scutchen
Posted December 3, 2005

I've received over 140 emails like this:

From: MAILER-DAEMON@linux-ww1.ktc.com
Subject: failure notice
Date: December 2, 2005 6:22:55 PM CST
To: webmaster@pearlandjrs.com
Status: RO
Return-Path: <>
Received: from server88.tchmachines.com ([67.15.82.11])
    by mx-pinchot.atl.sa.earthlink.net (EarthLink SMTP Server) with ESMTP id 1eIkxu3in3Nl34d0
    for <sscutchen@earthlink.net>; Fri, 2 Dec 2005 18:42:04 -0500 (EST)
Received: from notini.ktc.com ([207.71.36.52] helo=linux-ww1.ktc.com)
    by server88.tchmachines.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.52) id 1EiKWB-0007Oc-Fh
    for webmaster@pearlandjrs.com; Fri, 02 Dec 2005 18:40:44 -0500
Received: (qmail 17242 invoked for bounce); 3 Dec 2005 00:22:55 -0000
X-Antiabuse: This header was added to track abuse, please include it with any abuse report
X-Antiabuse: Primary Hostname - server88.tchmachines.com
X-Antiabuse: Original Domain - pearlandjrs.com
X-Antiabuse: Originator/Caller UID/GID - [0 0] / [47 12]
X-Antiabuse: Sender Address Domain -
X-Source:
X-Source-Args:
X-Source-Dir:
Message-Id: <200512021842.1eIkxu3in3Nl34d0@mx-pinchot.atl.sa.earthlink.net>
X-Elnk-Av: 0

Hi. This is the qmail-send program at linux-ww1.ktc.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<catch_all@hebuttfdn.org>:
Sorry, no mailbox here by that name. vpopmail (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <webmaster@pearlandjrs.com>
Received: (qmail 16973 invoked by uid 108); 3 Dec 2005 00:22:55 -0000
Delivered-To: is.mathews@llyc.org
Received: (qmail 16594 invoked by uid 108); 3 Dec 2005 00:22:52 -0000
Received: from unknown (HELO wmlcwgcwe.com) (67.10.129.158)
    by 0 with SMTP; 3 Dec 2005 00:22:52 -0000
From: webmaster@pearlandjrs.com
To: listening@llyc.org
Date: Fri, 02 Dec 2005 23:28:31 GMT
Subject: Registration Confirmation
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <c5a6ade1604a98b1cd@pearlandjrs.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="====fb93f9a85069db6c9ab36ad9"
Content-Transfer-Encoding: 7bit

This is a multi-part message in MIME format.

--====fb93f9a85069db6c9ab36ad9

Account and Password Information are attached!

--====fb93f9a85069db6c9ab36ad9
Content-Type: application/octet-stream; name=reg_pass-data.zip
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="reg_pass-data.zip"

UEsDBAoAAAAAAACQdjPMyus3XtgAAF7YAAAYAAAARmlsZS1wYWNrZWRfZGF0YUluZm8uZXhlTVqQ

then more of these lines in what appears to be an enclosed virus or other file.

Has mail from my account been hijacked? I am not running any mail stuff that I installed. Just stock stuff.

TCH-Andy
Posted December 3, 2005

Hi,

From the headers this looks like a standard virus, not sent from your machine.

If you look at the mail that was supposedly sent from your account:

Return-Path: <webmaster@pearlandjrs.com>
Received: (qmail 16973 invoked by uid 108); 3 Dec 2005 00:22:55 -0000
Delivered-To: is.mathews@llyc.org
Received: (qmail 16594 invoked by uid 108); 3 Dec 2005 00:22:52 -0000
Received: from unknown (HELO wmlcwgcwe.com) (67.10.129.158)
    by 0 with SMTP; 3 Dec 2005 00:22:52 -0000
From: webmaster@pearlandjrs.com

and look at the IP address, it is not from the server here, but from a computer in Texas somewhere.
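
Added example (not part of the original thread, and not code from any poster): a Python sketch of the header check described in the reply above, run over the copy of the message quoted inside the bounce. The names network_hops, classify and OWN_SERVERS are hypothetical, and it assumes the hosting server's IP from the outer bounce headers is the only address the domain sends from.

```python
import email
import re

# Headers of the message copy quoted inside the bounce in the first post
# (trimmed to the relevant lines; the Received line is folded for readability).
BOUNCED_COPY = """\
Return-Path: <webmaster@pearlandjrs.com>
Received: (qmail 16973 invoked by uid 108); 3 Dec 2005 00:22:55 -0000
Delivered-To: is.mathews@llyc.org
Received: (qmail 16594 invoked by uid 108); 3 Dec 2005 00:22:52 -0000
Received: from unknown (HELO wmlcwgcwe.com) (67.10.129.158)
  by 0 with SMTP; 3 Dec 2005 00:22:52 -0000
From: webmaster@pearlandjrs.com
To: listening@llyc.org
Subject: Registration Confirmation

"""

# Assumption: the only IP the domain sends mail from is the hosting server
# shown in the outer bounce headers (server88.tchmachines.com).
OWN_SERVERS = {"67.15.82.11"}

# Client IP as MTAs record it: "(1.2.3.4)" for qmail, "([1.2.3.4])" for Exim.
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def network_hops(raw_headers):
    """Client IPs from every 'Received: from ...' line, newest hop first."""
    msg = email.message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())   # unfold continuation lines
        if value.startswith("from "):     # skip local qmail hand-offs
            match = IP_RE.search(value)
            if match:
                hops.append(match.group(1))
    return hops

def classify(raw_headers, own_servers=OWN_SERVERS):
    hops = network_hops(raw_headers)
    if not hops:
        return "no-network-hop"
    # Mail that really left our server must list it as the client of some hop.
    # Its absence is conclusive; its presence is not, because a sender can
    # include forged Received lines, which end up below the honest ones.
    return "spoofed" if own_servers.isdisjoint(hops) else "review"

if __name__ == "__main__":
    print(network_hops(BOUNCED_COPY), classify(BOUNCED_COPY))
```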

scutchen
Posted December 3, 2005

> Hi,
> From the headers this looks like a standard virus, not sent from your machine
> If you look at the mail that was supposedly sent from your account;
> and look at the IP address, it is not from the server here, but from a computer in Texas somewhere.

OK. That's why I included full headers. I did not have this activity on my other Total Choice account. So I'll just do the big delete and move on. Thanks.

Poppy
Posted May 6, 2006

Hi! This has also been happening to me for the last week. I have received hundreds of emails "returned" to me from apparent spam blockers. These look to be sent out by several different fictitious email accounts at my domain name.

I don't know how to read headers, so here is one:

Return-path: <>
Envelope-to: fxxvz@poppydavis.com
Delivery-date: Sat, 06 May 2006 05:26:46 -0400
Received: from [207.69.200.46] (helo=zeverly.mail.atl.earthlink.net)
    by server317.tchmachines.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.52) id 1FcJ3m-0001Pa-BC
    for fxxvz@poppydavis.com; Sat, 06 May 2006 05:26:46 -0400
Received: from exim by zeverly.mail.atl.earthlink.net with local (Exim 3.36 #4) id 1FcJ3l-0003Jw-00
    for fxxvz@poppydavis.com; Sat, 06 May 2006 05:26:45 -0400
X-Failed-Recipients: gerhardlauck@email.com
From: Mail Delivery System <Mailer-Daemon@zeverly.mail.atl.earthlink.net>
To: fxxvz@poppydavis.com
Subject: Mail delivery failed: returning message to sender
Message-Id: <E1FcJ3l-0003Jw-00@zeverly.mail.atl.earthlink.net>
Date: Sat, 06 May 2006 05:26:45 -0400

Here is the most disturbing one. I received this email this morning from someone telling me to stop spamming them.

Here is the header & message:

Return-path: <bcbbulldogs@alltel.net>
Envelope-to: qmdehf@poppydavis.com
Delivery-date: Sat, 06 May 2006 13:17:56 -0400
Received: from [166.102.165.170] (helo=ispmxmta09-srv.alltel.net)
    by server317.tchmachines.com with esmtp (Exim 4.52) id 1FcQPj-0001H8-Tn
    for qmdehf@poppydavis.com; Sat, 06 May 2006 13:17:56 -0400
Received: from ispmxaamta04-gx.alltel.net ([67.140.135.203])
    by ispmxmta09-srv.alltel.net with ESMTP id <20060506171755.ZQUI23942.ispmxmta09-srv.alltel.net@ispmxaamta04-gx.alltel.net>
    for <qmdehf@poppydavis.com>; Sat, 6 May 2006 12:17:55 -0500
Received: from yourn3ty7athd5 ([67.140.135.203])
    by ispmxaamta04-gx.alltel.net with SMTP id <20060506171754.NINK21950.ispmxaamta04-gx.alltel.net@yourn3ty7athd5>
    for <qmdehf@poppydavis.com>; Sat, 6 May 2006 12:17:54 -0500
Message-ID: <010501c67131$004fe510$01fea8c0@yourn3ty7athd5>
From: "BCBBULLDOGS" <bcbbulldogs@alltel.net>
To: "Harriot Olsen" <qmdehf@poppydavis.com>
References: <001301c66921$8e32f858$8561c418@sht>
Subject: Re: pave
Date: Sat, 6 May 2006 13:17:49 -0400
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_0101_01C6710F.7909EEA0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

STOP EMAILING US RETARD.. HARRIOT WHATEVER THE HECK UR NAME IS GET A LIFE..

----- Original Message -----
From: Harriot Olsen
To: bcbbulldogs@alltel.net
Sent: Wednesday, April 26, 2006 7:02 AM
Subject: pave

Is there ANYTHING I can do to stop this???

Many thanks in advance!

TCH-Andy
Posted May 6, 2006

Hi Poppy, welcome to the forum.

They are spoofed email addresses - not sent from your account.

I'd suggest setting your default address in :fail: (you do this in the mail section in cpanel), and then setting up accounts, or forwards for any email addresses you really want.

Poppy
Posted May 6, 2006

Thanks for the quick response! I suspected as much. I will change my account as you suggested.

boxturt
Posted May 6, 2006

scutchen - I recommend using something other than webmaster@ in your address. Too easy for the bad guys.

toddcurry
Posted May 11, 2006

Poppy, the popular name for this is a Joe job. It has become rampant on my accounts recently, too -- for no apparent reason.

FireRandySanders
Posted May 14, 2006

> I'd suggest setting your default address in :fail: (you do this in the mail section in cpanel), and then setting up accounts, or forwards for any email addresses you really want.

How do you do this? I am averaging a TON of bounces per day in the same manner.....

Thanks!

TCH-Don
Posted May 14, 2006

In cpanel,
click on Mail
click on default address
click on set default address
put :fail: in the to: box
and click on change.

stevevan
Posted May 14, 2006

Note that there are colons (":") on each side of the word "fail". Some people forget one or both of them.

Edited May 14, 2006 by stevevan

FireRandySanders
Posted May 15, 2006

Appreciate the fast reply! That was a piece of cake.

madmblue
Posted September 30, 2006

So, if I change this in my default email, what exactly happens? I still would like to get my normal mail, but not this returned spam stuff. I'm also getting a lot of this return mail spam the last few days, to all sorts of different addresses at my domain. If I make these changes, will it affect my "real" non-spam mail?

Thanks

> In cpanel,
> click on Mail
> click on default address
> click on set default address
> put :fail: in the to: box
> and click on change.

TCH-Don
Posted October 1, 2006

What will happen is you will no longer get email sent to any random address (catchall).
You will only get email for accounts you set up.
Plus you can set forwards to go to your normal email accounts.
Forwards are not email accounts, just an alias that will forward to the account you select when you set up the forward.

Forwards are handy for those web site sign ups.
I use sitename@my_email so I can delete the forward if it gets spammed.

madmblue
Posted October 1, 2006

Ah, I understand now--I just won't get the bounce notifications. I thought there might be a way to keep the spammers from using my domain name in their emails. The use of my domain is still going on, I just won't be bothered by it!! Lordy, ANOTHER reason to hate spammers!

> What will happen is you will no longer get email sent to any random address ( catchall )
> You will only get email for accounts you set up.
> plus you can set forwards to go to your normal email accounts.
> Forwards are not email account's just an alias that will forward to the account you select when you set up the forward.
> Forwards are handy for those web site sign ups.
> I use sitename@my_email so I can delete the forward if it gets spammed.