
Email Problem

  • 16-07-2005 12:25pm
    #1
    Closed Accounts Posts: 16,793 ✭✭✭✭


    I'm posting this here because I believe I have a security issue not a virus.
    If I'm not posting in the correct forum Mods please move. Thanks.

    Every day I get a number, 6 to 10 usually, of emails telling me something along the lines of "you mail to x could not be delivered" or "there is no address of that name on this server". I'm not sending these mails. If someone is spoofing my address I don't think there is much I can do about it. My concern is that someone is actually accessing my pc when I'm online and using me as a relay for spam. From time to time my pc does seem to slow down. Maybe I'm only imagining that bit.

    I'm running XP Pro fully updated with all patches as of last Wed. I use IE 6 again fully patched and the standard Windows firewall with default options.
    I use AVG, Ad-Aware and Spybot again all latest versions fully updated. I download Stinger weekly and run it. My service provider is Wanadoo.fr.
    I'm using a USB modem not a WiFi connection.

    Any ideas anyone?


Comments

  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    Do these emails have attachments? If so, it's not a virus trying to get off your system, it's one trying to get on. Something similar to the Mytob.**@MM strain that I've been dealing with at work, that has been able to spoof its origin address as coming from our American helpdesk.


  • Registered Users, Registered Users 2 Posts: 2,426 ✭✭✭ressem


    Agreed,
    it's unlikely that your machine is the origin of these bounced mail messages.

    It's probably either an external machine sending viruses/spam to your address or a spammer/phisher/virus spoofing your address resulting in you getting a bounce message.

    Given the spelling error pointed out it's more likely to be a virus.

    Assuming your AV is up to date (just in case), looking at the headers of the messages in your inbox can give you the ip used to connect to the original SMTP server. Doing a tracert lookup on the ip (through console or http://www.dnsstuff.com/) will probably show that the bounce sender's ip didn't match the domain it claimed to be from.


  • Closed Accounts Posts: 16,793 ✭✭✭✭Hagar


    Thanks for the response guys. I have been unable to reply due to another email problem. This time with boards.ie :D

    Here is today's offering. There is also an attachment which I haven't touched called ATT00076.dat (288 bytes)

    To me it looks like someone is spoofing my address. I get a lot of spam and have done so from the day I signed up with wanadoo. Some of them are addressed to "Annie". I suppose it's possible that this person had the address before me and let it lapse. It was a bit of a surprise to get me@wanadoo.fr to be honest.

    I use this address for business and I'm a bit concerned that it will be blacklisted on me.


    - These recipients of your message have been processed by the mail server:
    mccormick81mead@mail2bryan.com; Failed; 5.1.1 (bad destination mailbox address)

    Remote MTA 66.28.189.160: SMTP diagnostic: 550 5.1.1 <mccormick81mead@mail2bryan.com> is not a valid mailbox







    Return-Path: <me@wanadoo.fr>
    Received: from ctmail.com (10.9.0.11) by C9mailgw05.amadis.com (NPlex 6.5.029)
    id 42B358EF0914E8C8 for mccormick81mead@mail2bryan.com; Tue, 19 Jul 2005 04:31:54 -0700
    X-Commtouch-Loop:3
    Received: FROM [82.120.190.135] By c9diamond05.diamond.amadis.com ; Tue, 19 Jul 2005 04:31:54 -0800
    Received: by sproxy.google.com with SMTP id i35so47797869u
    for mccormick81mead@mail2bryan.com; Tue, 19 Jul 2005 11:33:27 -0400
    Received-SPF: pass (msn.com: domain of mccormick81mead@mail2bryan.com designates 114.27.158.19 as permitted sender)
    Message-ID: <357m0163[3]n.61725596@msn.com>
    Date: Tue, 19 Jul 2005 11:33:27 -0400
    From: "Renee Keller" <me@wanadoo.fr>
    X-Mailer: PHP
    X-MIME-Autoconverted: from quoted-printable to 8bit by msn.com id j8OQRQlG5982106
    X-Accept-Language: en-us, en
    MIME-Version: 1.0
    To: mccormick81mead@mail2bryan.com
    Subject: Hola!
    Content-Type: text/plain; charset=ISO-8859-1; format=flowed
    Content-Transfer-Encoding: 7bit
    X-Virus-Scanned: by amavisd-new at peony.msn.com
    X-Spam-Status: No, hits=-99.00 required=5.00 tests=USER_IN_WHITELIST
    version=3.0
    X-Spam-Level:
    X-Spam-Checker-Version: SpamAssassin 3.0 (1.3) on msn.com


  • Registered Users, Registered Users 2 Posts: 2,426 ✭✭✭ressem


    You might want to alter your email address in the post below before it's picked up by more page crawlers.

    Ok, the message from the mail2world smtp server (mail2bryan) looks valid. The attached smtp header below
    "Received: FROM [82.120.190.135] By c9diamond05.diamond.amadis.com ; Tue, 19 Jul 2005 04:31:54 -0800"
    looks like spoofed rubbish.

    82.120.190.135 looks like a homeuser/internet cafe connection provided by wanadoo.fr

    Is your own IP in this subnet?
    --Edit: for privacy you shouldn't answer--
    If so then you might want to look at using a firewall that is more strict on logging and blocking outgoing traffic, just in case. Perhaps run ethereal on your PC and log the outgoing SMTP traffic for the day.
    Or get the new firewall to allow outgoing SMTP connections to your ISP's mail server only.


    If not, and your email address alone is being spoofed then it's only individuals that receive spam from your address that will block you, not ISPs or blacklists.

    193.252.159.45 pos0-0-0-0.ncidf104.paris.francetelecom.net.
    193.253.171.8 bsput151-net1lo3.francetelecom.net.
    82.120.190.135 [Reached Destination]aputeaux-151-1-15-135.w82-120.abo.wanadoo.fr
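
The header check described in the replies above, as an added example that is not part of the original thread: it parses the `Received` lines of the posted bounce, lists the globally routable address to look up, and flags hops whose timestamps run backwards. The function names and the five-minute skew tolerance are assumptions of this example.

```python
import ipaddress
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Trace headers copied from the bounce posted above; folded continuation
# lines are re-indented so they parse as RFC 5322 header folding.
BOUNCE_HEADERS = """\
Return-Path: <me@wanadoo.fr>
Received: from ctmail.com (10.9.0.11) by C9mailgw05.amadis.com (NPlex 6.5.029)
 id 42B358EF0914E8C8 for mccormick81mead@mail2bryan.com; Tue, 19 Jul 2005 04:31:54 -0700
Received: FROM [82.120.190.135] By c9diamond05.diamond.amadis.com ; Tue, 19 Jul 2005 04:31:54 -0800
Received: by sproxy.google.com with SMTP id i35so47797869u
 for mccormick81mead@mail2bryan.com; Tue, 19 Jul 2005 11:33:27 -0400
From: "Renee Keller" <me@wanadoo.fr>
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SKEW = timedelta(minutes=5)  # assumed tolerance for ordinary clock drift

def received_hops(raw):
    """Parse Received headers into hops, oldest first (bottom of the header up)."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        info, _, stamp = " ".join(value.split()).rpartition(";")
        by = re.search(r"\bby\s+(\S+)", info, re.I)
        hops.append({"by": by.group(1) if by else None,
                     "ips": IP_RE.findall(info),
                     "when": parsedate_to_datetime(stamp.strip())})
    return hops

def public_ips(hops):
    """(ip, recording host) pairs for every globally routable address in the trace."""
    return [(ip, hop["by"]) for hop in hops for ip in hop["ips"]
            if ipaddress.ip_address(ip).is_global]

def out_of_order(hops):
    """Hosts that claim to have received the mail before the previous hop did."""
    return [new["by"] for old, new in zip(hops, hops[1:])
            if new["when"] < old["when"] - SKEW]

if __name__ == "__main__":
    hops = received_hops(BOUNCE_HEADERS)
    for hop in hops:
        print(hop["when"].isoformat(), hop["by"], hop["ips"])
    print("public IPs to look up:", public_ips(hops))
    print("timestamps out of order at:", out_of_order(hops))
```

Timestamps that run backwards by hours point to a forged line or a misconfigured server clock; only the `Received` lines written by servers you trust are reliable, since anything beneath them is supplied by the sender.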


  • Closed Accounts Posts: 16,793 ✭✭✭✭Hagar


    Thanks for the heads-up on my email address. I should have copped that myself.

    Good idea about the firewall, I'll have to get something better than the bog-standard piece of junk that I have.

