Mail Delivery Failed for Mail I didn't send

In the last 24 hours, I'm now receiving on average a "Mail delivery failed" email about every 10 minutes which shows my email address as sender. Should I be concerned?

Sorry if this is a dumb question, but I'm a bit concerned with whether someone is sending a ton of junk emails that appear to be from me. The contents of these emails are generally nonsensical -- lots of words that are not necessarily in sentences.

Any ideas what's up with that?
  • Profile picture of the author David Keith
    Is it an email address from a provider like gmail/yahoo/hotmail? Or is it from your own domain? Have you looked at the email headers to see who actually sent it?
  • Profile picture of the author Charlotte Jay
    Sounds like you got hacked. Change your password, clear your cache and cookies. Hopefully that should do the trick. The same thing happened to my GMail account a couple of days ago.
    • Profile picture of the author AnneE
      The message headers look like:

      Return-path: <my email address here>
      Received: from static-141-158-133-2.scr.east.verizon.net ([141.158.133.2] helo=server.ea-net.local)
      by dylan.lunarpages.com with esmtpsa (TLSv1:RC4-MD5:128)
      (Exim 4.69)
      (envelope-from <my email address here>)
      id 1S5USJ-0006cu-Aa
      for removed email address; Wed, 07 Mar 2012 19:55:55 -0800
      MIME-Version: 1.0
      Date: Wed, 07 Mar 2012 22:56:22 -0500
      X-Priority: 3 (Normal)
      X-Mailer: Microsoft Outlook Express 6.00.2800.1158
      Content-Type: text/plain;
      charset="iso-8859-1"
      Content-Transfer-Encoding: quoted-printable
      Subject: taxi passed us a fake saws body, and needle showed how well they hid across town. Me, I would to
      From: my email address here
      To: removed email address
      Message-ID: <CHILKAT-MID-a3d54662-9dc9-5e1b-4d0c-afe21885a1db@server.ea-net.local>

      Memoir Another friend, Jennifer, just served Nora can These young men s= ay, Yeah, I will them from=20 far Jersey ........


      See, the texts don't even make sense. I'll go change my password. Now that you say it I'm thinking, duh..... I should have thought of that. Perhaps a little more tired than I realized.
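Added example, not part of any post in this thread: a Python check that reads the Received line from the headers quoted above and reports whether that hop used SMTP AUTH. In Exim's protocol names `esmtpsa` means a TLS session with a successful login, so a match points at account credentials being used rather than a forged sender alone. Assumptions: the redacted addresses are replaced with example.com placeholders, and `classify_hop` and its `my_mail_host` parameter are hypothetical names.

```python
import re
from email import message_from_string

# Constructed sample: the Received header from the post above, with the
# redacted addresses replaced by placeholder addresses.
SAMPLE = """\
Return-path: <user@example.com>
Received: from static-141-158-133-2.scr.east.verizon.net ([141.158.133.2] helo=server.ea-net.local)
\tby dylan.lunarpages.com with esmtpsa (TLSv1:RC4-MD5:128)
\t(Exim 4.69)
\t(envelope-from <user@example.com>)
\tid 1S5USJ-0006cu-Aa
\tfor rcpt@example.net; Wed, 07 Mar 2012 19:55:55 -0800
From: user@example.com
To: rcpt@example.net
Subject: constructed sample

body
"""

# Exim "with" protocol names: esmtp (plain), esmtps (TLS),
# esmtpa (SMTP AUTH), esmtpsa (TLS and SMTP AUTH).
AUTHENTICATED = {"esmtpa", "esmtpsa"}
RECEIVED_RE = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(\[(?P<ip>[^\]]+)\](?:\s+helo=(?P<helo>[^)\s]+))?\)"
    r"\s+by\s+(?P<by>\S+)\s+with\s+(?P<proto>\S+)")

def classify_hop(raw_message, my_mail_host):
    """Describe the first Received hop that my_mail_host itself recorded."""
    msg = message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if not m or m["by"].lower() != my_mail_host.lower():
            continue  # unparsable, or written by some other server
        proto = m["proto"].lower()
        authed = proto in AUTHENTICATED
        return {
            "client_ip": m["ip"],
            "helo": m["helo"],
            "protocol": proto,
            "authenticated": authed,
            "verdict": ("submitted with valid account credentials"
                        if authed else "no SMTP AUTH on this hop"),
        }
    return None  # my_mail_host never handled this message

if __name__ == "__main__":
    print(classify_hop(SAMPLE, "dylan.lunarpages.com"))
```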
  • Profile picture of the author Wendy Maki
    I have had this happen a number of times. At first I panicked until I checked into it with the ISP I had at the time. All that has happened (probably) is that someone has gotten hold of either your email address (from a subscription or otherwise) or the domain of your email (if you use a catchall type email with a domain you own)... and you will find that email address either on the visible part of the email or in the source code (it's often hidden behind a fake visible address). Then the nefarious party used that email address to APPEAR as the source of the spam to hide the real source when they bulk mailed to a lot of people. Inevitably some of those bounce ... and they bounce back to YOU, rather than the people who actually sent it. ISPs know this ploy apparently and will not blame you.

    I hope this helps ease your mind. Obviously if there are more problems look into other causes, like viruses mailing from your computer, but start with the more usual cause...
  • Profile picture of the author Kingfish85
    Someone is spoofing your email. No need to be alarmed, it happens ALL the time.

    Create an SPF record. It will stop any mail from coming back that didn't originate from the domain.
    • Profile picture of the author AnneE
      Originally Posted by Kingfish85 View Post

      Someone is spoofing your email. No need to be alarmed, it happens ALL the time.

      Create an SPF record. It will stop any mail from coming back that didn't originate from the domain.
      Er.... what's an SPF record?

      I did change the password and logged into FTP browser with new password, just to look for any new files. Pretty tame hackers if someone actually had the password, perhaps just spoofing the emails as suggested. Though so far, since I changed the password, no bounced mail -- too soon to say it's stopped for good though.
    • Profile picture of the author tpw
      Originally Posted by Kingfish85 View Post

      Someone is spoofing your email. No need to be alarmed, it happens ALL the time.

      I don't know about the SPF record either, and I have been doing this a long time.

      But I definitely concur that someone is most likely spoofing your email address.

      It happens all the time to me... And frequently, people will spoof my address in the To: and From: field with the same address.
    • Profile picture of the author Karen Blundell
      Originally Posted by Kingfish85 View Post

      Someone is spoofing your email. No need to be alarmed, it happens ALL the time.

      Create an SPF record. It will stop any mail from coming back that didn't originate from the domain.
      Kingfish is right. It's what I had to do because the pharma spammers were using my email addy to spoof. You can create an SPF record from within your hosting cpanel
  • Profile picture of the author Dann Vicker
    This used to happen to me until I figured to change the password...that sort of did the trick.
  • Profile picture of the author AnneE
    Hmm... I did Google for SPF records, they didn't look like items that amateurs should be playing with. I still received one bounced email, but then I realized, sometimes mail does take a while to get bounced.

    Thanks for the suggestions everyone. Nice to feel a sense of help from a community. I'm heading to bed. We'll see what tomorrow brings.
  • Profile picture of the author agc
    Originally Posted by AnneE View Post

    In the last 24 hours, I'm now receiving on average a "Mail delivery failed" email about every 10 minutes which shows my email address as sender. Should I be concerned?

    Sorry if this is a dumb question, but I'm a bit concerned with whether someone is sending a ton of junk emails that appear to be from me. The contents of these emails are generally nonsensical -- lots of words that are not necessarily in sentences.

    Any ideas what's up with that?
    I'm guessing it's a Wordpress site?

    Go look at the files in each of your ftp directories... sort by date. That said, they probably whacked the date too... so look at any files that have changed... either LATEST or EARLIEST dates.

    SPECIFICALLY look at any STATS.PHP or WP-STATS.PHP files. Look at what's inside them. If you see a bunch of base 64 crap... odds are it's a virus/hack.

    This is a known wordpress hack. I was getting email bounces for a domain of mine that hosts a wordpress blog. I found a stats.php dated like 1967. or 1867. I forget, but it was obvious. Renaming stats.php.virus (ie not deleting the file just in case I actually need to put it back later) fixed the problem.
    • Profile picture of the author AnneE
      Originally Posted by agc View Post

      I'm guessing it's a Wordpress site?

      Go look at the files in each of your ftp directories... sort by date. That said, they probably whacked the date too... so look at any files that have changed... either LATEST or EARLIEST dates.

      SPECIFICALLY look at any STATS.PHP or WP-STATS.PHP files. Look at what's inside them. If you see a bunch of base 64 crap... odds are it's a virus/hack.

      This is a known wordpress hack. I was getting email bounces for a domain of mine that hosts a wordpress blog. I found a stats.php dated like 1967. or 1867. I forget, but it was obvious. Renaming stats.php.virus (ie not deleting the file just in case I actually need to put it back later) fixed the problem.
      It does have a WP blog on the domain. The bounced emails are still going. I will look for the sort of file you are describing this morning. If nothing else having my Inbox dominated by this junk is very annoying!

      I definitely appreciate people helping me out.
  • Profile picture of the author Kingfish85
    Hi AnneE, sorry for the long delay. SPF stands for Sender Policy Framework. It will validate that the email was actually sent from your domain. You can do this in cPanel under "Email Authentication", click enable. If you don't have the option or are unsure, contact your host.
    • Profile picture of the author AnneE
      Originally Posted by Kingfish85 View Post

      Hi AnneE, sorry for the long delay. SPF stands for Sender Policy Framework. It will validate that the email was actually sent from your domain. You can do this in cPanel under "Email Authentication", click enable. If you don't have the option or are unsure, contact your host.
      Ah.... clicking an option on cPanel I think I can handle. Thanks for pointing out this option.

      Actually though, I think I have what agc suggested. I believe someone hacked the website password and FTPed PHP files that they are now executing and those PHP files are what is sending emails from my account.

      I went and looked at the files in the Wordpress directories. None of them had suspicious dates, but there are tons of files with nonsensical names. About 4 folders had been created with names such as sbxjt which contain an index.php in them. So someone could have gone to my site and tacked on the /sbxjt/ to the domain name and run code that they transferred there. I first did a mass transfer of the whole directory to an external hard-drive and now I'm deleting these folders on my website. Hopefully that will be the end of it.
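Added example, not part of the thread: a Python triage pass over a downloaded copy of the web root that applies the checks agc and AnneE describe above, namely the stats.php / wp-stats.php names, encoded blobs, implausible dates, and folders that hold nothing but an index.php. The year-2000 cutoff, the 200-character blob length and the `triage` function name are assumptions chosen for illustration.

```python
import os
import re
import time

SUSPECT_NAMES = {"stats.php", "wp-stats.php"}        # names given in the thread
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")  # long encoded blob (assumed length)
DECODE_EXEC = re.compile(rb"eval\s*\(.{0,40}?(base64_decode|gzinflate)",
                         re.I | re.S)                # decode-then-execute idiom
EARLIEST_SANE = 946684800                            # 2000-01-01 UTC, assumed cutoff

def triage(webroot, now=None):
    """Return sorted (relative_path, reason) findings for PHP under webroot."""
    now = now or time.time()
    findings = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        rel_dir = os.path.relpath(dirpath, webroot)
        # A folder whose only content is index.php, like the ones AnneE found.
        if rel_dir != "." and not dirnames and filenames == ["index.php"]:
            findings.append((rel_dir, "directory holds only index.php"))
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, webroot)
            if name.lower() in SUSPECT_NAMES:
                findings.append((rel, "file name reported in the thread"))
            # Timestamps can be forged, so flag ones far in the past or future.
            mtime = os.path.getmtime(path)
            if mtime < EARLIEST_SANE or mtime > now + 86400:
                findings.append((rel, "implausible modification time"))
            with open(path, "rb") as fh:
                data = fh.read(1_000_000)    # the first 1 MB is enough for triage
            if DECODE_EXEC.search(data) or B64_RUN.search(data):
                findings.append((rel, "encoded payload pattern"))
    return sorted(findings)

if __name__ == "__main__":
    import sys
    for rel, reason in triage(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel}: {reason}")
```

Run it against the offline backup rather than the live site, and treat every hit as a lead to review by hand, since legitimate plugins also ship encoded data.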
  • Profile picture of the author AnneE
    Bummer, I thought this was done when a week ago I deleted all the weird Wordpress files and changed the account password. But today the Undeliverable mail messages (and therefore my account sending SPAM) began again. I did today now set the SPF enabled bit and will see if this helps at all.
  • Profile picture of the author agc
    Go back and verify that you don't have a new hack / exploit / virus.

    Is your WordPress up to the latest version?

    If you are at your wits' end, most hosting companies can help clean up a wordpress installation that's been hacked.
  • Profile picture of the author Kingfish85
    Hi AnneE, I sent you a PM, but I wasn't sure if you noticed it or not.
