Michael Lazin on 6 Nov 2008 06:19:25 -0800



Re: [PLUG] SPAM Question


If you are receiving a lot of bouncebacks, your account was probably not used to send spam. More likely your email address was spoofed.

On Thu, Nov 6, 2008 at 7:04 AM, George A. Theall <theall@tifaware.com> wrote:
On Wed, Nov 05, 2008 at 08:51:32PM -0500, Brian Vagnoni wrote:

> I found this in my inbox. I didn't send it, bvagod@nu-star.com isn't my address or a domain I recognize. Any ideas? The body of the message was html and something about msn.

Your email address was probably used to send some spam.  It's hard to
know with certainty, though, since all you have is one message that
appears to be a bounce.  Anyway...

> Hi. This is the qmail-send program at mg.greatlakes-is.com.
> I'm afraid I wasn't able to deliver your message to the following addresses.
> This is a permanent error; I've given up. Sorry it didn't work out.
>
> <bvagod@nu-star.com>:

nu-star.com has two MX records, and the one with the higher priority is
mx1-mg.greatlakes-is.com. So this seems normal.

> 208.79.240.2 failed after I sent the message.

nu-star.com's other MX record points to mail.rollernet.us
(208.79.240.2).

> Remote host said: 550 5.7.1 Message content rejected, spam score is too high.
>
> --- Below this line is a copy of the message.
>
> Return-Path: <bvagnoni@v-system.net>

This generally comes from the envelope sender (i.e., "MAIL FROM") and
explains why you got the bounce.

> Received: (qmail 7194 invoked by uid 89); 4 Nov 2008 20:40:24 -0000
> Received: by simscan 1.3.1 ppid: 7191, pid: 7192, t: 0.4180s
>          scanners:none
> Received: from unknown (HELO casa-9plhr7737j) (189.26.205.187)
>   by 0 with SMTP; 4 Nov 2008 20:40:24 -0000

Assuming this is accurate, the IP belongs to Global Village Telecom,
which appears to be an ISP in Brazil.

> Received-SPF: softfail (0: transitioning SPF record at v-system.net does not designate 189.26.205.187 as permitted sender)

If you run your own DNS, you may have a record of this transaction.

> X-Originating-IP: [826.4.779.37]

Really... 826.? Must be one of those new-fangled IPv5 addresses. :-)


George
--
theall@tifaware.com
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug



--
Michael Lazin
To gar auto estin noein te kai enai
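
The header-by-header reading of the bounce in this thread can be scripted. The following is an added example, not code from any poster: it parses the headers quoted above and pulls out the envelope sender, the relay IP from the `Received: from` hop, the SPF verdict, and any claimed originating IP that is not a valid IPv4 address. The function names and result keys are assumptions made for this illustration.

```python
import ipaddress
import re
from email.parser import HeaderParser

# Headers copied from the bounce quoted in the thread above.
SAMPLE = """\
Return-Path: <bvagnoni@v-system.net>
Received: (qmail 7194 invoked by uid 89); 4 Nov 2008 20:40:24 -0000
Received: from unknown (HELO casa-9plhr7737j) (189.26.205.187)
  by 0 with SMTP; 4 Nov 2008 20:40:24 -0000
Received-SPF: softfail (0: transitioning SPF record at v-system.net does not designate 189.26.205.187 as permitted sender)
X-Originating-IP: [826.4.779.37]
"""

# Anything shaped like a dotted quad, whether or not the octets are in range.
IP_LIKE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def valid_ipv4(text):
    """True only if every octet is in 0-255."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ipaddress.AddressValueError:
        return False


def triage_bounce(raw_headers):
    """Summarise the headers of the original message returned inside a bounce."""
    msg = HeaderParser().parsestr(raw_headers)
    relays = []
    for hop in msg.get_all("Received", []):
        # Only "from ..." hops name a connecting host; qmail/simscan
        # bookkeeping lines do not.
        if hop.lstrip().lower().startswith("from"):
            relays += IP_LIKE.findall(hop)
    spf = (msg.get("Received-SPF") or "").split(None, 1)
    claimed = IP_LIKE.findall(msg.get("X-Originating-IP", ""))
    return {
        "envelope_sender": (msg.get("Return-Path") or "").strip("<> "),
        "relay_ips": [ip for ip in relays if valid_ipv4(ip)],
        "spf_result": spf[0].lower() if spf else None,
        "invalid_ips": [ip for ip in claimed if not valid_ipv4(ip)],
    }


if __name__ == "__main__":
    for key, value in triage_bounce(SAMPLE).items():
        print(f"{key}: {value}")
```
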