44 {{ upvoteCount | shortNum }}
44 {{ upvoteCount | shortNum }}

Mail Delivery Failed for Mail I didn't send

by AnneE
24 replies
In the last 24 hours, I'm now receiving on average a "Mail delivery failed" email about every 10 minutes which shows my email address as sender. Should I be concerned?

Sorry if this is a dumb question, but I'm a bit concerned with whether someone is sending a ton of junk emails that appear to be from me. The contents of these emails are generally nonsensical -- lots of words that are not necessarily in sentences.

Any ideas what's up with that?
#delivery #failed #mail #send
  • Profile picture of the author David Keith
    is it an email address from a provider like gmail/yahoo/hotmail? or is it from your own domain? have you looked at the email headers to see who actually sent it?
    Signature
    Just a Little War Room Gift.
    {{ DiscussionBoard.errors[5782158].message }}
  • Profile picture of the author Charlotte Jay
    Sounds like you got hacked. Change your password, clear your cache and cookies. Hopefully that should do the trick. The same thing happened to my GMail account a couple of days ago.
    {{ DiscussionBoard.errors[5782160].message }}
    • Profile picture of the author AnneE
      The message headers look like:

      Return-path: <my email address here>
      Received: from static-141-158-133-2.scr.east.verizon.net ([141.158.133.2] helo=server.ea-net.local)
      by dylan.lunarpages.com with esmtpsa (TLSv1:RC4-MD5:128)
      (Exim 4.69)
      (envelope-from <my email address here>)
      id 1S5USJ-0006cu-Aa
      for removed email address; Wed, 07 Mar 2012 19:55:55 -0800
      MIME-Version: 1.0
      Date: Wed, 07 Mar 2012 22:56:22 -0500
      X-Priority: 3 (Normal)
      X-Mailer: Microsoft Outlook Express 6.00.2800.1158
      Content-Type: text/plain;
      charset="iso-8859-1"
      Content-Transfer-Encoding: quoted-printable
      Subject: taxi passed us a fake saws body, and needle showed how well they hid across town. Me, I would to
      From: my email address here
      To: removed email address
      Message-ID: <CHILKAT-MID-a3d54662-9dc9-5e1b-4d0c-afe21885a1db@server.ea-net.local>

      Memoir Another friend, Jennifer, just served Nora can These young men s= ay, Yeah, I will them from=20 far Jersey ........


      See the texts don't even make sense. I'll go change my password. Now that you say it I'm thinking, duh..... I should have thought of that. perhaps a little more tired than I realized.
      Signature
      You may be surprised that this unconventional way to learn Spanish works
      {{ DiscussionBoard.errors[5782197].message }}
      • Profile picture of the author Troy_Phillips
        Have you set up a WP blog in the last few days ... you can get emails like that sometimes when you are getting comments to your blog .. almost looks like keyword loaded comments.



        Originally Posted by AnneE View Post

        The message headers look like:

        Return-path: <my email address here>
        Received: from static-141-158-133-2.scr.east.verizon.net ([141.158.133.2] helo=server.ea-net.local)
        by dylan.lunarpages.com with esmtpsa (TLSv1:RC4-MD5:128)
        (Exim 4.69)
        (envelope-from <my email address here>)
        id 1S5USJ-0006cu-Aa
        for removed email address; Wed, 07 Mar 2012 19:55:55 -0800
        MIME-Version: 1.0
        Date: Wed, 07 Mar 2012 22:56:22 -0500
        X-Priority: 3 (Normal)
        X-Mailer: Microsoft Outlook Express 6.00.2800.1158
        Content-Type: text/plain;
        charset="iso-8859-1"
        Content-Transfer-Encoding: quoted-printable
        Subject: taxi passed us a fake saws body, and needle showed how well they hid across town. Me, I would to
        From: my email address here
        To: removed email address
        Message-ID: <CHILKAT-MID-a3d54662-9dc9-5e1b-4d0c-afe21885a1db@server.ea-net.local>

        Memoir Another friend, Jennifer, just served Nora can These young men s= ay, Yeah, I will them from=20 far Jersey ........


        See the texts don't even make sense. I'll go change my password. Now that you say it I'm thinking, duh..... I should have thought of that. perhaps a little more tired than I realized.
        Signature

        {{ DiscussionBoard.errors[5782213].message }}
  • Profile picture of the author Wendy Maki
    I have had this happen a number of times. At first I panicked until I checked into it with the ISP I had at the time. All that has happened (probably) is that someone has gotten hold of either your email address (from a subscription or otherwise) or the domain of your email (if you use a catchall type email with a domain you own)... and you will find that email address either on the visible part of the email or in the source code (it's often hidden behind a fake visible address). Then the nefarious party used that email address to APPEAR as the source of the spam to hide the real source when they bulk mailed to a lot of people. Inevitably some of those bounce ... and they bounce back to YOU, rather than the people who actually sent it. ISPs know this ploy apparently and will not blame you.

    I hope this helps ease your mind. Obviously if there are more problems look into other causes, like viruses mailing from your computer, but start with the more usual cause...
    Signature

    -- Find blues festivals around the world at the bluesmusicfestivals.com directory and jazz festivals at jazzmusicfests.com.

    {{ DiscussionBoard.errors[5782202].message }}
  • Profile picture of the author Kingfish85
    Someone is spoofing your email. No need to be alarmed, it happens ALL the time.

    Create an SPF record. It will stop any mail from coming back that didn't originate from the domain.
    Signature

    |~| VeeroTech Hosting - sales @ veerotech.net
    |~| High Performance CloudLinux & LiteSpeed Powered Web Hosting
    |~| cPanel & WHM - Softaculous - Website Builder - R1Soft - SpamExperts
    |~| Visit us @veerotech Facebook - Twitter - LinkedIn

    {{ DiscussionBoard.errors[5782235].message }}
    • Profile picture of the author AnneE
      Originally Posted by Kingfish85 View Post

      Someone is spoofing your email. No need to be alarmed, it happens ALL the time.

      Create an SPF record. It will stop any mail from coming back that didn't originate from the domain.
      Er.... what's an SPF record.

      I did change the password and logged into FTP browser with new password, just to look for any new files. Pretty tame hackers if someone actually had the password, perhaps just spoofing the emails as suggested. Though so far, since I change password no bounced mail -- too soon to say it's stopped for good though.
      Signature
      You may be surprised that this unconventional way to learn Spanish works
      {{ DiscussionBoard.errors[5782279].message }}
    • Profile picture of the author tpw
      Originally Posted by Kingfish85 View Post

      Someone is spoofing your email. No need to be alarmed, it happens ALL the time.

      I don't know about the SPF record either, and I have been doing this a long time.

      But I definitely concur that someone is most likely spoofing your email address.

      It happens all the time to me... And frequently, people will spoof my address in the To: and From: field with the same address.
      Signature
      Bill Platt, Oklahoma USA, PlattPublishing.com
      Publish Coloring Books for Profit (WSOTD 7-30-2015)
      {{ DiscussionBoard.errors[5782449].message }}
    • Profile picture of the author Karen Blundell
      Originally Posted by Kingfish85 View Post

      Someone is spoofing your email. No need to be alarmed, it happens ALL the time.

      Create an SPF record. It will stop any mail from coming back that didn't originate from the domain.
      Kingfish is right. It's what I had to do because the pharma spammers were using my email addy to spoof. You can create an SPF record from within your hosting cpanel
      Signature
      ---------------
      {{ DiscussionBoard.errors[5832939].message }}
  • Profile picture of the author Dann Vicker
    This used to happen to me until I figured to change the password...that sort of did the trick.
    Signature

    Looking for high quality solo ad traffic? 200-2000 clicks available/day. Testimonials here. PM me

    {{ DiscussionBoard.errors[5782338].message }}
  • Profile picture of the author AnneE
    Hmm... I did Google for SPF records, they didn't look like items that amateurs should be playing with. I still received one bounced email, but then I realized, sometimes mail does take a while to get bounced.

    Thanks for the suggestions everyone. Nice to feel a sense of help from a community. I'm heading to bed. We'll see what tomorrow brings.
    Signature
    You may be surprised that this unconventional way to learn Spanish works
    {{ DiscussionBoard.errors[5782380].message }}
  • Profile picture of the author agc
    Originally Posted by AnneE View Post

    In the last 24 hours, I'm now receiving on average a "Mail delivery failed" email about every 10 minutes which shows my email address as sender. Should I be concerned?

    Sorry if this is a dumb question, but I'm a bit concerned with whether someone is sending a ton of junk emails that appear to be from me. The contents of these emails are generally nonsensical -- lots of words that are not necessarily in sentences.

    Any ideas what's up with that?
    I'm guessing it's a Wordpress site?

    Go look at the files in each of your ftp directories... sort by date. That said, they probably whacked the date too... so look at any files that have changed... either LATEST or EARLIEST dates.

    SPECIFICALLY look at any STATS.PHP or WP-STATS.PHP files. Look at what's inside them. If you see a bunch of base 64 crap... odds are it's a virus/hack.

    This is a known wordpress hack. I was getting email bounces for a domain of mine that hosts a wordpress blog. I found a stats.php dated like 1967. or 1867. I forget, but it was obvious. Renaming stats.php.virus (ie not deleting the file just in case I actually need to put it back later) fixed the problem.
    {{ DiscussionBoard.errors[5782505].message }}
    • Profile picture of the author AnneE
      Originally Posted by agc View Post

      I'm guessing it's a Wordpress site?

      Go look at the files in each of your ftp directories... sort by date. That said, they probably whacked the date too... so look at any files that have changed... either LATEST or EARLIEST dates.

      SPECIFICALLY look at any STATS.PHP or WP-STATS.PHP files. Look at what's inside them. If you see a bunch of base 64 crap... odds are it's a virus/hack.

      This is a known wordpress hack. I was getting email bounces for a domain of mine that hosts a wordpress blog. I found a stats.php dated like 1967. or 1867. I forget, but it was obvious. Renaming stats.php.virus (ie not deleting the file just in case I actually need to put it back later) fixed the problem.
      It does have a WP blog on the domain. The bounced emails are still going. I will look for the sort of file you are describing this morning. If nothing else having my Inbox dominated by this junk is very annoying!

      I definitely appreciate people helping me out.
      Signature
      You may be surprised that this unconventional way to learn Spanish works
      {{ DiscussionBoard.errors[5784325].message }}
  • Profile picture of the author Kingfish85
    Hi AnneE, sorry for the long delay. SPF stands for Sender Policy Framework. It will validate that the email was actually sent from your domain. you can do this in cPanel under "Email Authentication", click enable. If you don't have the option or are unsure, contact your host.
    Signature

    |~| VeeroTech Hosting - sales @ veerotech.net
    |~| High Performance CloudLinux & LiteSpeed Powered Web Hosting
    |~| cPanel & WHM - Softaculous - Website Builder - R1Soft - SpamExperts
    |~| Visit us @veerotech Facebook - Twitter - LinkedIn

    {{ DiscussionBoard.errors[5784340].message }}
    • Profile picture of the author AnneE
      Originally Posted by Kingfish85 View Post

      Hi AnneE, sorry for the long delay. SPF stands for Sender Policy Framework. It will validate that the email was actually sent from your domain. you can do this in cPanel under "Email Authentication", click enable. If you don't have the option or are unsure, contact your host.
      Ah.... clicking an option on cPanel I think I can handle. Thanks for pointing out this option.

      Actually though, I think I have what agc suggested. I believe someone hacked the website password and FTPed PHP files that they are now executing and those PHP files are what is sending emails from my account.

      I went and looked at the files in the Wordpress directories. None of them had suspicious dates, but there are tons of files with nonsensical names. About 4 folders had been created with names such as sbxjt which contain an index.php in them. So someone could have gone to my site and tacked on the /sbxjt/ to the domain name and run code that they transferred there. I first did a mass transfer of the whole directory to an external hard-drive and now I'm deleting these folders on my website. Hopefully that will be the end of it.
      Signature
      You may be surprised that this unconventional way to learn Spanish works
      {{ DiscussionBoard.errors[5784685].message }}
      • Profile picture of the author Kingfish85
        Originally Posted by AnneE View Post

        Ah.... clicking an option on cPanel I think I can handle. Thanks for pointing out this option.

        Actually though, I think I have what agc suggested. I believe someone hacked the website password and FTPed PHP files that they are now executing and those PHP files are what is sending emails from my account.

        I went and looked at the files in the Wordpress directories. None of them had suspicious dates, but there are tons of files with nonsensical names. About 4 folders had been created with names such as sbxjt which contain an index.php in them. So someone could have gone to my site and tacked on the /sbxjt/ to the domain name and run code that they transferred there. I first did a mass transfer of the whole directory to an external hard-drive and now I'm deleting these folders on my website. Hopefully that will be the end of it.
        Hi AnnE,

        If all you're getting is delivery failure bounce-backs, most likely someone is just spoofing your email address. It's pretty common and in most cases they get flagged as spam and automatically sent to your spam box. Sometimes the will slip through depending on the content of the email. Enabling SPF should eliminate the problem.
        Signature

        |~| VeeroTech Hosting - sales @ veerotech.net
        |~| High Performance CloudLinux & LiteSpeed Powered Web Hosting
        |~| cPanel & WHM - Softaculous - Website Builder - R1Soft - SpamExperts
        |~| Visit us @veerotech Facebook - Twitter - LinkedIn

        {{ DiscussionBoard.errors[5784701].message }}
        • Profile picture of the author agc
          Originally Posted by Kingfish85 View Post

          Hi AnnE,

          If all you're getting is delivery failure bounce-backs, most likely someone is just spoofing your email address. It's pretty common and in most cases they get flagged as spam and automatically sent to your spam box. Sometimes the will slip through depending on the content of the email. Enabling SPF should eliminate the problem.
          While that MIGHT be true, it is NOT safe assumption!

          *IF* it's just a spoofed return address, then you are correct, there is nothing you can do about it except ignore it.

          However...

          *IF* the emails are originating via a wordpress hack, THEN your email address is not spoofed... it's actually originating from your email exchange / SMTP server / agent. This means you REALLY ARE sending the spam emails.

          At a minimim, this will eventually end up in your domain getting into all the email black lists. Worse, you could end up with hosting companies just shutting down your account. Or god forbid, in a rare case even wind up dealing with law enforcement. Not that you are guilty... but dealing with law enforcement is ALWAYS to be avoided, even if innocent.

          *IF* you've been hacked *AND* this is a domain you ever intend to send any real email from, then this is a serious problem and needs to be cleaned up now.
          {{ DiscussionBoard.errors[5785096].message }}
          • Profile picture of the author BackLinkiT
            Check your out of office assistant too, just to be on the safe side.

            Some goofball hacked my gmail account and even set the out of office to reply with more garbage to every email I received!

            Cheeky b*&%$^!

            Peter
            {{ DiscussionBoard.errors[5785207].message }}
            • Profile picture of the author agc
              Originally Posted by BackLinkiT View Post

              Check your out of office assistant too, just to be on the safe side.

              Some goofball hacked my gmail account and even set the out of office to reply with more garbage to every email I received!

              Cheeky b*&%$^!

              Peter
              Oh yeah, there are lots of those hacks for GMAIL and Yahoo mail.

              Important to keep in mind in the context of this thread being useful for other people.

              But I suspect the Op found his virus in the /gurgeburf/ directories of his Wordpress blog.
              {{ DiscussionBoard.errors[5785417].message }}
          • Profile picture of the author AnneE
            Originally Posted by agc View Post

            ...

            *IF* the emails are originating via a wordpress hack, THEN your email address is not spoofed... it's actually originating from your email exchange / SMTP server / agent. This means you REALLY ARE sending the spam emails.

            ...
            Yes, this is what I'm thinking was actually going on on my account. Only time will tell for sure. But certainly all the files I deleted from within the Wordpress subdirectories weren't there for no reason. Someone moved them there for a purpose, a not good purpose. The email address of mine that they were using is the admin account for the Wordpress blog.
            Signature
            You may be surprised that this unconventional way to learn Spanish works
            {{ DiscussionBoard.errors[5785545].message }}
  • Profile picture of the author AnneE
    Bummer, I thought this was done when a week ago I deleted all the weird Wordpress files and changed the account password. But today the Undeliverable mail messages (and therefore my account sending SPAM) began again. I did today now set the SPF enabled bit and will see if this helps at all.
    Signature
    You may be surprised that this unconventional way to learn Spanish works
    {{ DiscussionBoard.errors[5831616].message }}
  • Profile picture of the author agc
    Go back and verify that you don't have a new hack / exploit / virus.

    Is your WordPress up to the latest version?

    If you are at you're wits end, most hosting companies can help clean up a wordpress installation that's been hacked.
    {{ DiscussionBoard.errors[5832060].message }}
    • Profile picture of the author azmanar
      Hi,

      If you want to clean-up your WP, please refer to this WF blog post.

      There are some options for you to choose from.
      Signature
      === >>> Tomorrow Should Be Better Than Today
      {{ DiscussionBoard.errors[5832898].message }}
  • Profile picture of the author Kingfish85
    Hi AnneE, I sent you a PM, but I wasn't sure if your noticed it or not.
    Signature

    |~| VeeroTech Hosting - sales @ veerotech.net
    |~| High Performance CloudLinux & LiteSpeed Powered Web Hosting
    |~| cPanel & WHM - Softaculous - Website Builder - R1Soft - SpamExperts
    |~| Visit us @veerotech Facebook - Twitter - LinkedIn

    {{ DiscussionBoard.errors[5832949].message }}

Trending Topics