This guy is known to us as the "info@" spammer. He's been spamming from a few 
botnets as well as compromised MTAs and webhosts for a while now with various 
mail campaigns. He normally spoofs "i...@live.com" but we've seen him switch to 
other respectable domains as well in order to avoid some of our rules. The 
reason you're getting the DSN but don't see any DSN headers is that he's using 
an RFC 3461 DSN request as part of the RCPT TO: during the SMTP transaction, and 
so our mailserver quite helpfully sends out the DSN to his spoofed MAIL FROM; 
it's not being generated via a traditional client-based return receipt. We're 
working on some changes to try and stomp on the DSNs when we see him 
attempting to go to town and should hopefully have something in production soon.

PAUL ROCK
Senior Programmer/Analyst | AOL Mail
P: 703-265-5734 | C: 703-980-8380
AIM: paulsrock
44900 Prentice Dr. | Dulles, VA | 20166-9305

On May 11, 2014, at 11:19 PM, Franck Martin via dmarc-discuss 
<dmarc-discuss@dmarc.org> wrote:

> Not exactly, the failure reports are not supposed to go back to the (fake) 
> sender but to the email specified by the ruf. This seems a delivery 
> notification, so besides a bug at AOL, I would think that the fake email 
> contains a delivery receipt header... Which AOL would honor...
> 
> I did not see such read receipt header in the original email, but it could 
> have been removed as part of the notification.
> 
> Printed on recycled paper!
> 
>> On May 11, 2014, at 20:15, "Roland Turner via dmarc-discuss" 
>> <dmarc-discuss@dmarc.org> wrote:
>> 
>> You have p=none and ruf= turned on, AOL's doing exactly what you've 
>> requested.
>> 
>> - Roland
>> 
>> 
>>> On 05/12/2014 10:25 AM, Scott Kitterman via dmarc-discuss wrote:
>>> Over the last few days I've gotten a number of bounces like this, all from
>>> AOL:
>>> 
>>> Return-Path: <>
>>> Received: from imb-d04.mx.aol.com (imb-d04.mx.aol.com [205.188.128.65])
>>>   by qs3710.pair.com (Postfix) with ESMTPS id 51A76125427
>>>   for <i...@kitterman.com>; Sun, 11 May 2014 13:05:39 -0400 (EDT)
>>> Received: from mtaig-mca02.mx.aol.com (mtaig-mca02.mx.aol.com 
>>> [172.26.221.66])
>>>   (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
>>>   (No client certificate requested)
>>>   by imb-d04.mx.aol.com (AOL Mail Bouncer) with ESMTPS id 12B0E38000AA
>>>   for <i...@kitterman.com>; Sun, 11 May 2014 13:05:39 -0400 (EDT)
>>> Received: by mtaig-mca02.mx.aol.com (Internet Inbound)
>>>   id 0400770000087; Sun, 11 May 2014 13:05:39 -0400 (EDT)
>>> Date: Sun, 11 May 2014 13:05:39 -0400 (EDT)
>>> From: mailer-dae...@aol.com (Mail Delivery System)
>>> Subject: Successful Mail Delivery Report
>>> To: i...@kitterman.com
>>> Auto-Submitted: auto-replied
>>> MIME-Version: 1.0
>>> Content-Type: multipart/report; report-type=delivery-status;
>>>   boundary="8C34370000094.1399827939/mtaig-mca02.mx.aol.com"
>>> Message-Id: <20140511170539.0400770000...@mtaig-mca02.mx.aol.com>
>>> 
>>> This is a MIME-encapsulated message.
>>> 
>>> --8C34370000094.1399827939/mtaig-mca02.mx.aol.com
>>> Content-Description: Notification
>>> Content-Type: text/plain; charset=us-ascii
>>> 
>>> Your message was successfully delivered to the destination(s)
>>> listed below. If the message was delivered to mailbox you will
>>> receive no further notifications. Otherwise you may still receive
>>> notifications of mail delivery errors from other systems.
>>> 
>>> Please direct further questions regarding this message to your e-mail
>>> administrator.
>>> 
>>> --AOL Postmaster
>>> 
>>> 
>>> <erica.bbr...@aim.com>: alias expanded
>>> 
>>> --8C34370000094.1399827939/mtaig-mca02.mx.aol.com
>>> Content-Description: Delivery report
>>> Content-Type: message/delivery-status
>>> 
>>> Reporting-MTA: dns; mtaig-mca02.mx.aol.com
>>> X-Internet-Inbound-Queue-ID: 8C34370000094
>>> X-Internet-Inbound-Sender: rfc822; i...@kitterman.com
>>> Arrival-Date: Sun, 11 May 2014 13:05:38 -0400 (EDT)
>>> 
>>> Final-Recipient: rfc822; erica.bbr...@aim.com
>>> Original-Recipient: rfc822;erica.bbr...@aim.com
>>> Action: expanded
>>> Status: 2.0.0
>>> Diagnostic-Code: X-Internet-Inbound; alias expanded
>>> 
>>> --8C34370000094.1399827939/mtaig-mca02.mx.aol.com
>>> Content-Description: Message Headers
>>> Content-Type: text/rfc822-headers
>>> 
>>> Return-Path: <i...@kitterman.com>
>>> Received: from are-financed-errors.oilbrooklyn.com
>>>   (safety-good-sparkprovo.oilbrooklyn.com [199.175.55.32])
>>>   by mtaig-mca02.mx.aol.com (Internet Inbound) with ESMTP id 8C34370000094
>>>   for <erica.bbr...@aim.com>; Sun, 11 May 2014 13:05:38 -0400 (EDT)
>>> Date: Sun, 11 May 2014 06:30:50 CDT
>>> Mime-Version: 1.0
>>> X-MSGID:1
>>> Content-Type: text/html
>>> From:  Loan Department. <i...@kitterman.com>
>>> To: erica.bbr...@aim.com
>>> Subject:  RE:Congratulations erica.bbrown $9500 Available For You!
>>> x-aol-global-disposition: S
>>> X-AOL-SCOLL-DMARC: mtaig-mca02.mx.aol.com ; domain : kitterman.com ; policy : none ; result : F
>>> Authentication-Results: mx.aol.com;
>>>   spf=fail (aol.com: the domain kitterman.com reports that 199.175.55.32 is
>>> explicitly not authorized to send mail using it's domain name.)
>>> smtp.mailfrom=kitterman.com;
>>>   dmarc=fail (aol.com: the domain kitterman.com reports that Neither SPF nor
>>> DKIM align.) header.from=kitterman.com;
>>> X-AOL-REROUTE: YES
>>> x-aol-sid: 3039ac1add42536fade22f5e
>>> X-AOL-IP: 199.175.55.32
>>> X-AOL-SPF: domain : kitterman.com SPF : fail
>>> 
>>> --8C34370000094.1399827939/mtaig-mca02.mx.aol.com--
>>> 
>>> Dear AOL: please stop.  This is brain dead.  In case anyone is wondering, no
>>> one from i...@kitterman.com sent erica.bbrown any mail telling her we had
>>> $9500 available for her.
>>> 
>>> I don't know for sure if this is related to DMARC or not, but the timing seems
>>> to be roughly in line with their rollout of DMARC p=reject.
>>> 
>>> I have more if anyone wants to see them.
>>> 
>>> Scott K
>>> _______________________________________________
>>> dmarc-discuss mailing list
>>> dmarc-discuss@dmarc.org
>>> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>>> 
>>> NOTE: Participating in this list means you agree to the DMARC Note Well 
>>> terms (http://www.dmarc.org/note_well.html)
>> 
>> 
>> -- 
>> Roland Turner | Director, Labs
>> TrustSphere Pte Ltd | 3 Phillip Street #13-03, Singapore 048693
>> Mobile: +65 96700022 | Skype: roland.turner
>> roland.tur...@trustsphere.com | http://www.trustsphere.com/
>> 
> 

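Added example, not part of the original thread and not AOL's code: a sketch of the receiver-side check the top message describes, parsing the RFC 3461 `NOTIFY` parameter on `RCPT TO` and withholding the success DSN when SPF did not authenticate the envelope sender. The policy function, its return labels and the sample addresses are assumptions made for illustration.

```python
import re

# RCPT TO:<addr> followed by optional ESMTP parameters (RFC 3461 adds NOTIFY, ORCPT).
RCPT_RE = re.compile(r"^RCPT TO:\s*<(?P<addr>[^>]*)>(?P<params>.*)$", re.IGNORECASE)

def parse_rcpt(line):
    """Return (recipient, NOTIFY values, ORCPT) from one RCPT TO command."""
    m = RCPT_RE.match(line.strip())
    if not m:
        raise ValueError("not a RCPT TO command: %r" % line)
    notify, orcpt = set(), None
    for token in m.group("params").split():
        key, _, value = token.partition("=")
        if key.upper() == "NOTIFY":
            notify = {v.upper() for v in value.split(",") if v}
        elif key.upper() == "ORCPT":
            orcpt = value
    return m.group("addr"), notify, orcpt

def spf_result(auth_results):
    """Pull the spf= verdict out of an Authentication-Results value."""
    m = re.search(r"\bspf=(\w+)", auth_results, re.IGNORECASE)
    return m.group(1).lower() if m else "none"

def dsn_decision(rcpt_line, auth_results):
    """Hypothetical policy: a success DSN goes to the envelope sender (MAIL FROM),
    so honour NOTIFY=SUCCESS only when SPF authenticated that sender."""
    _, notify, _ = parse_rcpt(rcpt_line)
    if "SUCCESS" not in notify:
        return "no-success-dsn"        # nothing to decide: no success report requested
    if spf_result(auth_results) == "pass":
        return "send-success-dsn"
    return "suppress-success-dsn"      # a spoofed MAIL FROM would receive backscatter

# Constructed sample transactions (example.* names, not taken from the thread).
SAMPLES = [
    ("RCPT TO:<rcpt@example.net> NOTIFY=SUCCESS,FAILURE ORCPT=rfc822;rcpt@example.net",
     "mx.example.net; spf=fail smtp.mailfrom=example.com; dmarc=fail header.from=example.com"),
    ("RCPT TO:<rcpt@example.net> NOTIFY=SUCCESS",
     "mx.example.net; spf=pass smtp.mailfrom=example.org"),
    ("RCPT TO:<rcpt@example.net>",
     "mx.example.net; spf=fail smtp.mailfrom=example.com"),
]

if __name__ == "__main__":
    for rcpt, auth in SAMPLES:
        print(dsn_decision(rcpt, auth), "<-", rcpt)
```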