OT - has my email domain been hijacked?

Chris Wright linux-list at cwic-solutions.co.uk
Wed Sep 14 20:06:14 UTC 2005


> -----Original Message-----
> From: fedora-list-bounces at redhat.com 
> [mailto:fedora-list-bounces at redhat.com] On Behalf Of 
> kevin.kempter at dataintellect.com
> Sent: Wednesday, September 14, 2005 8:40 PM
> To: fedora-list at redhat.com
> Subject: OT - has my email domain been hijacked?
> 
> Returned mail: User unknown
> Hi List;
> 
> I keep getting emails similar to the text below. I/We own the 
> domain dataintellect.com and we have email addresses setup 
> however I always see a bogus dataintellect.com email address 
> as the sender.
> 
> -or is this simply a random spam email?
> 
> Thanks in advance for any advice...
> 
> 
> ================================================
> 
> From: 
> Mail Delivery Subsystem <MAILER-DAEMON at aol.com>
>   To: 
> carina_x at dataintellect.com
>   Date: 
> Today 13:31:26
>    
>   Spam Status: Spamassassin 0% probability of being spam.
> 
> Full report:
> No, score=0.0 required=5.0 tests=AWL,BAYES_50 autolearn=no  
> version=3.0.4 The original message was received at Wed, 14 
> Sep 2005 15:31:23 -0400 (EDT) from 
> client-201.230.112.161.speedy.net.pe [201.230.112.161]
> 
> 
> *** ATTENTION ***
> 
> Your e-mail is being returned to you because there was a 
> problem with its delivery.  The address which was 
> undeliverable is listed in the section
> labeled: "----- The following addresses had permanent fatal 
> errors -----".
> 
> The reason your mail is being returned to you is listed in the section
> labeled: "----- Transcript of Session Follows -----".
> 
> The line beginning with "<<<" describes the specific reason 
> your e-mail could not be delivered.  The next line contains a 
> second error message which is a general translation for other 
> e-mail servers.
> 
> Please direct further questions regarding this message to 
> your e-mail administrator.
> 
> --AOL Postmaster
> 
> 
> 
>    ----- The following addresses had permanent fatal errors 
> ----- <acardi at cs.com> <adorablealicia at cs.com> 
> <aclaudet at cs.com> <acarter5 at cs.com> <acrader at cs.com>
> 
>    ----- Transcript of session follows ----- ... while 
> talking to air-yg01.mail.aol.com.:
> >>> RCPT To:<acrader at cs.com>
> <<< 550 MAILBOX NOT FOUND
> 550 <acrader at cs.com>... User unknown
> >>> RCPT To:<acarter5 at cs.com>
> <<< 550 MAILBOX NOT FOUND
> 550 <acarter5 at cs.com>... User unknown
> >>> RCPT To:<aclaudet at cs.com>
> <<< 550 MAILBOX NOT FOUND
> 550 <aclaudet at cs.com>... User unknown
> >>> RCPT To:<adorablealicia at cs.com>
> <<< 550 MAILBOX NOT FOUND
> 550 <adorablealicia at cs.com>... User unknown
> >>> RCPT To:<acardi at cs.com>
> <<< 550 MAILBOX NOT FOUND
> 550 <acardi at cs.com>... User unknown
> unnamed
> 
> Received: from  client-201.230.112.161.speedy.net.pe
> (client-201.230.112.161.speedy.net.pe [201.230.112.161]) by 
> rly-yg02.mx.aol.com (v107.10) with ESMTP id 
> MAILRELAYINYG23-26f43287a8232f; Wed, 14 Sep 2005 15:31:21 -0400
> Received: from mail.strawberrysampler.com ([64.118.71.80]) by 
> 201.230.112.161 with ESMTP id 4868741;
>          Wed, 14 Sep 2005 19:21:59 -0100
> Received: (qmail 73986 invoked by uid 5164); Date: Wed, 14 
> Sep 2005 19:21:59 -0100
> Date: Wed, 14 Sep 2005 19:21:59 -0100
> Message-ID: <20050914.68664.carina_x at dataintellect.com>
> From: "Men of Focus" <carina_x at dataintellect.com>
> Sender: carina_x at dataintellect.com
> To: acardi at cs.com, adorablealicia at cs.com, aclaudet at cs.com, 
> acarter5 at cs.com,
>         acrader at cs.com
> X-Responder-ID: 14
> Subject: Living without concerns!
> Content-Type: text/html; charset="UTF-8"
> X-AOL-IP: 201.230.112.161
> X-AOL-SCOLL-SCORE: 1:2:306687321:10737418
> X-AOL-SCOLL-URL_COUNT: 3
> 


That appears to be a SPAMMER who is faking a user ID at your domain in the
from address.
The dumb mail server of some of the recipients hasn't worked out that the
headers are forged, so it is returning the 'unknown address error' back to
you instead of the source.
What it should do is look at the headers to see that it is faked, and just
bin it without doing anything.

It appears to be from:


201.230.112.161
client-201.230.112.161.speedy.net.pe
Host reachable, 488 ms. average

201.230.112.128 - 201.230.112.255

PE-TDPERX3-LACNIC
Av. San Felipe 1144 Surquillo, 1144, edi A
34 - Lima -
Peru
+51 1 210-6771 []

Gestion Dir. IP Telefonica del Peru
gestionip at TELEFONICA.NET.PE
Calle San Felipe 1144, 1144,
LI34 - Lima - LI
Peru
phone: +51 1 2106771 []

PE-PETD9-LACNIC
Created: 17-Aug-2005
Updated: 17-Aug-2005
Source: whois.lacnic.net

So I would forward on to them:

That is unless of course your server is acting like an open relay (which it
is not).

Regards

Chris
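The header check Chris describes, as an added example that is not part of the thread: it walks the bounced message's own Received chain (the headers quoted above, re-typed as constructed sample data with the archive's " at " restored to "@"), trusts only the line written by the receiving MX, and compares the connecting host with the domain claimed in From. The `.aol.com` trust suffix and the hostname heuristic are assumptions for the demo; a real check would test the client IP against the domain's SPF record.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: the header block of the bounced spam quoted in the thread.
BOUNCED_HEADERS = """\
Received: from client-201.230.112.161.speedy.net.pe (client-201.230.112.161.speedy.net.pe [201.230.112.161]) by rly-yg02.mx.aol.com (v107.10) with ESMTP id MAILRELAYINYG23-26f43287a8232f; Wed, 14 Sep 2005 15:31:21 -0400
Received: from mail.strawberrysampler.com ([64.118.71.80]) by 201.230.112.161 with ESMTP id 4868741; Wed, 14 Sep 2005 19:21:59 -0100
From: "Men of Focus" <carina_x@dataintellect.com>
Sender: carina_x@dataintellect.com
To: acardi@cs.com
Subject: Living without concerns!

"""

# "from <host> (<anything> [<ip>]) by <host>" as written by sendmail/qmail-style MTAs
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\([^)]*\[(\d+\.\d+\.\d+\.\d+)\]\)\s+by\s+(\S+)")


def originating_client(raw_message, trusted_by_suffix):
    """Return (host, ip) of the machine that handed the message to our MX.

    Received headers are prepended, so the list runs newest first. Only the
    line stamped "by" a host we run (trusted_by_suffix) is trustworthy; every
    Received line below it was supplied by the sender and may be forged.
    """
    msg = email.message_from_string(raw_message)
    for received in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(received.split()))  # unfold continuation lines
        if m and m.group(3).lower().endswith(trusted_by_suffix):
            return m.group(1).lower(), m.group(2)
    return None


def assess_bounce(raw_message, trusted_by_suffix, my_domain):
    """Decide whether a bounce 'for' my_domain is backscatter from a forged From."""
    msg = email.message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    host, ip = originating_client(raw_message, trusted_by_suffix) or (None, None)
    # Demo heuristic (assumption): a connecting host outside the From domain is a
    # strong sign of forgery. Production code would check the IP against SPF.
    forged = from_domain == my_domain and not (host or "").endswith("." + my_domain)
    return {"from_domain": from_domain, "client_host": host,
            "client_ip": ip, "likely_forged": forged}


if __name__ == "__main__":
    print(assess_bounce(BOUNCED_HEADERS, ".aol.com", "dataintellect.com"))
```

For this sample the verdict is that the message entered AOL from 201.230.112.161 (speedy.net.pe), not from anything under dataintellect.com, so the bounce is backscatter rather than a sign the domain's own mail server was abused.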
