Odd activity in mail - anyone else??

MacDoc · Feb 7th, 2004, 09:27 PM

I sent this note off to our hosting site about the continuous messages we've been receiving about undeliverable mail. Anyone else seeing this activity.
••••••

to Verio tech support

"I am continually receiving notification of these undeliverable messages that purport to originate from our macdoc.com domain.

The names are always simple first names and sent towards other addresses also with simple first names and a domain. None of these names are legitimate macdoc addresses

This appears to be some sort of unauthorized activity and would like it controlled.
These are arriving every few minutes.

I have now set the spam filter up to intercept them but I would like an explanation as to the nature and origin.
We are an entirely Mac based setup here and 99% of our clients are as well so I can only think it is something occurring at the server end."

typical messages - they all had two attachments - a report and a .zip file
••••••
Forwarded Message
From: MAILER-DAEMON@cmlapp400.van.ca.siteprotect.com Mail Delivery System)
Date: Sat, 7 Feb 2004 18:51:17 -0600 CST)
To: peter@macdoc.com
Subject: Undelivered Mail Returned to Sender

This is the Postfix program at host cmlapp400.van.ca.siteprotect.com.

I'm sorry to have to inform you that the message returned
below could not be delivered to one or more destinations.

For further assistance, please send mail to <postmaster>

If you do so, please include this problem report. You can
delete your own text from the message returned below.

The Postfix program

<alex@summitdirect.com>: unknown user: "alex@summitdirect.com"

Reporting-MTA: dns; cmlapp400.van.ca.siteprotect.com
Arrival-Date: Sat, 7 Feb 2004 18:51:17 -0600 CST)

Final-Recipient: rfc822; alex@summitdirect.com
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; unknown user: "alex@summitdirect.com"

From: peter@macdoc.com
Date: Sat, 7 Feb 2004 19:33:25 -0500
To: alex@summitdirect.com
Subject: Test

------ End of Forwarded Message

••••••

This is an automatically generated Delivery Status Notification.

Delivery to the following recipients failed.

george@lbcc.edu

Reporting-MTA: dns;prometheus.lbccd.lbcc.cc.ca.us
Received-From-MTA: dns;macdoc.com
Arrival-Date: Sat, 7 Feb 2004 17:55:10 -0800

Final-Recipient: rfc822;george@lbcc.edu
Action: failed
Status: 5.1.1

From: george@macdoc.com
Date: Sat, 7 Feb 2004 20:36:16 -0500
To: george@lbcc.edu
Subject: Hi

The message contains Unicode characters and has been sent as a binary attachment.
•••••

The original message was received at Sat, 7 Feb 2004 16:20:36 -0500 EST)
from uucp@localhost

----- The following addresses had permanent fatal errors -----
<james@nonline.net>
reason: 550 5.1.1 <james@nonline.net>... User unknown)
expanded from: <james@nonline.net>)

----- Transcript of session follows -----
... while talking to 127.0.0.1]:
>>> DATA
<<< 550 5.1.1 <james@nonline.net>... User unknown
550 5.1.1 <james@nonline.net>... User unknown
<<< 503 5.0.0 Need RCPT recipient)

Reporting-MTA: dns; mail.nonline.net
Arrival-Date: Sat, 7 Feb 2004 16:20:36 -0500 EST)

Final-Recipient: RFC822; james@nonline.net
Action: failed
Status: 5.1.1
Remote-MTA: DNS; 127.0.0.1]
Diagnostic-Code: SMTP; 550 5.1.1 <james@nonline.net>... User unknown
Last-Attempt-Date: Sat, 7 Feb 2004 16:20:36 -0500 EST)

From: linda@macdoc.com
Date: Thu, 5 Feb 2004 23:16:28 -0500
To: james@nonline.net
Subject: wwncruu

hmto · Feb 7th, 2004, 09:57 PM

Hi Dave,
I had the same thing happen to me about a week or two ago with a total of maybe 6 email notifications Very strange and offputting especially since it had a recorded time like 3 or 4am and with the same attachments and zips. I'm sleeping at that time!! They also had origins from Australia and such. User names also one named. Currently running 10.3 on mail with rogers high speed cable.

kloan · Feb 7th, 2004, 10:31 PM

I am also getting the same thing with my Rogers account. Last week I got maybe 1 or 2 a day. I am also getting many of those stupid MS Security update ones, all of course have viruses attached... lucky I have Norton, but it certainly is annoying. All this because I made ONE post in a newsgroup with my Rogers account.. never had any problems before..

The Doug · Feb 7th, 2004, 10:43 PM

Couldn't this be connected to MyDoom (or similar) spoofing of legitimate e-mail addresses? I haven't had any problems like this, at any rate.

kent · Feb 7th, 2004, 11:08 PM

I believe that this is one of the ways that "My Doom" disguises itself. I probably recieved at least 150+ email messages over the past two weeks with: "Hello", "TEST", "Hi" or an error message about a returned email (people I don't even know). I'm using Telus ADSL. All these messages had a 22 KB file attached. I was and still am getting REALLY sick of receiving this emails!

MacDoc · Feb 7th, 2004, 11:11 PM

Yes I suspect it's either aresult of the myDoom directly or some odd combination of a spammer attempting random hits then that being multiplied by the virus or being intercepted as a virus carrier.
It's just annoying as it's random enough that Spamsieve is not catching them right now.

iPetie · Feb 7th, 2004, 11:19 PM

This"is" MyDoom virus. The mail to you is diguised as undeliverable mail from someone within the infected users address book. This is to throw you off as you would have remembered if you had sent the mail to the initial contact.
My question is this, How stupid are people to actually open an attachment under such suspicious circumstances?
Boggles what is left of my mind.

MacDoc · Feb 8th, 2004, 08:20 AM

Well at least SpamSieve has figured it out now but I'm a big concerned it's over trained and might catch some legit incoming tho that's been exceedingly rare.

SINC · Feb 8th, 2004, 09:15 AM

While I have not experienced this, my daughter has. She has the same email address on my computer as well as her Lombard, at the same server as me.

She received 160 such emails when she opened her mail one morning last week. She deleted all, and in alarm changed her email address and sent a notice out to her address book, to approximately 20 people.

The new email address began receiving about 60 per hour again. I asked her to set up yet another email address, but not to notify those in her address book. This address has not received any mail other than from me and works fine.

My conclusion is one of her friends has a PC (well MOST of her friends have PCs) that is infected with the MyDoom worm.
I told her to try giving the new address to one friend at a time, and wait for a reply. She should be able to figure out which one is infected if the spam shows up after the reply, and advise her friend accordingly is my reasoning.

Will my theory work?

Cheers

[img]smile.gif[/img]

kps · Feb 8th, 2004, 09:38 AM

At times like these I'm glad I use Mailsmith, it has a built in "POP Monitor", which allows me to view incoming mail on the remote server and delete those messages which are obviously spam or potential virus carriers without ever downloading any of them to my machine.

There used to be a stand alone app of the same name, but I have not been able to find it at Version Tracker.

Barebones has a trial version of Mailsmith if anyone is interested in this capability.