Re: [qmailtoaster] many failure notice - a failed spoof?

2014-08-26 Thread Dan McAllister

On 8/25/2014 11:27 AM, Jim Shupert wrote:

friends,

I have one user [ MrBlue ] who is a valid user on my domain of 
theppjgroup.com

It seems MrBlue has been getting overloaded with failure notices..
I *think* that someone is sending mail spoofing MrBlue -- but they do not have 
the password -- so it fails

and my ( actual ) MrBlue then gets a failure notice.

well,
 my mr blue is red with rage.
I wonder what I can do to relieve some of the pain?

below please find one of the failure notices

Thanks



-Original Message-
From: mailer-dae...@mailhost.theppjgroup.com
[mailto:mailer-dae...@mailhost.theppjgroup.com]
Sent: Friday, August 22, 2014 6:49 AM
To: mrb...@theppjgroup.com
Subject: failure notice

Hi. This is the qmail-send program at mailhost.theppjgroup.com.
I'm afraid I wasn't able to deliver your message to the following 
addresses.

This is a permanent error; I've given up. Sorry it didn't work out.

ca...@hotmail.com:
User and password not set, continuing without authentication.
65.54.188.126 does not like recipient.
Remote host said: 550 Requested action not taken: mailbox unavailable
Giving up on 65.54.188.126.

--- Below this line is a copy of the message.

Return-Path: mrb...@theppjgroup.com
Received: (qmail 8984 invoked by uid 89); 22 Aug 2014 10:48:53 -
Received: by simscan 1.3.1 ppid: 8975, pid: 8980, t: 0.3711s
 scanners: attach: 1.3.1 clamav: 0.95.2/m:
Received: from unknown (HELO ?192.168.249.85?)
(mrb...@theppjgroup.com@72.189.129.134)
  by mailhost.theppjgroup.com with ESMTPA; 22 Aug 2014 10:48:53 -
Content-Type: multipart/alternative;
 boundary="===0847007466868061251=="
MIME-Version: 1.0
Message-ID: 53f7202f.2848...@theppjgroup.com
Date: Fri, 22 Aug 2014 13:49:19 +0300
From: KL Gates international mrb...@theppjgroup.com
Subject: Urgent indebtedness notification
To: ca...@hotmail.com

OK - So I want to take this opportunity to educate on the reading of 
Mail Headers


First, new header entries always go to the TOP, so to trace the path of 
a message, start at the bottom (of the header).

In the above example, the message STARTED with a header of:

   Date: Fri, 22 Aug 2014 13:49:19 +0300
   From: KL Gates international mrb...@theppjgroup.com
   Subject: Urgent indebtedness notification
   To: ca...@hotmail.com

At which point, your SMTP server collected it and added:

   Received: from unknown (HELO ?192.168.249.85?)
     (mrb...@theppjgroup.com@72.189.129.134)
     by mailhost.theppjgroup.com with ESMTPA; 22 Aug 2014 10:48:53 -
   Content-Type: multipart/alternative;
     boundary="===0847007466868061251=="
   MIME-Version: 1.0
   Message-ID: 53f7202f.2848...@theppjgroup.com

And HERE is where you'll find how this message is coming in...

The end-user connected to you with a PC (or other client device) that 
had a LOCAL (LAN) IP address of *192.168.249.85*
 - Is this the LAN IP address range of Mr Blue? If not, someone's 
   logging into your server from another LAN.

The Public IP address of this client system is *72.189.129.134* (that 
is, the public IP address of the source of the SMTP connection).
 - Is this the WAN IP address of Mr Blue's office? Again, if not, 
   someone's logging into your mail server with falsified credentials.

The _SMTP AUTH credential provided_ was *mrb...@theppjgroup.com* -- so 
if someone's been hacked, it's Mr. Blue himself!


The remaining headers (moving up) are the internal processing of your QMT:

   Return-Path: mrb...@theppjgroup.com
   Received: (qmail 8984 invoked by uid 89); 22 Aug 2014 10:48:53 -
   Received: by simscan 1.3.1 ppid: 8975, pid: 8980, t: 0.3711s
     scanners: attach: 1.3.1 clamav: 0.95.2/m:

Now you could argue at which point any of these lines gets added, but 
the point in reading a mail header is that you work from the bottom up!


So, while others have suggested MrBlue is being spoofed, or that this is 
back-scatter, I think the proof here is that he may have been HACKED 
(that is, if the LAN and WAN IPs don't match Mr Blue's environment, 
someone is impersonating him - so change the password, pronto!), or that 
he has a MALWARE infection (if those are his addresses). That LAN host 
-- ending in 249.85 -- likely is the system with the malware, so scan 
that system (and change the account password as well).


I hope this helps...

Dan
IT4SOHO

--
IT4SOHO, LLC
33 - 4th Street N, Suite 211
St. Petersburg, FL 33701-3806

CALL TOLL FREE:
  877-IT4SOHO

877-484-7646 Phone
727-647-7646 Local
727-490-4394 Fax

We have support plans for QMail!
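
As an added example (not code from the thread), here is a Python script that reads the bottom-most qmail-smtpd `Received:` header the way Dan walks through it above: it unfolds the header, pulls out the HELO name, the connecting IP, the SMTP AUTH user and the `with` keyword, and compares the HELO and source addresses against the LAN and WAN ranges you expect Mr Blue to come from. The sample headers are the ones quoted in the thread; the expected ranges are made up for the demonstration, since the thread never states them.

```python
"""Triage a qmail-smtpd Received header bottom-up, as Dan's post describes,
and say what it implies about the account that submitted the message."""
import email
import ipaddress
import re
from typing import Iterable, Optional

# Constructed sample: the headers quoted in the thread (the bounce's copy of the
# message), folded as they appeared on the list. The archive cut the timezone
# suffix off the qmail dates; it is written out as -0000 here.
SAMPLE = """\
Return-Path: mrb...@theppjgroup.com
Received: (qmail 8984 invoked by uid 89); 22 Aug 2014 10:48:53 -0000
Received: by simscan 1.3.1 ppid: 8975, pid: 8980, t: 0.3711s
 scanners: attach: 1.3.1 clamav: 0.95.2/m:
Received: from unknown (HELO ?192.168.249.85?)
 (mrb...@theppjgroup.com@72.189.129.134)
  by mailhost.theppjgroup.com with ESMTPA; 22 Aug 2014 10:48:53 -0000
MIME-Version: 1.0
Date: Fri, 22 Aug 2014 13:49:19 +0300
From: KL Gates international <mrb...@theppjgroup.com>
Subject: Urgent indebtedness notification
To: ca...@hotmail.com

(body omitted)
"""

# qmail-smtpd writes:  from <rDNS> (HELO <helo>) (<user>@<ip>) by <host> with <proto>;
# The <user>@ part appears when the client authenticated (qmail-toaster) or an
# ident lookup answered, so the 'with' keyword decides whether it is an AUTH user.
QMAIL_SMTPD_RE = re.compile(
    r"from (?P<rdns>\S+) \(HELO (?P<helo>[^)]*)\) "
    r"\((?:(?P<user>.+)@)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) "
    r"by (?P<by>\S+) with (?P<proto>\S+);"
)


def _in_ranges(ip: Optional[str], ranges: Iterable[str]) -> bool:
    """True if ip falls inside any of the given CIDR ranges."""
    try:
        addr = ipaddress.ip_address(ip) if ip else None
    except ValueError:
        return False
    return addr is not None and any(
        addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def _as_ip(text: str) -> Optional[str]:
    """Return text as an IP if it is one (qmail replaces the [] of a bracketed HELO with ?)."""
    try:
        return str(ipaddress.ip_address(text.strip("?[]")))
    except ValueError:
        return None


def triage_received(received: str, expected_lan: Iterable[str],
                    expected_wan: Iterable[str]) -> Optional[dict]:
    """Read one qmail-smtpd Received value and classify it the way Dan's post does."""
    m = QMAIL_SMTPD_RE.search(" ".join(received.split()))  # unfold the header first
    if not m:
        return None
    helo_ip = _as_ip(m.group("helo"))
    authenticated = m.group("proto") in ("ESMTPA", "ESMTPSA")  # RFC 3848 keywords
    result = {
        "helo": m.group("helo").strip("?"),
        "helo_ip": helo_ip,
        "source_ip": m.group("ip"),
        "auth_user": m.group("user") if authenticated else None,
        "authenticated": authenticated,
        "helo_in_expected_lan": _in_ranges(helo_ip, expected_lan),
        "source_in_expected_wan": _in_ranges(m.group("ip"), expected_wan),
    }
    if not authenticated:
        result["verdict"] = "not an authenticated submission: sender likely forged (backscatter)"
    elif result["helo_in_expected_lan"] and result["source_in_expected_wan"]:
        result["verdict"] = "authenticated from the user's own environment: suspect malware on the HELO host"
    else:
        result["verdict"] = "credentials used from outside the user's environment: change the password"
    return result


def triage_message(raw: str, expected_lan: Iterable[str],
                   expected_wan: Iterable[str]) -> Optional[dict]:
    """Bottom-up: the last Received header is the one qmail-smtpd added when the
    client connected, so that is the one to read."""
    received = email.message_from_string(raw).get_all("Received") or []
    if not received:
        return None
    return triage_received(received[-1], expected_lan, expected_wan)


if __name__ == "__main__":
    # Assumed LAN/WAN ranges for Mr Blue's office (constructed for the demo).
    for key, value in triage_message(SAMPLE, ["192.168.1.0/24"], ["203.0.113.0/24"]).items():
        print(f"{key:24} {value}")
```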



Re: [qmailtoaster] many failure notice - a failed spoof?

2014-08-26 Thread Sebastian Grewe
Thanks Dan, you pretty much explained in detail what I suggested ;-)

I agree that this is indeed a hijacked account sending out spam and receiving 
bounces from those that were not delivered. In addition to Dan's suggestions 
(password change and malware scan on systems) I would recommend checking 
blocklists for entries for your host (http://mxtoolbox.com/blacklists.aspx) to 
get cleared from them (if you landed on one of those).

Cheers,
Sebastian


On 26 Aug 2014, at 16:53, Dan McAllister q...@it4soho.com wrote:


Re: [qmailtoaster] many failure notice - a failed spoof?

2014-08-26 Thread David

+2
Very good interpolation.
This is more the correct answer because I have the T-shirt on this one LOL

On 08/26/2014 09:53 AM, Dan McAllister wrote:


Re: [qmailtoaster] many failure notice - a failed spoof?

2014-08-26 Thread Jim Shupert

Dan,

Thank you for the lesson on mail headers.
I very much need to know more about that sort of thing in order to do 
the kind of forensics these sorts of problems require.


1st let me say that if I look at a legit MrBlue email

it says in the header only and always
mrb...@theppjgroup.com

so when we see

(mrb...@theppjgroup.com@72.189.129.134)

that num 72.189.129.134 is alien to me


so would you say that mrBlue has been hacked?

thanks again

Let me see if I have an understanding of your statement.
On 8/26/2014 10:53 AM, Dan McAllister wrote:


Re: [qmailtoaster] many failure notice - a failed spoof?

2014-08-26 Thread David Milholen

Unless Mrblue is on a road trip somewhere accessing his mail... Then yes.
I would do an nslookup on 72.189.129.134 and see who it belongs to,
mainly what country it is in.


On 8/26/2014 1:51 PM, Jim Shupert wrote:


Re: [qmailtoaster] many failure notice - a failed spoof?

2014-08-26 Thread David Milholen

Did you a solid...
Looks like he's in Florida and it's a Time Warner Cable IP.
Results from DNSstuff.com:

Origin AS Data / RIR Data:   No Data Found!

Reverse              72-189-129-134.res.bhn.net.
Reverse-verified     No
Country Code         US
Country              United States
Region               North America
Population           278058881
Top-level Domain     US
IPv4 Ranges          40242
IPv6 Ranges          3202
Currency             US Dollar
Currency Code        USD
IP Range - Start     72.176.0.0
IP Range - End       72.191.255.255
Registrar            ARIN
Allocation date      Nov 21, 2005



On 8/26/2014 1:51 PM, Jim Shupert wrote:


[qmailtoaster] many failure notice - a failed spoof?

2014-08-25 Thread Jim Shupert

friends,

I have one user [ MrBlue ] who is a valid user on my domain of 
theppjgroup.com

It seems MrBlue has been getting overloaded with failure notices..
I *think* that someone is sending mail spoofing MrBlue -- but they do not have the 
password -- so it fails

and my ( actual ) MrBlue then gets a failure notice.

well,
 my mr blue is red with rage.
I wonder what I can do to relieve some of the pain?

below please find one of the failure notices

Thanks



-Original Message-
From: mailer-dae...@mailhost.theppjgroup.com
[mailto:mailer-dae...@mailhost.theppjgroup.com]
Sent: Friday, August 22, 2014 6:49 AM
To: mrb...@theppjgroup.com
Subject: failure notice

Hi. This is the qmail-send program at mailhost.theppjgroup.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

ca...@hotmail.com:
User and password not set, continuing without authentication.
65.54.188.126 does not like recipient.
Remote host said: 550 Requested action not taken: mailbox unavailable
Giving up on 65.54.188.126.

--- Below this line is a copy of the message.

Return-Path: mrb...@theppjgroup.com
Received: (qmail 8984 invoked by uid 89); 22 Aug 2014 10:48:53 -
Received: by simscan 1.3.1 ppid: 8975, pid: 8980, t: 0.3711s
 scanners: attach: 1.3.1 clamav: 0.95.2/m:
Received: from unknown (HELO ?192.168.249.85?)
(mrb...@theppjgroup.com@72.189.129.134)
  by mailhost.theppjgroup.com with ESMTPA; 22 Aug 2014 10:48:53 -
Content-Type: multipart/alternative;
 boundary="===0847007466868061251=="
MIME-Version: 1.0
Message-ID: 53f7202f.2848...@theppjgroup.com
Date: Fri, 22 Aug 2014 13:49:19 +0300
From: KL Gates international mrb...@theppjgroup.com
Subject: Urgent indebtedness notification
To: ca...@hotmail.com

--===0847007466868061251==
Content-Type: text/plain; charset=us-ascii
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

KL; GATES

Final notice

Hereby you are notified that you have [unpaid utility
bills](http://ideatoappjter.com/wp-content/uploads/wysija/themes/smoke/index.php?service_id=VfDPHxJ28eXZLRMuNsoEI9bLCvd7sHVU0kyJPvAO3Us=)
and your debt amounts to $45 for August 21, 2014.

If you do not fulfill your debt-service obligations within three days in
accordance with the applicable legislation, we will have to file actions
with the court and apply enforcement options - in this case you can be
evicted from the occupied territory (property rights termination).

We are asking you to pay the arrears as soon as possible! [See further
details here.](http://ideatoappjter.com/wp-content/uploads/wysija/themes/smoke/index.php?info=VfDPHxJ28eXZLRMuNsoEI9bLCvd7sHVU0kyJPvAO3Us=)

Copyright (c) 2014 | All right reserved


--===0847007466868061251==--

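One detail worth reading closely in the bounce above is the Received header: `(mrb...@theppjgroup.com@72.189.129.134) by mailhost.theppjgroup.com with ESMTPA`. The trailing `A` in `ESMTPA` marks a submission accepted after SMTP AUTH, and qmail-smtpd records the authenticated account followed by the client IP, so this header tells you which login was used and from where. Below is an added example, not code from this thread or from qmailtoaster, that unfolds such headers, counts authenticated submissions per account together with the distinct client IPs they came from, and flags accounts whose volume or IP spread looks like a hijacked login. Every address, host name, IP and timestamp in `SAMPLE_HEADERS` is constructed; the thresholds in `flag_hijacked` are illustrative assumptions.

```python
"""Tally authenticated SMTP submissions per account from Received headers.

Added example, not part of the mailing-list thread or of qmailtoaster.
The header shape follows the bounce quoted in the thread; all addresses,
hosts, IPs and timestamps below are constructed.
"""
import re
from collections import defaultdict

# qmail-smtpd with SMTP AUTH records an authenticated submission as
# "(user@domain@client-ip) by <host> with ESMTPA" (ESMTPSA over TLS).
# An unauthenticated message has "(client-ip)" and "with SMTP"/"ESMTP".
AUTH_RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^)]*)\)\s+"
    r"\((?:(?P<auth_user>[^()\s@]+@[^()\s@]+)@)?"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+"
    r"by\s+(?P<by>\S+)\s+with\s+(?P<proto>[^;\s]+)",
    re.IGNORECASE,
)

# Constructed sample: one normal user, one account submitting from many
# IPs in quick succession, and one unauthenticated inbound message.
SAMPLE_HEADERS = """\
Received: from unknown (HELO ?192.168.1.23?) (alice@example.com@192.0.2.10)
  by mail.example.com with ESMTPA; 22 Aug 2014 08:01:10 -0000
Received: from unknown (HELO ?192.168.1.23?) (alice@example.com@192.0.2.10)
  by mail.example.com with ESMTPA; 22 Aug 2014 09:15:42 -0000
Received: from unknown (HELO ?10.0.0.7?) (bob@example.com@198.51.100.5)
  by mail.example.com with ESMTPA; 22 Aug 2014 10:48:53 -0000
Received: from unknown (HELO ?10.0.0.7?) (bob@example.com@198.51.100.77)
  by mail.example.com with ESMTPA; 22 Aug 2014 10:48:54 -0000
Received: from unknown (HELO ?10.0.0.7?) (bob@example.com@203.0.113.9)
  by mail.example.com with ESMTPA; 22 Aug 2014 10:48:55 -0000
Received: from unknown (HELO ?10.0.0.7?) (bob@example.com@203.0.113.40)
  by mail.example.com with ESMTPA; 22 Aug 2014 10:48:56 -0000
Received: from unknown (HELO ?10.0.0.7?) (bob@example.com@203.0.113.40)
  by mail.example.com with ESMTPSA; 22 Aug 2014 10:48:57 -0000
Received: from mx.partner.example (HELO mx.partner.example) (203.0.113.200)
  by mail.example.com with SMTP; 22 Aug 2014 11:00:00 -0000
"""


def unfold_headers(raw):
    """Join RFC 5322 folded continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_submissions(raw_headers):
    """Yield (auth_user, client_ip) for each header that records an SMTP AUTH submission."""
    for line in unfold_headers(raw_headers):
        m = AUTH_RECEIVED_RE.match(line)
        if not m or not m.group("auth_user"):
            continue  # unauthenticated or not a Received header at all
        if not m.group("proto").upper().endswith("A"):
            continue  # ESMTPA / ESMTPSA: the trailing A is the AUTH marker
        yield m.group("auth_user").lower(), m.group("ip")


def tally_by_account(raw_headers):
    """Return {account: {"messages": n, "ips": {client ips}}} for authenticated submissions."""
    stats = defaultdict(lambda: {"messages": 0, "ips": set()})
    for user, ip in parse_submissions(raw_headers):
        stats[user]["messages"] += 1
        stats[user]["ips"].add(ip)
    return dict(stats)


def flag_hijacked(stats, max_messages=3, max_ips=2):
    """Accounts whose message count or distinct-IP count exceeds the thresholds.

    The defaults are assumptions for this sample; tune them to the site's
    normal per-account traffic before acting on the output.
    """
    return sorted(
        user for user, s in stats.items()
        if s["messages"] > max_messages or len(s["ips"]) > max_ips
    )


if __name__ == "__main__":
    tally = tally_by_account(SAMPLE_HEADERS)
    for user, s in sorted(tally.items()):
        print(f"{user}: {s['messages']} messages from {len(s['ips'])} IPs")
    print("suspect accounts:", flag_hijacked(tally))
```

On a live server the same parser can be fed the Received lines pulled from the queue or from the bounces the affected user is receiving; an account that submits from several unrelated client IPs within minutes is the pattern a stolen password produces, and the remediation is the one given in this thread: change that account's password and clear what it has queued.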


Re: [qmailtoaster] many failure notice - a failed spoof?

2014-08-25 Thread Sebastian Grewe
It looks more like an authenticated mail from your server from a hijacked
account. Check your server's logs for indications of which account has been sending a
lot of mails lately and change that account's password.


Sent from my iPhone

 On 25 Aug 2014, at 17:27, Jim Shupert jshup...@pps-inc.com wrote:
 
 friends,
 
 I have one user [ MrBlue } who is a valid user on my domain of  
 theppjgroup.com
 
 It seems MrBlue has been getting overloaded with failure notices..
 I *Think 
 that someone is sending mail spoofing MrBlue -- but they do not have the 
 password  -- so it fails
 and My ( actual ) MrBlue then gets a a failure notice.
 
 well,
  my mr blue is red with rage.
 I wonder what i can do to relieve some of the pain?
 
 below please find one of the failure notice
 
 Thanks
 
 
 
 -Original Message-
 From: mailer-dae...@mailhost.theppjgroup.com
 [mailto:mailer-dae...@mailhost.theppjgroup.com] 
 Sent: Friday, August 22, 2014 6:49 AM
 To: mrb...@theppjgroup.com
 Subject: failure notice
 
 Hi. This is the qmail-send program at mailhost.theppjgroup.com.
 I'm afraid I wasn't able to deliver your message to the following addresses.
 This is a permanent error; I've given up. Sorry it didn't work out.
 
 ca...@hotmail.com:
 User and password not set, continuing without authentication.
 65.54.188.126 does not like recipient.
 Remote host said: 550 Requested action not taken: mailbox unavailable Giving
 up on 65.54.188.126.
 
 --- Below this line is a copy of the message.
 
 Return-Path: mrb...@theppjgroup.com
 Received: (qmail 8984 invoked by uid 89); 22 Aug 2014 10:48:53 -
 Received: by simscan 1.3.1 ppid: 8975, pid: 8980, t: 0.3711s
  scanners: attach: 1.3.1 clamav: 0.95.2/m:
 Received: from unknown (HELO ?192.168.249.85?)
 (mrb...@theppjgroup.com@72.189.129.134)
   by mailhost.theppjgroup.com with ESMTPA; 22 Aug 2014 10:48:53 -
 Content-Type: multipart/alternative;
  boundary0847007466868061251==
 MIME-Version: 1.0
 Message-ID: 53f7202f.2848...@theppjgroup.com
 Date: Fri, 22 Aug 2014 13:49:19 +0300
 From: KL Gates international mrb...@theppjgroup.com
 Subject: Urgent indebtedness notification
 To: ca...@hotmail.com
 
 --===0847007466868061251==
 Content-Type: text/plain; charset=us-ascii
 MIME-Version: 1.0
 Content-Transfer-Encoding: 7bit
 
 KL; GATES
 
 Final notice
 
 Hereby you are notified that you have [unpaid utility
 bills](http://ideatoappjter.com/wp-content/uploads/wysija/themes/smoke/index
 .p
 hp?service_id=VfDPHxJ28eXZLRMuNsoEI9bLCvd7sHVU0kyJPvAO3Us=) and your debt
 amounts to $45 for August 21, 2014.  
   
 If you do not fulfill your debt-service obligations within three days in
 accordance with the applicable legislation, we will have to file actions
 with the court and apply enforcement options - in this case you can be
 evicted from the occupied territory (property rights termination).  
   
 We are asking you to pay the arrears as soon as possible! [ See further
 details
 here.](http://ideatoappjter.com/wp-content/uploads/wysija/themes/smoke
 /index.php?info=VfDPHxJ28eXZLRMuNsoEI9bLCvd7sHVU0kyJPvAO3Us=)
 
 Copyright (c) 2014 | All right reserved
 
 
 --===0847007466868061251==
 Content-Type: text/html; charset=us-ascii
 MIME-Version: 1.0
 Content-Transfer-Encoding: 7bit
 Format: Flowed
 
 html
 body
 table border=0 width=700 height=auto style=border-collapse:
 collapse;font-family:'Arial',sans-serif;color:#33;font-size:12px;backgro
 und:#fff;height:auto;
 font-weight: 100; font-size: 15px; text-align: left; margin:0; padding:0;
 tr heigh=40th
 p style=color:#51626f; font-size:30px;margin:5px 0 15px 30px;KL
 GATES/p
 /th
 /tr
 tr heigh=5th style=background:#667582;height:5px;
 /th
 /tr
 tr heigh=2th style=background:#fff;height:2px;
 /th
 /tr
 tr heigh=5th style=background:#c43249;height:5px;
 /th
 /tr
 tr
 th
 p style=color:#822433;font-size:16px;font-weight:bold;margin:10px 0 0
 7px;Final notice/p p style=font-size:14px;margin:10px 0 15px
 7px;font-weight: normal; Hereby you are notified that you have a
 href=http://ideatoappjter.com/wp-content/uploads/wysija/themes/smoke/index.
 php?service_id=VfDPHxJ28eXZLRMuNsoEI9bLCvd7sHVU0kyJPvAO3Us=unpaid utility
 bills/a and your debt amounts to $45 for August 21, 2014.br br If you
 do not fulfill your debt-service obligations within three days in accordance
 with the applicable legislation, we will have to file actions with the court
 and apply enforcement options - in this case you can be evicted from the
 occupied territory (property rights termination).br br We are asking you
 to pay the arrears as soon as possible! a
 href=http://ideatoappjter.com/wp-content/uploads/wysija/themes/smoke/index.
 php?info=VfDPHxJ28eXZLRMuNsoEI9bLCvd7sHVU0kyJPvAO3Us=
 See further details here./a
 /p
 /th
 /tr
 tr heigh=5th style=background:#667582;height:5px;
 /th
 /tr
 tr heigh=2th style=background:#fff;height:2px;
 /th
 /tr
 tr heigh=5th style=background:#c43249;height:5px;
 /th
 /tr