LOTS of bounced spam messages today

jschlackman
Dabbler
Posts: 23
Registered: 07-11-2007

LOTS of bounced spam messages today

Clearly not content with sending me spam directly, it seems that today one purveyor of filth has decided to use my email address in their spoofed From: fields, and so I've had over a hundred bounce messages so far today - normally I get fewer than one a day. I imagine many more have been blocked by the edge detection, but I have had to raise my spam filter aggressiveness as quite a few slipped through on the previous setting (1). On the upside, at least my recent installation of POPFile is getting some good training data.
Anyone else experiencing this or am I just especially unlucky today?
5 REPLIES
pierre_pierre
Grafter
Posts: 19,757
Thanks: 3
Registered: 30-07-2007

Re: LOTS of bounced spam messages today

Not too sure if Bob's rule that changed yesterday should have stopped them. Before you delete them all, post some headers for Bob; I thought he was checking to find if the name was from a PN ID or not.
Otherwise just plain unlucky, only lasts for about two days.
jschlackman
Dabbler
Posts: 23
Registered: 07-11-2007

Re: LOTS of bounced spam messages today

Here's a small selection of headers that didn't get caught by the PN filters. I'm honestly not that surprised as they are genuine bounce messages, albeit in response to fake emails. Note that for obvious reasons, I've altered the To: field. The email was all sent to an address in the same format as the one shown to my .org domain that is hosted with PN.

Return-path: <>
Envelope-to: name@surname.tld
Delivery-date: Fri, 16 May 2008 19:10:56 +0100
Received: from exprod5mx216.postini.com ([64.18.0.75] helo=psmtp.com)
  by pih-sunmxcore15.plus.net with smtp (PlusNet MXCore v2.00) id 1Jx4ON-0005vE-GK
  for name@surname.tld; Fri, 16 May 2008 19:10:55 +0100
Received: from source ([203.56.45.136]) (using TLSv1) by exprod5mx216.postini.com ([64.18.4.10]) with SMTP;
  Fri, 16 May 2008 13:10:51 CDT
Received: from localhost (localhost)
  by ns2.zarnex.com.au (8.12.11/8.12.11) id m4GJ1h8T018533;
  Sat, 17 May 2008 05:01:43 +1000
Date: Sat, 17 May 2008 05:01:43 +1000
From: Mail Delivery Subsystem <MAILER-DAEMON@ns2.zarnex.com.au>
Message-Id: <200805161901.m4GJ1h8T018533@ns2.zarnex.com.au>
To: <name@surname.tld>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
  boundary="m4GJ1h8T018533.1210964503/ns2.zarnex.com.au"
Auto-Submitted: auto-generated (failure)
X-pstn-neptune: 4/4/1.00/85
X-pstn-levels:    (S:54.03932/99.90000 CV:99.0000 )
X-pstn-settings: 1 (0.1500:0.1500) cv gt3 gt2 gt1
X-pstn-addresses: from <MAILER-DAEMON@ns2.zarnex.com.au> [db-null]
X-PN-Virus-Filtered: by PlusNet MXCore (v4.00)
X-PN-Spam-Filtered: by PlusNet MXCore (v4.00)
Subject: Returned mail: see transcript for details

Return-path: <>
Envelope-to: name@surname.tld
Delivery-date: Fri, 16 May 2008 17:08:47 +0100
Received: from exprod5mx236.postini.com ([64.18.0.122] helo=psmtp.com)
  by pih-sunmxcore14.plus.net with smtp (PlusNet MXCore v2.00) id 1Jx2UA-0003JU-Nr
  for name@surname.tld; Fri, 16 May 2008 17:08:47 +0100
Received: from source ([65.242.25.144]) by exprod5mx236.postini.com ([64.18.4.10]) with SMTP;
  Fri, 16 May 2008 12:08:45 EDT
From: MAILER-DAEMON@floorgraphics.com
To: <name@surname.tld>
Date: Fri, 16 May 2008 13:06:56 -0400
Message-ID: <receipt-16266647@floorgraphics.com>
MIME-Version: 1.0
Content-Type: multipart/report; report-type="delivery-status"; boundary="_===16266647====floorgraphics.com===_"
X-pstn-neptune: 13/13/1.00/82
X-pstn-levels:    (S:87.07957/99.90000 CV:99.0000 )
X-pstn-settings: 1 (0.1500:0.1500) cv gt3 gt2 gt1
X-pstn-addresses: from <MAILER-DAEMON@floorgraphics.com> [db-null]
X-PN-Virus-Filtered: by PlusNet MXCore (v4.00)
X-PN-Spam-Filtered: by PlusNet MXCore (v4.00)
Subject: Undeliverable mail: Hermes

Return-path: <>
Envelope-to: name@surname.tld
Delivery-date: Fri, 16 May 2008 16:13:15 +0100
Received: from exprod5mx229.postini.com ([64.18.0.115] helo=psmtp.com)
  by pih-sunmxcore15.plus.net with smtp (PlusNet MXCore v2.00) id 1Jx1cQ-0007L8-N5
  for name@surname.tld; Fri, 16 May 2008 16:13:15 +0100
Received: from source ([200.181.57.140]) by exprod5mx229.postini.com ([64.18.4.10]) with SMTP;
  Fri, 16 May 2008 10:13:12 CDT
Received: by marimbondo.sipam.gov.br (Postfix)
  id 918429027FB; Fri, 16 May 2008 12:09:32 -0300 (BRT)
Date: Fri, 16 May 2008 12:09:32 -0300 (BRT)
From: MAILER-DAEMON@sipam.gov.br (Mail Delivery System)
To: name@surname.tld
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
  boundary="3BF64900329.1210950572/marimbondo.sipam.gov.br"
Message-Id: <20080516150932.918429027FB@marimbondo.sipam.gov.br>
X-pstn-neptune: 0/0/0.00/0
X-pstn-levels:    (S:39.16220/99.90000 CV:99.0000 )
X-pstn-settings: 1 (0.1500:0.1500) cv gt3 gt2 gt1
X-pstn-addresses: from <MAILER-DAEMON@sipam.gov.br> [db-null]
X-PN-Virus-Filtered: by PlusNet MXCore (v4.00)
X-PN-Spam-Filtered: by PlusNet MXCore (v4.00)
Subject: Delayed Mail (still being retried)
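
An added example, not part of the original post and not PlusNet's or Postini's filter logic: a Python sketch that recognises delivery reports by the header features visible in the three bounces above and counts them per reporting domain. The function names and the two-signal rule in `is_bounce` are assumptions made for illustration.

```python
from collections import Counter
from email.parser import HeaderParser
from email.utils import parseaddr

# Headers trimmed from the three bounces quoted in the thread (MIME boundaries
# shortened), plus one constructed ordinary message for contrast.
SAMPLES = [
    'Return-path: <>\nFrom: Mail Delivery Subsystem <MAILER-DAEMON@ns2.zarnex.com.au>\n'
    'Content-Type: multipart/report; report-type=delivery-status;\n boundary="b1"\n'
    'Auto-Submitted: auto-generated (failure)\n',
    'Return-path: <>\nFrom: MAILER-DAEMON@floorgraphics.com\n'
    'Content-Type: multipart/report; report-type="delivery-status"; boundary="b2"\n',
    'Return-path: <>\nFrom: MAILER-DAEMON@sipam.gov.br (Mail Delivery System)\n'
    'Auto-Submitted: auto-replied\n'
    'Content-Type: multipart/report; report-type=delivery-status;\n boundary="b3"\n',
    'Return-path: <alice@example.org>\nFrom: Alice <alice@example.org>\n'
    'Content-Type: text/plain\n',
]

def bounce_signals(raw):
    """Return the set of delivery-report indicators found in one header block."""
    msg = HeaderParser().parsestr(raw)
    found = set()
    # Delivery reports carry an empty envelope sender (RFC 5321).
    if msg.get("Return-path", "").strip() == "<>":
        found.add("null-return-path")
    # get_param() strips quotes, so both report-type spellings above match.
    if (msg.get_content_type() == "multipart/report"
            and (msg.get_param("report-type") or "").lower() == "delivery-status"):
        found.add("dsn-report")
    # Optional header (RFC 3834): the floorgraphics.com bounce omits it.
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        found.add("auto-submitted")
    local_part = parseaddr(msg.get("From", ""))[1].partition("@")[0].lower()
    if local_part in ("mailer-daemon", "postmaster"):
        found.add("daemon-sender")
    return found

def is_bounce(raw):
    """Assumed rule: null envelope sender plus one more independent signal."""
    s = bounce_signals(raw)
    return "null-return-path" in s and bool(s & {"dsn-report", "daemon-sender"})

def bounce_sources(raws):
    """Count bounces per reporting domain to show where a flood comes from."""
    counts = Counter()
    for raw in raws:
        if is_bounce(raw):
            sender = parseaddr(HeaderParser().parsestr(raw).get("From", ""))[1]
            counts[sender.rpartition("@")[2].lower()] += 1
    return counts
```

Header shape only shows that a message is a delivery report; it cannot show whether the message that bounced was really sent by the recipient, which is why well-formed bounces like these pass a content filter.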
jschlackman
Dabbler
Posts: 23
Registered: 07-11-2007

Re: LOTS of bounced spam messages today

Thought I'd follow up to report that the bounce flood dried up after a couple of days, as pierre_pierre predicted. Guess I was just unlucky.
pd
Grafter
Posts: 235
Registered: 09-05-2008

Re: LOTS of bounced spam messages today

Quote from: jschlackman
Clearly not content with sending me spam directly, it seems that today one purveyor of filth has decided to use my email address in their spoofed From: fields,

The same thing happened to me towards the end of last year; they were sending out spam with the address From: VIAGRA_Official_Site@pd1.org.uk. I had to blacklist the six MAILER-DAEMON addresses my (then) domain host - uk2 - was using to return the bounces to me after receiving several hundred in one day. When the domain expired in January this year I didn't bother renewing it. Fortunately, I already had a second one ready to use.
pd
jschlackman
Dabbler
Posts: 23
Registered: 07-11-2007

Re: LOTS of bounced spam messages today

Irritatingly, mine was my EXACT email address, not just the domain - they've probably used made-up usernames at my domain before, but those get eaten by the catch-all blackhole.