Jump to content

How Do I Stop This?


Recommended Posts

I've gotten about 40 emails like this since yesterday. How do I stop it?

 

 

Message from yahoo.co.kr.

Unable to deliver message to the following address(es).

 

<pak2721@yahoo.co.kr>:

Sorry your message to pak2721@yahoo.co.kr cannot be delivered. This account has been disabled or discontinued [#102].

 

<pak2744@yahoo.co.kr>:

Sorry your message to pak2744@yahoo.co.kr cannot be delivered. This account has been disabled or discontinued [#102].

 

<pak2747@yahoo.co.kr>:

Sorry your message to pak2747@yahoo.co.kr cannot be delivered. This account has been disabled or discontinued [#102].

 

<pak2759@yahoo.co.kr>:

Sorry your message to pak2759@yahoo.co.kr cannot be delivered. This account has been disabled or discontinued [#102].

 

<pak2814@yahoo.co.kr>:

Sorry your message to pak2814@yahoo.co.kr cannot be delivered. This account has been disabled or discontinued [#102].

 

<pak2820@yahoo.co.kr>:

Sorry your message to pak2820@yahoo.co.kr cannot be delivered. This account has been disabled or discontinued [#102].

 

<pak282@yahoo.co.kr>:

Sorry your message to pak282@yahoo.co.kr cannot be delivered. This account has been disabled or discontinued [#102].

 

<pak2882@yahoo.co.kr>:

Sorry your message to pak2882@yahoo.co.kr cannot be delivered. This account has been disabled or discontinued [#102].

 

<pak2883@yahoo.co.kr>:

Sorry your message to pak2883@yahoo.co.kr cannot be delivered. This account has been disabled or discontinued [#102].

 

--- Original message follows.

 

X-YahooFilteredBulk: 66.233.17.173

Return-Path: <kkkppplkxcxx@depco-pump.com>

Received: from 66.233.17.173 (HELO 202.43.207.76) (66.233.17.173)

by mta113.mail.krn.yahoo.com with SMTP; Wed, 18 Feb 2004 03:26:09 +0900

Received: from [211.246.34.154]

by 202.43.207.76 with ESMTP id <907921-46624>;

Tue, 17 Feb 2004 15:22:13 -0300

Message-ID: <43v42ln5$gqcl$173i$v@y8bud>

From: "°ø¥õ±¹" <kkkppplkxcxx@depco-pump.com>

Reply-To: "°ø¥õ±¹" <kkkppplkxcxx@depco-pump.com>

To: pak271@yahoo.co.kr

Subject: ÈIJö¹Ì³à¸¦ Á¤¸» ²ÇÂ¥·Î Áñ±â¼¼¿ä ~~ !!! wuqfcsysql

Date: Tue, 17 Feb 04 15:22:13 GMT

X-Mailer: Microsoft Outlook Express 6.00.2800.1158

MIME-Version: 1.0

Content-Type: multipart/alternative;

boundary="1163_F959_9..9A9_E"

X-Priority: 3

X-MSMail-Priority: Normal

 

 

--1163_F959_9..9A9_E

Content-Type: text/html;

Content-Transfer-Encoding: quoted-printable

 

<html>

 

<head>

<meta http-equiv=3D"content-type" content=3D"text/html; charset=3Deuc-kr">=

 

<title>...,,,</title>

<meta name=3D"generator" content=3D"N0">

</head>

 

<body bgcolor=3D"white" text=3D"black" link=3D"blue" vlink=3D"purple" alin=

k=3D"red">

<p><a href=3D"http://sexsokbo.com/power.html?cid=3Dmodu" target=3D"_blank"=

><img src=3D"http://sexsokbo.com/~sexsokbo/xman2/newnew.gif" width=3D"350"=

height=3D"300" border=3D"0"></a></p>

<p style=3D"line-height:100%; margin-top:0; margin-bottom:0;"><a href=3D"h=

ttp://sexsokbo.com/power.html?cid=3Dmodu" target=3D"_blank"><b><font color=

=3D"red"><span style=3D"font-size:20pt;">=3D=3D>click</span></font></b>=

</a></p>

</body>

 

</html>

mjcpss oahsli njcia

pqxbn

 

ke bs flafckveitm vx p dgz

khlsllrs

c desguul

 

--1163_F959_9..9A9_E--

 

*** MESSAGE TRUNCATED ***

Link to post
Share on other sites

I hate to tell you this, but it would VERY likely seem that you have a virus.

go to h*ttp://housecall.trendmicro.com/housecall/start_corp.asp (remove the *) on a boradband connection and perform a free online virus scan.

If it finds nothing, then let us know in here and I will make a program available to you to help track down the virus or malware on your system.

 

I have resolved all of those IP addresses and one of them comes back to a cox.net IP do you use Cox at all?

Edited by TCH-Glenn
Link to post
Share on other sites

It could be someone else, too, with a virus, spoofing his domain name, in which case setting your default address to :blackhole: will delete any mail that arrives for a user that doesn't exist (since you are getting bounces back to "from" addresses that are faked).

 

But definitely make sure you aren't the one who's infected.

Link to post
Share on other sites

We are 98% sure we are not infected at my workplace but we still are getting about 30 of these per hour... enough to effect our performance. I'd like to hear any solutions anyone has on the exchange server level if you have them - PM me please.

Link to post
Share on other sites

It's been years since I've worked on exchange. The main thing to look for is if there's a way to discard double bounces, or better... to just not accept mail that is addressed to an invalid user. (not really a solution, just an area to look, hence I'm not PM'ing you).

Link to post
Share on other sites

I'm very careful about keeping my AV up to date. I'm using Symantec Corporate 8.1 and it's auto-updated daily at login time. I run a full computer scan every Thursday.

 

Anyway... the Trend Micro scan found nothing. I even had it scan the network drives I have access to. (over 107,000 files total)

 

I have no ties to Cox.

 

The depco-pump domain is just forwarded to depcopump.

Any email to anyone@depco-pump is forwarded to our old depco@gte.net account on my PC. That's why the reply-to "garbage"@depco-pump is showing up on my PC.

There is no outbound email from depco-pump.

 

I don't want to get banned somewhere as a spammer. YouknowwhatImean?

Link to post
Share on other sites
I don't want to get banned somewhere as a spammer. YouknowwhatImean?

You won't. This type of problem is so rampant, that people are smart enough today to completely ignore the "From:" address when setting up bans (and instead banning based on where the email truly originated from).

Link to post
Share on other sites

I am headed home now and have much better tools on my home PC. I will look into those IPs there.

I will also try to give some pointers on Exchange server then as well.

 

Now that I see the routes it is taking a little better, it does look like a spoofed address.

 

-GG

Link to post
Share on other sites

During the night last night I received another dozen failure notice emails (each containing many rejected addresses).

 

I've disabled the email forwarding on that domian. I'll wait a few days and enable it again.

 

Thanks for everyone's help!

Link to post
Share on other sites

There are a couple of problems with just stopping the forwarding, though.

If some admin at one of the mailservers is not in the mood to deal, then he could add the IP of your domain's server to a blocklist. Doing this can get your account suspended by TCH due to the zero tolerance SPAM policy.

I traced out the address I was talking about yesterday and it turns out to go to a Korean IP address registered as a DHCP one with APNIC (Asia-Pacific NIC). So I can go no further unless I catch it online. However, that would be unlikely to be the same person.

PM me with another of the messages so I can compare headers and such.

 

Your best course of action is to go to www.apnic.net/info/faq/abuse/index.html and report the abuse properly.

 

I know, it is a pain to have to do this yourself, but that is the only way to insure you are taking the steps to properly protect yourself and TCH.

 

-GG

Link to post
Share on other sites
  • 2 weeks later...

Hi, I'm having the same problems Depco has... lots and lots of bounced mail which I didn't send. At first I tracked the senders and emailed their ISP, but now I get hundreds of bounced emails a day. Just a moment ago, I finished checking my email and there's 270+ bounced emails :rolleyes: Do I have to report each one to APNIC? And what about those emails sent from other places, like Europe or the USA? Do I need to keep emailing the "abuse" emails of all those ISP's?? I don't want my domain to be in any blacklist, and if hotmail or yahoo block my domain, my email would be, for all practical porpuses, killed ;)

 

Thanks in advance!

 

*And sorry, I know my english is far from perfect... I could explain it all better in spanish, though :)

Link to post
Share on other sites

There is something going on here and we need to get to the bottom of it.

 

Firstly, are you getting these bounced back from your TCH-hosted email? Just checking to keep your account from getting suspended.

 

Next, have you recently performed a virus scan with an up-to-date virus scanning tool? use the Trend Micro one I listed above if you are on a high-speed connection.

 

If you or Depco are still having these issues, please send me a private message and I will provide you with a file to check your local machines for problems.

 

-GG

Link to post
Share on other sites

Well, the emails I get bounced back are all from my domain, different usernames but they all are @jlgh.com :) I have done a full virus scan with Norton 2004 every 2-3 days, and both Norton and Trend-Micro show my PC clean. I've used "The Cleaner" and some other anti-trojan software, and they have found nothing. Btw, I have two other websites hosted at TCH, but I've had no problems at all with both of them. I'll send you a PM, thanks!

Link to post
Share on other sites
  • 6 months later...

This is an old thread but it brings up some questions:

 

1. If I were having this problem on a TCH-hosted domain (being hijacked and thus, me getting bounces to made-up emailaddresses@**** used by spammers) -- it isn't clear if this is enough to get an account suspended. It shouldn't be, since the TCH-hosted domain is a victim, not a perp.

 

2. Does TCH expect us to report abuse to dozens or hundreds of different emails, ip addresses, compromised mail relays, in order to keep from being suspended? This would be unfair to those who are hijacked like this.

 

3. What is TCH's level of awaress of sender-authentication schemes such as SDF? (sdf.pobox.com). My domains have implemented their DNS TXT records, which ought to indicate a serious attempt on my part to reduce the risk of my domain being framed as a spammer's domain.

 

The point is, to what extent must the victim go out of their way and spend time responding to this sort of thing to please TCH? Or put another way, at what point does TCH agree that the victim IS a victim (and has no virii) and consider the account in good standing and keep it active?

 

Also, what exactly is the mechanism by which suspension occurs? Some automated process, or is a human involved? In other words, how much opportunity does a TCH-hosted domain account holder have to alert TCH before TCH takes any adverse action on the account?

 

Some of this may be in the TOS or AUP but a reiteration in plain English here would be helpful. If any of it is in plain English in those two documents just let me know -- I don't have time to read them at the moment but have recently been a victim of this same problem and want to know the full scoop on response requirements, etc.

Link to post
Share on other sites
1. If I were having this problem on a TCH-hosted domain (being hijacked and thus, me getting bounces to made-up emailaddresses@**** used by spammers) -- it isn't clear if this is enough to get an account suspended. It shouldn't be, since the TCH-hosted domain is a victim, not a perp.

You would only be suspended if your actual account at TCH was sending the spam, or your website hosted at TCH was being advertised in spam being sent from elsewhere (advertised, not just forged).

 

We can easily detect whether it's your account sending spam, or someone else forging your account and sending it from somewhere else (typically called a "joe-job"). We don't suspend people for joe-jobs (we'd have to suspend the majority of our customers if that were the case). We also know the various email technologies and spam fighting technologies rather well.

 

Basically there's only two reasons you should ever be suspended for spam:

  1. You are actually spamming or involved with spamming
  2. Someone compromised your account or is abusing a script you have installed and is spamming

Those are the only two cases that the customer is directly responsible for managing. Anything beyond that is up to the customer (such as using technologies like SPF, reporting abuses, etc...). In all cases that an account would have to be suspended, the email address listed in your cPanel will be sent a notice (this is one of the reasons it's important, if not critical, that you use an email address that does not belong to that account... if you're suspended, you can't read your account's email).

 

Becareful with SPF, though. TCH currently does NOT have SPF records defined which could cause you problems if you have SPF defined for your domain and you use TCH servers to send email (unless you are on a dedicated server).

Edited by TCH-MikeJ
Link to post
Share on other sites
Also, what exactly is the mechanism by which suspension occurs? Some automated process, or is a human involved? In other words, how much opportunity does a TCH-hosted domain account holder have to alert TCH before TCH takes any adverse action on the account?

Forgot to mention, outside of bandwidth usage (which you get a warning at 80% automatically), all suspensions are done manually.

 

How much warning you get is dependant on the issue. If your account is directly spamming (we can easily tell if it is), you will get no warning, just an alert that your account was suspended to the email address in your control panel. This has to be done this way to protect everyone else on the server (as well as other TCH servers) from being blocked by spam blockers.

 

If it's another problem that's not significantly damaging at the time, we try to give some notice first. It's handled on a case-by-case basis.

Link to post
Share on other sites

Thanks for the replies, Mike. So...my impression of SPF configuration is that it happens at the DNS level, where the legitimate mail servers allowed to send mail from a domain are defined in a TXT record. That's what I've done. From what you said it sounds like there may be some reason why that is not sufficient. (?)

 

Other question I forgot: So if you're a reseller and somebody you're hosting starts sending spam, what gets suspended? *their* domain, or the reseller domain? Since it happens quickly it would be good to know in advance at what level the suspension occurs: The guilty domain, or everything hosted by that reseller account. (?)

 

Thanks again for the in-depth responses. Thumbs Up

Link to post
Share on other sites
From what you said it sounds like there may be some reason why that is not sufficient.

 

I believe, but could be wrong, that it is because the mail server really isnt ****** but everyone that has an account shares a bigger server so it authenticates against that larger server. Like I said, I may be wrong though, I am still learning about this myself.

 

I do not have enough information to provide an answer for the rest of the questions so staff will be along to confirm or deny my answer and provide the rest of the answers.

Link to post
Share on other sites
Other question I forgot: So if you're a reseller and somebody you're hosting starts sending spam, what gets suspended? *their* domain, or the reseller domain?

Bans for spamming are done on a account basis, not per domain. The entire reseller account would be suspended. Ultimately, you are responsible for your resold resource usage.

Link to post
Share on other sites

It is called a Joe Job when someone spams using your email address

so you end up getting the boat loads of bounced from bad addresses.

Unfortunately there is not really much you can do unless you go deep

enough into the bounces to find the source of the messages and sue.

(Or so I would imagine, never had a Joe Job that lasted too long tho.)

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...