On 8/25/2014 11:27 AM, Jim Shupert wrote:
friends,
I have one user [ MrBlue ] who is a valid user on my domain of
theppjgroup.com
It seems MrBlue has been getting overloaded with failure notices.
I *think* that someone is sending mail spoofing MrBlue -- but they do not have
the password.
Thanks Dan, you pretty much explained in detail what I suggested ;-)
I agree that this is indeed a hijacked account sending out spam and receiving
bounces from those that were not delivered. In addition to Dan's suggestions
(password change and malware scan on systems) I would recommend
+1
that's what I see too
On 08/25/2014 10:56 AM, Eric Shubert wrote:
This looks like backscatter to me. Do you have an SPF (DNS TXT) record
defined for that domain? That should help to eliminate backscatter.
+2
Very good interpolation.
This is more the correct answer because I have the T-shirt on this one LOL
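The SPF check Eric is pointing at, as an added example that is not part of this thread: a minimal evaluator for the ip4/ip6/include/all mechanisms of an SPF record, run against the sending IP quoted later in the thread (72.189.129.134). The SPF records below are constructed stand-ins using documentation addresses, not the real theppjgroup.com record, and `lookup_spf` / `reject_at_smtp` are names assumed here rather than anything from the list or from qmail. The point it shows: with a published "-all", a receiver that checks SPF refuses the spoofed message inside the SMTP session, so it never generates the bounce that lands in MrBlue's mailbox.

```python
import ipaddress

# Constructed SPF records for illustration (RFC 5737 / RFC 3849 documentation
# addresses). These are NOT the real records of theppjgroup.com or any other
# domain; a real check would fetch them with a DNS TXT query (dig txt <domain>).
SPF_RECORDS = {
    "theppjgroup.com": "v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "legacy.example": "v=spf1 mx -all",   # uses a mechanism this evaluator does not resolve
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, records=SPF_RECORDS):
    """Stand-in for a DNS TXT lookup: return the domain's SPF string or None."""
    return records.get(domain.lower())


def check_spf(ip, domain, records=SPF_RECORDS, depth=0):
    """Evaluate ip against domain's SPF record.

    Returns (result, term): result uses the RFC 7208 names pass / fail /
    softfail / neutral / none / permerror; term is the mechanism that decided
    it. Supports ip4, ip6, include and all. Mechanisms that need live DNS
    (a, mx, ptr, exists) and the redirect= modifier yield permerror here.
    """
    if depth > 10:                       # RFC 7208 caps DNS-querying terms at 10
        return ("permerror", "include depth exceeded")
    record = lookup_spf(domain, records)
    if record is None:
        return ("none", None)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ("none", None)
    addr = ipaddress.ip_address(ip)
    for raw in terms[1:]:
        qualifier, term = "+", raw
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return (QUALIFIERS[qualifier], raw)
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return ("permerror", raw)
            if addr.version == net.version and addr in net:
                return (QUALIFIERS[qualifier], raw)
        elif name == "include":
            sub, _ = check_spf(ip, arg, records, depth + 1)
            if sub == "pass":
                return (QUALIFIERS[qualifier], raw)
            if sub in ("none", "permerror"):
                return ("permerror", raw)
        else:
            return ("permerror", raw)    # a, mx, ptr, exists, redirect=: not resolved offline
    return ("neutral", None)             # nothing matched and no 'all' term


def reject_at_smtp(ip, mail_from_domain):
    """Receiving-side policy: refuse the message during the SMTP session on an
    SPF 'fail', so the receiver never accepts it and never has to bounce it.
    Returns True when the message should be rejected."""
    result, _ = check_spf(ip, mail_from_domain)
    return result == "fail"


if __name__ == "__main__":
    # 72.189.129.134 is the sending IP quoted in the thread; under the
    # constructed record it matches nothing and hits -all.
    for ip in ("203.0.113.7", "198.51.100.10", "72.189.129.134"):
        print(ip, check_spf(ip, "theppjgroup.com"),
              "reject:", reject_at_smtp(ip, "theppjgroup.com"))
```

Two caveats a practitioner would want: SPF only stops backscatter at receivers that actually check it before accepting, so some bounces from spoofed mail will still arrive, and a hard "-all" breaks plain forwarding of legitimate mail (the forwarder's IP is not in the record), so list every host that sends as the domain before publishing it.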
On 08/26/2014 09:53 AM, Dan McAllister wrote:
Dan,
Thank you for the lesson on mail headers.
I very much need to know more about that sort of thing in order to do
forensics on these sorts of problems.
1st, let me say that if I look at a legit MrBlue email,
it says in the header only and always
mrb...@theppjgroup.com
so when
Unless MrBlue is on a road trip somewhere accessing his mail... then yes.
I would do an nslookup 72.189.129.134 and see who it belongs to,
mainly what country it is in.
On 8/26/2014 1:51 PM, Jim Shupert wrote:
Did you a solid...
Looks like he's in Florida and it's a Time Warner Cable IP.
Results from DNSstuff.com:
Origin AS Data / RIR Data: No Data Found!
Reverse: 72-189-129-134.res.bhn.net.
Reverse-verified: No
Country Code: US
Country: United States
Region: