Koozali.org: home of the SME Server

Why is this happening? E-mail hacked?

Ted
« on: January 02, 2007, 04:52:41 AM »
Just started receiving these today.  So far I have received about 10 of these.

This one came back with the subject "Returned mail: see transcript for details".
Here is the body of the message.  If I can figure out how to post the header I will.

Thanks.  


:::::::::::::::;

The original message was received at Mon, 1 Jan 2007 22:20:51 -0500
from 0x50a45d37.naenxx4.adsl-dhcp.tele.dk [80.164.93.55]

   ----- The following addresses had permanent fatal errors -----
<trillium@trilliummachinery.com>

   ----- Transcript of session follows -----
554 5.4.6 aliasing/forwarding loop broken



Reporting-MTA: dns; mail10c0.megamailservers.com
Received-From-MTA: DNS; 0x50a45d37.naenxx4.adsl-dhcp.tele.dk
Arrival-Date: Mon, 1 Jan 2007 22:20:51 -0500

Final-Recipient: RFC822; trillium@trilliummachinery.com
X-Actual-Recipient: RFC822; trillium.trilliummachinery.com@mail10c0.megamailservers.com
Action: failed
Status: 5.4.6
Last-Attempt-Date: Mon, 1 Jan 2007 22:21:22 -0500



X-Envelope-From: ooz@shadowsfall.org
Return-Path: <ooz@shadowsfall.org>
Received: from 0x50a45d37.naenxx4.adsl-dhcp.tele.dk (0x50a45d37.naenxx4.adsl-dhcp.tele.dk [80.164.93.55])
   by mail10c0.megamailservers.com (8.13.6.20060614/8.13.1) with SMTP id l023KY7X025288
   for <trillium@trilliummachinery.com>; Mon, 1 Jan 2007 22:20:51 -0500
Received: from sdo ([69.124.106.72]) by 0x50a45d37.naenxx4.adsl-dhcp.tele.dk with Microsoft SMTPSVC(6.0.3790.0); Sat, 1 Jan 2000 01:39:05 +0100
Message-ID: <386D4CA9.1010902@shadowsfall.org>
Date: Sat, 1 Jan 2000 01:39:05 +0100
From: Greta Mcbride <ooz@shadowsfall.org>
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
MIME-Version: 1.0
To: trillium@trilliummachinery.com
Subject: The EJB software programming model is significantly simpler.
Content-Type: multipart/related;
 boundary="------------000304050603060904050208"

::::::::::::::::::::::
...

cactus
« Reply #1 on: January 02, 2007, 11:08:18 AM »
Quote from: "Ted"
IF I can figure out how to post the header I will.

[...]
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
Since it seems that you are using Thunderbird:
Quote from: "http://www.zytrax.com/security/email_faqs.html"
How do I look at mail headers in Mozilla Thunderbird?
To view headers in Mozilla Thunderbird you have two choices. To view an interpreted version:

Click View Menu
Select 'Headers'
Select 'All' which displays the header for all messages until the option is changed again
To restore to normal mode, click View menu, select Headers then Normal
To view the raw source for this message only:

Click View Menu
Select 'Message Source'
This displays the source text for this message only.

Quote from: "Ted"
----- The following addresses had permanent fatal errors -----
<trillium@trilliummachinery.com>

----- Transcript of session follows -----
554 5.4.6 aliasing/forwarding loop broken
Did you perhaps create pseudonyms or aliases for which a user does not exist (anymore)? Did you modify other email settings recently?
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Ted
« Reply #2 on: January 02, 2007, 03:57:47 PM »
Thanks for the tip about "Message Source".  I don't recall changing any settings (except last night after this had started) except for 1) downloading and installing updates 2) virus scanning settings.  Now last night I (as a test) set "E-mail to unknown users    Send to ted_riedel" from Send to ted.

Looks like a couple of different errors.
Type one

Subject:failure notice     Sender MAILER_DAEMON@someone (superwebdne.gr)

Header
From - Tue Jan  2 06:35:52 2007
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <>
Delivered-To: ted_riedel@rickoshay.shadowsfall.org
Received: (qmail 4556 invoked by alias); 2 Jan 2007 07:30:08 -0000
Delivered-To: alias-localdelivery-ted_riedel@shadowsfall.org
Received: (qmail 4553 invoked by alias); 2 Jan 2007 07:30:08 -0000
Delivered-To: dyjl@rickoshay.shadowsfall.org
Received: (qmail 4550 invoked by alias); 2 Jan 2007 07:30:08 -0000
Delivered-To: alias-localdelivery-dyjl@aviondreams.com
Received: (qmail 4547 invoked by uid 453); 2 Jan 2007 07:30:08 -0000
X-Spam-Status: No, hits=1.1 required=5.0
   tests=NO_REAL_NAME,UPPERCASE_50_75
X-Spam-Check-By: shadowsfall.org
Received: from ns1.superwebdns.gr (HELO superwebdns.gr) (62.103.159.132)
    by shadowsfall.org (qpsmtpd/0.32) with ESMTP; Mon, 01 Jan 2007 23:30:04 -0800
Received: (qmail 22986 invoked for bounce); 2 Jan 2007 09:30:11 +0200
Date: 2 Jan 2007 09:30:11 +0200
From: MAILER-DAEMON@superwebdns.gr
To: dyjl@aviondreams.com
Subject: failure notice

Hi. This is the qmail-send program at superwebdns.gr.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<jxd@oagoudiou.org>:
This address no longer accepts mail.

--- Below this line is a copy of the message.

Return-Path: <dyjl@aviondreams.com>
Received: (qmail 22975 invoked from network); 2 Jan 2007 09:30:11 +0200
Received: from 116.253.88.202.asianet.co.in (202.88.253.116)
  by theeaglesnest.eu with SMTP; 2 Jan 2007 09:30:08 +0200
Received: (qmail 28885 invoked from network); Tue, 2 Jan 2007 12:59:50 +0530
Received: from unknown (HELO xjvvas) (143.80.76.178)
   by 116.253.88.202.asianet.co.in with SMTP; Tue, 2 Jan 2007 12:59:50 +0530
Message-ID: <459A09EE.3050708@aviondreams.com>
Date: Tue, 2 Jan 2007 12:59:50 +0530
From: Hugh Ramirez <dyjl@aviondreams.com>
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
MIME-Version: 1.0
To: jxd@oagoudiou.org
Subject: PERIODS OF LIGHTRAINFALL NEAR THE SHORE.
Content-Type: multipart/related;
 boundary="------------060805000005090805030103"

Type two
Subject:Delivery Status Notification (Failure)  Sender Mail Delivery Subsystem ---(My server?)

Header:
This is an automatically generated Delivery Status Notification

Delivery to the following recipient failed permanently:

     moultriebounce@gmail.com

Technical details of permanent failure:
PERM_FAILURE: Mail quota exceeded

   ----- Original message -----

Received: by 10.49.13.14 with SMTP id q14mr22965611nfi.1167723665521;
        Mon, 01 Jan 2007 23:41:05 -0800 (PST)
Return-Path: <gctnpu@aviondreams.com>
Received: from shore.porcpatio.com ([69.94.122.202])
        by mx.google.com with SMTP id z73si83926904nfb.2007.01.01.23.40.51;
        Mon, 01 Jan 2007 23:41:05 -0800 (PST)
Received-SPF: error (google.com: error in processing during lookup of gctnpu@aviondreams.com: DNS timeout)
Received: (qmail 17035 invoked by uid 1001); 2 Jan 2007 02:45:16 -0000
Delivered-To: redirect-com-cabanda-april.golf@cabanda.com
Received: (qmail 17031 invoked from network); 2 Jan 2007 02:45:15 -0000
Received: from 116.253.88.202.asianet.co.in (202.88.253.116)
  by 0 with SMTP; 2 Jan 2007 02:45:15 -0000
Received: from szk ([222.82.239.229])
   by 116.253.88.202.asianet.co.in (8.13.5/8.13.5) with SMTP id l027iejM025309;
   Tue, 2 Jan 2007 13:14:40 +0530
Message-ID: <459A0C80.2080307@aviondreams.com>
Date: Tue, 2 Jan 2007 13:10:48 +0530
From: Romero Jeff <gctnpu@aviondreams.com>
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
MIME-Version: 1.0
To: april.golf@cabanda.com
Subject: RAIN SHOWERS CONTINUING THROUGH THIS MORNING.
Content-Type: multipart/related;
 boundary="------------050008010200090701020908"

--------------050008010200090701020908
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">

   ----- Message truncated -----

Type three:
subject:Delivery Notification: Delivery has failed  Sender: Internet Mail Delivery

Header:
This report relates to a message you sent with the following header fields:

  Message-id: <459A1FCE.6070608@aviondreams.com>
  Date: Tue, 02 Jan 2007 14:33:10 +0530
  From: Kane <emfcds@aviondreams.com>
  To: eon@dgp.mir.es
  Subject: married

Your message cannot be delivered to the following recipients:

  Recipient address: eon@dgp.mir.es
  Reason: Remote SMTP server has rejected address
  Diagnostic code: smtp;550 5.1.1 unknown or illegal alias: eon@dgp.mir.es
  Remote system: dns;mux.policia.es (correo1.dgp.mir.es -- Server ESMTP [Sun Java System Messaging Server 6.2-4.03 [built Sep 22 2005]])




Reporting-MTA: dns;correo.dgp.mir.es (tcp_dgp-daemon)

Original-recipient: rfc822;eon@dgp.mir.es
Final-recipient: rfc822;eon@dgp.mir.es
Action: failed
Status: 5.1.1 (Remote SMTP server has rejected address)
Remote-MTA: dns;mux.policia.es
 (correo1.dgp.mir.es -- Server ESMTP [Sun Java System Messaging Server 6.2-4.03
 [built Sep 22 2005]])
Diagnostic-code: smtp;550 5.1.1 unknown or illegal alias: eon@dgp.mir.es



Return-path: <emfcds@aviondreams.com>
Received: from tcp_dgp-daemon.correo.dgp.mir.es by correo.dgp.mir.es
 (MTA externa de la DGP) id <0JB800DD6GWV0I00@correo.dgp.mir.es>; Tue,
 02 Jan 2007 09:58:11 +0100 (CET)
Received: from 116.253.88.202.asianet.co.in ([202.88.253.116])
 by correo.dgp.mir.es (MTA externa de la DGP)
 with SMTP id <0JB800GTNGWSWFG2@correo.dgp.mir.es> for eon@dgp.mir.es; Tue,
 02 Jan 2007 09:58:07 +0100 (CET)
Received: from fnjy ([169.58.25.190])   by 116.253.88.202.asianet.co.in
 (8.13.3/8.13.3) with SMTP id l0293ijF059840; Tue, 02 Jan 2007 14:33:44 +0530
Date: Tue, 02 Jan 2007 14:33:10 +0530
From: Kane <emfcds@aviondreams.com>
Subject: married
To: eon@dgp.mir.es
Message-id: <459A1FCE.6070608@aviondreams.com>
MIME-version: 1.0
Content-type: TEXT/PLAIN
Content-transfer-encoding: QUOTED-PRINTABLE
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)


:::::::::::

I don't know if I am in a small panic over nothing or not.  I'm just hoping that neither my server nor one of my family's PCs is sending spam.

Hope this helps

Thanks

Ted

SME ver 7.0 on Dell Server Hardware.
...
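
An added example, not part of the thread or of any poster's code: a Python check that reads the copy of the original message returned inside the "Type one" bounce above and reports whether any hop in its Received chain is the poster's own server. The OWN_DOMAINS entries are read off the Delivered-To lines in the post (treating aviondreams.com as hosted on the same server is an assumption), OWN_IPS holds a placeholder address, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions: domains read off the Delivered-To lines in the post; the IP is a
# documentation placeholder, not the poster's real address.
OWN_DOMAINS = {"shadowsfall.org", "aviondreams.com"}
OWN_IPS = {"192.0.2.10"}

# Headers of the returned original from the "Type one" bounce quoted above.
RETURNED = """\
Return-Path: <dyjl@aviondreams.com>
Received: (qmail 22975 invoked from network); 2 Jan 2007 09:30:11 +0200
Received: from 116.253.88.202.asianet.co.in (202.88.253.116)
  by theeaglesnest.eu with SMTP; 2 Jan 2007 09:30:08 +0200
Received: (qmail 28885 invoked from network); Tue, 2 Jan 2007 12:59:50 +0530
Received: from unknown (HELO xjvvas) (143.80.76.178)
   by 116.253.88.202.asianet.co.in with SMTP; Tue, 2 Jan 2007 12:59:50 +0530
Message-ID: <459A09EE.3050708@aviondreams.com>
From: Hugh Ramirez <dyjl@aviondreams.com>
To: jxd@oagoudiou.org
"""

# "from <host> ... (<ip>) ... by <host>"; the IP must directly follow ( or [
HOP = re.compile(
    r"from\s+(\S+).*?[(\[](\d{1,3}(?:\.\d{1,3}){3})[)\]].*?\bby\s+(\S+)", re.S)

def relay_hops(raw):
    """Return (from_host, from_ip, by_host) per network hop, newest first."""
    received = message_from_string(raw).get_all("Received", [])
    # Local qmail hand-offs carry no peer address, so they do not match.
    return [m.groups() for m in map(HOP.search, received) if m]

def is_own(host, ip=None):
    host = host.lower().strip("[];.")
    return ip in OWN_IPS or any(
        host == d or host.endswith("." + d) for d in OWN_DOMAINS)

def classify(raw):
    """Say whether the returned message ever touched one of our hosts."""
    if any(is_own(f, ip) or is_own(b) for f, ip, b in relay_hops(raw)):
        return "relayed-by-own-server"
    sender = parseaddr(message_from_string(raw).get("Return-Path", ""))[1]
    if is_own(sender.rpartition("@")[2]):
        return "forged-sender"  # our domain in the envelope, but never our relay
    return "unrelated"

if __name__ == "__main__":
    print(relay_hops(RETURNED), classify(RETURNED))
```

Received lines below the one written by the bouncing server are supplied by the sending side and can be forged, so the server's own outbound mail logs remain the authoritative check.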

kryptos
« Reply #3 on: September 27, 2007, 09:10:45 AM »
Hi,

Was this problem fixed? I have the same problem. Some of our email users are getting returned mail for messages they didn't send at all. See details below.

From: "Mail Delivery Subsystem" <MAILER-DAEMON@client.domain.com>
 To: <user1@mydomain.com>
 Sent: Thursday, September 13, 2007 7:38 PM
 Subject: Returned mail: see transcript for details


 The original message was received at Thu, 13 Sep 2007 19:38:06 +0800
 from localhost.localdomain [127.0.0.1]

   ----- The following addresses had permanent fatal errors -----
 <3dr_negishi@client.domain.com>
    (reason: 550 5.1.1 <3dr_negishi@client.domain.com>... User unknown)

   ----- Transcript of session follows -----
... while talking to client.domain.com:
 RCPT To:<3dr_negishi@client.domain.com>
 550 5.1.1 <3dr_negishi@client.domain.com>... User unknown
 550 5.1.1 <3dr_negishi@client.domain.com>... User unknown

The sending domain is our client. And our user is sure that she is not sending that email to our client's email domain.

Thanks,
Rocel