Spam bounce back sign of zombiism?

  1. Nov 30, 2007 #1


    Gold Member

    Occasionally I get administrator emails that indicate emails bounced back. The email is some spam thing. It looks for all the world like I sent that piece of spam, though I have the latest spam blocking s/w. Does this, in fact, mean that my system is affected, or is it a fake?
  3. Dec 6, 2007 #2
    Check the domain name that the email is sent from; it should be the same domain as the email address you're using (i.e., @gmail.com, etc.). If it's the same domain as yours then it's legit; if not, then delete it immediately.
  4. Dec 6, 2007 #3
    Yes, it happens to PF all the time. Once I got on board with SPF standards it lessened a lot.
  5. Dec 6, 2007 #4


    Gold Member

    Your answer confuses me.

    You're suggesting that, if it's the same domain that's OK, but if it's not that's bad.

    Seems to me that, if it has the same domain as the address I'm using then it IS originally from me - which suggests to me that my computer IS a zombie sending it out and having it bounce back. Which is bad.

    If it is NOT the same domain as me, then it is simply everyday harmless spam made to LOOK like a bounce.
    Last edited: Dec 6, 2007
  6. Dec 6, 2007 #5


    Gold Member

    I don't know what this means.
  7. Dec 7, 2007 #6

    Yes, because it is an auto generated message sent by the server.

    Email addresses that are sent out from a domain might not reach their intended targets, because of one of two things:

    1) It's blocked by the email server on the other end (target domain)

    2) It's blocked on your end by the email server

    If it's legit, and not spam (which is likely the case), then it would have your domain or the intended target's domain in the email address.
    Spam messages posing as bouncebacks are rare (now that I think about it) but they can happen.
  8. Dec 7, 2007 #7

    Doc Al


    Staff: Mentor

    I'm confused by all this. I get these mystery "bounce-backs" every once in a while despite the security on my work PC.

    Here's one example that I got last week. It was a real message from the Sys Admin, but not something I had sent:

    From: System Administrator
    Subject: Undeliverable: feverishly turn signal

    Your message did not reach some or all of the intended recipients.
    One of the addresses looked roughly like my user name but at some netzero.net domain.
  9. Dec 7, 2007 #8


    Staff Emeritus
    Science Advisor
    Gold Member

    Yeah, they're spam. I get them too. They aren't being sent from your computer, and can just be deleted and ignored (I have NO idea if there's anything malicious in them, so don't open them). I don't know how they do it, but it seems to get them around the spam catchers by making them look like a bounced message.

    I had the same worry the first time I got one of those for a message I clearly had not sent, but when nobody in my address book was complaining about strange messages from me, and no other bounce backs came in, and nobody in the IS office quarantined my computer or called me about a problem, I decided it was just a clever spam, not that my computer had been taken over by some sort of virus or worm sending out spam.

    (If you get a LOT of bounce backs, then I'd worry. You can always contact your ISP, or whoever is in charge of IT in your office, to verify there isn't any unusual amount of messages being sent from your computer...even if it doesn't appear on your machine, they'd know the volume being sent from your machine.)
    Last edited: Dec 7, 2007
  10. Dec 7, 2007 #9

    Chris Hillman

    Science Advisor

    Geez Louise, hasn't anyone here ever heard of forging email addresses? Spammers do this all the time.

    I'd much rather hear a genuine expert try to explain this, but since the responses so far have been (to the best of my limited knowledge) somewhat misleading, I'll try to do the best I can.

    To oversimplify, a spammer typically has a huge collection of addresses, including A, B, and using a computer C in their botnet, they send a spam from C to A with the originating address forged so that the email claims to come from B. If A sits behind a server running anti-spam software, the email actually sent from C may be "returned" to B with an "explanatory" header (although this practice has been deprecated for many years, since it serves no useful purpose). If someone at B examines the "path" line in the original message (which should be included in the message sent to B), this often immediately shows that the actual originating address (the IP of C) is in a completely different part of the world from B. However, it usually makes sense to simply train your anti-spam software to regard all such messages as "annoyance spam". Again, responsible server operators generally do not send out such emails to other domains.

    As someone said, if you use a mailhost you might get a message concerning a suspicious email sent from your domain to the mailserver, and in such cases you should contact your mailhost admin if you are concerned. AFAIK, in most cases even these messages are of little help in determining whether there has been any breach of any machines under your control. As the particulars you noted in the putative "bounceback" message you received suggest, this might well be a snafu.

    And as Moonbear suggested, some of these putative bounceback messages are sent by spammers hoping to refine their lists of valid email addresses.

    While there appear to be many possible explanations, I think everyone agrees that it is generally thought to be safe to delete putative bounceback "automessages" without reading them, although I'd pay attention to a personal email from an admin of a genuine server which you really do use (after carefully checking its authenticity--- an ancient and venerable technology, the telephone, is handy here!).
    Last edited: Dec 7, 2007
  11. Mar 30, 2008 #10
    Can anybody analyze it?
    I just changed x originating, x sender, to and from fields to me. For the sake of not getting more spam. As for the mail I am really confused. I never saw something like this. Looks like I am the sender but return path is different. To make it short, I am not trying to explain but looking for advice.
    Delivered-To: me@gmail.com
    Received: by with SMTP id v8cs155858pyk;
    Mon, 24 Mar 2008 13:46:39 -0700 (PDT)
    Received: by with SMTP id s17mr16746952hue.17.1206391598102;
    Mon, 24 Mar 2008 13:46:38 -0700 (PDT)
    Return-Path: <kenop@sarsinc.com>
    Received: from casa-lb4n2gfdhl ([])
    by mx.google.com with SMTP id f6si2171818nfh.21.2008.;
    Mon, 24 Mar 2008 13:46:37 -0700 (PDT)
    Received-SPF: softfail (google.com: domain of transitioning kenop@sarsinc.com does not designate as permitted sender) client-ip=;
    Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning kenop@sarsinc.com does not designate as permitted sender) smtp.mail=kenop@sarsinc.com
    Date: Mon, 24 Mar 2008 13:46:36 -0700 (PDT)
    X-Originating-IP: []
    X-Originating-Email: [me@gmail.com]
    X-Sender: me@gmail.com
    Received: (qmail 9368 by uid 778); Mon, 24 Mar 2008 05:46:33 -0400
    Message-Id: <20080324014633.9370.qmail@casa-lb4n2gfdhl>
    To: <me@gmail.com>
    Subject: RE: MensHealth id 618839
    From: <me@gmail.com>
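
Added example, not part of any post in this thread: the header checks discussed above (envelope sender versus From line, SPF result, null sender on real bounces), applied in Python to a constructed sample modelled on the headers in post #10. The function names `addr`, `domain` and `triage` and the trimmed sample are assumptions of this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers in post #10; the fields whose
# IP addresses were elided in the post are left out.
SAMPLE = """\
Delivered-To: me@gmail.com
Return-Path: <kenop@sarsinc.com>
Received-SPF: softfail (google.com: domain of transitioning kenop@sarsinc.com does not designate as permitted sender)
Message-Id: <20080324014633.9370.qmail@casa-lb4n2gfdhl>
To: <me@gmail.com>
Subject: RE: MensHealth id 618839
From: <me@gmail.com>

(body omitted)
"""

def addr(value):
    """Bare lower-cased address from a header value ('' if absent or '<>')."""
    return parseaddr(value or "")[1].lower()

def domain(value):
    """Domain part of the address in a header value, or ''."""
    a = addr(value)
    return a.rpartition("@")[2] if "@" in a else ""

def triage(raw):
    """Return findings that explain why the From line cannot be trusted."""
    msg = message_from_string(raw)
    findings = []
    env, hdr = domain(msg["Return-Path"]), domain(msg["From"])
    if msg["Return-Path"] is not None and not addr(msg["Return-Path"]):
        findings.append("null envelope sender: message was submitted as a bounce (DSN)")
    elif env and hdr and env != hdr:
        findings.append(f"envelope domain {env} differs from From domain {hdr}")
    spf = re.match(r"\s*(\w+)", msg.get("Received-SPF", ""))
    if spf and spf.group(1).lower() not in ("pass", "none", "neutral"):
        findings.append(f"SPF {spf.group(1).lower()} for the envelope sender")
    if addr(msg["From"]) and addr(msg["From"]) == addr(msg["To"]):
        findings.append("From equals To: sender header set to the recipient's address")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("-", finding)
```

For the sample, all three non-bounce findings fire: the From line names the recipient, while the envelope sender belongs to a different domain that SPF does not authorize for the connecting host.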