Mail Delivery Failed: returning message to sender

User Help for Mozilla Thunderbird
1gkar
Posts: 2
Joined: April 24th, 2017, 8:26 pm

Mail Delivery Failed: returning message to sender

Post by 1gkar »

Hello,

I have recently been receiving multiple emails titled the same as this thread's topic. They are NOT emails I have sent, or addresses I would consider sending to.

I have been corresponding with Malwarebytes forum, as I have their premium version 3.* products, & the real-time protection has not warned, or picked up on this activity. I have since reverted back to an earlier Acronis True Image OS snapshot. I am in the process of trying to understand where they came from, & how they were sent out, from my main email address. I DO NOT use this address for ANY website [etc.] registration I have ANY doubt about. I have sub-addresses for that purpose.

I am also in the process of completing an online scan, using Trendmicro Housecall. It has found 2 viruses {troj_ge.93681AA2 --can't find much on this particular virus, either}, both of which appear to be in Housecall's own installed temp files' folder. Malwarebytes does NOT recognise either of the files as malicious. So...who is right??

Any advice or assistance would be greatly appreciated. Thanks in advance.

John

PS. if there is any way of easily adding image snapshots into this topic, how is it done? The file sharing sites I used to use no longer support forums on a free account basis.
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: Mail Delivery Failed: returning message to sender

Post by tanstaafl »

It's trivial for spammers to forge the From: address. If they send the message to an invalid address, whatever mail server decides the recipient doesn't exist will send a return message to the From: address (you) telling you that the message delivery failed. This is just spam bouncing due to an invalid recipient, nothing to do with malware or viruses. That's why Malwarebytes Anti-Malware and TrendMicro Housecall etc. won't find anything to complain about in that message.

Sometimes this occurs because the spammer got your email address from social media or some hacked address book. Sometimes they just choose a valid domain name and use dictionaries to guess at valid usernames. It's so cheap to send spam that they can afford to use inefficient brute-force methods. They forge the From: address because it increases the chance of the message being opened, and makes it more work than most people will go to for somebody to complain about their spam.

All that you can do is ignore the message, or create a message filter to classify them as junk and move/delete them.
1gkar
Posts: 2
Joined: April 24th, 2017, 8:26 pm

Re: Mail Delivery Failed: returning message to sender

Post by 1gkar »

tanstaafl,

Thanks for the rapid reply. Are you saying these returned emails aren't necessarily from my specific email address originally?

Otherwise, I am attempting to understand how messages which were never sent from my PC {at least, by any Human} were returned to me. Is it some abnormality, with email clients & the entire email architecture, that allows email servers to guess their original sending address? Please excuse my ignorance in this. Thanks again. I appreciate people like yourself who moderate forums over the net.

Regards,
John
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: Mail Delivery Failed: returning message to sender

Post by tanstaafl »

"Are you saying these returned emails aren't necessarily from my specific email address originally?"

Yes. While it's possible, I doubt that malware on your PC sent the message. What you ran into is very typical of what spammers do.

The RFCs (specifications) that define how Internet mail should work have a deliberate security "loophole". You can set the value of the From: header (who supposedly sent a message) totally independent of who actually sent the message. Thunderbird has a built-in feature to let you specify whatever From: address you want. It makes use of this "loophole". This is very useful as it lets you manage what address replies are sent to, and lets you use aliases. The tradeoff is that spammers can also abuse this feature, as you found the hard way. Spammers don't need to use Thunderbird to do this; it's an easy-to-implement feature for whatever software they use.

It's something that you run into periodically. Typically you get flooded by those messages for about a week and then they move on to a different From: address.

More advanced information you probably don't care about:

This is also one of the reasons why S/MIME and OpenPGP exist. Not so much for encrypting mail, but for adding a digital signature (based on cryptography) that you can verify to prove who really did send a message, and that it wasn't altered in transit. However, most people don't find it worth the hassle. Some popular email providers such as Gmail, Yahoo and Outlook support a method called DomainKeys Identified Mail (DKIM). It is not as powerful as it doesn't check who sent the message, but is useful as it can be used to check what domain it was really sent from. Most of the time that is good enough. There is a DKIM verifier add-on but most people don't use it. Instead they rely upon their email provider using DKIM to determine if it's spam. Some other methods are Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting & Conformance (DMARC). Again, they're something it's usually not worthwhile for a user to pay any attention to, just something that your email provider may use if they're serious about trying to detect spam.

https://wiki.zimbra.com/wiki/Best_Pract ... _and_DMARC

"A pink contract is an agreement between an email spammer and the spammer's Internet service provider. The contract exempts the spammer from the provider's terms of service, which typically prohibit spamming. In return, the spammer pays far more money for his internet connection than non-spammers. AT&T got in trouble for such a contract.

The contract is called pink because that is the color of SPAM (the food), alluding to the fact that the contract enables spamming. Any ISP in the United States can get in real trouble for signing pink contracts. Problem is that there's a whole big world wide web out there and the bulk of the pink contracts are signed with overseas ISPs where US Federal Authorities have absolutely no power."

from https://en.wikipedia.org/wiki/Pink_contract

This is the reason why sometimes people try to filter mail based on where it was sent from. Unfortunately, that's not easy/lightweight to do unless your email provider adds special headers, with that information, that you can test. If they do that, they've probably already used that information to help them determine if it's spam, so there is no point duplicating the effort. Another approach is to test the Content-Type: header to see if it specifies a foreign character set. Unfortunately, they don't have to identify the character set, and might use Unicode.

http://kb.mozillazine.org/Foreign_language_spam
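An added example (not from this thread or any poster) that ties together tanstaafl's two points above: bounces arriving for mail you never sent are backscatter from a forged From:, and DKIM lets a receiving server check which domain a message really came from. The script parses a delivery-status bounce with Python's standard `email` package, pulls out the returned original, and looks at the remote server's own Authentication-Results for it. A genuine bounce of mail you sent through a provider that DKIM-signs outgoing mail would show dkim=pass for your domain; a bounce of spam that merely forged your address would not. The domains example.org and mx.example.net and both sample bounces are constructed, and the assumption that your provider signs your outgoing mail is stated in the code.

```python
"""Classify "Mail Delivery Failed" bounces: backscatter from a forged From:
versus a genuine bounce of mail you really sent.  Added example, not code from
the thread; example.org stands in for your own domain, mx.example.net for the
remote server, and both sample bounces are constructed.  Assumes your provider
DKIM-signs outgoing mail, so a genuine bounce shows dkim=pass for your domain."""
import email
import email.utils
import re
from email import policy

AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)  # RFC 8601 results
DKIM_DOMAIN_RE = re.compile(r"header\.d=([\w.-]+)", re.IGNORECASE)


def _returned_original(dsn):
    """The original message (full copy or headers only) carried by the bounce."""
    for part in dsn.iter_parts():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
        if part.get_content_type() == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None


def _delivery_status(dsn):
    """Final-Recipient/Action/Status from the message/delivery-status part."""
    info = {}
    for part in dsn.iter_parts():
        if part.get_content_type() != "message/delivery-status":
            continue
        blocks = part.get_payload() if part.is_multipart() else []  # one block per message/recipient
        for block in blocks:
            for name in ("Final-Recipient", "Action", "Status"):
                if name in block:
                    info[name] = str(block[name]).strip()
    return info


def classify_bounce(raw, my_domain):
    """Verdict on one bounce: does the returned copy show that you sent it?"""
    my_domain = my_domain.lower()
    dsn = email.message_from_string(raw, policy=policy.default)
    if (dsn.get_content_type() != "multipart/report"
            or dsn.get_param("report-type") != "delivery-status"):
        return {"verdict": "not-a-dsn"}
    original = _returned_original(dsn)
    if original is None:
        return {"verdict": "dsn-without-original"}
    from_addr = email.utils.parseaddr(str(original.get("From", "")))[1].lower()
    from_domain = from_addr.rsplit("@", 1)[-1]
    # The remote MTA's own SPF/DKIM verdict on the message it rejected.
    results, dkim_domains = {}, set()
    for header in original.get_all("Authentication-Results", []):
        results.update((k.lower(), v.lower()) for k, v in AUTH_RESULT_RE.findall(str(header)))
        dkim_domains.update(d.lower() for d in DKIM_DOMAIN_RE.findall(str(header)))
    if from_domain != my_domain:
        verdict = "bounce-for-other-sender"   # does not even claim to be you
    elif results.get("dkim") == "pass" and my_domain in dkim_domains:
        verdict = "genuine-bounce"            # signed by your domain: you really sent it
    else:
        verdict = "suspected-backscatter"     # your address in From:, no signature from you
    return {"verdict": verdict, "from": from_addr, "auth": results, **_delivery_status(dsn)}


def sample_dsn(auth_results):
    """Constructed RFC 3464-style bounce carrying the returned original."""
    return "\n".join([
        "From: Mail Delivery System <MAILER-DAEMON@mx.example.net>",
        "To: john@example.org",
        "Subject: Mail Delivery Failed: returning message to sender",
        'Content-Type: multipart/report; report-type=delivery-status; boundary="dsn1"',
        "", "--dsn1", "Content-Type: text/plain", "",
        "A message that you sent could not be delivered to its recipient.",
        "", "--dsn1", "Content-Type: message/delivery-status", "",
        "Reporting-MTA: dns; mx.example.net", "",
        "Final-Recipient: rfc822; nobody@example.net", "Action: failed", "Status: 5.1.1",
        "", "--dsn1", "Content-Type: message/rfc822", "",
        "Authentication-Results: mx.example.net; " + auth_results,
        "From: john@example.org", "To: nobody@example.net", "Subject: hello", "",
        "(body of the returned message)", "--dsn1--", "",
    ])


# Spam that forged john@example.org versus mail john really sent via a signing provider.
FORGED_BOUNCE = sample_dsn("spf=fail smtp.mailfrom=example.org; dkim=none")
GENUINE_BOUNCE = sample_dsn("spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org")

if __name__ == "__main__":
    for label, raw in (("forged", FORGED_BOUNCE), ("genuine", GENUINE_BOUNCE)):
        print(label, classify_bounce(raw, "example.org"))
```

The check is only as good as the returned copy: the Authentication-Results header was added by the remote server, and some servers return only a trimmed set of headers or none at all, in which case the script falls back to "suspected-backscatter" because the bounce carries no evidence that your domain signed the message. That is the same reasoning a mail provider applies when it marks such bounces as junk, and it is the property a local junk filter in Thunderbird can key on: a bounce for your address whose returned copy shows no DKIM pass for your domain.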