
RE: OT - has my email domain been hijacked?



> -----Original Message-----
> From: fedora-list-bounces redhat com 
> [mailto:fedora-list-bounces redhat com] On Behalf Of 
> kevin kempter dataintellect com
> Sent: Wednesday, September 14, 2005 8:40 PM
> To: fedora-list redhat com
> Subject: OT - has my email domain been hijacked?
> 
> Returned mail: User unknown
> Hi List;
> 
> I keep getting emails similar to the text below. I/We own the 
> domain dataintellect.com and we have email addresses setup 
> however I always see a bogus dataintellect.com email address 
> as the sender.
> 
> -or is this simply a random spam email?
> 
> Thanks in advance for any advice...
> 
> 
> ================================================
> 
> From: 
> Mail Delivery Subsystem <MAILER-DAEMON aol com>
>   To: 
> carina_x dataintellect com
>   Date: 
> Today 13:31:26
>    
>   Spam Status: Spamassassin 0% probability of being spam.
> 
> Full report:
> No, score=0.0 required=5.0 tests=AWL,BAYES_50 autolearn=no  
> version=3.0.4 The original message was received at Wed, 14 
> Sep 2005 15:31:23 -0400 (EDT) from 
> client-201.230.112.161.speedy.net.pe [201.230.112.161]
> 
> 
> *** ATTENTION ***
> 
> Your e-mail is being returned to you because there was a 
> problem with its delivery.  The address which was 
> undeliverable is listed in the section
> labeled: "----- The following addresses had permanent fatal 
> errors -----".
> 
> The reason your mail is being returned to you is listed in the section
> labeled: "----- Transcript of Session Follows -----".
> 
> The line beginning with "<<<" describes the specific reason 
> your e-mail could not be delivered.  The next line contains a 
> second error message which is a general translation for other 
> e-mail servers.
> 
> Please direct further questions regarding this message to 
> your e-mail administrator.
> 
> --AOL Postmaster
> 
> 
> 
>    ----- The following addresses had permanent fatal errors 
> ----- <acardi cs com> <adorablealicia cs com> 
> <aclaudet cs com> <acarter5 cs com> <acrader cs com>
> 
>    ----- Transcript of session follows ----- ... while 
> talking to air-yg01.mail.aol.com.:
> >>> RCPT To:<acrader cs com>
> <<< 550 MAILBOX NOT FOUND
> 550 <acrader cs com>... User unknown
> >>> RCPT To:<acarter5 cs com>
> <<< 550 MAILBOX NOT FOUND
> 550 <acarter5 cs com>... User unknown
> >>> RCPT To:<aclaudet cs com>
> <<< 550 MAILBOX NOT FOUND
> 550 <aclaudet cs com>... User unknown
> >>> RCPT To:<adorablealicia cs com>
> <<< 550 MAILBOX NOT FOUND
> 550 <adorablealicia cs com>... User unknown
> >>> RCPT To:<acardi cs com>
> <<< 550 MAILBOX NOT FOUND
> 550 <acardi cs com>... User unknown
> unnamed
> 
> Received: from  client-201.230.112.161.speedy.net.pe
> (client-201.230.112.161.speedy.net.pe [201.230.112.161]) by 
> rly-yg02.mx.aol.com (v107.10) with ESMTP id 
> MAILRELAYINYG23-26f43287a8232f; Wed, 14 Sep 2005 15:31:21 -0400
> Received: from mail.strawberrysampler.com ([64.118.71.80]) by 
> 201.230.112.161 with ESMTP id 4868741;
>          Wed, 14 Sep 2005 19:21:59 -0100
> Received: (qmail 73986 invoked by uid 5164); Date: Wed, 14 
> Sep 2005 19:21:59 -0100
> Date: Wed, 14 Sep 2005 19:21:59 -0100
> Message-ID: <20050914 68664 carina_x dataintellect com>
> From: "Men of Focus" <carina_x dataintellect com>
> Sender: carina_x dataintellect com
> To: acardi cs com, adorablealicia cs com, aclaudet cs com, 
> acarter5 cs com,
>         acrader cs com
> X-Responder-ID: 14
> Subject: Living without concerns!
> Content-Type: text/html; charset="UTF-8"
> X-AOL-IP: 201.230.112.161
> X-AOL-SCOLL-SCORE: 1:2:306687321:10737418
> X-AOL-SCOLL-URL_COUNT: 3
> 


That appears to be a SPAMMER who is faking a user ID at your domain in the
from address.
The dumb mail server of some of the recipients hasn't worked out that the
headers are forged, so it is returning the 'unknown address error' back to
you instead of the source.
What it should do is look at the headers to see that it is faked, and just
bin it without doing anything.

It appears to be from:


201.230.112.161
client-201.230.112.161.speedy.net.pe
Host reachable, 488 ms. average

201.230.112.128 - 201.230.112.255

PE-TDPERX3-LACNIC
Av. San Felipe 1144 Surquillo, 1144, edi A
34 - Lima -
Peru
+51 1 210-6771 []

Gestion Dir. IP Telefonica del Peru
gestionip TELEFONICA NET PE
Calle San Felipe 1144, 1144,
LI34 - Lima - LI
Peru
phone: +51 1 2106771 []

PE-PETD9-LACNIC
Created: 17-Aug-2005
Updated: 17-Aug-2005
Source: whois.lacnic.net

So I would forward on to them:

That is unless of course your server is acting like an open relay (which it
is not).

Regards

Chris


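As an added example, not code from this thread, here is the check Chris describes (look at the headers to see that the sender is faked) as a small Python routine: it walks the Received: chain of the message that was bounced and flags the bounce as backscatter when the From: claims our domain but no hop passed through one of our own outbound servers. The sample headers are copied from the bounce quoted above with the archive's stripped "@" restored, and the outbound-server address 192.0.2.25 is a constructed placeholder.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample input: the headers of the spam that AOL bounced back, copied
# from the message quoted in this thread with the archive's stripped "@" restored.
BOUNCED_ORIGINAL = """\
Received: from client-201.230.112.161.speedy.net.pe (client-201.230.112.161.speedy.net.pe [201.230.112.161]) by rly-yg02.mx.aol.com (v107.10) with ESMTP id MAILRELAYINYG23-26f43287a8232f; Wed, 14 Sep 2005 15:31:21 -0400
Received: from mail.strawberrysampler.com ([64.118.71.80]) by 201.230.112.161 with ESMTP id 4868741; Wed, 14 Sep 2005 19:21:59 -0100
Received: (qmail 73986 invoked by uid 5164); Wed, 14 Sep 2005 19:21:59 -0100
From: "Men of Focus" <carina_x@dataintellect.com>
To: acardi@cs.com
Subject: Living without concerns!

"""

# Assumed (hypothetical) address of the domain owner's only legitimate outbound
# mail server; a real deployment would load this from its own infrastructure.
OUR_OUTBOUND_IPS = {"192.0.2.25"}

# A relay's IP in a Received: header is conventionally written in square brackets.
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(raw_headers: str) -> list[str]:
    """Return the relay IPs from the Received: chain, most recent hop first."""
    msg = message_from_string(raw_headers)
    ips = []
    for hop in msg.get_all("Received", []):
        match = BRACKETED_IPV4.search(hop)
        if match:
            ips.append(match.group(1))
    return ips


def is_backscatter(raw_headers: str, our_domain: str, our_outbound_ips: set[str]) -> bool:
    """True when the bounced message names a sender at our_domain but never
    passed through one of our outbound servers, i.e. the From: was forged and
    the bounce should have been discarded by the recipient's MTA."""
    msg = message_from_string(raw_headers)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if from_domain != our_domain.lower():
        return False  # not claiming to be from us; a different problem
    return not any(ip in our_outbound_ips for ip in received_ips(raw_headers))


if __name__ == "__main__":
    print(received_ips(BOUNCED_ORIGINAL))
    print(is_backscatter(BOUNCED_ORIGINAL, "dataintellect.com", OUR_OUTBOUND_IPS))
```

Such a check only tells the domain owner the bounce is not theirs to act on; the recipient's MTA is the place where it should have been rejected at SMTP time rather than bounced.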