Hundreds of alleged bounces this weekend
Wassercrats
04-20-2008, 06:37 PM
Beginning at 8:39 this morning, I started receiving various "Undelivered Mail Returned to Sender" emails from all over the world. Not all the subjects are the same, but all indicate a failed delivery. I don't know if someone's forging my email and they're real bounce reports or if it's something else. I see about 16 pages of them in Questmail, which probably amounts to over 200 emails. Has anyone else gotten this?
This last week two of my email addresses have been the target of a joe job.
Do some of the bounces include the headers of the bounced message? If so, see if FutureQuest played any part in the original delivery.
For me, they look like
Return-Path: <me@mydomain.com>
Received: from Mailrelay15.libero.it (172.31.0.167) by smtp-in2.libero.it (7.3.120)
id 4628E49E18DB4454; Sun, 20 Apr 2008 19:41:00 +0200
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av//AM4cC0i+QZAyPGdsb2JhbACRGB4YAQEBFBw
X-cp3a: YES
X-IronPort-AV: E=Sophos;i="4.25,686,1199660400";
d="scan'208";a="304107310"
Received: from unknown (HELO 212.52.84.83) ([190.65.144.50])
by Mailrelay15.libero.it with SMTP; 20 Apr 2008 19:40:48 +0200
X-Originating-IP: 252.188.245.5 by smtp.190.65.144.50; Sun, 20 Apr 2008 13:40:47 -0500
Message-ID: <upzpnzWFJXSRdoel68@libero.it>
From: "Somebody Shelton" <somebody@libero.it>
Reply-To: "Somebody Shelton" <somebody@libero.it>
To: somebody@libero.it
Subject: Inexpensive Louis Vuitton bags
Date: Sun, 20 Apr 2008 13:40:47 -0500
Content-Type: text/plain;
Content-Transfer-Encoding: 7Bit
Return-path: <me@mydomain.com>
Received: from adsl190-28-162-133.epm.net.co ([190.28.162.133])
by server5.cts-gmbh.net with smtp (Exim 4.63)
(envelope-from <me@mydomain.com>)
id 1Jnd3s-0006Gl-SS
for gastro@club-zero.tv; Sun, 20 Apr 2008 19:10:45 +0200
X-Originating-IP: 252.10.206.208 by smtp.190.28.162.133; Sun, 20 Apr 2008 13:19:20 -0500
Message-ID: <vopptcrDNZILSgastro@club-zero.tv>
From: "somebodyelse Beard" <somebodyelse@club-zero.tv>
Reply-To: "somebodyelse Beard" <somebodyelse@club-zero.tv>
To: somebodyelse@club-zero.tv
Subject: Inexpensive Louis Vuitton bags
Date: Sun, 20 Apr 2008 13:19:20 -0500
Content-Type: text/plain;
Content-Transfer-Encoding: 7Bit
Return-Path: <me@mydomain.com>
Received: (qmail 44112 invoked by uid 3179); 19 Apr 2008 05:31:08 -0000
Delivered-To: chrismd-westminsterspeed:com-fred@westminsterspeed.com
Received: (qmail 44109 invoked from network); 19 Apr 2008 05:31:08 -0000
Received: from mailwash40.pair.com (66.39.2.40)
by ulawun.pair.com with SMTP; 19 Apr 2008 05:31:08 -0000
Received: from localhost (localhost [127.0.0.1])
by mailwash40.pair.com (Postfix) with SMTP id E8F542BD3A;
Sat, 19 Apr 2008 01:31:07 -0400 (EDT)
Received: from host-201-151-139-226.block.alestra.net.mx (unknown [201.151.139.226])
by mailwash40.pair.com (Postfix) with SMTP id 21B342BCF0;
Sat, 19 Apr 2008 01:30:53 -0400 (EDT)
X-Originating-IP: 76.48.166.153 by smtp.201.151.139.226; Sat, 19 Apr 2008 01:30:47 -0500
Message-ID: <rjdfhlJCJQXdunn@westminsterspeed.com>
From: "somebodyelse Ricks" <somebodyelse@westminsterspeed.com>
Reply-To: "somebodyelse Ricks" <somebodyelse@westminsterspeed.com>
To: somebodyelse@westminsterspeed.com
Subject: Replica watch is a perfect gift
Date: Sat, 19 Apr 2008 01:30:47 -0500
Content-Type: text/plain;
Content-Transfer-Encoding: 7Bit
(me and somebody added for forum post in case the To addresses were part of the spam list and actually legitimate people)
They've joe-jobbed my address as the from or return path but nothing else has anything to do with my mail servers nor are the originating IPs even close to me.
Got 300 of these joe-job bounces today, 270 yesterday, 300 the day before. The one they did it with last week stopped at least, but this one continues. Joe jobs really are a pain in the neck.
sheila
04-20-2008, 06:49 PM
All the time. Unfortunately, we see many, many emails to the Service Desk on this topic all the time. :(
Hardly a day goes by that we don't get at least a couple of Site Owners emailing us about this.
They are probably forged. You need to examine the headers of the emails to see the routing.
http://service.futurequest.net/kb107
P.S. Now I suppose it's obvious why FutureQuest sent out a warning a little while back to anyone who still had their email set to bounce failures vs. fail them at smtp connect time so we aren't part of this problem in the future.
If you haven't already enabled domain keys that might help make sure less of the joe-jobbed spam is delivered, but I suspect that the mail servers that are bouncing the spam will continue to bounce to you even so :(
johnfl68
04-20-2008, 07:21 PM
This happened to me last week - it usually only lasts a day - and a few trickle in over the next couple of days.
John
Tom E.
04-20-2008, 07:29 PM
I've been using a simple filter that I got from kitchin in this post (http://www.aota.net/forums/showthread.php?postid=161924#post161924) to redirect returned bogus messages to a separate account:
condredirect blowback@yourdomain.tld test -z $SENDER
It's been 100% effective so far, with no false positives.
You can start with blowback@yourdomain.tld as a POP box, then change it to a blackhole (or rewrite the filter to delete the email) once you're confident it works.
-- Tom
Wassercrats
04-20-2008, 09:45 PM
Do some of the bounces include the headers of the bounced message?
Not the three or four I read but one mentions that the subject was "High Quality Watches" and contains attachments that I didn't open.
P.S. Now I suppose it's obvious why FutureQuest sent out a warning a little while back to anyone who still had their email set to bounce failures vs. fail them at smtp connect time so we aren't part of this problem in the future.
I'd still like to allow bounces only to verified senders. Since I wasn't the actual sender of the bounced emails, I wouldn't have received all these bounce messages if the sender had to be verified.
If you haven't already enabled domain keys that might help make sure less of the joe-jobbed spam is delivered, but I suspect that the mail servers that are bouncing the spam will continue to bounce to you even so :(
It was already enabled.
I've been using a simple filter that I got from kitchin in this post (http://www.aota.net/forums/showthread.php?postid=161924#post161924) to redirect returned bogus messages to a separate account:
It's been 100% effective so far, with no false positives.
You can start with blowback@yourdomain.tld as a POP box, then change it to a blackhole (or rewrite the filter to delete the email) once you're confident it works.
I'd never be confident. I think I'd rather have them appear in my main email box. I rarely check the others and I don't want to be surprised by tens of thousands when I check.
The U.S. Attorney's office asked me if I prefer email or postal mail a few days ago. I'm glad I chose postal mail.
photoruss
04-21-2008, 07:26 AM
Wow ... Count me in, unfortunately.
I usually have less than 50 spam messages in my main account, and currently appear to have well over 1000 this morning with an additional 1000 in my bulk folder (which I have switched to delete). That is over 2000 bounces in less than 4 hours since this started. I have never forwarded mail outside of futurequest, and I have never experienced this in the decade I've had this primary domain.
I hope this isn't the start of a new trend -- this would be difficult to deal with on a daily basis.
photoruss
04-21-2008, 11:05 AM
I don't want to jinx myself, but it seems to be slowing down a bit for me, at least right now.
Could anyone who has experience with this tell me if my domain or email address will be notably blacklisted as a result of this [hopefully] temporary 'Joe job' use of my email address? I'm basically wondering if, once the onslaught is over, there will be any residual side-effects that I may have to deal with.
I appreciate your time and assistance in advance -- thanks!
Russ
Other than the inconvenience of having your mailbox stuffed by the drive-by, I don't think you'll suffer long-term effects as blacklists will list the IP of the mail server used to send out the spam, not the forged from or reply-to address.
demet
04-22-2008, 12:48 PM
I've also gotten hit by a joe-jobbing over the weekend, and it's resurged this morning. I will try that custom filter script though.
Wassercrats
04-22-2008, 02:00 PM
It resurged for me too. I'd like to send everyone who bounced the forged mail to me a link to a filter that only bounces to verified senders, but I know of no such software.
How much would it cost FutureQuest to catch the bad guy?
kitchin
04-22-2008, 02:50 PM
Not clear on the concept, eh?
Wassercrats
04-22-2008, 02:54 PM
What concept?
jmihawkins
04-22-2008, 05:53 PM
Please educate me - why is it called a 'joe-job'? (I'm sure the ancient assembler-programmer and sci-fi references in my head are wrong...) :dunno:
Please educate me - why is it called a 'joe-job'? (I'm sure the ancient assembler-programmer and sci-fi references in my head are wrong...) :dunno:
Just because the first popularized one was against a person named Joe Doll. So just think - if some new form of spam befalls you, you could get a new attack named after you as the first victim :confuz:
The name "joe job" originated from such a spam attack on Joe Doll, webmaster of Joe's Cyberpost.[1] One user had his joes.com account removed for advertising through spam; in retaliation, he sent another spam, but with the "reply-to" headers forged to make it appear to be from Joe Doll.[2] Besides prompting angry replies, it also caused joes.com to fall prey to denial-of-service attacks that took the website down temporarily.
jmihawkins
04-22-2008, 06:59 PM
So just think - if some new form of spam befalls you, you could get a new attack named after you as the first victim
Thanks for edification! But I sure hope there's no jinx attached - don't think I need that particular headache, despite whatever infamy may go with it! :hrmm:
photoruss
04-23-2008, 06:33 AM
Tom,
Thanks a lot for referring us to the simple filter. The day after my 'Joe job' this week, I added it and it seems to work very well. I'm happy with it and intend to keep using it.
However, it also catches legit bounce backs. I tested sending an email (both times from questmail) to my misspelled address at both my job and my university, and the filter caught the return, instead of letting me see it directly. This is not a big deal, since I rarely get them, and wouldn't mind checking my catchall occasionally (my SA filter is set to delete, so there's usually not much there) but I just wanted to be sure that I set this up correctly. I only added in the simple filter, and did not create/include a configuration file of any kind.
I'm just wondering if this is your experience or if I messed something up.
Thanks, again!
Russ
I've been using a simple filter that I got from kitchin in this post (http://www.aota.net/forums/showthread.php?postid=161924#post161924) to redirect returned bogus messages to a separate account:
It's been 100% effective so far, with no false positives.
You can start with blowback@yourdomain.tld as a POP box, then change it to a blackhole (or rewrite the filter to delete the email) once you're confident it works.
-- Tom
Tom E.
04-23-2008, 07:17 AM
I'm just wondering if this is your experience or if I messed something up.
Russ, you are correct.
"100% effective" means that it has caught all bounce-backs, including legitimate ones, and hasn't caught any message that isn't a bounce-back.
I primarily used this filter on the catchall, which can't get valid bounce-backs, because they would go to the actual account that sent the original message. If you're sending messages with a "From" address that isn't defined for your domain, then that's a different story.
Since I've convinced the client to turn off the catchall, I use the filter temporarily on mailboxes that are getting joe-jobbed (since that usually only lasts a few days).
Hope this helps
-- Tom
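The check suggested near the top of the thread (look at the headers embedded in the bounce and see whether your own mail servers took any part in the original delivery) is what separates the legitimate bounce-backs Tom describes from backscatter. The script below is an added example, not code from this thread, from kitchin, Tom or FutureQuest. It keys on the empty envelope sender exactly as the condredirect filter does, then reads the copy of the original headers that many DSNs embed and looks for one of your own relays in a Received: "by" clause. MY_MAIL_HOSTS, every hostname and IP, and the two sample bounces are constructed placeholders; DSNs that carry the original as a separate message/rfc822 attachment rather than as plain text are not handled.

```python
import re

# Placeholder: the hostnames of the relays your own outbound mail really passes
# through. The thread does not name FutureQuest's servers, so this is assumed.
MY_MAIL_HOSTS = {"mail.example.net"}

# Constructed sample 1: backscatter. The DSN wording follows the "Returned mail"
# text quoted in the thread; the embedded headers mimic the ones posted above,
# with made-up hostnames. None of our relays appears in any "by" clause.
BACKSCATTER_DSN = """This message was created automatically by mail delivery software.
A message that you sent has not yet been delivered to one or more of its
recipients after more than 72 hours on the queue on relay.example.org.

------ This is a copy of the message's headers. ------
Return-path: <me@mydomain.com>
Received: from adsl-203-0-113-5.isp.example ([203.0.113.5])
    by relay.example.org with smtp (Exim 4.63)
    (envelope-from <me@mydomain.com>)
    for victim@example.org; Sun, 20 Apr 2008 19:10:45 +0200
From: "somebodyelse Beard" <somebodyelse@example.org>
Subject: Inexpensive bags
"""

# Constructed sample 2: a genuine bounce of a message we sent to a misspelt
# address. The chain shows it leaving through our own relay first.
OWN_DSN = """This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its recipients.

------ This is a copy of the message's headers. ------
Return-path: <me@mydomain.com>
Received: from mail.example.net (mail.example.net [198.51.100.7])
    by mx.university.example (Postfix) with ESMTP id 123ABC
    for <misspelt@university.example>; Wed, 23 Apr 2008 06:01:00 -0400
Received: from webmail.example.net (localhost [127.0.0.1])
    by mail.example.net (Postfix) with ESMTP id 456DEF;
    Wed, 23 Apr 2008 06:00:58 -0400
From: me@mydomain.com
Subject: hello
"""


def is_bounce(envelope_sender):
    """Same test as the condredirect filter: a DSN arrives with an empty MAIL FROM."""
    return envelope_sender.strip() == ""


def embedded_headers(dsn_text):
    """Pull the original message's header block out of a plain-text DSN.

    Starts at the first Return-Path:/Received: line, unfolds continuation
    lines (leading whitespace) onto their header, stops at the first blank
    line. Returns [] when the DSN carries no copy of the headers.
    """
    lines = dsn_text.splitlines()
    start = next((i for i, line in enumerate(lines)
                  if re.match(r"(?i)(return-path|received):", line)), None)
    if start is None:
        return []
    headers = []
    for line in lines[start:]:
        if not line.strip():
            break
        if line[0] in " \t" and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line.rstrip())
    return headers


def relay_hosts(headers):
    """Hostnames in the 'by' clause of each Received: header, lower-cased.

    The 'by' name is written by the server that accepted the message, so it is
    harder to forge than the 'from'/HELO name the sending side supplies.
    """
    hosts = set()
    for header in headers:
        if header.lower().startswith("received:"):
            match = re.search(r"\bby\s+([A-Za-z0-9.-]+)", header)
            if match:
                hosts.add(match.group(1).lower())
    return hosts


def classify(envelope_sender, dsn_text, my_hosts=MY_MAIL_HOSTS):
    """Return one of: not-a-bounce, bounce-unverifiable, own-bounce, backscatter."""
    if not is_bounce(envelope_sender):
        return "not-a-bounce"
    headers = embedded_headers(dsn_text)
    if not headers:
        return "bounce-unverifiable"  # nothing to check the delivery path against
    if relay_hosts(headers) & {h.lower() for h in my_hosts}:
        return "own-bounce"
    return "backscatter"


if __name__ == "__main__":
    print("sample 1:", classify("", BACKSCATTER_DSN))  # backscatter
    print("sample 2:", classify("", OWN_DSN))          # own-bounce
```

Run it as a script, or call classify() from a delivery-time filter with the envelope sender and the raw DSN text. An "own-bounce" would be delivered normally and a "backscatter" redirected to the blowback mailbox; "bounce-unverifiable" is the case neither the condredirect filter nor this script can settle, so those are the ones worth keeping visible.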
photoruss
04-23-2008, 08:00 AM
Tom,
This is very helpful. I will take the next step and create a new blowback@yourdomain.tld account, and have them directed there, instead of my bulk@yourdomain.tld. That now makes sense to me to be able to separate them in that manner.
Thanks, again!
Wassercrats
04-23-2008, 01:20 PM
http://downloads.lyris.com/mailshield/doc/4.0/mssstd4.0.pdf
New spam detection: multiple RCPT TO with blank MAIL FROM
The only kinds of email messages that have a blank Return-Path: (i.e.: MAIL FROM) are system error messages, and these should only have one recipient. Spammers sometimes use a blank MAIL FROM to hide their tracks. This filter rejects mail that has multiple recipients but a blank MAIL FROM.
I'd rather not miss error messages. There's probably a way to add a multiple recipient check to the filter Tom linked to, but I don't know how. I'm not sure whether this would help though because I didn't check whether the bounces I've been getting have multiple recipients.
Just got a call from my daughter - her store email address is being hit. Checked the other mail accounts I've set up at FQ and that's the only one so far. I guess crossing my fingers won't help, right?
DogAndPony
04-23-2008, 04:52 PM
I'm on this bandwagon, too. :hrmm:
300 to 600 bounces a day since Sunday.
But technically, these probably aren't Joe-jobs. Joe-jobbing is a deliberate attempt to get someone in trouble. I think this is just a case of the spammer(s) using lousy software that doesn't properly [sic] randomize the address. It's randomizing the From name, though.
Two of my addresses are showing up in the From, Return-Path and Envelope-From or X-Envelope-From fields.
I'm also thinking this is mostly a whole lot of policy-lame mail servers and open relays, plus maybe a few zombies mixed in (the occasional "ADSL-" received line appears) -- rather than just a botnet. Some of the originating IPs are listed on the PBL.
Ah, well... Just gotta wait it out I guess. :dunno:
Tom E.
04-23-2008, 05:37 PM
...There's probably a way to add a multiple recipient check to the filter Tom linked to, but I don't know how. I'm not sure whether this would help though because I didn't check whether the bounces I've been getting have multiple recipients.
If I understand correctly, the "multiple-recipient/blank-return" messages would look like a spam message. (and maybe Spam-Assassin catches those already?)
What I've been talking about is when you get a "Returned mail:..." message from a mail server in response to a spam message it received with your forged return address.
Those look something like this:
This message was created automatically by mail delivery software.
A message that you sent has not yet been delivered to one or more of its
recipients after more than 72 hours on the queue on xxx.xxx.com.
The message identifier is: 3rv9m3-883jf99-0C
The subject of the message is: Replica watches, bags, pens
The date of the message is: Tue, 08 Apr 2008 11:42:02 +0000
Wassercrats
04-23-2008, 06:05 PM
I'd still like more confirmation that it's a bounce of my own e-mail. A blank return-path plus something else. Like maybe when there's no return path, give more weight to spammy content. Then if the content of the bounced email is included in the bounce report, it's more likely to be detected as spam. And when there's no return path, don't credit the email for coming from a good IP.
Wassercrats
04-23-2008, 06:09 PM
Actually, that's not even good enough because I might have sent spam-like content and I'd want to know if it didn't get through. We need to stop the spammers.
jmihawkins
04-23-2008, 10:30 PM
Out of curiosity, what might be the origination of these mails? Is there any commonality as to the source of the 'to' or 'from' addresses?
I used to suffer thru these 100's of bounced/undeliverable episodes on a regular basis, then obscured the posted email addresses on my site with & characters. Over the past year, I'm down to mostly 0 of them for months at a time, and the occasional 1 or 2 I just assume are due to a customer's address book being hacked.
So I'm wondering, has some 'big' mail service (whether an email provider or mail-list provider or whatever) had its databases hacked - recently?
shatty925
04-24-2008, 11:28 AM
email is broken! 2 users have enjoyed this fun in the past two weeks.
shatty925
04-24-2008, 11:50 AM
I've been using a simple filter that I got from kitchin in this post (http://www.aota.net/forums/showthread.php?postid=161924#post161924) to redirect returned bogus messages to a separate account:
thank you for the filter. several users have opted to use it.
i was reluctant to do this type of filtering, but email already seems barely functional. why not add a little more glue and scotch tape, eh?
ljvideo
04-24-2008, 02:20 PM
I don't want to jinx myself, but it seems to be slowing down a bit for me, at least right now.
Could anyone who has experience with this tell me if my domain or email address will be notably blacklisted as a result of this [hopefully] temporary 'Joe job' use of my email address? I'm basically wondering if, once the onslaught is over, there will be any residual side-effects that I may have to deal with.
I appreciate your time and assistance in advance -- thanks!
Russ
Email addresses are not generally blocklisted, IPs are. Since it's not your IP sending the spam, you're unlikely to appear on any blocklists.
ljvideo
04-24-2008, 02:27 PM
Out of curiosity, what might be the origination of these mails? Is there any commonality as to the source of the 'to' or 'from' addresses?
I've used SpamCop to trace a few of the hundreds received over the past two days. Most originate in South America, i.e., Colombia and Brazil being the largest offenders.
jmihawkins
04-24-2008, 04:05 PM
I've used SpamCop to trace a few of the hundreds received over the past two days. Most originate in South America, i.e., Colombia and Brazil being the largest offenders.
Less interested in the true originating-source, could as easily have been East Euro or Africa or anywhere in Asia. What I meant by commonality, was whether there's any indication that AOL has had their user-lists hacked (yet again), or verizon or bellsouth or somebody like that has had a theft? I haven't heard or read anything along those lines, but... :dunno:
ljvideo
04-24-2008, 04:15 PM
Less interested in the true originating-source, could as easily have been East Euro or Africa or anywhere in Asia. What I meant by commonality, was whether there's any indication that AOL has had their user-lists hacked (yet again), or verizon or bellsouth or somebody like that has had a theft? I haven't heard or read anything along those lines, but... :dunno:
No idea. For myself, it was my address hosted here at Futurequest. I've had the same email address and domain for about 14 years or more, and it's out there, big-time...
Wassercrats
04-24-2008, 04:39 PM
It would be good if questionable email that's not filtered out gives filter options when you read it so you don't have to access the email manager separately, and the filter should be optionally retroactive. The bottom of the header might say:
Your inbox contains 300 new emails reporting undelivered email, from April 10, 2008 to April 20, 2008. Click one of the following if you'd like to adjust your email filter:
Increase sensitivity of bounce filtering for this many days: 1 5 10 20 30.
Increase the sensitivity of bounce filtering until you receive fewer than 2 10 25 50 100 undelivered email reports per day.
Increase the sensitivity of bounce filtering for April 10, 2008 to April 20, 2008, retroactively. (215 unread messages will be deleted from your inbox)
If the subject of the bounced email that supposedly came from you is included in the bounce report, and you actually sent an email with that subject at the right time, then the bounce report for that email won't be filtered.
any indication that AOL has had their user-lists hacked (yet again), or verizon or bellsouth or somebody like that
I don't know where the spammers got the addresses, but from whatever source they used, it looks like they singled out FutureQuest customers.
I don't know where the spammers got the addresses, but from whatever source they used, it looks like they singled out FutureQuest customers.
It appears that this is a widespread outbreak, and most likely affecting any number of networks at any given time...
#2 IT subject at SlashDot (http://it.slashdot.org/it) right now, the full article from ComputerWorld:
http://www.computerworld.com.au/index.php/id;1698505531;fp;16;fpid;1
-Bob
Wassercrats
05-05-2008, 12:17 PM
I suspected something like that yesterday when I received an email telling me that someone changed his email address because his was being forged. I checked his name servers and they didn't say Futurequest.
I've received almost no bounces for about a week, so you all could undo your filters if you didn't like the idea in the first place.
I suspect, as I believe was speculated here earlier in this or another thread, that some kind of spam-sending program was likely distributed that didn't randomize the forged return-path. Normally I suspect it's randomized so we all get a trickle of backscatter. But this one seemed to hit much harder (being more like a joe job) in that I got thousands and thousands of backscatter as it didn't seem to randomize. I also got it (actually worse) with two non-FutureQuest addresses so it's not targeting FutureQuest specifically.