Mail Delivery Failed for Mail I didn't send

In the last 24 hours, I'm now receiving on average a "Mail delivery failed" email about every 10 minutes which shows my email address as sender. Should I be concerned?

Sorry if this is a dumb question, but I'm a bit concerned with whether someone is sending a ton of junk emails that appear to be from me. The contents of these emails are generally nonsensical -- lots of words that are not necessarily in sentences.

Any ideas what's up with that?

  • David Keith
    Is it an email address from a provider like Gmail/Yahoo/Hotmail? Or is it from your own domain? Have you looked at the email headers to see who actually sent it?
  • Charlotte Jay
    Sounds like you got hacked. Change your password, clear your cache and cookies. Hopefully that should do the trick. The same thing happened to my GMail account a couple of days ago.
  • AnneE
    The message headers look like:

    Return-path: <my email address here>
    Received: from static-141-158-133-2.scr.east.verizon.net ([141.158.133.2] helo=server.ea-net.local)
    by dylan.lunarpages.com with esmtpsa (TLSv1:RC4-MD5:128)
    (Exim 4.69)
    (envelope-from <my email address here>)
    id 1S5USJ-0006cu-Aa
    for removed email address; Wed, 07 Mar 2012 19:55:55 -0800
    MIME-Version: 1.0
    Date: Wed, 07 Mar 2012 22:56:22 -0500
    X-Priority: 3 (Normal)
    X-Mailer: Microsoft Outlook Express 6.00.2800.1158
    Content-Type: text/plain;
    charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable
    Subject: taxi passed us a fake saws body, and needle showed how well they hid across town. Me, I would to
    From: my email address here
    To: removed email address
    Message-ID: <CHILKAT-MID-a3d54662-9dc9-5e1b-4d0c-afe21885a1db@server.ea-net.local>

    Memoir Another friend, Jennifer, just served Nora can These young men s= ay, Yeah, I will them from=20 far Jersey ........


    See, the texts don't even make sense. I'll go change my password. Now that you say it I'm thinking, duh..... I should have thought of that. Perhaps a little more tired than I realized.
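An added example (not part of the original thread) that reads the `Received:` header posted above. The `with` keyword records how the message reached the server: under RFC 3848, `esmtpsa` means TLS plus a successful SMTP AUTH login, which is what separates a message submitted with the account's credentials from one that merely forges the sender address. The second header and its host names are constructed for contrast.

```python
import re

# Received header exactly as posted in the thread (addresses already redacted there).
POSTED = """Received: from static-141-158-133-2.scr.east.verizon.net ([141.158.133.2] helo=server.ea-net.local)
    by dylan.lunarpages.com with esmtpsa (TLSv1:RC4-MD5:128)
    (Exim 4.69)
    (envelope-from <my email address here>)
    id 1S5USJ-0006cu-Aa"""

# Constructed contrast case: no TLS and no login (hypothetical hosts and id).
CONSTRUCTED = """Received: from mail.example.net ([192.0.2.10] helo=mail.example.net)
    by mx.example.org with esmtp (Exim 4.69)
    id 1S5XXX-000000-00"""

# "with" keywords registered by RFC 3848: S = TLS was used, A = SMTP AUTH succeeded.
TLS_PROTOCOLS = {"esmtps", "esmtpsa"}
AUTH_PROTOCOLS = {"esmtpa", "esmtpsa"}

def parse_received(header):
    flat = re.sub(r"\s+", " ", header)          # unfold continuation lines
    def grab(pattern):
        m = re.search(pattern, flat)
        return m.group(1) if m else None
    proto = (grab(r"\bwith (\S+)") or "").lower()
    return {
        "client_name": grab(r"\bfrom (\S+)"),
        "client_ip": grab(r"\(\[([0-9A-Fa-f.:]+)\]"),
        "helo": grab(r"helo=([^\s)]+)"),
        "received_by": grab(r"\bby (\S+)"),
        "protocol": proto,
        "tls": proto in TLS_PROTOCOLS,
        "authenticated": proto in AUTH_PROTOCOLS,
    }

def verdict(header):
    hop = parse_received(header)
    if hop["authenticated"]:
        return (f"{hop['client_ip']} logged in to {hop['received_by']} with valid "
                "credentials: treat as account compromise, not a forged sender")
    return (f"{hop['client_ip']} delivered to {hop['received_by']} without logging in: "
            "this hop shows no use of the account's credentials")
```
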
  • Wendy Maki
    I have had this happen a number of times. At first I panicked until I checked into it with the ISP I had at the time. All that has happened (probably) is that someone has gotten hold of either your email address (from a subscription or otherwise) or the domain of your email (if you use a catchall type email with a domain you own)... and you will find that email address either on the visible part of the email or in the source code (it's often hidden behind a fake visible address). Then the nefarious party used that email address to APPEAR as the source of the spam to hide the real source when they bulk mailed to a lot of people. Inevitably some of those bounce ... and they bounce back to YOU, rather than the people who actually sent it. ISPs know this ploy apparently and will not blame you.

    I hope this helps ease your mind. Obviously if there are more problems look into other causes, like viruses mailing from your computer, but start with the more usual cause...
  • Troy_Phillips
    Have you set up a WP blog in the last few days ... you can get emails like that sometimes when you are getting comments to your blog .. almost looks like keyword loaded comments.
  • Kingfish85
    Someone is spoofing your email. No need to be alarmed, it happens ALL the time.

    Create an SPF record. It will stop any mail from coming back that didn't originate from the domain.
  • AnneE
    Originally Posted by Kingfish85 View Post

    Someone is spoofing your email. No need to be alarmed, it happens ALL the time.

    Create an SPF record. It will stop any mail from coming back that didn't originate from the domain.
    Er.... what's an SPF record?

    I did change the password and logged into FTP browser with new password, just to look for any new files. Pretty tame hackers if someone actually had the password, perhaps just spoofing the emails as suggested. Though so far, since I changed the password, no bounced mail -- too soon to say it's stopped for good though.
  • Dann Vicker
    This used to happen to me until I figured to change the password...that sort of did the trick.
  • AnneE
    Hmm... I did Google for SPF records, they didn't look like items that amateurs should be playing with. I still received one bounced email, but then I realized, sometimes mail does take a while to get bounced.

    Thanks for the suggestions everyone. Nice to feel a sense of help from a community. I'm heading to bed. We'll see what tomorrow brings.
  • tpw
    Originally Posted by Kingfish85 View Post

    Someone is spoofing your email. No need to be alarmed, it happens ALL the time.

    I don't know about the SPF record either, and I have been doing this a long time.

    But I definitely concur that someone is most likely spoofing your email address.

    It happens all the time to me... And frequently, people will spoof my address in the To: and From: field with the same address.
  • agc
    Originally Posted by AnneE View Post

    In the last 24 hours, I'm now receiving on average a "Mail delivery failed" email about every 10 minutes which shows my email address as sender. Should I be concerned?

    Sorry if this is a dumb question, but I'm a bit concerned with whether someone is sending a ton of junk emails that appear to be from me. The contents of these emails are generally nonsensical -- lots of words that are not necessarily in sentences.

    Any ideas what's up with that?
    I'm guessing it's a Wordpress site?

    Go look at the files in each of your ftp directories... sort by date. That said, they probably whacked the date too... so look at any files that have changed... either LATEST or EARLIEST dates.

    SPECIFICALLY look at any STATS.PHP or WP-STATS.PHP files. Look at what's inside them. If you see a bunch of base 64 crap... odds are it's a virus/hack.

    This is a known wordpress hack. I was getting email bounces for a domain of mine that hosts a wordpress blog. I found a stats.php dated like 1967. or 1867. I forget, but it was obvious. Renaming stats.php.virus (ie not deleting the file just in case I actually need to put it back later) fixed the problem.
  • AnneE
    Originally Posted by agc View Post

    I'm guessing it's a Wordpress site?

    Go look at the files in each of your ftp directories... sort by date. That said, they probably whacked the date too... so look at any files that have changed... either LATEST or EARLIEST dates.

    SPECIFICALLY look at any STATS.PHP or WP-STATS.PHP files. Look at what's inside them. If you see a bunch of base 64 crap... odds are it's a virus/hack.

    This is a known wordpress hack. I was getting email bounces for a domain of mine that hosts a wordpress blog. I found a stats.php dated like 1967. or 1867. I forget, but it was obvious. Renaming stats.php.virus (ie not deleting the file just in case I actually need to put it back later) fixed the problem.
    It does have a WP blog on the domain. The bounced emails are still going. I will look for the sort of file you are describing this morning. If nothing else having my Inbox dominated by this junk is very annoying!

    I definitely appreciate people helping me out.
  • Kingfish85
    Hi AnneE, sorry for the long delay. SPF stands for Sender Policy Framework. It will validate that the email was actually sent from your domain. You can do this in cPanel under "Email Authentication", click enable. If you don't have the option or are unsure, contact your host.
  • AnneE
    Originally Posted by Kingfish85 View Post

    Hi AnneE, sorry for the long delay. SPF stands for Sender Policy Framework. It will validate that the email was actually sent from your domain. You can do this in cPanel under "Email Authentication", click enable. If you don't have the option or are unsure, contact your host.
    Ah.... clicking an option on cPanel I think I can handle. Thanks for pointing out this option.

    Actually though, I think I have what agc suggested. I believe someone hacked the website password and FTPed PHP files that they are now executing and those PHP files are what is sending emails from my account.

    I went and looked at the files in the Wordpress directories. None of them had suspicious dates, but there are tons of files with nonsensical names. About 4 folders had been created with names such as sbxjt which contain an index.php in them. So someone could have gone to my site and tacked on the /sbxjt/ to the domain name and run code that they transferred there. I first did a mass transfer of the whole directory to an external hard-drive and now I'm deleting these folders on my website. Hopefully that will be the end of it.
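An added example (not code from the thread) that automates the manual check described in the posts above: agc's advice to look for `stats.php` / `wp-stats.php`, base64 content and impossible file dates, plus the lone `index.php` folders AnneE found. The thresholds, the sample tree and its file contents are constructed assumptions; hits are leads to review, not proof.

```python
import calendar, os, re, tempfile, time

SUSPECT_NAMES = {"stats.php", "wp-stats.php"}   # file names named in the thread
OBFUSCATED = re.compile(
    rb"(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\("  # decode-and-run
    rb"|[A-Za-z0-9+/]{200,}")                                              # long base64 run
WP_FIRST_RELEASE = calendar.timegm((2003, 1, 1, 0, 0, 0))  # WordPress did not exist before 2003

def scan(root, now=None):
    now = now or time.time()
    findings = {}                                # {relative path: [reasons]}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            path, reasons = os.path.join(dirpath, name), []
            if name.lower() in SUSPECT_NAMES:
                reasons.append("suspect-name")
            with open(path, "rb") as fh:
                if OBFUSCATED.search(fh.read(2_000_000)):
                    reasons.append("obfuscated-payload")
            mtime = os.stat(path).st_mtime
            if mtime < WP_FIRST_RELEASE or mtime > now + 86400:
                reasons.append("implausible-mtime")
            # A directory holding nothing but index.php, like the sbxjt folders described.
            if name.lower() == "index.php" and not dirnames and len(filenames) == 1:
                reasons.append("lone-index-dir")
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings

def build_sample_tree(root):                     # constructed sample data, not real files
    files = {
        "sbxjt/index.php": b'<?php eval(base64_decode("ZWNobyAxOw==")); ?>',  # harmless payload
        "stats.php": b"<?php /* constructed placeholder */ ?>",
        "wp-content/index.php": b"<?php\n// Silence is golden.\n",
        "wp-content/themes/style.css": b"/* constructed */",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    os.utime(os.path.join(root, "stats.php"), (10**8, 10**8))  # constructed: mtime in 1973

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan(tmp))
```

Run `scan()` against a downloaded copy of the site rather than the live host, and compare anything flagged against a clean WordPress release before deleting it.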
  • Kingfish85
    Originally Posted by AnneE View Post

    Ah.... clicking an option on cPanel I think I can handle. Thanks for pointing out this option.

    Actually though, I think I have what agc suggested. I believe someone hacked the website password and FTPed PHP files that they are now executing and those PHP files are what is sending emails from my account.

    I went and looked at the files in the Wordpress directories. None of them had suspicious dates, but there are tons of files with nonsensical names. About 4 folders had been created with names such as sbxjt which contain an index.php in them. So someone could have gone to my site and tacked on the /sbxjt/ to the domain name and run code that they transferred there. I first did a mass transfer of the whole directory to an external hard-drive and now I'm deleting these folders on my website. Hopefully that will be the end of it.
    Hi AnnE,

    If all you're getting is delivery failure bounce-backs, most likely someone is just spoofing your email address. It's pretty common and in most cases they get flagged as spam and automatically sent to your spam box. Sometimes they will slip through depending on the content of the email. Enabling SPF should eliminate the problem.
  • agc
    Originally Posted by Kingfish85 View Post

    Hi AnnE,

    If all you're getting is delivery failure bounce-backs, most likely someone is just spoofing your email address. It's pretty common and in most cases they get flagged as spam and automatically sent to your spam box. Sometimes they will slip through depending on the content of the email. Enabling SPF should eliminate the problem.
    While that MIGHT be true, it is NOT a safe assumption!

    *IF* it's just a spoofed return address, then you are correct, there is nothing you can do about it except ignore it.

    However...

    *IF* the emails are originating via a wordpress hack, THEN your email address is not spoofed... it's actually originating from your email exchange / SMTP server / agent. This means you REALLY ARE sending the spam emails.

    At a minimum, this will eventually end up in your domain getting into all the email black lists. Worse, you could end up with hosting companies just shutting down your account. Or god forbid, in a rare case even wind up dealing with law enforcement. Not that you are guilty... but dealing with law enforcement is ALWAYS to be avoided, even if innocent.

    *IF* you've been hacked *AND* this is a domain you ever intend to send any real email from, then this is a serious problem and needs to be cleaned up now.
  • BackLinkiT
    Check your out of office assistant too, just to be on the safe side.

    Some goofball hacked my gmail account and even set the out of office to reply with more garbage to every email I received!

    Cheeky b*&%$^!

    Peter
  • agc
    Originally Posted by BackLinkiT View Post

    Check your out of office assistant too, just to be on the safe side.

    Some goofball hacked my gmail account and even set the out of office to reply with more garbage to every email I received!

    Cheeky b*&%$^!

    Peter
    Oh yeah, there are lots of those hacks for GMAIL and Yahoo mail.

    Important to keep in mind in the context of this thread being useful for other people.

    But I suspect the Op found his virus in the /gurgeburf/ directories of his Wordpress blog.
  • AnneE
    Originally Posted by agc View Post

    ...

    *IF* the emails are originating via a wordpress hack, THEN your email address is not spoofed... it's actually originating from your email exchange / SMTP server / agent. This means you REALLY ARE sending the spam emails.

    ...
    Yes, this is what I'm thinking was actually going on on my account. Only time will tell for sure. But certainly all the files I deleted from within the Wordpress subdirectories weren't there for no reason. Someone moved them there for a purpose, a not good purpose. The email address of mine that they were using is the admin account for the Wordpress blog.
  • AnneE
    Bummer, I thought this was done when a week ago I deleted all the weird Wordpress files and changed the account password. But today the Undeliverable mail messages (and therefore my account sending SPAM) began again. I did today now set the SPF enabled bit and will see if this helps at all.
