mj

I keep getting tonnes of email bouncing back to me saying undeliverable message, I have NAV, and have done various online AV scans , all these come up clean, by the way these are messages I have never sent.

I also use adaware,spybot,spy sweeper, I connect to the net via a ADSL router, I think this has some kind of firewall built in.

I get in the region of 10-20 of these every day, they say they are undelivered from my address, however, not one has come from somebody in my address book, although by chance, although the odd one is recognisable - a lad that works for us now used to copy me in on all his email funnies etc - some of the other recipients of these messages ( from ages ago ) are now coming back to me saying undelivered, the bulk of them are just from clearly bogus addresses.

Is a third party using my email address to send out spam??, BTW, some of these are infected with various viruses by the looks of it, others tell me the contents of the mesage can be viewed at blah,blah blah ( a link ), when I hover my mouse over the link though a load of gobledygook apears at the bottom of the message pane.


Any ideas?

Thanks if you can help,

Mike.

camk

Someone with you in their contacts list has the Netsky virus and is using your address to send out virus messages. They then get knocked back by AV software on the recipients machine and YOU get the message. You need to track down the culprit. Its possible if you check the headers on the original message to get teh IP and PC name, which if they are on your network will help.

mj

here is a typical one, I take it by the headers you mean the message properties..


X-Symantec-TimeoutProtection: 0
X-Symantec-TimeoutProtection: 1
Return-Path: <a0610050abca188db8ebe@[172.26.0.12].0.8>
Delivered-To: my email addy Received: (qmail 5721 invoked from network); 16 Apr 2004 09:22:04 -0000
Received: from unknown (HELO my domain name) (**.**.***.***)
by 0 with SMTP; 16 Apr 2004 09:22:04 -0000
From: a0610050abca188db8ebe@[172.26.0.12].0.8
To: my email addy
Subject: Mail Delivery (failure my email addy)
Date: Fri, 16 Apr 2004 11:21:26 +0200
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="----=_NextPart_000_001B_01C0CA80.6B015D10"
X-Priority: 3
X-MSMail-Priority: Normal



Does this make any sense to you lot?,

alot of the message properties list the line as below, although the IP address changes now and again.:

Received: from unknown (HELO my domain name) (**.**.***.***)

mj

Apologies for keeping posting gibberish, I have looked up the most common IP addy that appears in these messages I am getting, does this mean anything to anyone?


% This is the RIPE Whois server.% The objects are in RPSL format.%% Rights restricted by copyright.% See http://www.ripe.net/ripencc/pub-services/db/copyright.htmlinetnum: 81.106.64.0 - 81.106.95.255netname: NTLdescr: NTL Infrastructure - Oldhamcountry: GBadmin-c: NNMC1-RIPEtech-c: NNMC1-RIPEstatus: ASSIGNED PAmnt-by: AS5089-MNTremarks: INFRA-AWchanged: hostmaster@ntli.net 20030120source: RIPEroute: 81.96.0.0/12descr: NTL-UK-IP-BLOCKorigin: AS5089mnt-by: AS5089-MNTchanged: hostmaster@ntli.net 20020614source: RIPErole: NTLI Network Management Centreaddress: NTL Internetaddress: Crawley Courtaddress: Winchesteraddress: Hampshireaddress: SO21 2QAtrouble: -------------------------------------------------------trouble: For abuse notifications please -trouble: file an online case @ http://www.ntlworld.com/netreporttrouble: +44 2920 305142trouble: -------------------------------------------------------trouble: For peering issues/requests please -trouble: email : peering@ntli.nettrouble: -------------------------------------------------------admin-c: MH22007-RIPEadmin-c: CF2297-RIPEadmin-c: CM1377-RIPEtech-c: MH22007-RIPEtech-c: CF2297-RIPEtech-c: CM1377-RIPEnic-hdl: NNMC1-RIPEmnt-by: AS5089-MNTnotify: data.planning@ntl.come-mail: data.planning@ntl.comchanged: hostmaster@ntli.net 20020815changed: hostmaster@ntli.net 20020913changed: hostmaster@ntli.net 20030328changed: hostmaster@ntli.net 20030401changed: hostmaster@ntli.net 20030603changed: hostmaster@ntli.net 20030707changed: hostmaster@ntli.net 20040303changed: hostmaster@ntli.net 20040312source: RIPE

mj

forgot to say, the offending IP is 81.106.94.93

JackClark

Scanning the address book for email addresses is yesterdays trick. Modern day viruses and spammers search web pages either live or on a victims machine. You only have to post your email address on a web page, that's it. Don't feel bad and set a rule to move the returned emails, check occationaly for genuine ones.

mj

From memory, I have never posted that address on a website

thats what hotmail is for

ChrisB

To add to what Jack said...

NetSky.D (as an example) will look in:

.adb
.asp
.cgi
.dbx
.dhtm
.doc
.eml
.htm
.oft
.php
.pl
.rtf
.sht
.shtm
.msg
.tbb
.txt
.uin
.vbs
.wab

for e-mail addresses to send it's self to.

what would scooby do

My email address on my website is encoded in a neat javascript applet - works very well - 0 spam since I installed it..

what would scooby do

p.s. anyone who pisses me off get's their email address added to my website in plain view - is this breaking any laws - nope

mj

here's a question for you..


81.106.94.93 resolves to spr2-stkp3-6-0-cust93.manc.broadband.ntl.com


how do I find out who this is?

sti555

contact ntl

http://www.ntl.com/locales/gb/en/contact/

they will contact the customer on your behalf

mj

waste of time:

At last, just had a response..sort of anyway. I tried calling Ntl tech support today, is it just me, or are customer support phone No's a bit thin on the ground on ntl's website.

So I rang sales instead, surprise surprise I got an answer in 2.73 seconds . When the guy that answred finished his opening spiel I told him I need tech support, but not being an Ntl customer I had rung sales hoping to be put through. He put me through to some girl that knew what a computer was, but there endeth the story . To her credit she took my phone No, and promised someone would call me back.

So they just called me back..

Ring ring.... ( shortened version)

NTL:Hello is that Mr mj1?

Me: yes

NTL:IYou reported a problem with Ntl....

Me: yes, are you on the technical side?

NTL: [smug] yes [/smug].

Me: ok, I keep getting viruses sent to me by an ntl user that is spoofing my email address

NTL:right ok, update your antivirus protection...etc,etc,etc

Me: I already have, makes no difference, and have done various AV scans, I have the IP address of the original sender.

NTL:ok, just hang on a minute ( she dissapears for 2 minutes while asking what an IP address is )

NTL:mj1?

Me: yes?

NTL:I have just spoken to one of our guys what is more of wizz with computers that me ( err, not too difficult then, the cleaner must be in ), and he says you need to update your antivirus protection...etc,etc,etc

Me: I've done that, I have checked out the IP from the message headers and they resolve to an Ntl user, can I speak to the guy your'e speaking to please?

NTL:ok, just hang on a minute ( she dissapears for another 2 minutes while asking what resolve means, and tries to find the cleaner she was just talking to... )



zzzzzzzzzzzzzz............................



NTL:mj1?

Me: hello.

NTL:Hi, err...... yes, he says you need to go to doubleyew,doubleyew,doubleyew, dot, broadband, dot, com. You can check the IP address there.

Me: I've checked the IP address, it always comes back to Ntl.

NTL:errrr

Me: Can I speak to someone in tech support please?

NTL: OK, ( can't get off the bloody phone fast enough ) I'll put you through...


Ring ring....

NTL: Hello, you have reached NTL Customer services..............please enter your Ntl telephone No after the tone......

Me: AAAAAAAARRRRRRGGGGGGGGHHHHHHHHHHHHHHHHHHHH





Moan over.