marc Catuogno
> Sent: Monday, July 11, 2005 11:12 PM
> To: Declude.JunkMail@declude.com
> Subject: SV [Declude.JunkMail] Bounced viruses or e-mail I'm confused...
>
> Please bear with me. I've been getting bounces that I don't
> understand, and I do feel stupid. If any one has the time or patience
> to help me clear this up it would be appreciated:
>
> If a virus forges my e-mail address as the from and attempts to send
> it to a non-existent user on my domain - wouldn't the bounce message
> simply be coming from my domain? It looks like other servers are
> answering for prudentialrand.com - am I nuts? Highly confused?
> Screwed?

Unless I'm off the mark, this is backscatter mail. It is common for virus-infected or otherwise spamming computers to claim to be something they are not. What appears to be happening in your case is that an infected computer (claiming to be prudentialrand.com) sends out a message to its ISP's mail server. The ISP's mail server looks up the MX and sends the message to your mail server.
As soon as your server receives the RCPT TO information, it rejects the message because the recipient doesn't exist. Since your server rejected the message before actually accepting it (as it should), it is up to the sending server to send the bounce message. Since the original forged message has one of your addresses as the sender, the sending server delivers a bounce there.
>
> I see lines like the following in non deliverable messages:
>
> Received: from prudentialrand.com (cpe-68-174-20-197.si.res.rr.com
> [68.174.20.197]) --- the spamming computer claiming to be you
> by ms-smtp-03.rdc-nyc.rr.com (8.12.10/8.12.7) with ESMTP id
> j6BMlhGi015287 --- their RoadRunner mail server, most likely
> for <[EMAIL PROTECTED]>; Mon, 11 Jul 2005 18:47:44 -0400 (EDT)
> Message-Id: <[EMAIL PROTECTED]>
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
>
>
> Received: from prudentialrand.com (ipn36373-b01578.cidr.lightship.net
> [216.204.209.74])
> by spirit.lightshipmail.net (Postfix) with ESMTP id DD5571D5A6D
> for <[EMAIL PROTECTED]>; Mon, 11 Jul 2005 20:58:09 -0400 (EDT)
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
>
> FULL HEADERS BELOW:
>
> MESSAGE 1:
>
> Received: from spirit.lightshipmail.net [216.204.0.205] by --- ISP's mail server again
> mail.prudentialrand.com with ESMTP
> (SMTPD32-8.05) id A70D12200C6; Mon, 11 Jul 2005 21:04:13 -0400
> Received: by spirit.lightshipmail.net (Postfix) --- their mail server is running Postfix, which generated the bounce to you
> id 0B4BE1D5BBC; Mon, 11 Jul 2005 20:58:12 -0400 (EDT)
> Date: Mon, 11 Jul 2005 20:58:12 -0400 (EDT)
> From: [EMAIL PROTECTED] (Mail Delivery System)
> Subject: Undelivered Mail Returned to Sender
> To: [EMAIL PROTECTED]
> MIME-Version: 1.0
> Content-Type: multipart/report; report-type=delivery-status;
> boundary="DD5571D5A6D.1121129892/spirit.lightshipmail.net"
> Message-Id: <[EMAIL PROTECTED]>
> X-IMAIL-SPAM-VALFROM: (19005638)
> X-Declude-Sender: <> [216.204.0.205]
> X-Declude-Spoolname: D170d012200c613e1.SMD
> X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for
> spam.
> X-Spam-Tests-Failed: None [0]
> X-Country-Chain:
> X-Note: This E-mail was sent from ([216.204.0.205]).
>
> This is a MIME-encapsulated message.
>
> --DD5571D5A6D.1121129892/spirit.lightshipmail.net
> Content-Description: Notification
> Content-Type: text/plain
>
> This is the Postfix program at host spirit.lightshipmail.net.
>
> I'm sorry to have to inform you that your message could not be
> be delivered to one or more recipients. It's attached below.
>
> For further assistance, please send mail to
>
> If you do so, please include this problem report. You can
> delete your own text from the attached returned message.
>
> The Postfix program
>
> <[EMAIL PROTECTED]>: host mail.prudentialrand.com[64.63.165.172]
> said:
> 550 unknown user <[EMAIL PROTECTED]> (in reply to RCPT TO
> command)

This is the error your mail server replied with when spirit.lightshipmail.net tried to send the message, so spirit.lightshipmail.net is required to send the bounce.

> --DD5571D5A6D.1121129892/spirit.lightshipmail.net
> Content-Description: Delivery report
> Content-Type: message/delivery-status
>
> Reporting-MTA: dns; spirit.lightshipmail.net
> X-Postfix-Queue-ID: DD5571D5A6D
> X-Postfix-Sender: rfc822; [EMAIL PROTECTED]
> Arrival-Date: Mon, 11 Jul 2005 20:58:09 -0400 (EDT)
>
> Final-Recipient: rfc822; [EMAIL PROTECTED]
> Action: failed
> Status: 5.0.0
> Diagnostic-Code: X-Postfix; host mail.prudentialrand.com[64.63.165.172]
> said:
> 550 unknown user <[EMAIL PROTECTED]> (in reply to RCPT TO
> command)
>
> --DD5571D5A6D.1121129892/spirit.lightshipmail.net
> Content-Description: Undelivered Message
> Content-Type: message/rfc822
>
> Rec
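Jeff's reading of the headers, turned into a check a receiving site could run over the bounces that land in its postmaster mailbox: a null-sender DSN whose returned message claims our domain in HELO but came from a foreign IP is backscatter from somebody else's forgery. This is an added example, not code from the thread, from Declude or from Postfix; OUR_DOMAIN, OUR_MX_IPS and the placeholder addresses in the constructed SAMPLE_BOUNCE are assumptions, while the host names, IPs and queue id are the ones quoted above.

```python
import re
from email import message_from_string, policy

OUR_DOMAIN = "prudentialrand.com"  # assumed: the domain whose addresses were forged
OUR_MX_IPS = {"64.63.165.172"}     # assumed: the only address our own MTA sends from
# Received "from <helo> (<rdns> [<ip>])": what the client claimed vs. what the MTA saw.
HOP_RE = re.compile(r"from\s+(\S+)\s+\(([^\s()\[\]]+)\s+\[([\d.]+)\]\)", re.I)
# Constructed DSN modelled on the bounce quoted in the thread; addresses are placeholders.
SAMPLE_BOUNCE = """\
Received: from spirit.lightshipmail.net [216.204.0.205] by mail.prudentialrand.com with ESMTP id A70D12200C6
From: MAILER-DAEMON@spirit.lightshipmail.net (Mail Delivery System)
Content-Type: multipart/report; report-type=delivery-status; boundary="DD5571D5A6D.1121129892/spirit.lightshipmail.net"
X-Declude-Sender: <> [216.204.0.205]

--DD5571D5A6D.1121129892/spirit.lightshipmail.net
Content-Type: message/delivery-status

Reporting-MTA: dns; spirit.lightshipmail.net

Final-Recipient: rfc822; nosuchuser@prudentialrand.com
Status: 5.0.0

--DD5571D5A6D.1121129892/spirit.lightshipmail.net
Content-Type: message/rfc822

Received: from prudentialrand.com (ipn36373-b01578.cidr.lightship.net [216.204.209.74]) by spirit.lightshipmail.net (Postfix) with ESMTP id DD5571D5A6D
From: forged-sender@prudentialrand.com
To: nosuchuser@prudentialrand.com

--DD5571D5A6D.1121129892/spirit.lightshipmail.net--
"""

def forged_hops(original):
    """Received hops where the client said HELO as our domain but came from a foreign IP."""
    hits = []
    for rcvd in original.get_all("Received", []):
        m = HOP_RE.search(str(rcvd))
        if m:
            helo, rdns, ip = m.groups()
            if helo.lower().endswith(OUR_DOMAIN) and ip not in OUR_MX_IPS:
                hits.append({"helo": helo, "rdns": rdns, "ip": ip})
    return hits

def classify_bounce(raw):
    """Backscatter = a null-sender DSN returning a message that our own MX never sent."""
    msg = message_from_string(raw, policy=policy.default)
    is_dsn = (msg.get_content_type() == "multipart/report"
              and msg.get_param("report-type") == "delivery-status")
    # Bounces carry an empty envelope sender; Declude records it in X-Declude-Sender.
    null_sender = str(msg.get("Return-Path") or msg.get("X-Declude-Sender") or "").strip().startswith("<>")
    failed, hops = [], []
    for part in (msg.iter_parts() if is_dsn else ()):
        if part.get_content_type() == "message/delivery-status":
            failed += [str(b["Final-Recipient"]).split(";", 1)[-1].strip()
                       for b in part.get_payload() if b.get("Final-Recipient")]
        elif part.get_content_type() == "message/rfc822":
            hops = forged_hops(part.get_payload()[0])  # the returned original message
    return {"is_dsn": is_dsn, "null_sender": null_sender, "failed_recipients": failed,
            "forged_hops": hops, "backscatter": is_dsn and null_sender and bool(hops)}
```

A hit means the reporting MTA bounced somebody else's forgery to you, as in the thread; it says nothing about your own server, which (as Jeff notes) rejected at RCPT TO and so generated no bounce of its own.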