WTF Gmail?
June 27, 2010 10:38 AM

Why am I getting all these "Mail Delivery Subsystem" error-message emails sent to my gmail account?

Like many people, I have several gmail accounts. They all forward messages to one main account, which is the only one I check. Let's say it's called allmymail@gmail.com.

Starting yesterday, about half the emails I send and receive trigger another email to get sent to me. It looks like this:

Mail Delivery Subsystem to me

show details 1:11 PM (15 minutes ago)

This is an automatically generated Delivery Status Notification

THIS IS A WARNING MESSAGE ONLY.

YOU DO NOT NEED TO RESEND YOUR MESSAGE.

Delivery to the following recipient has been delayed:

allmymail.bak@gmail.com

Message will be retried for 2 more day(s)


Note the line I italicized. It refers to my email address but with ".bak" appended to the username part.

Have I been hacked in some way? Or is gmail just having problems? This morning, I changed the passwords on all my accounts. I'm still getting the odd emails. Note that I don't get them when I send mail to -- or receive mail from -- any particular person. I seem to get them randomly. And I get them when emails are sent to or received from any of my accounts.

Here's some more of the message (I altered my email address. It's not really allmymail@gmail.com. Otherwise, this is exactly what I keep receiving.)

----- Original message -----

Received: from mr.google.com ([10.224.87.214])
    by 10.224.87.214 with SMTP id x22mr3384871qal.72.1277658708656 (num_hops = 1);
    Sun, 27 Jun 2010 10:11:48 -0700 (PDT)
Received: by 10.224.87.214 with SMTP id x22mr1643148qal.72.1277567954544;
    Sat, 26 Jun 2010 08:59:14 -0700 (PDT)
X-Forwarded-To: allmymail.bak@gmail.com
X-Forwarded-For: allmymail@gmail.com allmymail.bak@gmail.com
Delivered-To: allmymail@gmail.com
Received: by 10.224.53.195 with SMTP id n3cs236786qag;
    Sat, 26 Jun 2010 08:59:13 -0700 (PDT)
Received: from mr.google.com ([10.213.27.206])
    by 10.213.27.206 with SMTP id j14mr1049416ebc.3.1277567951138 (num_hops = 1);
    Sat, 26 Jun 2010 08:59:11 -0700 (PDT)
Received: by 10.213.27.206 with SMTP id j14mr718401ebc.3.1277567951108;
    Sat, 26 Jun 2010 08:59:11 -0700 (PDT)
X-Forwarded-To: allmymail@gmail.com
X-X-Forwarded-For: grumblebeemail@gmail.com allmymail@gmail.com
Delivered-To: grumblebeemail@gmail.com
Received: by 10.213.8.71 with SMTP id g7cs13889ebg;
    Sat, 26 Jun 2010 08:59:10 -0700 (PDT)
Received: by 10.142.8.21 with SMTP id 21mr847516wfh.175.1277567947538;
    Sat, 26 Jun 2010 08:59:07 -0700 (PDT)
Return-Path: <>notification+aymra2yn@facebookmail.com>
Received: from mx-out.facebook.com (outmail008.snc1.tfbnw.net [69.63.178.167])
    by mx.google.com with ESMTP id f4si23082968wfg.42.2010.06.26.08.59.05;
    Sat, 26 Jun 2010 08:59:06 -0700 (PDT)

There's more, of course. I can post the rest if anyone thinks it's important.

Note that this email got routed from my Facebook account to my grumblebeemail account (which is linked to my Facebook account) to my global account -- and then to the weird .bak version of my global account.

But it's not a Facebook issue. This is happening with non-Facebook exchanges, too.

As far as I can tell, people are getting the emails I send them and I am getting theirs. So that's not the problem. The problem is all these weird .bak emails I keep getting.
posted by grumblebee to Computers & Internet (10 answers total) 6 users marked this as a favorite
 
Looks like a "Joe job." That is, your address was used as the (fake) origin of spam messages and you're getting the bounces.
posted by Obscure Reference at 11:43 AM on June 27, 2010


I get a lot of bounced mail when some spammer uses my domain name as camouflage for his/her operations, but when that happens it's entirely independent of anything I've sent - it's just that they sent out a whole lot of spam with me as the reply-to address, and a lot of the spam bounced. Could this be what you're experiencing, and just thinking that the messages are correlated with your own emails?
posted by Joe in Australia at 11:46 AM on June 27, 2010


Best answer: Check your gmail settings for allmymail, and see if there's a rule to forward your mail to allmymail.bak@gmail. It's possible that someone hacked your account, created an "allmymail.bak" account, and set up your mail to forward to it, and then got it shut down for some reason (maybe fraud detection on gmail's part).
posted by helios at 11:48 AM on June 27, 2010 [1 favorite]
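
The forwarding hop this answer points to is already visible in the headers quoted in the question. The following is an added example, not part of the thread: it reads the X-Forwarded-For lines and reports any hop whose destination is not one of your own addresses. The function names are hypothetical, and reading each header value as "source destination" is an assumption taken from the sample itself.

```python
from email import message_from_string

# Constructed sample: the forwarding-related headers from the question above
# (addresses as altered by the poster), with the Received lines omitted.
SAMPLE_HEADERS = """\
X-Forwarded-To: allmymail.bak@gmail.com
X-Forwarded-For: allmymail@gmail.com allmymail.bak@gmail.com
Delivered-To: allmymail@gmail.com
X-Forwarded-To: allmymail@gmail.com
X-X-Forwarded-For: grumblebeemail@gmail.com allmymail@gmail.com
Delivered-To: grumblebeemail@gmail.com

"""

def forwarding_hops(raw_headers):
    """Return (source, destination) pairs for each automatic forward, oldest first."""
    msg = message_from_string(raw_headers)
    hops = []
    for name, value in msg.items():  # items() keeps duplicate header fields
        # Matches both "X-Forwarded-For" and the "X-X-Forwarded-For" variant
        # seen on the older hop in the sample.
        if not name.lower().endswith("x-forwarded-for"):
            continue
        addrs = [a.strip("<>,").lower() for a in value.split()]
        if len(addrs) >= 2:
            # Assumption from the sample: first address forwarded to the last.
            hops.append((addrs[0], addrs[-1]))
    hops.reverse()  # headers are prepended, so the newest hop appears first
    return hops

def unexpected_destinations(raw_headers, my_addresses):
    """Return the hops that deliver mail to an address the owner does not recognise."""
    known = {a.lower() for a in my_addresses}
    return [(src, dst) for src, dst in forwarding_hops(raw_headers) if dst not in known]

if __name__ == "__main__":
    mine = {"allmymail@gmail.com", "grumblebeemail@gmail.com"}
    for src, dst in unexpected_destinations(SAMPLE_HEADERS, mine):
        print(f"{src} forwards to unrecognised address {dst}")
```
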


Response by poster: "I get a lot of bounced mail when some spammer uses my domain name as camouflage for his/her operations, but when that happens it's entirely independent of anything I've sent - it's just that they sent out a whole lot of spam with me as the reply-to address, and a lot of the spam bounced. Could this be what you're experiencing, and just thinking that the messages are correlated with your own emails?"

They are all parts of threads started by me sending to or receiving from someone legitimate.
posted by grumblebee at 11:51 AM on June 27, 2010


Response by poster: "Check your gmail settings for allmymail, and see if there's a rule to forward your mail to allmymail.bak@gmail."


THAT was it! Wow. Thanks.
posted by grumblebee at 11:53 AM on June 27, 2010


Best answer: In that case, it's probably a good idea to also change your password on any site that someone could conceivably "request a password" from that would be sent to these addresses. It's possible that they might have been trying to get access to your bank/paypal/facebook/other account.
posted by helios at 12:19 PM on June 27, 2010


Response by poster: That's great advice, helios. Although, since the mail is being forwarded to the .bak account, wouldn't I see the password email? I mean, if he requested my password from PayPal (and guessed my security question/answer), wouldn't PayPal send the password to allmymail (from which it would then get forwarded to allmymail.bak)? In which case, I would have seen it.
posted by grumblebee at 12:33 PM on June 27, 2010


Yeah, it's unlikely that they had gotten to any other accounts, but possible. There's no way to know if the person has your password, or if they used some kind of scripting attack to set up that forwarding rule. But if they did have your password, they could have just deleted those mails on your main account before you read them. In fact, the person could have set this up automatically; it's probably a good idea to make sure that there isn't also a rule in your Gmail filters to delete mails that contain "password" or something like that.
posted by helios at 12:49 PM on June 27, 2010


Best answer: Just a heads up to others who read this thread. My gmail account was disabled due to suspicious activity last week. I was able to reactivate it following the instructions to verify my account. When I got in, my email account had been used to send spam messages from a company with usdrugs-co.com or something similar preceded by a random alphanumeric string that varied with each message (they sent out about 3 group mailings each containing 4 or 5 people from my contact list). I checked the account activity log and my email account had been accessed by a mobile device in India.

Google "hacked gmail accounts" and you'll find a google user thread with about 200 messages. There appears to be a common problem that seems to have started sometime this spring. Google has gotten more proactive (they disabled my account within minutes) about handling this issue but has fallen short of admitting that someone may be hacking into their server. I had a pretty strong password including both letters and numbers, am careful about where I log on, etc. However I did use the same password for my facebook account, which is linked to my gmail account and one theory is that might be the weak link. I changed all of my passwords, but it doesn't appear that they got into any of my other accounts. However, I will continue to monitor all of them for suspicious activity.

If your account has been compromised/hacked/stolen you will need to check at least all of the following things:

Account Security:
Settings -> Accounts and Import -> Google Account Settings -> Change Password [pick a new secure password]
Settings -> Accounts and Import -> Google Account Settings -> Change Password Recovery Options [verify secret question, SMS and secondary e-mail address]

Potential Spam:
Settings -> General -> Signature [make sure nothing has been added]
Settings -> General -> Vacation Responder [make sure it's disabled and empty]

E-mail Theft:
Settings -> Accounts and Import -> Send Mail As [make sure it is using your correct e-mail address]
Settings -> Filters [no filters that forward or delete e-mail]
Settings -> Forwarding and POP/IMAP -> Forwarding [disabled or correct address]
Settings -> Forwarding and POP/IMAP -> POP Download [disabled]
Settings -> Forwarding and POP/IMAP -> IMAP Access [disabled]

Additional Information:
Keeping account secure: https://mail.google.com/support/bin/answer.py?hl=en&answer=46526
Protecting your account: https://mail.google.com/support/bin/answer.py?hl=en&answer=29407
If your account is compromised: http://mail.google.com/support/bin/answer.py?hl=en&answer=50270
posted by kaybdc at 1:27 PM on June 27, 2010 [6 favorites]
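
The "Settings -> Filters" item in the checklist above, together with helios's point about a filter that deletes mail containing "password", can be checked mechanically. The following is an added example, not part of the thread: it assumes you have saved your filters with Gmail's filter export (an Atom XML file whose `apps:property` names include `forwardTo`, `shouldTrash` and `hasTheWord`). The function name and the sample filters are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"atom": "http://www.w3.org/2005/Atom",
      "apps": "http://schemas.google.com/apps/2006"}

# Constructed sample in the shape of a Gmail filter export. The addresses are
# the altered ones used in this thread; the filters themselves are invented.
SAMPLE_EXPORT = """\
<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='News'/>
  </entry>
  <entry>
    <apps:property name='forwardTo' value='allmymail.bak@gmail.com'/>
  </entry>
  <entry>
    <apps:property name='hasTheWord' value='password'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
</feed>
"""

def risky_filters(xml_text, my_addresses):
    """Return (reason, detail) for each filter that forwards to an address not
    in my_addresses, or that sends matching mail to the trash."""
    known = {a.lower() for a in my_addresses}
    findings = []
    for entry in ET.fromstring(xml_text).findall("atom:entry", NS):
        props = {p.get("name"): p.get("value", "")
                 for p in entry.findall("apps:property", NS)}
        target = props.get("forwardTo", "").strip().lower()
        if target and target not in known:
            findings.append(("forwards to unknown address", target))
        if props.get("shouldTrash", "").lower() == "true":
            # Report what the filter matches, e.g. the word "password".
            match = (props.get("hasTheWord") or props.get("from")
                     or props.get("subject") or "(all mail)")
            findings.append(("deletes matching mail", match))
    return findings

if __name__ == "__main__":
    mine = {"allmymail@gmail.com", "grumblebeemail@gmail.com"}
    for reason, detail in risky_filters(SAMPLE_EXPORT, mine):
        print(f"{reason}: {detail}")
```

Account-level forwarding under "Forwarding and POP/IMAP" is a separate setting that a filter export does not include, so that item still has to be checked on the settings page.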


I should clarify that my suggestions for what to do when your account has been hacked were cut and pasted by a friend in IT who got them off one of the google support forums. I believe that they were from a google employee. I should have credited them in my response.
posted by kaybdc at 2:58 PM on June 27, 2010

