
A flood of bounced emails from 2 accounts - spambot activity or trojan?

paulney

Diamond Member
Hi everyone!

I have 3 e-mail accounts under the same domain name.
Let's say:
a@<MYDOMAIN>.com, b@<MYDOMAIN>.com, c@<MYDOMAIN>.com

I use all of them as POP. The accounts are used from 4 different computers, all of which are under my control. All of the computers have access to all of the email accounts.

Recently 2 of these e-mail accounts started to receive an abnormal quantity of bounced spam e-mails. A typical e-mail has some spam content (eCard and others), recipient's email address which is no longer valid, and the originating e-mail: a@<MYDOMAIN>.com, b@<MYDOMAIN>.com

Should I be worried that there's a trojan on one of the computers that uses these e-mail addresses, or did these email addresses get harvested by a spambot, and now I get all these bounces?

Quick review of headers shows this:

From - Tue Mar 22 19:15:50 2011
X-Account-Key: account3
Return-path: <>
Envelope-to: jobs@<MYDOMAIN>.com
Delivery-date: Tue, 22 Mar 2011 21:09:12 -0500
Received: from server.precision.co.il ([212.150.112.77]:3631 helo=mail.precision.co.il)
by gator324.hostgator.com with esmtps (SSLv3:AES256-SHA:256)
(Exim 4.69)
id 1Q2DVX-00069V-Bb
for jobs@<MYDOMAIN>.com; Tue, 22 Mar 2011 21:09:12 -0500
Received: from mail.precision.co.il
by mail.precision.co.il (********************************************************) with SMTP id Y5I64736
for <jobs@<MYDOMAIN>.com>; Wed, 23 Mar 2011 04:09:07 +0200
Date: Wed, 23 Mar 2011 04:09:07 +0200
From: Mail Delivery Subsystem <MAILER-DAEMON@feldstein.co.il>
To: <jobs@<MYDOMAIN>.com>
Message-Id: <1047994659@mail.precision.co.il>
Subject: Returned mail: response error
Content-Type: multipart/report; report-type=delivery-status; boundary="104799465920110323040906CFE5@mail.precision.co.il"

--104799465920110323040906CFE5@mail.precision.co.il

The original message was received at Wed, 23 Mar 2011 04:09:07 +0200

----- The following addresses had permanent fatal errors -----
<-48@yahoo.com>


----

Thanks!
 
Chances are very good that this is just Backscatter from someone spoofing their spam to look like it's coming from your email accounts.

If you have access to your SMTP server, you could check the logs on it to verify that your accounts aren't actually sending the spam messages.
 
Yep, I second the previous response.

The "return" address in email is just a text field in the header. I can write an email with a "return" address of "obama@whitehouse.gov" if I want to. If the recipient is bad, Mr Obama (or his aides) will get that bounce message.

It's just fundamentally how email works and it's why it shouldn't be treated as a trusted system for confidential or critical data.
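A triage script for a bounce like the one quoted above, added here as an example and not code from any poster: it checks the two markers of a genuine delivery status notification (null Return-path and a multipart/report with report-type=delivery-status), extracts the failed recipient, and looks for an attached copy of the original message so the question "did this ever leave my relay?" can be answered from headers when they are present, and otherwise deferred to the outbound SMTP log as the replies suggest. MY_OUTBOUND_HOSTS and the trimmed sample are assumptions.

```python
import re
from email import message_from_string
# Assumption (placeholder, not from the thread): the relay your own clients
# submit outbound mail through. Substitute the real hostname.
MY_OUTBOUND_HOSTS = {"mail.<MYDOMAIN>.com"}
# Constructed sample: the bounce quoted in the original post, trimmed to its
# key headers and failure line; the masked MTA banner is shortened to (****).
SAMPLE_BOUNCE = """Return-path: <>
Received: from server.precision.co.il ([212.150.112.77]:3631 helo=mail.precision.co.il)
\tby gator324.hostgator.com with esmtps (SSLv3:AES256-SHA:256)
\tfor jobs@<MYDOMAIN>.com; Tue, 22 Mar 2011 21:09:12 -0500
Received: from mail.precision.co.il
\tby mail.precision.co.il (****) with SMTP id Y5I64736
\tfor <jobs@<MYDOMAIN>.com>; Wed, 23 Mar 2011 04:09:07 +0200
Content-Type: multipart/report; report-type=delivery-status; boundary="104799465920110323040906CFE5@mail.precision.co.il"

--104799465920110323040906CFE5@mail.precision.co.il

----- The following addresses had permanent fatal errors -----
<-48@yahoo.com>
--104799465920110323040906CFE5@mail.precision.co.il--"""

def oldest_hop_host(msg):
    # Received headers are prepended at each hop, so the last one names the origin MTA.
    hops = msg.get_all("Received") or []
    m = re.match(r"from\s+(\S+)", re.sub(r"\s+", " ", hops[-1]).strip()) if hops else None
    return m.group(1) if m else ""

def triage_bounce(raw):
    # Genuine DSN for mail we sent, or backscatter from a spoofed envelope sender?
    msg = message_from_string(raw)
    # Null reverse-path plus multipart/report; report-type=delivery-status marks a real DSN.
    is_dsn = (msg.get("Return-path", "").strip() == "<>" and msg.get_content_type() == "multipart/report"
              and msg.get_param("report-type") == "delivery-status")
    m = re.search(r"permanent fatal errors\s*-+\s*<([^>]*)>", raw)
    failed = m.group(1) if m else ""
    # The bounce's own Received chain only shows which MTA rejected the message; only an attached
    # copy of the original shows whether it ever left our relay. Without one, the outbound log decides.
    original_origin = None
    for part in msg.walk():
        if part.get_content_type() in ("message/rfc822", "text/rfc822-headers"):
            inner = part.get_payload(0) if part.is_multipart() else message_from_string(part.get_payload())
            original_origin = oldest_hop_host(inner)
    if not is_dsn:
        verdict = "not a standard DSN: treat as ordinary spam"
    elif original_origin is None:
        verdict = "DSN without original headers: check outbound SMTP logs for a send to " + failed
    elif original_origin in MY_OUTBOUND_HOSTS:
        verdict = "genuine bounce: original left our relay " + original_origin
    else:
        verdict = "backscatter: original entered the mail system at " + original_origin
    return {"is_dsn": is_dsn, "bounced_by": oldest_hop_host(msg), "failed_recipient": failed,
            "original_origin": original_origin, "verdict": verdict}
```

For the quoted bounce the script reports a standard DSN with no attached original, so the deciding check is whether your own server's log shows a submission to the failed recipient.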
 
If you want to verify this, follow the above advice... check your SMTP logs.

More likely, some OTHER user, who has received mails from those two accounts, or might have them in his address list, has been compromised, and the virus is using random selections out of that person's address book as the "from" address in SPAM messages.

Just another thought..
 