Can someone help me figure out where this is coming from? (email issues)

dreamliner77

The Analog Kid
Joined
Mar 16, 2002
Messages
4,708
#1
Well, fired up Outlook to check my email and found out I had 507 new messages! All bounce backs. It looks like someone spoofed my address.

Below is the text of one of the bounce backs. Can someone help me get to the bottom of this?

Code:
Viruses found in the attached files.
The file HTML: Virus found Win32/Heur. The attachment was removed from the mail.

The original message follows:
Hi. This is the qmail-send program at numbers.netdns.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<laurance@sunland.com.sg>:
Sorry, no mailbox here by that name. vpopmail (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <jesse@*******.net>
Received: (qmail 15052 invoked by uid 511); 17 Sep 2008 23:31:52 -0000
Received: from unknown (HELO ?204.141.31.88?) (204.141.31.88)
  by 0 with SMTP; 17 Sep 2008 23:31:52 -0000
Message-ID: <31989.raghu@xueqing>
Date: Wed, 17 Sep 2008 22:36:20 +0000
From: "123greetings.com" <jesse@******.net>
User-Agent: Thunderbird 2.0.0.12 (Windows/20080213)
MIME-Version: 1.0
To: "friend" <laurance@sunland.com.sg>
Subject: You have received an eCard
Content-Type: multipart/mixed;
 boundary="B11FB435CF1A9E4"

This is a multi-part message in MIME format.

--B11FB435CF1A9E4
Content-Type: text/plain;
 charset=iso-8859-1
Content-Transfer-Encoding: 7bit

Good day.
You have received an eCard

To pick up your eCard, open attached file Please be sure to view your eCard before the days are up!

We hope you enjoy you eCard.

Thank You!
--B11FB435CF1A9E4
Content-Type: application/zip;
 name="e-card.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="e-card.zip"

--B11FB435CF1A9E4--


Checked by AVG - http://www.avg.com
Version: 8.0.169 / Virus Database: 270.6.21/1676 - Release Date: 9/17/2008 5:07 PM
 

Mainframeguy

Debiant by way of Ubuntu
Joined
Aug 29, 2002
Messages
3,763
#3
But that's not what he wants help with! 123Greetings commonly gets used in this sort of thing, I googled about a bit because it rang a bell - but I cannot see anything to trace it in the mail you have pasted. Also this is a spam with a virus.... I think dreamliner is after tracking the originator of the spoofing of his address....
 
Joined
Feb 2, 2004
Messages
7,027
#4
this is all I can find about its origin:

[root@ks362625 ~]# whois 204.141.31.88

OrgName: NTT America, Inc.
OrgID: NTTAM-1
Address: 8005 South Chester Street
Address: Suite 200
City: Centennial
StateProv: CO
PostalCode: 80112
Country: US

ReferralServer: rwhois://rwhois.gin.ntt.net:4321/

NetRange: 204.141.0.0 - 204.141.255.255
CIDR: 204.141.0.0/16
NetName: NTTA-204-141
NetHandle: NET-204-141-0-0-1
Parent: NET-204-0-0-0-0
NetType: Direct Allocation
NameServer: AUTH21.NS.GIN.NTT.NET
NameServer: AUTH22.NS.GIN.NTT.NET
NameServer: AUTH23.NS.GIN.NTT.NET
NameServer: AUTH24.NS.GIN.NTT.NET
NameServer: AUTH25.NS.GIN.NTT.NET
Comment:
Comment: Reassignment information for this block is
Comment: available at rwhois.gin.ntt.net port 4321
RegDate: 1994-09-07
Updated: 2007-06-14

RTechHandle: VIA4-ORG-ARIN
RTechName: VIPAR
RTechPhone: +1-303-645-1900
RTechEmail: vipar@us.ntt.net

OrgAbuseHandle: NAAC-ARIN
OrgAbuseName: NTT America Abuse Contact
OrgAbusePhone: +1-800-551-1630
OrgAbuseEmail: abuse@ntt.net

OrgNOCHandle: NASC-ARIN
OrgNOCName: NTT America Support Contact
OrgNOCPhone: +1-800-551-1630
OrgNOCEmail: support@us.ntt.net

OrgTechHandle: VIPAR-ARIN
OrgTechName: VIPAR
OrgTechPhone: +1-303-645-1900
OrgTechEmail: vipar@us.ntt.net

# ARIN WHOIS database, last updated 2008-09-17 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
[root@ks362625 ~]#
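
The address looked up above is the one the bouncing server recorded in its own Received line; the Return-Path and From in the same message were supplied by whoever sent it. As an added example (not part of any post in this thread), this Python function pulls those fields out of a qmail bounce so the recorded origin can be compared with the claimed sender. `triage_bounce`, the `own_mail_ips` allow-list and the trimmed sample bounce are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample: the bounce from the first post, trimmed to its headers
# (the redacted domain is kept exactly as posted).
BOUNCE = """\
Hi. This is the qmail-send program at numbers.netdns.net.
<laurance@sunland.com.sg>:
Sorry, no mailbox here by that name. vpopmail (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <jesse@*******.net>
Received: (qmail 15052 invoked by uid 511); 17 Sep 2008 23:31:52 -0000
Received: from unknown (HELO ?204.141.31.88?) (204.141.31.88)
  by 0 with SMTP; 17 Sep 2008 23:31:52 -0000
Message-ID: <31989.raghu@xueqing>
From: "123greetings.com" <jesse@******.net>
Subject: You have received an eCard

Good day.
"""

MARKER = "--- Below this line is a copy of the message."
# qmail-style SMTP hop: from <rdns> (HELO <helo>) (<ip>)
HOP_RE = re.compile(r"from (?P<rdns>\S+) \(HELO (?P<helo>[^)]+)\) "
                    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)")

def triage_bounce(text, own_mail_ips=()):
    """Summarise where the message embedded in a qmail bounce really came from."""
    _, found, original = text.partition(MARKER)
    if not found:
        raise ValueError("no qmail-send bounce marker found")
    msg = message_from_string(original.lstrip("\r\n"))
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append(m.groupdict())
    # The topmost SMTP hop was written by the server that bounced the mail;
    # Return-Path, From and any lower Received lines are sender-supplied.
    hop = hops[0] if hops else {}
    ip = hop.get("ip")
    return {
        "claimed_sender": (msg.get("Return-Path") or "").strip().strip("<>"),
        "origin_ip": ip,
        "helo": hop.get("helo", "").strip("?") or None,
        "rdns": hop.get("rdns"),
        "message_id_host": (msg.get("Message-ID") or "").strip("<> ").rpartition("@")[2] or None,
        "sent_via_own_server": ip in own_mail_ips,  # own_mail_ips: hypothetical allow-list
    }
```

When `sent_via_own_server` is false, the message was handed to the bouncing server by some other host and only the sender address was forged.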
 

Dark Atheist

OSNN Veteran Addict
Staff member
Political User
Joined
Apr 8, 2003
Messages
6,376
#5
It's more than likely a zombied or spoofed IP of a PC sending out spam, just block it with a filter and go on about your business :p
 

dreamliner77

The Analog Kid
Joined
Mar 16, 2002
Messages
4,708
#6
Mainframeguy was right.

Unfortunately, I can't really block it with a filter. I'm not a huge fan of having my domain spoofed and would like to dig to the bottom of it.

It seems a lot of the bounce backs have stopped today.
 

Dark Atheist

OSNN Veteran Addict
Staff member
Political User
Joined
Apr 8, 2003
Messages
6,376
#7
Could be someone who has your email address in the contacts has been infected and it's picked up the address from there.
 

Johnny

.. Commodore ..
Political User
Joined
Jan 12, 2004
Messages
5,015
#8
I had this problem when I went to some stupid card site to retrieve in an email one of my relatives sent me. I clicked the link and it added me to the mailing address and spoofs. I emailed the company and told them about it, of course it got nowhere ...
 
