Tags:





Case of the Mysterious Email
November 28, 2007 10:38 AM   RSS feed for this thread Subscribe

Who tried to send this email, apparently from me?

Early this month I received a bounced email that appeared to be from me. I ignored it at the time, then a few weeks later I got another bounced email, going to the same address, again seemingly from me.

At first I thought it was joejob, but it's clearly not: the bounce came from my ISPs mail relay (Pair, which authenticates outbound email), the headers look like they came from me, they have my computer's IP address, its windows Workgroup name (Wilkie), even the Microsoft Outlook build version number is the same-- the headers of the outgoing message look just like I sent the message, only I didn't.

Next I thought Virus, even though I had AVG installed. I ran a scan of the computer, it came up empty. So uninstalled AVG and installed Kaspersky AV and ran it. It found and deleted some trojans in email attachments in an old archive folder, but I never opened or clicked on any of them, so I don't see how they could have sent anything. No system viruses, malware or anything.

Other facts of the case:
Computer in question is Windows XP sp 2.
Mail program is Outlook 2003.
Outlook is configured to never send receipts.
No one else uses the computer that these emails appear to have come from.
At the times the messages appear to have been sent, I was home, and the computer was presumably on. I may have been using it, don't recall.
The messages do not appear in my sent folder.
I don't recognize the address the message was sent to.

And finally, here is of one of the bounces (some fragments of personal details like addresses replaced by ???):

Hi. This is the qmail-send program at relay01.pair.com.
I'm afraid I wasn't able to deliver your message to the following addresses. This is a permanent error; I've given up. Sorry it didn't work out.

:
61.129.65.17 does not like recipient.
Remote host said: 452 4.2.1 Mailbox temporarily disabled: eweweweee@eastday.com Giving up on 61.129.65.17. I'm not going to try again; this message has been in the queue too long.

--- Below this line is a copy of the message.

Return-Path:
Received: (qmail 23634 invoked from network); 22 Nov 2007 00:14:06 -0000
Received: from unknown (HELO Wilkie) (unknown)
by unknown with SMTP; 22 Nov 2007 00:14:06 -0000
X-pair-Authenticated: 72.74.???.??
From: "Kevin"
To:
Subject: =?Windows-1252?B?Tm90IHJlYWQ6ICoqSlVOSyoqILT6IMDtINK1IM7x?=
Date: Wed, 21 Nov 2007 19:14:06 -0500
Message-ID: <000001c82c9c$986c8bf0$6700a8c0@>
MIME-Version: 1.0
Content-Type: application/ms-tnef;
name="winmail.dat"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="winmail.dat"
X-Mailer: Microsoft Outlook, Build 10.0.2616
X-MS-TNEF-Correlator: 00000000803F0C72AA992E4DAD51CC29988A79A684E17D02
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198

eJ8+IgYAAQaQCAAEAAAAAAAB [rest of message removed]
posted by justkevin to computers & internet (9 comments total)
Someone who has your email address on their computer has a worm which has spoofed your address. The bounce-backs are from recipients' ISPs.

More here.
posted by essexjan at 11:05 AM on November 28, 2007


essexjan is correct

Spammers can also use your email address as the "from" field in an email. I got tons of mailer-daemon responses one time because some spammer sent out an email with my address as the return address.

Basically the "from" field is not at all secure in email messages.
posted by burnmp3s at 11:21 AM on November 28, 2007


If a mod could clean that up, one ???ing is missing and the redacted data is duplicated in the base-64 string.
posted by moift at 11:22 AM on November 28, 2007


I'm not sure the first two responders read the full question-- it is not a case of a spammer simply using my from address. The headers of the bounced email seem to come from my computer-- right IP address, right workgroup name, right version of Outlook.
posted by justkevin at 11:39 AM on November 28, 2007


My bet is that your system is infected with something that your scanners aren't picking up.
posted by dcjd at 11:49 AM on November 28, 2007


Weird.

Install a firewall and make it check with you and ask permission every time an email wants to be sent. I bet it checks with you when you weren't sending anything, thereby proving to your satisfaction that something (rootkit? I dunno) is installed on your machine.
posted by evariste at 12:08 PM on November 28, 2007


[edited some of the message out since it contained email addresses]
posted by jessamyn at 12:59 PM on November 28, 2007


To the OP: you can use this online Base64 decoder to see the encoded message content. There's not much there, but your two email addresses are in there, that's why jess removed them.
posted by ikkyu2 at 1:01 PM on November 28, 2007


going to the same address

Most likely what is happening is that you actually sent a message to this guy a long time ago and forgot about it. He switched mail providers and is doing some kind of transfer. His new mailbox filled up (Remote host said: 452 4.2.1 Mailbox temporarily disabled) and now its bouncing back to you. Afterall, you are the sender. This kind of thing happens often enough.

I'd ask this guy to stop it: eweweweee@eastday.com
posted by damn dirty ape at 4:05 PM on November 28, 2007


« Older Why has Google Calendar starte...   |   What should I do with my last ... Newer »
This thread is closed to new comments.


Related Questions
Computer virus that scanners aren't picking up? October 10, 2008
How do I get rid of this email virus? August 14, 2006
My office is bogus. June 9, 2006
Spoofed emails from my own domain? August 13, 2005
Rejecting bogus "mail returned" email July 28, 2004