Can someone help me figure out where this is coming from? (email issues)

dreamliner77

Well, fired up Outlook to check my email and found out I had 507 new messages! All bounce backs. It looks like someone spoofed my address.

Below is the text of one of the bounce backs. Can someone help me get to the bottom of this?

Code:
Viruses found in the attached files.
The file HTML: Virus found Win32/Heur. The attachment was removed from the mail.

The original message follows:
Hi. This is the qmail-send program at numbers.netdns.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<laurance@sunland.com.sg>:
Sorry, no mailbox here by that name. vpopmail (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <jesse@*******.net>
Received: (qmail 15052 invoked by uid 511); 17 Sep 2008 23:31:52 -0000
Received: from unknown (HELO ?204.141.31.88?) (204.141.31.88)
  by 0 with SMTP; 17 Sep 2008 23:31:52 -0000
Message-ID: <31989.raghu@xueqing>
Date: Wed, 17 Sep 2008 22:36:20 +0000
From: "123greetings.com" <jesse@******.net>
User-Agent: Thunderbird 2.0.0.12 (Windows/20080213)
MIME-Version: 1.0
To: "friend" <laurance@sunland.com.sg>
Subject: You have received an eCard
Content-Type: multipart/mixed;
 boundary="B11FB435CF1A9E4"

This is a multi-part message in MIME format.

--B11FB435CF1A9E4
Content-Type: text/plain;
 charset=iso-8859-1
Content-Transfer-Encoding: 7bit

Good day.
You have received an eCard

To pick up your eCard, open attached file Please be sure to view your eCard before the days are up!

We hope you enjoy you eCard.

Thank You!
--B11FB435CF1A9E4
Content-Type: application/zip;
 name="e-card.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="e-card.zip"


--B11FB435CF1A9E4--


Checked by AVG - http://www.avg.com
Version: 8.0.169 / Virus Database: 270.6.21/1676 - Release Date: 9/17/2008 5:07 PM
 
But that's not what he wants help with! 123Greetings commonly gets used in this sort of thing; I googled about a bit because it rang a bell, but I cannot see anything to trace it in the mail you have pasted. Also, this is a spam with a virus... I think dreamliner is after tracking the originator of the spoofing of his address...
 
This is all I can find about its origin:

[root@ks362625 ~]# whois 204.141.31.88

OrgName: NTT America, Inc.
OrgID: NTTAM-1
Address: 8005 South Chester Street
Address: Suite 200
City: Centennial
StateProv: CO
PostalCode: 80112
Country: US

ReferralServer: rwhois://rwhois.gin.ntt.net:4321/

NetRange: 204.141.0.0 - 204.141.255.255
CIDR: 204.141.0.0/16
NetName: NTTA-204-141
NetHandle: NET-204-141-0-0-1
Parent: NET-204-0-0-0-0
NetType: Direct Allocation
NameServer: AUTH21.NS.GIN.NTT.NET
NameServer: AUTH22.NS.GIN.NTT.NET
NameServer: AUTH23.NS.GIN.NTT.NET
NameServer: AUTH24.NS.GIN.NTT.NET
NameServer: AUTH25.NS.GIN.NTT.NET
Comment:
Comment: Reassignment information for this block is
Comment: available at rwhois.gin.ntt.net port 4321
RegDate: 1994-09-07
Updated: 2007-06-14

RTechHandle: VIA4-ORG-ARIN
RTechName: VIPAR
RTechPhone: +1-303-645-1900
RTechEmail: vipar@us.ntt.net

OrgAbuseHandle: NAAC-ARIN
OrgAbuseName: NTT America Abuse Contact
OrgAbusePhone: +1-800-551-1630
OrgAbuseEmail: abuse@ntt.net

OrgNOCHandle: NASC-ARIN
OrgNOCName: NTT America Support Contact
OrgNOCPhone: +1-800-551-1630
OrgNOCEmail: support@us.ntt.net

OrgTechHandle: VIPAR-ARIN
OrgTechName: VIPAR
OrgTechPhone: +1-303-645-1900
OrgTechEmail: vipar@us.ntt.net

# ARIN WHOIS database, last updated 2008-09-17 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
[root@ks362625 ~]#
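
An added example, not written by any poster in this thread: a Python sketch that splits the bounce quoted in the first post into the headers the sender chose (and could forge) and the peer address the bouncing qmail server recorded itself, which is the value looked up with whois above. The function name `analyse_bounce` and the regular expression are illustrative, and the sample is a trimmed copy of the quoted headers.

```python
import re
from email import message_from_string

# Constructed sample: header portion of the bounce quoted in this thread,
# trimmed; the sender domain is masked with asterisks as in the post.
SAMPLE_BOUNCE = """\
Hi. This is the qmail-send program at numbers.netdns.net.
<laurance@sunland.com.sg>:
Sorry, no mailbox here by that name. vpopmail (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <jesse@*******.net>
Received: (qmail 15052 invoked by uid 511); 17 Sep 2008 23:31:52 -0000
Received: from unknown (HELO ?204.141.31.88?) (204.141.31.88)
  by 0 with SMTP; 17 Sep 2008 23:31:52 -0000
Message-ID: <31989.raghu@xueqing>
From: "123greetings.com" <jesse@*******.net>
Subject: You have received an eCard
"""

QMAIL_MARKER = "--- Below this line is a copy of the message."
# qmail-smtpd writes "from <rdns> (HELO <helo>) (<ip>)"; only the bare
# parenthesised IPv4 address is the peer the server observed on the socket.
PEER_IP = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def analyse_bounce(text):
    """Separate sender-controlled headers from what the bouncing server logged."""
    _, found, original = text.partition(QMAIL_MARKER)
    if not found:
        raise ValueError("no qmail copy-of-message marker in bounce")
    msg = message_from_string(original.lstrip())
    peers = []
    for hop in msg.get_all("Received", []):
        if not hop.lstrip().startswith("from "):
            continue  # local hand-off line: "(qmail N invoked by uid N)"
        peers += PEER_IP.findall(hop)
    return {
        "claimed_return_path": msg.get("Return-Path"),  # forgeable
        "claimed_from": msg.get("From"),                # forgeable
        "claimed_message_id": msg.get("Message-ID"),    # forgeable
        "observed_peer_ips": peers,                     # logged by the server
    }


if __name__ == "__main__":
    print(analyse_bounce(SAMPLE_BOUNCE))
```

Run over a folder of saved bounces, the `observed_peer_ips` values show whether the messages entered from one host or from many.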
 
It's more than likely a zombied or spoofed IP of a PC sending out spam, just block it with a filter and go on about your business :p
 
Mainframeguy was right.

Unfortunately, I can't really block it with a filter. I'm not a huge fan of having my domain spoofed and would like to dig to the bottom of it.

It seems a lot of the bounce backs have stopped today.
 
Could be someone who has your email address in the contacts has been infected and it's picked up the address from there.
 
I had this problem when I went to some stupid card site to retrieve in an email one of my relatives sent me. I clicked the link and it added me to the mailing address and spoofs. I emailed the company and told them about it, of course it got nowhere ...
 
