Case of the Mysterious Email
November 28, 2007 10:38 AM
Who tried to send this email, apparently from me?
Early this month I received a bounced email that appeared to be from me. I ignored it at the time, then a few weeks later I got another bounced email, going to the same address, again seemingly from me.
At first I thought it was a joe job, but it's clearly not: the bounce came from my ISP's mail relay (Pair, which authenticates outbound email), the headers look like they came from me, they have my computer's IP address, its Windows workgroup name (Wilkie), even the Microsoft Outlook build version number is the same; the headers of the outgoing message look just like I sent the message, only I didn't.
Next I thought a virus, even though I had AVG installed. I ran a scan of the computer; it came up empty. So I uninstalled AVG and installed Kaspersky AV and ran it. It found and deleted some trojans in email attachments in an old archive folder, but I never opened or clicked on any of them, so I don't see how they could have sent anything. No system viruses, malware or anything.
Other facts of the case:
Computer in question is Windows XP SP2.
Mail program is Outlook 2003.
Outlook is configured to never send receipts.
No one else uses the computer that these emails appear to have come from.
At the times the messages appear to have been sent, I was home, and the computer was presumably on. I may have been using it; I don't recall.
The messages do not appear in my sent folder.
I don't recognize the address the message was sent to.
And finally, here is one of the bounces (some fragments of personal details like addresses replaced by ???):
Hi. This is the qmail-send program at relay01.pair.com.
I'm afraid I wasn't able to deliver your message to the following addresses. This is a permanent error; I've given up. Sorry it didn't work out.
:
61.129.65.17 does not like recipient.
Remote host said: 452 4.2.1 Mailbox temporarily disabled: eweweweee@eastday.com Giving up on 61.129.65.17. I'm not going to try again; this message has been in the queue too long.
--- Below this line is a copy of the message.
Return-Path:
Received: (qmail 23634 invoked from network); 22 Nov 2007 00:14:06 -0000
Received: from unknown (HELO Wilkie) (unknown)
by unknown with SMTP; 22 Nov 2007 00:14:06 -0000
X-pair-Authenticated: 72.74.???.??
From: "Kevin"
To:
Subject: =?Windows-1252?B?Tm90IHJlYWQ6ICoqSlVOSyoqILT6IMDtINK1IM7x?=
Date: Wed, 21 Nov 2007 19:14:06 -0500
Message-ID: <000001c82c9c$986c8bf0$6700a8c0@>
MIME-Version: 1.0
Content-Type: application/ms-tnef;
name="winmail.dat"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="winmail.dat"
X-Mailer: Microsoft Outlook, Build 10.0.2616
X-MS-TNEF-Correlator: 00000000803F0C72AA992E4DAD51CC29988A79A684E17D02
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
eJ8+IgYAAQaQCAAEAAAAAAAB [rest of message removed]
essexjan is correct
Spammers can also use your email address as the "from" field in an email. I got tons of mailer-daemon responses one time because some spammer sent out an email with my address as the return address.
Basically the "from" field is not at all secure in email messages.
posted by burnmp3s at 11:21 AM on November 28, 2007
If a mod could clean that up, one ???ing is missing and the redacted data is duplicated in the base-64 string.
posted by moift at 11:22 AM on November 28, 2007
Response by poster: I'm not sure the first two responders read the full question: it is not a case of a spammer simply using my from address. The headers of the bounced email seem to come from my computer: right IP address, right workgroup name, right version of Outlook.
posted by justkevin at 11:39 AM on November 28, 2007
My bet is that your system is infected with something that your scanners aren't picking up.
posted by dcjd at 11:49 AM on November 28, 2007
Weird.
Install a firewall and make it check with you and ask permission every time an email wants to be sent. I bet it checks with you when you weren't sending anything, thereby proving to your satisfaction that something (rootkit? I dunno) is installed on your machine.
posted by evariste at 12:08 PM on November 28, 2007
Mod note: edited some of the message out since it contained email addresses
posted by jessamyn (staff) at 12:59 PM on November 28, 2007
To the OP: you can use this online Base64 decoder to see the encoded message content. There's not much there, but your two email addresses are in there, that's why jess removed them.
posted by ikkyu2 at 1:01 PM on November 28, 2007
going to the same address
Most likely what is happening is that you actually sent a message to this guy a long time ago and forgot about it. He switched mail providers and is doing some kind of transfer. His new mailbox filled up (Remote host said: 452 4.2.1 Mailbox temporarily disabled) and now it's bouncing back to you. After all, you are the sender. This kind of thing happens often enough.
I'd ask this guy to stop it: eweweweee@eastday.com
posted by damn dirty ape at 4:05 PM on November 28, 2007
More here.
posted by essexjan at 11:05 AM on November 28, 2007