Can someone help me figure out where this is coming from? (email issues)

Discussion in 'Windows Applications' started by dreamliner77, Sep 18, 2008.

  1. dreamliner77

    dreamliner77 The Analog Kid

    Messages:
    4,702
    Location:
    Red Sox Nation
    Well, fired up Outlook to check my email and found out I had 507 new messages! All bounce backs. It looks like someone spoofed my address.

    Below is the text of one of the bounce backs. Can someone help me get to the bottom of this?

    Code:
    Viruses found in the attached files.
    The file HTML: Virus found Win32/Heur. The attachment was removed from the mail.
    
    The original message follows:
    Hi. This is the qmail-send program at numbers.netdns.net.
    I'm afraid I wasn't able to deliver your message to the following addresses.
    This is a permanent error; I've given up. Sorry it didn't work out.
    
    <laurance@sunland.com.sg>:
    Sorry, no mailbox here by that name. vpopmail (#5.1.1)
    
    --- Below this line is a copy of the message.
    
    Return-Path: <jesse@*******.net>
    Received: (qmail 15052 invoked by uid 511); 17 Sep 2008 23:31:52 -0000
    Received: from unknown (HELO ?204.141.31.88?) (204.141.31.88)
      by 0 with SMTP; 17 Sep 2008 23:31:52 -0000
    Message-ID: <31989.raghu@xueqing>
    Date: Wed, 17 Sep 2008 22:36:20 +0000
    From: "123greetings.com" <jesse@******.net>
    User-Agent: Thunderbird 2.0.0.12 (Windows/20080213)
    MIME-Version: 1.0
    To: "friend" <laurance@sunland.com.sg>
    Subject: You have received an eCard
    Content-Type: multipart/mixed;
     boundary="B11FB435CF1A9E4"
    
    This is a multi-part message in MIME format.
    
    --B11FB435CF1A9E4
    Content-Type: text/plain;
     charset=iso-8859-1
    Content-Transfer-Encoding: 7bit
    
    Good day.
    You have received an eCard
    
    To pick up your eCard, open attached file Please be sure to view your eCard before the days are up!
    
    We hope you enjoy you eCard.
    
    Thank You!
    --B11FB435CF1A9E4
    Content-Type: application/zip;
     name="e-card.zip"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment;
     filename="e-card.zip"
    
    
    --B11FB435CF1A9E4--
    
    
    Checked by AVG - http://www.avg.com
    Version: 8.0.169 / Virus Database: 270.6.21/1676 - Release Date: 9/17/2008 5:07 PM
    
    
     
  2. Dark Atheist

    Dark Atheist Moderator Political User Folding Team

    Messages:
    6,376
    Location:
    In The Void
    It's only a spam email anyway.
     
  3. Mainframeguy

    Mainframeguy Debiant by way of Ubuntu Folding Team

    Messages:
    3,763
    Location:
    London, UK
    But that's not what he wants help with! 123Greetings commonly gets used in this sort of thing; I googled about a bit because it rang a bell, but I cannot see anything to trace it in the mail you have pasted. Also, this is spam with a virus... I think dreamliner is after tracking the originator of the spoofing of his address...
     
  4. LordOfLA

    LordOfLA Godlike!

    Messages:
    7,027
    Location:
    Maidenhead, Berkshire, UK
    This is all I can find about its origin:

    [root@ks362625 ~]# whois 204.141.31.88

    OrgName: NTT America, Inc.
    OrgID: NTTAM-1
    Address: 8005 South Chester Street
    Address: Suite 200
    City: Centennial
    StateProv: CO
    PostalCode: 80112
    Country: US

    ReferralServer: rwhois://rwhois.gin.ntt.net:4321/

    NetRange: 204.141.0.0 - 204.141.255.255
    CIDR: 204.141.0.0/16
    NetName: NTTA-204-141
    NetHandle: NET-204-141-0-0-1
    Parent: NET-204-0-0-0-0
    NetType: Direct Allocation
    NameServer: AUTH21.NS.GIN.NTT.NET
    NameServer: AUTH22.NS.GIN.NTT.NET
    NameServer: AUTH23.NS.GIN.NTT.NET
    NameServer: AUTH24.NS.GIN.NTT.NET
    NameServer: AUTH25.NS.GIN.NTT.NET
    Comment:
    Comment: Reassignment information for this block is
    Comment: available at rwhois.gin.ntt.net port 4321
    RegDate: 1994-09-07
    Updated: 2007-06-14

    RTechHandle: VIA4-ORG-ARIN
    RTechName: VIPAR
    RTechPhone: +1-303-645-1900
    RTechEmail: vipar@us.ntt.net

    OrgAbuseHandle: NAAC-ARIN
    OrgAbuseName: NTT America Abuse Contact
    OrgAbusePhone: +1-800-551-1630
    OrgAbuseEmail: abuse@ntt.net

    OrgNOCHandle: NASC-ARIN
    OrgNOCName: NTT America Support Contact
    OrgNOCPhone: +1-800-551-1630
    OrgNOCEmail: support@us.ntt.net

    OrgTechHandle: VIPAR-ARIN
    OrgTechName: VIPAR
    OrgTechPhone: +1-303-645-1900
    OrgTechEmail: vipar@us.ntt.net

    # ARIN WHOIS database, last updated 2008-09-17 19:10
    # Enter ? for additional hints on searching ARIN's WHOIS database.
    [root@ks362625 ~]#
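As an added example (not code from any poster in this thread), a small Python triage script run over the header block quoted in the first post. It pulls the injecting hop out of the Received chain, which is the 204.141.31.88 that LordOfLA looked up, and flags the tell-tales that the message came from a spoofing client rather than from the poster's own mail server; the domain the poster masked is replaced with the placeholder example.net.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header block of the bounced copy quoted in the first post. The masked
# domain is replaced with the placeholder example.net; nothing else changed.
BOUNCE_HEADERS = """\
Return-Path: <jesse@example.net>
Received: (qmail 15052 invoked by uid 511); 17 Sep 2008 23:31:52 -0000
Received: from unknown (HELO ?204.141.31.88?) (204.141.31.88)
  by 0 with SMTP; 17 Sep 2008 23:31:52 -0000
Message-ID: <31989.raghu@xueqing>
Date: Wed, 17 Sep 2008 22:36:20 +0000
From: "123greetings.com" <jesse@example.net>
User-Agent: Thunderbird 2.0.0.12 (Windows/20080213)
To: "friend" <laurance@sunland.com.sg>
Subject: You have received an eCard

"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HELO = re.compile(r"HELO\s+\?*([^)\s?]+)", re.IGNORECASE)

def injection_point(raw):
    """Return (ip, helo) of the hop that handed the message to the first
    relay. Each MTA prepends its own Received header, so the bottom-most
    'Received: from ...' line is the one closest to the real origin."""
    msg = message_from_string(raw)
    for hop in reversed(msg.get_all("Received", [])):   # earliest hop first
        hop = " ".join(hop.split())                     # unfold continuation lines
        if not hop.lower().startswith("from "):
            continue                                    # local injection, e.g. qmail
        ips = IPV4.findall(hop.split(" by ")[0])        # IPs in the sender part
        helo = HELO.search(hop)
        return (ips[-1] if ips else None), (helo.group(1) if helo else None)
    return None, None

def spoof_indicators(raw):
    """Collect the header inconsistencies that mark this as a spoofed sender."""
    msg = message_from_string(raw)
    ip, helo = injection_point(raw)
    display, addr = parseaddr(msg["From"])
    from_domain = addr.split("@")[-1].lower()
    msgid_host = msg["Message-ID"].strip("<>").split("@")[-1].lower()
    return {
        "origin_ip": ip,
        "from_domain": from_domain,
        # No reverse DNS ("unknown") and a HELO that is just the client's own
        # IP is typical of an infected end-user PC, not a real mail server.
        "helo_is_bare_ip": helo is not None and IPV4.fullmatch(helo) is not None,
        # Display name pretends to be 123greetings.com; the address does not.
        "display_name_matches_from": display.lower() == from_domain,
        # The poster's own server would have stamped a Message-ID in its domain.
        "message_id_matches_from": msgid_host.endswith(from_domain),
    }
```

The whois step the thread goes on to is the natural follow-up on `origin_ip`; note that the Return-Path matches the From here, which is why every bounce landed in the poster's inbox (backscatter) even though none of the mail left his server.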
     
  5. Dark Atheist

    Dark Atheist Moderator Political User Folding Team

    Messages:
    6,376
    Location:
    In The Void
    It's more than likely a zombied or spoofed IP of a PC sending out spam; just block it with a filter and go on about your business :p
     
  6. dreamliner77

    dreamliner77 The Analog Kid

    Messages:
    4,702
    Location:
    Red Sox Nation
    Mainframeguy was right.

    Unfortunately, I can't really block it with a filter. I'm not a huge fan of having my domain spoofed and would like to dig to the bottom of it.

    It seems a lot of the bounce backs have stopped today.
     
  7. Dark Atheist

    Dark Atheist Moderator Political User Folding Team

    Messages:
    6,376
    Location:
    In The Void
    Could be someone who has your email address in their contacts has been infected, and it's picked up the address from there.
     
  8. Johnny

    Johnny .. Commodore .. Political User

    Messages:
    5,015
    Location:
    Happy Valley
    I had this problem when I went to some stupid card site to retrieve a card from an email one of my relatives sent me. I clicked the link and it added me to the mailing address and spoofs. I emailed the company and told them about it; of course it got nowhere...
     
  9. Tarun

    Tarun www.lunarsoft.net

    Messages:
    90
    Post them to spamcop.