f13.net General Forums => General Discussion => Topic started by: ClydeJr on September 07, 2005, 10:04:22 AM



Title: Am I a zombie?
Post by: ClydeJr on September 07, 2005, 10:04:22 AM
For the past week, I've been getting User Unknown email bounces for emails that I know I didn't send out (I'm not in the least interested in Hairy Ebony Teens...). Either I got zombified or else someone is faking my email address. I've run a full virus scan as well as AdAware and got nothing. Any other things I should run to check this out?

Here's an example of the bounces I'm getting. The IP address in the "Original message received" line changes from bounce to bounce. I removed my username from the email address which is a sbcglobal.net address. Thanks in advance.

The original message was received at Wed, 7 Sep 2005 02:41:56 -0400
(EDT)
from 3.245.88.202.asianet.co.in [202.88.245.3]

*** ATTENTION ***

Your e-mail is being returned to you because there was a problem with its
delivery.  The address which was undeliverable is listed in the section
labeled: "----- The following addresses had permanent fatal errors -----".

The reason your mail is being returned to you is listed in the section
labeled: "----- Transcript of Session Follows -----".

The line beginning with "<<<" describes the specific reason your e-mail could
not be delivered.  The next line contains a second error message which is a
general translation for other e-mail servers.

Please direct further questions regarding this message to your e-mail
administrator.

--AOL Postmaster



   ----- The following addresses had permanent fatal errors -----
<donna71563@aol.com>

   ----- Transcript of session follows -----
... while talking to air-yi04.mail.aol.com.:
>>> RCPT To:<donna71563@aol.com>
<<< 550 MAILBOX NOT FOUND
550 <donna71563@aol.com>... User unknown

Message/delivery-status

Reporting-MTA: dns; rly-yi06.mx.aol.com
Arrival-Date: Wed, 7 Sep 2005 02:41:56 -0400 (EDT)

Final-Recipient: RFC822; donna71563@aol.com
Action: failed
Status: 5.1.1
Remote-MTA: DNS; air-yi04.mail.aol.com
Diagnostic-Code: SMTP; 550 MAILBOX NOT FOUND
Last-Attempt-Date: Wed, 7 Sep 2005 02:42:00 -0400 (EDT)

Text Attachment

Received: from  3.245.88.202.asianet.co.in (3.245.88.202.asianet.co.in
[202.88.245.3]) by rly-yi06.mx.aol.com (v107.10) with ESMTP id
MAILRELAYINYI66-7dc431e8baa319; Wed, 07 Sep 2005 02:41:53 -0400
Received: from sbcglobal.net (sbcmx6.prodigy.net [207.115.57.18])
   by 3.245.88.202.asianet.co.in (Postfix) with ESMTP id 27C82DE0EA
   for <donna71563@aol.com>; Wed, 07 Sep 2005 05:35:25 +0400
Message-ID: <110101c5b34c$c4a704ee$6ae3f4c6@sbcglobal.net>
From: Removed <Removed@sbcglobal.net>
To: Donna71563 <donna71563@aol.com>
Subject: A hairy ebony teen
Date: Wed, 07 Sep 2005 05:35:25 +0400
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2462.0000
X-AOL-IP: 202.88.245.3
X-AOL-SCOLL-SCORE: 0:2:260316172:12616466
X-AOL-SCOLL-URL_COUNT: 0



Title: Re: Am I a zombie?
Post by: WayAbvPar on September 07, 2005, 10:12:22 AM
Quote
A hairy ebony teen

That is a good name for a fantasy football team.


Title: Re: Am I a zombie?
Post by: kaid on September 07, 2005, 11:45:19 AM
It's possible you are a zombie, but more likely somebody who has your address in their address book is the zombie. This kind of crap is VERY common these days, as most new viruses and spam bots will randomize the from address from the infected system's address book to make the sender look more legit.

Unfortunately, due to the way email works, there currently is no good way to prevent this. My recommendation would be first to get a good AV program and scan the hell out of your system just to be sure it is not you. If it is not, which I believe is the case, then you may need to change your email address and be very careful about who you give your addresses to.


kaid


Title: Re: Am I a zombie?
Post by: Shockeye on September 07, 2005, 11:48:21 AM
Doesn't look like you're the zombie according to the header information since your IP (the IP you're posting with) doesn't show up in the routing information.


Title: Re: Am I a zombie?
Post by: Yegolev on September 07, 2005, 11:51:55 AM
I had this happen, and I am certain my rig isn't emailing anyone unless the virus knows how to start and stop my software proxy.  I use POPFile for mail sorting, and I turn it and my mail client off when I'm not using it.


Title: Re: Am I a zombie?
Post by: Murgos on September 07, 2005, 06:23:47 PM
Many virii include their own SMTP server.  Your software has nothing to do with their ability to use your computer to route spam.


Title: Re: Am I a zombie?
Post by: Yegolev on September 08, 2005, 08:07:18 AM
I guess they just pull the smtp server name from my real client's config?  Just curious.  I misconfigured my outgoing servername to "make sure" when AVG came up empty.

You can tell I'm not on the ball this week, since the software proxy only affects inbound shit.  No need to sort outgoing.


Title: Re: Am I a zombie?
Post by: Murgos on September 08, 2005, 09:22:51 AM
Quote
I guess they just pull the smtp server name from my real client's config?  Just curious.  I misconfigured my outgoing servername to "make sure" when AVG came up empty.

You can tell I'm not on the ball this week, since the software proxy only affects inbound shit.  No need to sort outgoing.

There is some confusion here.  Some virii spread via your email system.  This is a method of propagation: they read your list of email addresses and send themselves to everyone on the list, and also send your list of email addresses back 'home'.

Often the above virus' 'package' will contain an SMTP server (among other things) which, whenever you are connected to the internet, will call home and begin acting as a relay for the spammer.  This requires nothing on your part other than an active internet connection and is what is referred to as a zombie.

What you are seeing is that someone that you know was infected and had their list of addresses co-opted.  Your address probably came up randomly as the from address (many new SMTP servers will verify that the sender is real before attempting to deliver an email) to use on a batch of outgoing emails (relayed through the second part of the virus, the zombie).  So you are receiving the bounced emails.  As was pointed out above, your IP address is not in the bounced messages' headers, so you are probably not the person infected.
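The check Shockeye describes (your own IP does not appear where the bouncing server recorded the connecting host) and the mechanism Murgos explains (a forged From address relayed through somebody else's zombie) can be turned into a small script. The following is an added example written for this thread, not code from any poster; it re-folds the original-message headers from ClydeJr's bounce into a parseable block and reads the Received chain. It assumes that the AOL relay which generated the bounce (rly-yi06.mx.aol.com) is the first hop you can trust, that the poster's own public IP is the placeholder 203.0.113.7, and that the IP in square brackets on a trusted hop's Received line is what actually connected to it.

```python
import re
from email import message_from_string
from ipaddress import ip_address

# Constructed sample, not a live message: the headers of the bounced original that
# ClydeJr pasted, re-folded with leading whitespace so the email module can parse
# them (the local part of the poster's address stays "Removed", as in the thread).
BOUNCED_ORIGINAL = """\
Received: from  3.245.88.202.asianet.co.in (3.245.88.202.asianet.co.in
 [202.88.245.3]) by rly-yi06.mx.aol.com (v107.10) with ESMTP id
 MAILRELAYINYI66-7dc431e8baa319; Wed, 07 Sep 2005 02:41:53 -0400
Received: from sbcglobal.net (sbcmx6.prodigy.net [207.115.57.18])
 by 3.245.88.202.asianet.co.in (Postfix) with ESMTP id 27C82DE0EA
 for <donna71563@aol.com>; Wed, 07 Sep 2005 05:35:25 +0400
From: Removed <Removed@sbcglobal.net>
To: Donna71563 <donna71563@aol.com>
Subject: A hairy ebony teen
X-AOL-IP: 202.88.245.3

"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_HOST = re.compile(r"\bby\s+([\w.\-]+)")


def received_hops(raw_headers):
    """Return the Received chain, newest hop first, as (connecting_ip, receiving_host)
    pairs. A hop with no parseable bracketed IPv4 address gets None for the IP."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        ip_match = IP_IN_BRACKETS.search(value)
        by_match = BY_HOST.search(value)
        ip = ip_match.group(1) if ip_match else None
        if ip is not None:
            try:
                ip_address(ip)
            except ValueError:
                ip = None
        hops.append((ip, by_match.group(1).lower() if by_match else None))
    return hops


def connecting_ip_at(raw_headers, trusted_domain):
    """IP that connected to the newest hop operated by trusted_domain (here the
    provider that bounced the mail). Received lines below that hop were written by
    whoever connected, so they may be forged and are not used for the verdict."""
    suffix = "." + trusted_domain.lower().lstrip(".")
    for ip, host in received_hops(raw_headers):
        if host and (host == suffix[1:] or host.endswith(suffix)):
            return ip
    return None


def am_i_the_source(raw_headers, my_public_ip, trusted_domain):
    """True only if the trusted hop saw the connection come from my_public_ip."""
    seen = connecting_ip_at(raw_headers, trusted_domain)
    return seen is not None and ip_address(seen) == ip_address(my_public_ip)


if __name__ == "__main__":
    for ip, host in received_hops(BOUNCED_ORIGINAL):
        print(f"{host} accepted the message from {ip}")
    # 203.0.113.7 is a documentation-range placeholder standing in for the poster's
    # own public IP; substitute the address your connection actually shows.
    print("zombie?", am_i_the_source(BOUNCED_ORIGINAL, "203.0.113.7", "aol.com"))
```

Run against the thread's bounce, the trusted AOL hop reports 202.88.245.3 (asianet.co.in), which is not an SBC address, so the verdict is that the message did not come from the poster's connection. The lower Received line claiming the mail came from sbcmx6.prodigy.net was written by the asianet host and proves nothing on its own, which is why the function stops at the first hop the bouncing provider itself recorded.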