THANK YOU!

I am going to forward this to Road Runner support (with your permission).  I
kept telling them that this was something going on THEIR network and they
kept telling me no.  

I feel a little less like I am going crazy - 

Thanks-

Marc

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Tuesday, July 12, 2005 11:35 AM
To: Declude.JunkMail@declude.com
Subject: [OVER DELETE]RE: RE: [Declude.JunkMail] Bounced viruses or e-mail
I'm confused...

Not all viruses use their own SMTP engine; this was likely one of the
recent MyTob variants that tries to use the SMTP server of the current
user.

The virus can do this with some success because many ISPs use routing or
firewalls to allow their users to use their servers as an open relay,
because a) that buys them close relay status to the Internet, and b)
it's easier than authentication.  Also, many ISPs don't do outbound
virus scanning on the basis of "we don't want a false positive to even
possibly interfere with our customers' communications".

Here's a writeup on one of the recent viruses that uses the ISP's mail
server:

http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=43250


Andrew 8)


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Marc Catuogno
Sent: Tuesday, July 12, 2005 7:43 AM
To: Declude.JunkMail@declude.com
Subject: RE:RE: [Declude.JunkMail] Bounced viruses or e-mail I'm
confused...

Thanks for the explanation.  I figured that this is a home user with an
infected PC claiming to be prudentialrand.com, but I guess where I am
confused is that I thought most of the current viruses have their own
SMTP engine and didn't use the ISP's mail server. So I didn't expect the
ISP mail server to be involved. 

When I reported this to Road Runner, they said it had nothing to do with
them or their network so I thought I was way off the mark.  But it is
one of their users' infected machines sending through their SMTP.  Um, right?

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jeff Robertson
Sent: Tuesday, July 12, 2005 10:00 AM
To: Declude.JunkMail@declude.com
Subject: [OVER DELETE]RE: [Declude.JunkMail] Bounced viruses or e-mail
I'm confused...

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- 
> [EMAIL PROTECTED] On Behalf Of Marc Catuogno
> Sent: Monday, July 11, 2005 11:12 PM
> To: Declude.JunkMail@declude.com
> Subject: SV [Declude.JunkMail] Bounced viruses or e-mail I'm confused...
> 
> 
> 
> Please bear with me.  I've been getting bounces that I don't 
> understand, and I do feel stupid.  If anyone has the time or patience
> to help me clear this up it would be appreciated:
> 
> If a virus forges my e-mail address as the from and attempts to send 
> it to a non-existent user on my domain - wouldn't the bounce message 
> simply be coming from my domain?  It looks like other servers are 
> answering for prudentialrand.com - am I nuts? Highly confused? 
> Screwed?

Unless I'm off the mark, this is backscatter mail.  It is common for
virus-infected or otherwise spamming computers to claim to be something
they are not.  What appears to be happening in your case is that an
infected computer (claiming to be prudentialrand.com) sends out a
message to its ISP's mail server.  The ISP's mail server looks up the MX
and sends the message to your mail server.  As soon as your server
receives the RCPT TO information, it rejects the message because the
recipient doesn't exist.
Since your server rejected the message before actually accepting it (as
it should), it is up to the sending server to send the bounce message.
Since the original forged message has one of your addresses as the
sender, the sending server delivers a bounce there. 

> 
> I see lines like the following in non deliverable messages:
> 
> Received: from prudentialrand.com (cpe-68-174-20-197.si.res.rr.com
> [68.174.20.197])
--- the spamming computer claiming to be you

>       by ms-smtp-03.rdc-nyc.rr.com (8.12.10/8.12.7) with ESMTP id
> j6BMlhGi015287
--- their RoadRunner mail server, most likely

>       for <[EMAIL PROTECTED]>; Mon, 11 Jul 2005 18:47:44 -0400 (EDT)
> Message-Id: <[EMAIL PROTECTED]>
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> 
> 
> Received: from prudentialrand.com (ipn36373-b01578.cidr.lightship.net
> [216.204.209.74])
>       by spirit.lightshipmail.net (Postfix) with ESMTP id DD5571D5A6D
>       for <[EMAIL PROTECTED]>; Mon, 11 Jul 2005 20:58:09 -0400 (EDT)
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> 
> FULL HEADERS BELOW:
> 
> MESSAGE 1:
> 
> Received: from spirit.lightshipmail.net [216.204.0.205] by
--- ISP's mail server again

> mail.prudentialrand.com with ESMTP
>   (SMTPD32-8.05) id A70D12200C6; Mon, 11 Jul 2005 21:04:13 -0400
> Received: by spirit.lightshipmail.net (Postfix)
--- their mail server is running Postfix, which generated the bounce to
you

>       id 0B4BE1D5BBC; Mon, 11 Jul 2005 20:58:12 -0400 (EDT)
> Date: Mon, 11 Jul 2005 20:58:12 -0400 (EDT)
> From: [EMAIL PROTECTED] (Mail Delivery System)
> Subject: Undelivered Mail Returned to Sender
> To: [EMAIL PROTECTED]
> MIME-Version: 1.0
> Content-Type: multipart/report; report-type=delivery-status;
>       boundary="DD5571D5A6D.1121129892/spirit.lightshipmail.net"
> Message-Id: <[EMAIL PROTECTED]>
> X-IMAIL-SPAM-VALFROM: (19005638)
> X-Declude-Sender: <> [216.204.0.205]
> X-Declude-Spoolname: D170d012200c613e1.SMD
> X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) 
> for spam.
> X-Spam-Tests-Failed: None [0]
> X-Country-Chain:
> X-Note: This E-mail was sent from  ([216.204.0.205]).
> 
> This is a MIME-encapsulated message.
> 
> --DD5571D5A6D.1121129892/spirit.lightshipmail.net
> Content-Description: Notification
> Content-Type: text/plain
> 
> This is the Postfix program at host spirit.lightshipmail.net.
> 
> I'm sorry to have to inform you that your message could not be be 
> delivered to one or more recipients. It's attached below.
> 
> For further assistance, please send mail to <postmaster>
> 
> If you do so, please include this problem report. You can delete your 
> own text from the attached returned message.
> 
>                       The Postfix program
> 
> <[EMAIL PROTECTED]>: host mail.prudentialrand.com[64.63.165.172]
> said:
>     550 unknown user <[EMAIL PROTECTED]> (in reply to RCPT TO
> command)

This is the error your mail server replied with when
spirit.lightshipmail.net tried to send the message, so
spirit.lightshipmail.net is required to send the bounce.

> 
> --DD5571D5A6D.1121129892/spirit.lightshipmail.net
> Content-Description: Delivery report
> Content-Type: message/delivery-status
> 
> Reporting-MTA: dns; spirit.lightshipmail.net
> X-Postfix-Queue-ID: DD5571D5A6D
> X-Postfix-Sender: rfc822; [EMAIL PROTECTED]
> Arrival-Date: Mon, 11 Jul 2005 20:58:09 -0400 (EDT)
> 
> Final-Recipient: rfc822; [EMAIL PROTECTED]
> Action: failed
> Status: 5.0.0
> Diagnostic-Code: X-Postfix; host 
> mail.prudentialrand.com[64.63.165.172]
> said:
>     550 unknown user <[EMAIL PROTECTED]> (in reply to RCPT TO
> command)
> 
> --DD5571D5A6D.1121129892/spirit.lightshipmail.net
> Content-Description: Undelivered Message
> Content-Type: message/rfc822
> 
> Received: from prudentialrand.com (ipn36373-b01578.cidr.lightship.net
> [216.204.209.74])
>       by spirit.lightshipmail.net (Postfix) with ESMTP id DD5571D5A6D
>       for <[EMAIL PROTECTED]>; Mon, 11 Jul 2005 20:58:09 -0400 (EDT)
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: lnsuh
> Date: Mon, 11 Jul 2005 20:58:37 -0400
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
>       boundary="----=_NextPart_000_0001_F70A1BAE.73E16A2C"
> X-Priority: 3
> X-MSMail-Priority: Normal
> Message-Id: [EMAIL PROTECTED]
> 
> 
> MESSAGE 2:
> Headers:
> Received: from SMTP32-FWD by mail.prudentialrand.com
>   (SMTP32) id A047001F2; Mon, 11 Jul 2005 18:57:02 -0400
> Received: from ms-smtp-03.rdc-nyc.rr.com [24.29.109.7] by 
> mail.prudentialrand.com with ESMTP
>   (SMTPD32-8.05) id A7E973D0088; Mon, 11 Jul 2005 18:51:21 -0400
> Received: from localhost (localhost)
>       by ms-smtp-03.rdc-nyc.rr.com (8.12.10/8.12.7) id j6BMlmGi015336;
>       Mon, 11 Jul 2005 18:47:48 -0400 (EDT)
> Date: Mon, 11 Jul 2005 18:47:48 -0400 (EDT)
> From: Mail Delivery Subsystem 
> <[EMAIL PROTECTED]>
> Message-Id: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> MIME-Version: 1.0
> Content-Type: multipart/report; report-type=delivery-status;
>       boundary="j6BMlmGi015336.1121122068/ms-smtp-03.rdc-nyc.rr.com"
> Subject: [OVER DELETE]Returned mail: see transcript for details
> Auto-Submitted: auto-generated (failure)
> X-IMAIL-SPAM-VALFROM: (121438344)
> X-RBL-Warning: ANTI-AV: Message failed ANTI-AV test (line 167, weight 
> 7)
> X-RBL-Warning: GIBBERISH: Message failed GIBBERISH test (line 153, 
> weight
> 4)
> X-RBL-Warning: ANTI-GIBBERISH: Message failed ANTI-GIBBERISH test 
> (line 127, weight -4)
> X-RBL-Warning: Y!DIRECTED: Message failed Y!DIRECTED test (line 229, 
> weight
> 11)
> X-RBL-Warning: ANTI-Y!DIRECTED: Message failed ANTI-Y!DIRECTED test 
> (line 60, weight -11)
> X-RBL-Warning: FILTER: Message failed FILTER test (line 389, weight 
> 33)
> X-RBL-Warning: WEIGHT10: Weight of 40 reaches or exceeds the limit of 10.
> X-RBL-Warning: WEIGHT25: Weight of 40 reaches or exceeds the limit of 25.
> X-RBL-Warning: WEIGHT40: Weight of 40 reaches or exceeds the limit of 40.
> X-Declude-Sender: <> [24.29.109.7]
> X-Declude-Spoolname: Df7e9073d00886e57.SMD
> X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) 
> for spam.
> X-Spam-Tests-Failed: ANTI-AV, GIBBERISH, ANTI-GIBBERISH, Y!DIRECTED, 
> ANTI-Y!DIRECTED, FILTER, WEIGHT10, WEIGHT15, WEIGHT20, WEIGHT25, 
> WEIGHT30, WEIGHT40, CATCHALLMAILS [40]
> X-Country-Chain:
> X-Note: This E-mail was sent from ms-smtp-03-smtplb.rdc-nyc.rr.com 
> ([24.29.109.7]).
> X-RCPT-TO: [EMAIL PROTECTED]>
> Status: U
> X-UIDL: 410406848
> 
> 
> BODY:
> The original message was received at Mon, 11 Jul 2005 18:47:44 -0400 
> (EDT) from cpe-68-174-20-197.si.res.rr.com [68.174.20.197]
> 
>    ----- The following addresses had permanent fatal errors ----- 
> <[EMAIL PROTECTED]>
>     (reason: 550 unknown user <[EMAIL PROTECTED]>)
> 
>    ----- Transcript of session follows ----- ... while talking to 
> mail.prudentialrand.com.:
> >>> RCPT To:<[EMAIL PROTECTED]>
> <<< 550 unknown user <[EMAIL PROTECTED]> 550 5.1.1 
> <[EMAIL PROTECTED]>... User unknown
> 
> Attachment 1
> 
> Reporting-MTA: dns; ms-smtp-03.rdc-nyc.rr.com
> Received-From-MTA: DNS; cpe-68-174-20-197.si.res.rr.com
> Arrival-Date: Mon, 11 Jul 2005 18:47:44 -0400 (EDT)
> 
> Final-Recipient: RFC822; [EMAIL PROTECTED]
> Action: failed
> Status: 5.1.1
> Remote-MTA: DNS; mail.prudentialrand.com
> Diagnostic-Code: SMTP; 550 unknown user <[EMAIL PROTECTED]>
> Last-Attempt-Date: Mon, 11 Jul 2005 18:47:48 -0400 (EDT)
> 
> Attachment 2:
> Received: from prudentialrand.com (cpe-68-174-20-197.si.res.rr.com
> [68.174.20.197])
>       by ms-smtp-03.rdc-nyc.rr.com (8.12.10/8.12.7) with ESMTP id
> j6BMlhGi015287
>       for <[EMAIL PROTECTED]>; Mon, 11 Jul 2005 18:47:44 -0400 (EDT)
> Message-Id: <[EMAIL PROTECTED]>
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: YOUR PASSWORD HAS BEEN SUCCESSFULLY UPDATED
> Date: Mon, 11 Jul 2005 18:46:26 -0700
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
>       boundary="----=_NextPart_000_0010_CDC4E07D.EE85C8F4"
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Virus-Scanned: Symantec AntiVirus Scan Engine
> X-Virus-Scan-Result: Repaired 15810 [EMAIL PROTECTED]
> 
> 
> ---
> [This E-mail scanned for viruses by Declude Virus]
> 
> ---
> This E-mail came from the Declude.JunkMail mailing list.  To 
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type 
> "unsubscribe Declude.JunkMail".  The archives can be found at 
> http://www.mail-archive.com.


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
"unsubscribe Declude.JunkMail".  The archives can be found at
http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]
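The analysis Jeff walks through by hand above (read the DSN's Reporting-MTA and Diagnostic-Code, go to the earliest Received hop of the attached original, and notice that the HELO name claims prudentialrand.com while the connecting host is a Road Runner cable modem) can be scripted. The following is an added example written for this page, not code from the thread, from Jeff, or from Declude. It uses only Python's standard email package; the embedded sample bounce is constructed to have the same shape as the Postfix DSN quoted above, with example.com standing in for the forged domain and isp.example.net for the ISP, and every hostname, IP address and mailbox in it is made up.

```python
"""Classify a DSN as backscatter and identify the host that injected the
forged message.  Added example (not from the thread or Declude); all
hosts, IPs and mailboxes are constructed.  Stdlib only."""
import email
import re
from email import policy

OUR_DOMAIN = "example.com"  # assumed: the domain whose addresses are forged

# Constructed sample shaped like the Postfix DSN quoted in the thread.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.isp.example.net (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status;
    boundary="DD5571D5A6D/mx.isp.example.net"

--DD5571D5A6D/mx.isp.example.net
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.isp.example.net

Final-Recipient: rfc822; nosuchuser@example.com
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; host mail.example.com[192.0.2.10] said:
    550 unknown user <nosuchuser@example.com> (in reply to RCPT TO command)

--DD5571D5A6D/mx.isp.example.net
Content-Type: message/rfc822

Received: from example.com (cpe-198-51-100-23.res.isp.example.net
    [198.51.100.23])
    by mx.isp.example.net (Postfix) with ESMTP id DD5571D5A6D
    for <nosuchuser@example.com>; Mon, 11 Jul 2005 20:58:09 -0400 (EDT)
From: alice@example.com
To: nosuchuser@example.com
Subject: lnsuh

(worm payload omitted)

--DD5571D5A6D/mx.isp.example.net--
"""

# Earliest hop of the attached original: "from HELO (rdns [ip]) by RELAY ..."
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(?(?:(?P<rdns>[\w.-]+)\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\)?"
    r"\s+by\s+(?P<by>[\w.-]+)", re.IGNORECASE)
DSN_FIELDS = ("Reporting-MTA", "Final-Recipient", "Status", "Diagnostic-Code")

def _clean(value):
    """Collapse header folding into single spaces."""
    return re.sub(r"\s+", " ", str(value)).strip()

def _in_domain(host, domain):
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def parse_bounce(raw):
    """Extract the delivery-status fields and the original message's Received trail."""
    msg = email.message_from_string(raw, policy=policy.default)
    info = {"original_from": None, "received": []}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            # Postfix writes a per-message block, then one block per recipient
            for block in part.get_payload():
                for name in DSN_FIELDS:
                    if block[name] is not None:
                        # drop the "dns;" / "rfc822;" / "X-Postfix;" type tag
                        info[name] = _clean(block[name]).split(";", 1)[-1].strip()
        elif ctype == "message/rfc822":
            original = part.get_payload(0)
            info["original_from"] = _clean(original["From"])
            # Received headers are prepended, so the last one is the first hop
            info["received"] = [_clean(h) for h in original.get_all("Received", [])]
    return info

def classify(info, our_domain=OUR_DOMAIN):
    """Backscatter: sender in our domain, injected by a host that is not ours,
    refused by our server at RCPT TO, so the relay had to generate the DSN."""
    result = {"verdict": "unknown", "forged_sender": info["original_from"],
              "bounced_by": info.get("Reporting-MTA"), "injecting_ip": None,
              "injecting_rdns": None, "relay_mta": None, "forged_helo": False}
    hop = RECEIVED_RE.search(info["received"][-1]) if info["received"] else None
    if hop is None:
        return result
    result.update(injecting_ip=hop["ip"], injecting_rdns=hop["rdns"], relay_mta=hop["by"])
    # HELO claims our domain while the connecting host's reverse DNS is elsewhere
    result["forged_helo"] = (_in_domain(hop["helo"], our_domain)
                             and not _in_domain(hop["rdns"], our_domain))
    diag = (info.get("Diagnostic-Code") or "").lower()
    refused_at_rcpt = bool(re.search(r"\b550\b", diag)) and "rcpt to" in diag
    sender_domain = (info["original_from"] or "").rpartition("@")[2]
    if _in_domain(hop["rdns"], our_domain):
        result["verdict"] = "our-own-outbound"
    elif _in_domain(sender_domain, our_domain) and refused_at_rcpt:
        result["verdict"] = "backscatter"
    else:
        result["verdict"] = "other-dsn"
    return result

if __name__ == "__main__":
    r = classify(parse_bounce(SAMPLE_BOUNCE))
    print(f"{r['verdict']}: {r['forged_sender']} forged by {r['injecting_ip']} "
          f"({r['injecting_rdns']}) via {r['relay_mta']}; DSN from {r['bounced_by']}")
```

The verdict of "backscatter" here is the same conclusion Jeff reaches: the DSN itself is legitimate (the relay had no choice once our server said 550 at RCPT TO), and the useful facts for an abuse report to the ISP are the injecting IP and its reverse DNS from the first hop, not the relay that generated the bounce. A hop whose reverse DNS is inside our own domain comes back as "our-own-outbound", which is the case where the problem really is on our side.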