Spam bounce back sign of zombiism?

In summary: C. This can be done by forging the Return Path or Sender Address fields in the email header, or by using a computer that is not the intended recipient's MTA (Mail Transfer Agent, which is the computer that handles sending mail to the Internet). Email addresses that are sent out from a domain might not reach their intended targets, because one of two things: 1) it's blocked by the email server on the other end (target domain), or 2) it's blocked on your end by the email server.
  • #1
DaveC426913
Occasionally I get administrator emails that indicate emails bounced back. The email is some spam thing. It looks for all the world like I sent that piece of spam, though I have the latest spam blocking s/w. Does this, in fact, mean that my system is affected, or is it a fake?
 
  • #2
Check the domain name in which that email is sent from; it should be the same domain as the email address you're using (i.e., @gmail.com, etc.). If it's the same domain as yours then it's legit; if not, then delete it immediately.
 
  • #3
Yes, it happens to PF all the time. Once I got on board with SPF standards it lessened a lot.
 
  • #4
vincentm said:
Check the domain name in which that email is sent from; it should be the same domain as the email address you're using (i.e., @gmail.com, etc.). If it's the same domain as yours then it's legit; if not, then delete it immediately.
Your answer confuses me.

You're suggesting that, if it's the same domain that's OK, but if it's not that's bad.

Seems to me that, if it has the same domain as the address I'm using then it IS originally from me - which suggests to me that my computer IS a zombie sending it out and having it bounce back. Which is bad.

If it is NOT the same domain as me, then it is simply everyday harmless spam made to LOOK like a bounce.
 
  • #5
Greg Bernhardt said:
Yes, it happens to PF all the time. Once I got on board with SPF standards it lessened a lot.
I don't know what this means.
 
  • #6
DaveC426913 said:
Your answer confuses me.

You're suggesting that, if it's the same domain that's OK, but if it's not that's bad.

Yes, because it is an auto-generated message sent by the server.

DaveC426913 said:
Seems to me that, if it has the same domain as the address I'm using then it IS originally from me - which suggests to me that my computer IS a zombie sending it out and having it bounce back. Which is bad.

Email addresses that are sent out from a domain might not reach their intended targets, because of one of two things:

1) It's blocked by the email server on the other end (target domain)

or

2) It's blocked on your end by the email server

If it's legit, and not spam (which is likely the case), then it would have your domain or the intended target's domain in the email address.

DaveC426913 said:
If it is NOT the same domain as me, then it is simply everyday harmless spam made to LOOK like a bounce.

Spam messages posing as bouncebacks are rare (now that I think about it) but they can happen.
 
  • #7
I'm confused by all this. I get these mystery "bounce-backs" every once in a while despite the security on my work PC.

Here's one example that I got last week. It was a real message from the Sys Admin, but not something I had sent:

From: System Administrator
Subject: Undeliverable: feverishly turn signal

Your message did not reach some or all of the intended recipients.

One of the addresses looked roughly like my user name but at some netzero.net domain.
 
  • #8
Yeah, they're spam. I get them too. They aren't being sent from your computer, and can just be deleted and ignored (I have NO idea if there's anything malicious in them, so don't open them). I don't know how they do it, but it seems to get them around the spam catchers by making them look like a bounced message.

I had the same worry the first time I got one of those for a message I clearly had not sent, but when nobody in my address book was complaining about strange messages from me, and no other bounce backs came in, and nobody in the IS office quarantined my computer or called me about a problem, I decided it was just a clever spam, not that my computer had been taken over by some sort of virus or worm sending out spam.

(If you get a LOT of bounce backs, then I'd worry. You can always contact your ISP, or whoever is in charge of IT in your office, to verify there isn't any unusual amount of messages being sent from your computer...even if it doesn't appear on your machine, they'd know the volume being sent from your machine.)
 
  • #9
Geez Louise, hasn't anyone here ever heard of forging email addresses? Spammers do this all the time.

I'd much rather hear a genuine expert try to explain this, but since the responses so far have been (to the best of my limited knowledge) somewhat misleading, I'll try to do the best I can.

To oversimplify, a spammer typically has a huge collection of addresses, including A, B, and using a computer C in their botnet, they send a spam from C to A with the originating address forged so that the email claims to come from B. If A sits behind a server running anti-spam software, the email actually sent from C may be "returned" to B with an "explanatory" header (although this practice has been deprecated for many years, since it serves no useful purpose). If someone at B examines the "path" line in the original message (which should be included in the message sent to B), this often immediately shows that the actual originating address (the IP of C) is in a completely different part of the world from B. However, it usually makes sense to simply train your anti-spam software to regard all such messages as "annoyance spam". Again, responsible server operators generally do not send out such emails to other domains.

As someone said, if you use a mailhost you might get a message concerning a suspicious email sent from your domain to the mailserver, and in such cases you should contact your mailhost admin if you are concerned. AFAIK, in most cases even these messages are of little help in determining whether there has been any breach of any machines under your control. As the particulars you noted in the putative "bounceback" message you received suggest, this might well be a snafu.

And as Moonbear suggested, some of these putative bounceback messages are sent by spammers hoping to refine their lists of valid email addresses.

While there appear to be many possible explanations, I think everyone agrees that it is generally thought to be safe to delete putative bounceback "automessages" without reading them, although I'd pay attention to a personal email from an admin of a genuine server which you really do use (after carefully checking its authenticity--- an ancient and venerable technology, the telephone, is handy here!).
 
  • #10
Hello
Can anybody analyze it?
I just changed x originating, x sender, to and from fields to me. For the sake of not getting more spam. As for the mail I am really confused. I never saw something like this. Looks like I am the sender but return path is different. To make it short, I am not trying to explain but looking for advice.
Delivered-To: me@gmail.com
Received: by 10.35.68.8 with SMTP id v8cs155858pyk;
    Mon, 24 Mar 2008 13:46:39 -0700 (PDT)
Received: by 10.78.170.17 with SMTP id s17mr16746952hue.17.1206391598102;
    Mon, 24 Mar 2008 13:46:38 -0700 (PDT)
Return-Path: <kenop@sarsinc.com>
Received: from casa-lb4n2gfdhl ([190.54.200.124])
    by mx.google.com with SMTP id f6si2171818nfh.21.2008.03.24.13.46.29;
    Mon, 24 Mar 2008 13:46:37 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning kenop@sarsinc.com does not designate 190.54.200.124 as permitted sender) client-ip=190.54.200.124;
Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning kenop@sarsinc.com does not designate 190.54.200.124 as permitted sender) smtp.mail=kenop@sarsinc.com
Date: Mon, 24 Mar 2008 13:46:36 -0700 (PDT)
X-Originating-IP: [190.54.200.124]
X-Originating-Email: [me@gmail.com]
X-Sender: me@gmail.com
Received: (qmail 9368 by uid 778); Mon, 24 Mar 2008 05:46:33 -0400
Message-Id: <20080324014633.9370.qmail@casa-lb4n2gfdhl>
To: <me@gmail.com>
Subject: RE: MensHealth id 618839
From: <me@gmail.com>
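
An added example, not part of the thread or any poster's code: the header checks discussed in this thread (envelope sender versus From, the SPF result, and the IP that actually connected) run against an excerpt of the headers posted above. The names `analyze`, `domain` and `my_ips` are hypothetical, and it assumes the receiving server records the client IP in brackets in its Received line and adds Received-SPF, as the posted headers show.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Excerpt of the headers in the post above, folded lines indented.
SAMPLE = """\
Delivered-To: me@gmail.com
Received: by 10.78.170.17 with SMTP id s17mr16746952hue.17.1206391598102;
 Mon, 24 Mar 2008 13:46:38 -0700 (PDT)
Return-Path: <kenop@sarsinc.com>
Received: from casa-lb4n2gfdhl ([190.54.200.124])
 by mx.google.com with SMTP id f6si2171818nfh.21.2008.03.24.13.46.29;
 Mon, 24 Mar 2008 13:46:37 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning kenop@sarsinc.com does not designate 190.54.200.124 as permitted sender) client-ip=190.54.200.124;
X-Sender: me@gmail.com
From: <me@gmail.com>

"""

def domain(value):
    """Lowercased domain part of an address header value ('' if absent)."""
    return parseaddr(value)[1].rpartition("@")[2].lower()

def analyze(raw, my_ips=frozenset()):
    """Compare envelope sender, From header, SPF result and connecting IP."""
    msg = message_from_string(raw)
    # Received headers are prepended, so the topmost one that records a
    # client address is the hop written by the recipient's own MX.
    client_ip = None
    for received in msg.get_all("Received", []):
        m = re.search(r"from\s+\S+\s+\(\[([0-9A-Fa-f.:]+)\]\)", received)
        if m:
            client_ip = m.group(1)
            break
    spf = (msg.get("Received-SPF", "").split() or ["none"])[0].lower()
    env, hdr = domain(msg.get("Return-Path", "")), domain(msg.get("From", ""))
    result = {"client_ip": client_ip, "spf": spf, "envelope_domain": env,
              "from_domain": hdr, "from_mismatch": env != hdr,
              "sent_from_my_host": client_ip in my_ips}
    if result["sent_from_my_host"]:   # my_ips: caller-supplied, an assumption
        result["verdict"] = "submitted from your own host: investigate it"
    elif spf != "pass" or result["from_mismatch"]:
        result["verdict"] = "From not authenticated: sent by a third-party host"
    else:
        result["verdict"] = "consistent with the envelope domain"
    return result
```

Passing your own public addresses as `my_ips` is what separates a forged From line from mail that really left your machine; headers below the recipient MX's Received line are sender-controlled and are deliberately not trusted here.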
 

1. What is "spam bounce back" and how is it related to zombiism?

"Spam bounce back" refers to the automatic return of an email message that was sent to an invalid or non-existent email address. This can be a sign of zombiism, which is a type of cyber attack where a hacker gains control of a large number of computers (known as a "zombie army") and uses them to send out spam emails or perform other malicious activities.

2. How does spam bounce back indicate the presence of zombiism?

When a computer becomes part of a zombie army, it is often infected with malware that allows the hacker to remotely control it. This control can be used to send out large volumes of spam emails, causing the email servers to bounce them back to the sender. If you receive a large number of bounce back messages for emails you did not send, it could be a sign that your computer has been compromised and is part of a zombie army.

3. Can spam bounce back occur for reasons other than zombiism?

Yes, spam bounce back can also occur if you have entered an incorrect email address or if the recipient's inbox is full. However, if you are receiving a large number of bounce back messages for emails you did not send, it is likely a sign of zombiism or another type of cyber attack.

4. What should I do if I suspect my computer is part of a zombie army?

If you suspect your computer is part of a zombie army, you should immediately disconnect it from the internet and run a thorough virus scan using reputable anti-virus software. It is also important to change all of your passwords and enable two-factor authentication for added security. If the issue persists, it is best to seek assistance from a professional IT security company.

5. How can I prevent my computer from becoming part of a zombie army?

To prevent your computer from becoming part of a zombie army, it is important to regularly update your operating system and software, use a reputable anti-virus program, and be cautious when clicking on links or downloading attachments from unknown sources. It is also important to use strong and unique passwords for all of your online accounts to prevent them from being easily hacked.
