Techsurvivors

Archives => 2003 => Topic started by: Highmac on October 07, 2003, 02:24:18 AM

Title: Email and internet access problems
Post by: Highmac on October 07, 2003, 02:24:18 AM
Having noticed the recent increase in the number of such posts, you might be interested in this notice ("click here" for pop-up) from my ISP explaining action taken by them and many other ISPs because of viruses. Could be worth checking your own ISP's service notices.
Title: Email and internet access problems
Post by: kelly on October 07, 2003, 07:26:28 AM
Yeah. I've been without Mail a few days at a time myself. :)
Title: Email and internet access problems
Post by: Gregg on October 07, 2003, 12:52:19 PM
I had a weird one here at work. Happened twice. I received a "bounce back" about a message not being delivered. It doesn't tell me which message, so I looked for the address. Same address both times... one that I do not recognize. I suspected who had not received a previous message, noting that I had e-mailed this person twice recently, and got the bounce twice, and had not gotten a response to the first message. I checked with someone else, and sure enough, I was using .com with this person's address when the correct suffix is .net - but I still have no explanation for the mystery address, which has nothing in common with the incorrect one.
Title: Email and internet access problems
Post by: jepinto on October 08, 2003, 05:20:46 AM
Morning! Gregg. The bounce back and the net vs com may be a coincidence. With all this worm this and worm that going on, I'd hazard the bounce back was in reality one of the worms "spoofing" your address from someone else's machine that has been inactive. (Know someone who just got back from vacation?)

Check to see if the .com address resolves to a "true" account; type the URL into your browser. Many have the incoming mail set up to have any unknown addys go to one person; for instance, on our office account JoeBlow@xxx.com comes to me because there is no JoeBlow.

Diana could explain it better than me, but on the Cobalt server, one of my mail aliases is "@xxx.com" which allows the above.

And all that is to say... the person receiving the misdirected mail (.com vs .net) may do like me, and not answer mail that appears to have no reason, fearing spam, and not wanting to "verify" the address.
Title: Email and internet access problems
Post by: Gregg on October 08, 2003, 07:39:58 AM
Now that's weird! I did enter the e-mail address as a "www.com" and it turned up a web page! The name and company in the address is similar to the abbreviated name of the company on the web page that came up, but that name does not relate to the name given in the "bounced" e-mail I received. Coincidence?

(edit changed content)
Title: Email and internet access problems
Post by: Diana on October 08, 2003, 06:13:44 PM
Hi Gregg,

Without actually seeing the "bounce" you got, it sounds like it may be the SWEN virus. SWEN will actually create a message that looks like a bounce, addressing it and adding headers that would make one think it's a bounce. It's not, it is actually the virus masquerading as a bounce. The message you see in these is very sparse.

The Return-Path: header will have the real sender's address in it. If the two messages you received have the same address in that header, that affirms the sender even more. Sometimes it's not perfectly clear, but if that address domain is the same as the relaying/mailing domain that is the first hop of the message, then it's even a better bet that that was the sender. SWEN is the easiest virus to trace in a long time...the previous few did a better job of spoofing.

Hopefully I didn't overload or confuse you here. If you can discover who actually sent that if it was a fake bounce, you might be able to contact the ISP and tell them who is infected. :)

see ya
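
Added example, not part of Diana's post or the original thread: a Python sketch of the header check described above, comparing the Return-Path address with the first-hop Received host and looking for the same Return-Path on more than one suspect message. The sample messages, hosts and addresses are constructed and the helper names are hypothetical; the sketch also flags the empty Return-Path (<>) that a genuine bounce normally carries.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages; every host and address here is made up.
FAKE_1 = """\
Return-Path: <pat@example.net>
Received: from mx.myisp.example (mx.myisp.example [192.0.2.10])
\tby mail.mywork.example; Mon, 6 Oct 2003 17:05:20 -0400
Received: from dialup-17.example.net (dialup-17.example.net [198.51.100.17])
\tby mx.myisp.example; Mon, 6 Oct 2003 17:05:14 -0400
From: "Mail Delivery Subsystem" <postmaster@aol.example>
Subject: Undelivered mail

Message from aol.example
"""
FAKE_2 = FAKE_1.replace("dialup-17", "dialup-42")
# Same headers, but with the empty Return-Path of a genuine bounce.
NULL_RP = FAKE_1.replace("<pat@example.net>", "<>")

def base_domain(host):
    """Last two labels only (assumption: no public-suffix handling)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def first_hop_host(msg):
    """Each relay prepends its Received header, so the last one is the first hop."""
    received = msg.get_all("Received") or []
    m = re.match(r"\s*from\s+(\S+)", received[-1]) if received else None
    return m.group(1).lower() if m else None

def assess(raw):
    msg = message_from_string(raw)
    rp_header = msg.get("Return-Path", "").strip()
    addr = parseaddr(rp_header)[1].lower()
    hop = first_hop_host(msg)
    match = bool(addr and hop) and base_domain(addr.rpartition("@")[2]) == base_domain(hop)
    return {"return_path": addr, "first_hop": hop,
            "domains_match": match, "null_return_path": rp_header == "<>"}

def repeated_senders(raws):
    """Return-Path addresses that appear on more than one suspect message."""
    counts = Counter(assess(r)["return_path"] for r in raws)
    return sorted(a for a, n in counts.items() if a and n > 1)

if __name__ == "__main__":
    for raw in (FAKE_1, FAKE_2, NULL_RP):
        print(assess(raw))
    print(repeated_senders([FAKE_1, FAKE_2, NULL_RP]))
```

The hostname right after "from" is what the sending machine claimed about itself; the bracketed IP address recorded by the receiving server is the part to trust when reporting an infected machine to an ISP.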
Title: Email and internet access problems
Post by: June Drabek on October 08, 2003, 08:35:48 PM
Today a message box appeared out of nowhere, saying that my mail could not be delivered because my ISP could not recognize my password. I entered it, and clicked O.K. This box kept popping back up five times, and I finally said... forget it... and went to the internet. Have no idea why this took place.
Title: Email and internet access problems
Post by: Gregg on October 09, 2003, 07:46:13 AM
Is this a virus, as Highmac's warning points to? I don't know where to find the Return-Path header, so here is the message I received from "Mail Delivery Subsystem":

The original message was received at Mon, 6 Oct 2003 17:05:14 -0400
from imta05a2.registeredsite.com [64.225.255.14]

*** ATTENTION ***

This email is being returned to you because the remote server would not
or could not accept the message. The registeredsite servers are just
reporting to you what happened and are not the source of the problem.

The address which was undeliverable is in the section labeled:
  "----- The following addresses had permanent fatal errors -----".

The reason your mail is being returned to you is in the section labeled:
  "----- Transcript of Session Follows -----".

The line beginning with "<<<" describes the specific reason your e-mail could
not be delivered.  The next line contains a second error message which is a
general translation for other e-mail servers.

Please direct further questions regarding this message to your e-mail
administrator.

--Registeredsite Postmaster

   ----- The following addresses had permanent fatal errors -----
<ronranc@hotmail.com>
    (reason: 550 Requested action not taken: mailbox unavailable)

   ----- Transcript of session follows -----
... while talking to mx2.hotmail.com.:
>>> DATA
<<< 550 Requested action not taken: mailbox unavailable
550 5.1.1 <ronranc@hotmail.com>... User unknown
<<< 503 Need Rcpt command.
Title: Email and internet access problems
Post by: Diana on October 09, 2003, 09:36:41 AM
Hi Gregg,

It sounds like you're dealing with a real bounce in that example. (SPAM that was being delivered to the bouncing address was sent back to you if the SPAMMER was faking the from/sender and used your domain to fake from/sender)

Here is an example of what a virus fake bounce might look like to a viewer:
***in the body of the message:

Message from aol.com



Undelivered mail to fcscinm@aol.com


Message follows:

***end message...there is no "Message follows:" part***

The virus fake bounce will come with the actual virus embedded or attached. If you're on a PC at work, antivirus should catch it, if you're on a Mac, then you're ok.

HTH,