• Spammers are using my E-mail address!

    #472444

    Help! My junkmail folder is getting filled with “Message Not Deliverable” type of SMTP status messages from servers. My email address is in the “reply-to” of these message headers, although never in the “from” field. I’ve blocked port 25 on my local machine and they’re still coming even after 3 hours. Is there anything I can do?

    Thanks,

    Eric

    • #1250811

      Hi Eric, welcome to the lounge.

      Set it up correctly, whatever one it is.

      • #1252183

        > Set it up correctly, whatever one it is.

        1 thumb down (-1)

    • #1250819

      Eric,

      I’d disconnect from the internet. Run all your anti-virus and rootkit detectors and see if you find anything. If not I’d reconnect but don’t open your email client. Go to the Anti-Virus vendor’s sites and use their online scanners and see what they turn up. You can also download Malwarebytes and run it.

      It sounds like you have something that installed a mailer worm of some sort.

      Good Luck.

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!

    • #1250838

      > I’ve blocked port 25 on my local machine and they’re still coming even after 3 hours. Is there anything I can do?

      If you can rule out the possibility that your machine is sending the messages, then I think you just have to let the storm run its course. Most likely you are retrieving the messages from a mailbox using POP3 or IMAP, neither of which uses port 25, so you will continue to get them along with your regular mail.

      On the other hand, if some malware on your machine is sending the messages, then you should disconnect, as noted above, until you can clean up.

      Analyzing the returned messages may or may not be safe or effective. False NDRs are a common way to distribute, you guessed it, malware.

    • #1250843

      Sounds like your email address has been snatched by spammers. That can always happen if the email address you use is either public (you use it for login and signups at various sites) or if it’s not difficult to guess. Once in a great while my public address is taken and the spammers use it as the return address so it doesn’t trace back to them so easily, and because they mass email, there’s bound to be a good percentage that are not valid deliverable email addresses, so you get the kickback.

      You can set up rules to block them or let them continue into the spam folder but there isn’t really anything else you can do except ride out the storm (usually a few days to a couple of weeks) as jscher2000 indicated.

    • #1250990

      Thanks for the advice, everyone. I’ve scanned three ways from Sunday and blocked ports and even shut my machine off and they’re still happening, so it looks like I’ll just have to ride it out.

      I do hope my email address doesn’t get blacklisted. It’d be a real pain to have to switch.

      Thanks,

      Eric

    • #1251083

      The problem with all the virus/spam bot theories is that the last thing a spam bot virus wants to do is throw up red flags all over itself. Any return address BUT the computer it resides on is used in order for it to NOT draw attention to itself.

      Granted it could be really really really stupid software….oh look, here I am, please remove me!

      • #1251162

        > Granted it could be really really really stupid software….oh look, here I am, please remove me!

        Ah, this reminds me of the Polish virus

    • #1252171

      One way spammers get email addresses is by spambots. This is software that essentially crawls thousands of web pages per minute looking for email addresses published on the web pages.
      When it sees them, it saves them to a file, and then spams them and/or uses them as return addresses.
      Worse yet, they will sell those email addresses to other spammers and the nightmare continues.

      A simple way to minimize this for anyone who needs to have an email address on a web page is to encrypt the email.

      Easier than it sounds, you can do it in under a minute on a free site like http://spamdisappears.com

    • #1252181

      I’ve had this happen to me. And my machine certainly wasn’t compromised. It’s a pain, but it will stop at some point. I’ve seen spam addressed to an address that I lost over a decade ago (because they didn’t BCC, you could see the whole list it was sending to, it was in alpha order, and my user name was the same, just different domain), so once an email address is in the system, it’s in the system.

    • #1252184

      Change your password

    • #1252188

      Hey, good news everyone! This post made the latest edition of the Windows Secrets newsletter. I credit your awesome replies.

      The good news is that, as Byron Tarbox suggested, the storm has passed. I’m back down to my normal spam level (which GMail continues to catch at exemplary levels).

      Eric

    • #1252202

      that’s great news Eric!
      glad to hear it, this thread particularly caught my eye because i just had my yahoo account hacked, similar situation, but different: the spams had me in the FROM entry, not only ‘reply to’… luckily i caught it about an hour after it happened apparently, i checked the time stamps on the plethora of shize coming in the moment my mailwasher kept loading & loading that account, could see it was when my pc’s were still turned off, i had just started up for the day after all.
      so went in & changed me password in the online account interface immediately & voila, message pops into the window saying i been logged out of a couple apps i had never, ever even logged into, duh.
      providing some gratification that i might have caught the pr*cks in there & pulled the plug, but i’m a dreamer.
      point is, how we’ve all heard it, know i did, i’ve even helped others out of this same mess yet ignored my own advice, at the expense now of embarrassment, & providing 200 people in my yahoo addy book yet another pain in the ass malicious spam:
      by changing the password to my webmail accounts on a regular basis!
      pain in the arse maybe, but well worth it, just had to chime in~
      😉

      • #1252215

        Wish I had seen this thread a year ago.
        I had a Vietnam Veteran site for my old outfit online for a dozen years. A bit over a year ago I got the same type of messages (from the bad email addresses the spammer was sending messages to, and my address was in the ‘From’ line).
        My ‘Server’ techs said that the spammers were not using my email service but just using my address. I changed my password on the website several times, plus I increased the digits to 17 and 20 using all characters, repeatedly over the next six months, and complained to my server techs four or five more times, always with the same reply. I had my computer checked by a professional tech @ a couple hundred dollars. My computer was clean; however, I felt good about his work because he installed some great malware protection and virus protection.
        I dropped the email addresses the spammers were using; they grabbed the new ones. Yes, I did that again and yet again with the password changes. I eventually used the above mentioned website to encrypt a new address – at my Server Tech’s suggestion.
        Right after that, my server Tech wanted me to ‘re-write’ my web pages, removing the ‘php scripts’. I had over 30 pages, built over the dozen years. Way too discouraging for me at 61 yrs young. So I removed the website. End of problem.
        The Internet is such a great thing; however, these spammers are a royal pain form of lowlifes; they are supreme hackers who are distributed worldwide and impossible to catch.
        Not looking for any help, just saying.

    • #1252254

      I constantly get spam emails addressed to my own email addresses. They seem to have been shared by different spammers as well. Sometimes it shows from me to me. Most times it shows sent from different addresses.

      AND it is not stopping after several months. I just deleted 25 spams that came in the last few minutes that look like they came from the same people.

      The only way to stop it might be to close down my own web pages and at this point I am not going to do that. Most of my business and personal email uses various email addresses on my web site.

      Just be careful when you get unknown emails. In Thunderbird we can use Print Preview that does not actually open the email if I am not sure if it is genuine. A few times they have been emails I actually wanted. Mostly, it is obvious spam.

      There may be such an option in other email programs so you are safer when checking the validity of an email.

    • #1252289

      My sympathies for your problem, glad the storm passed. The same thing happened to me 2 weeks ago, and it was a one to two day thing. It’s passed, but my biggest concern is that all of the bouncebacks were definitely coming from old addresses from my address book, not destinations selected at random. Worse, what was sent out wasn’t just spam, it was a link to a known infected website, and it was received by a lot of people still ON my valid address book. So they clearly got my address book contents from somewhere. I do Facebook, but I NEVER click the button which says “let us have your address book…” – or at least I don’t think I ever have. So I changed as many passwords as I could remember to find, and switched my default email to a different one (a pain, because the domain is MUCH longer to type than AOL), so if anybody has words of wisdom on my continued security, I’d appreciate them…

    • #1252299

      I use 48 numbers/letters/symbols in my passwords. To remember them I then come up with a limerick, and write it in a notebook that never leaves my desk. I have two types of email addresses: secure and temporary. I keep rotating the passwords every other day on my secure accounts and delete the ones I use as temporary. I keep nothing on the computer I use online that would allow someone to get my contacts list. Just sending an email can take 30 minutes to type in my contacts’ addresses.

      I would set up something like this for yourself, my primary web-based email has a 128 number/letter/symbol password. According to the indicator it is not crackable.

    • #1252307

      When Daisy (pseudonym) tries to send a message from her office PC to her Yahoo address, the office ISP sends this:

      This is the mail system at host (office ISP)

      I’m sorry to have to inform you that your message could not be delivered to one or more recipients. It’s attached below.

      . . .

      The mail system

      : delivery temporarily suspended: host
      j.mx.mail.yahoo.com[66.94.237.64] refused to talk to me: 421 4.7.1 [TS03]
      All messages from 80.87.72.8 will be permanently deferred; Retrying will
      NOT succeed. See http://postmaster.yahoo.com/421-ts03.html

      Clicking on the link and selecting 421 4.7.1 (TS03) All messages from x.x.x.x permanently deferred
      yields this:
      This error message indicates we are seeing a high volume of messages from your IP address that is a characteristic of unsolicited, bulk emails. While this is a temporary SMTP error code, we do not recommend attempting to resend your messages until you examine your subscription practices and lists, and implement changes to ensure that your messages are sent only to users who have requested it. Please visit this page to review our best practice recommendations.

      If you have deployed significant changes or feel you have received this message in error, you may contact our Postmaster team by filling out this form: http://help.yahoo.com/l/us/yahoo/mail/postmaster/bulk.html

      Daisy does not send bulk email. Am I right in assuming that some spam artist has captured her email address? To complete Yahoo’s form requires a level of knowledge neither of us possesses.

      I gather that her first step should be to change her password. If that fails, what next?

      • #1252321

        > When Daisy (pseudonym) tries to send a message from her office PC to her Yahoo address…
        >
        > Daisy does not send bulk email. Am I right in assuming that some spam artist has captured her email address?

        Presumably the accused IP address is not in her company’s range of IP addresses. In that case, the ISP may have a subscriber abuse problem (or even an open relay, but that is rare among business ISPs). I’d lodge an inquiry with them.

        (If it is a company IP address, I would suspect malware such as a spambot. Immediate deep cleaning recommended across the entire network, including any open or lightly secured wi-fi access points.)

    • #1252479

      Manu, the key to Daisy’s problem is the phrase “..coming from your IP address..”

      That can only mean two things:

      1. A spammer is spoofing Daisy’s IP address
      2. Daisy’s machine has been taken over by a bot network and is actually originating all of that mail without her knowledge or permission.

      She needs to first disconnect from the network, then have her PC completely scanned in a most thorough fashion for bots and viruses.

      Any other opinions, folks?

      Rich

    • #1252584

      It is relatively simple to forge a return address on an e-mail, and spammers do this regularly.

      I have been unlucky enough to have an email address picked up by a spammer on more than one occasion. The result is thousands of e-mails being “returned” to the forged return address: undeliverable e-mail; messages from the brainless Barracuda Anti-spam firewalls; irate readers of the e-mail; etc.

      At the time, I used a hosting company for my e-mail and forwarded to my ISP e-mail account. The result of all the e-mail coming back to me and the seriously flawed reasoning of my ISP and hosting firm:
      – My ISP designated me a spammer
      – My ISP designated my e-mail hosting company as a spammer and blocked all e-mails from my e-mail hosting company to my ISP
      – My e-mail hosting company designated and blocked many major ISPs as spammers

      I switched to a hosting firm where I can use the Sender Provider Framework (SPF). Please see http://www.openspf.org
      If a return address is forged, a spam filter can test if the address is forged. For example, SpamAssassin, which is widely used, supports SPF testing.
      My domain includes the following DNS record:
      "v=spf1 include:nameofthehostingfirm.net -all"
      This says that nameofthehostingfirm.net is the only legitimate source of e-mail for my domain. -all means all others are forged.
      It also depends on my hosting firm not allowing any of their other users to use my e-mail address. In my case, they enforce this as well.

      Sadly, few major ISPs support SPF
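The record quoted in the post above, evaluated the way a receiving mail server would, as an added example that is not part of the original post. `example.org` stands in for the poster's domain, and the hosting firm's own record and all IP addresses are constructed; SPF is checked against the envelope sender (MAIL FROM) domain and the connecting IP, and this sketch handles only the `ip4`, `ip6`, `include` and `all` mechanisms.

```python
import ipaddress

# Constructed DNS TXT data (assumption): the record from the post, published
# under a placeholder domain, plus a made-up record for the hosting firm that
# uses documentation-only IP ranges.
TXT_RECORDS = {
    "example.org": "v=spf1 include:nameofthehostingfirm.net -all",
    "nameofthehostingfirm.net": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 caps the DNS-querying terms per check


def check_spf(ip, domain, records=TXT_RECORDS, budget=None):
    """Return the SPF result for a connecting IP and an envelope-sender domain."""
    if budget is None:
        budget = [MAX_LOOKUPS]
    record = records.get(domain)
    if record is None or record.split()[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a prefix means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"
            inner = check_spf(ip, arg, records, budget)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
            # fail/softfail/neutral inside an include only means "no match":
            # evaluation continues with the next term of the outer record.
        else:
            return "permerror"  # a/mx/redirect etc. are outside this sketch
    return "neutral"  # record ended without a matching term


if __name__ == "__main__":
    for sender_ip in ("192.0.2.17", "198.51.100.25", "203.0.113.9"):
        print(sender_ip, check_spf(sender_ip, "example.org"))
```

Note that the hosting firm's `~all` does not soften the result for the poster's domain: a non-matching `include` just falls through to the outer `-all`.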

    • #1252825

      Sigh. My email is on my website, and this is put up in the contact us pages, to do business, to allow customers or prospects to call us for our IT services. Now it has become a spammer email address; this is really too much. I am also suffering from this email spamming issue, same as Eric. Will wait and see if it goes off.

      Lawrence Ng
      Singapore

      • #1254398

        > Sigh. My email is on my website, and this is put up in the contact us pages, to do business, to allow customers or prospects to call us for our IT services. Now it has become a spammer email address; this is really too much. I am also suffering from this email spamming issue, same as Eric. Will wait and see if it goes off.
        >
        > Lawrence Ng
        > Singapore

        Lawrence,

        You should NEVER post an unencrypted email address on the web. Use a program or website like HiveLogic EnKoder.

        May the Forces of good computing be with you!

        RG

        PowerShell & VBA Rule!

        • #1264308

          I was just reading through my email (trying to catch up some) and found the link to this thread so, I thought I’d put my 2 cents in. After reading most of the post here I’ve realized that the actual types of spam aren’t all being addressed.

          The different types of spam email methods are:
          Viruses/malware that infect your computer:
          This is really two different things.
          1.) You use webmail and keylogger-type malware has recorded your information.
          2.) You use a local client like Outlook or Thunderbird (I use Thunderbird) and malware is using that.
          In both of these cases you should start with the advice to disconnect from the net, disable all programs, then proceed to scan with something like Malwarebytes. After that you should go to your attached webmail account and change the password in case the spammers are sending mail using your username and password.

          Viruses/malware that scan the net for email:
          The biggest way to stop this is to keep your email as private as possible. With this method the spammers will use their own database of addresses.

          Viruses/malware have infected your webmail account:
          Most webmail providers will tell you you’re full of it if you tell them they have a virus in their system, but it does happen (happened to me not that long ago). In this case spammers don’t need your username or password and they will use your online address book. The best thing you can do in this case is to erase all the addresses in your online address book (something I wish I would have done but didn’t think about in time). The spammers who use this method don’t manually log into your account but instead leave a worm to do the job for them. If the worm doesn’t have any addresses to send to (your addresses) then it simply sits idle. Still, do report these viruses as best you can (never figured out how to contact Microsoft on this issue), as even if they tell you you’re full of it they will usually do a scan or be on the lookout when you warn them (or they’d be shooting themselves in the foot as a business).

          There are of course some other possibilities/variations on how spammers can work like monitoring your account to see where you send data to but, the above are the main methods and ways I’ve found to deal with them.

          Also: If you use a local client (Outlook/Thunderbird) make sure you send all data encrypted, and use plugins like Adblock Plus for Thunderbird (chances are the virus that caused your email client to send spam was a spam message in and of itself. In fact it’s probably the same spam message your account starts sending, hence the nature of a worm).

    • #1252963

      I’m not a high-tech compugeek but I had this problem and I think I found the culprit. I use a trash hotmail account to sign onto Craigslist. (A trash email account is an account that you use to sign up for all the stupid and insignificant junk online that requires you to enter your email address.) Anyway, I noticed that this particular email address was the origin of these spam emails and they were being sent to my entire address book on this trash account. I simply deleted all the contacts from my trash account and the problem was solved. So…apparently, every time I get onto Craigslist and try to post an ad, my trash site gets its address book scanned, which is zero entries. I’ve tested my theory several times and I’m convinced that these spammers have hacked into the Craigslist website and they are using them to distribute their junk. Set up a trash hotmail account and change your Craigslist profile.

      BTW…after I deleted my contacts, the problem has disappeared.

    • #1253115

      have various sites for 10+ years one has over 350 pages.
      I usually get over 1 million e-mails a month but most are blocked using spamstopshere.com

      October was by far the lowest month in a long time.
      Here is the stats from site:
      10/10 – Monthly report for xxxxxx.com
      Good 1,515 0.18%
      Spam 825,568 99.81%
      Virus 48 0.01%
      Total 827,131 100.00%

      Here is another month’s report:
      Good 2,558 0.14%
      Spam 1,846,021 99.86%
      Virus 112 0.01%
      Total 1,848,691 100.00%

      As far as I know no legitimate e-mail has been blocked. I have many different filters they offer.

      A few spams do get by but the number blocked is amazingly huge.

      A few months ago someone sent thousands of messages via my e-mail, but they somehow got my password that I had used for more than a decade. Not from my machine and was about 3AM coming from Asia (per IP which may have been fake) and was an ad.

      None of the addresses sent to were known by me.

      I got a few thousand bounces that my e-mail limit of 1000 in 10 minutes had been exceeded.

      Fortunately I was up and saw it.

      Talked to ISP and they were about to cut off my service since had pw they had to assume it was me.

      As soon as I frantically changed pw it stopped.

      I like the idea of the http://www.spamdisappears.com link but have e-mail in hundreds of places, which of course is why I get all the blocked spam.

    • #1254378

      > Help! My junkmail folder is getting filled with “Message Not Deliverable” type of
      > SMTP status messages from servers. My email address is in the “reply-to” of
      > these message headers, although never in the “from” field. I’ve blocked port 25
      > on my local machine and they’re still coming even after 3 hours. Is there
      > anything I can do?

      A lot of the advice I’ve seen assumes that your machine is sending the spam messages, or that the spammers have got the email address from your machine. In fact, they may have gotten it from any of your friends or business contacts who have your address in their address books, and as someone else pointed out, the spams probably are coming from a zombie machine in China or somewhere, so there’s little or nothing you can do (or could have done) to prevent it. I’ve been getting messages for years from a bunch of colleagues at my work, offering me Viagra, Russian brides, and other adventures. You can get an idea where they are coming from by looking carefully at the headers (should be a button on your mail program to see full headers) and paying attention to the chain of relays — the last IP address 80.112.23.1 or whatever is the source, unless the sender disguised that as well. I’m glad your volume has settled down — not everyone is so lucky.

      SMTP mail was designed for use by honest people — we are ready for a better alternative I think.

      Regards,
      Allen
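Reading the relay chain as described in the post above, as an added example that is not part of the original post. The message, host names and IP addresses are constructed, and `MY_PROVIDER_HOSTS` / `MY_PROVIDER_IPS` are assumed names for the servers of your own mail provider; only `Received` lines stamped by those servers can be relied on, and everything older was supplied by whoever connected.

```python
import re
from email import message_from_string

# Constructed sample (not from the thread). Each server prepends its own
# Received header, so the newest hop is first and the oldest claim is last.
RAW_MESSAGE = """\
Received: from mx.myprovider.example (mx.myprovider.example [198.51.100.10])
\tby store.myprovider.example with ESMTP id A1; Mon, 01 Nov 2010 03:02:11 +0000
Received: from mail.work.example (unknown [203.0.113.77])
\tby mx.myprovider.example with SMTP id B2; Mon, 01 Nov 2010 03:02:09 +0000
Received: from pc42.work.example (pc42.work.example [192.0.2.5])
\tby mail.work.example with ESMTP id C3; Mon, 01 Nov 2010 03:01:50 +0000
From: "A colleague" <colleague@work.example>
Reply-To: eric@example.org
Subject: constructed sample

body
"""

# Assumption: the recipient knows which hosts and IPs belong to their provider.
MY_PROVIDER_HOSTS = {"store.myprovider.example", "mx.myprovider.example"}
MY_PROVIDER_IPS = {"198.51.100.10"}

FROM_RE = re.compile(r"from\s+(\S+)\s+\([^\[)]*\[([0-9A-Fa-f.:]+)\]\)")
BY_RE = re.compile(r"\bby\s+(\S+)")


def parse_hops(raw):
    """Return the Received chain, newest first, as helo/ip/by dictionaries."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())  # undo header folding
        src, by = FROM_RE.search(flat), BY_RE.search(flat)
        hops.append({
            "helo": src.group(1) if src else None,  # name the client claimed
            "ip": src.group(2) if src else None,    # address the server saw
            "by": by.group(1) if by else None,      # server that wrote the line
        })
    return hops


def entry_hop(hops, trusted_hosts, trusted_ips):
    """Index of the hop where mail entered the trusted servers from outside."""
    for index, hop in enumerate(hops):
        if hop["by"] not in trusted_hosts:
            return None  # chain does not start at a server we trust
        if hop["ip"] not in trusted_ips:
            return index  # a trusted server recorded an outside client here
    return None


def trace_source(raw, trusted_hosts=MY_PROVIDER_HOSTS, trusted_ips=MY_PROVIDER_IPS):
    """Return (verified source IP, IPs from older headers that may be forged)."""
    hops = parse_hops(raw)
    index = entry_hop(hops, trusted_hosts, trusted_ips)
    if index is None:
        return None, [hop["ip"] for hop in hops]
    return hops[index]["ip"], [hop["ip"] for hop in hops[index + 1:]]


if __name__ == "__main__":
    verified, unverified = trace_source(RAW_MESSAGE)
    print("connected to my provider from:", verified)
    print("older, sender-supplied claims:", unverified)
```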

    • #1264842

      I use yahoo mail and just changed my yahoo mail password, not my address, and the mailing stopped.

    • #1265463

      What no one here has mentioned is the first thing to do when you suspect that your e-mail address has been misused by an unauthorized party:

      NOTIFY YOUR ISP immediately. They will tell you if you will need to have your account destroyed, your password reset, or if they can simply handle the matter internally.

      Of course, check your own computer with at least two different anti-spyware applications, in case there’s a spam-bot there. And if you have been using Gawker, FaceBook, or some other Social Media site, check that you didn’t install any Apps just before the e-mails started being sent out.

      Regarding e-mail Account Security:
      As I noted in another thread, most security researchers have concluded that the complexity of a password (non-alpha/numeric characters) matters a whole lot less than the sheer length of the password. Just as long as it is not a correctly spelled well known phrase, a 32-character string of letters and numbers should suffice, even for bank web sites.

      -- rc primak

    • #1265872

      > What no one here has mentioned is the first thing to do when you suspect that your e-mail address has been misused by an unauthorized party:
      >
      > NOTIFY YOUR ISP immediately. They will tell you if you will need to have your account destroyed, your password reset, or if they can simply handle the matter internally.
      >
      > Of course, check your own computer with at least two different anti-spyware applications, in case there’s a spam-bot there. And if you have been using Gawker, FaceBook, or some other Social Media site, check that you didn’t install any Apps just before the e-mails started being sent out.
      >
      > Regarding e-mail Account Security:
      > As I noted in another thread, most security researchers have concluded that the complexity of a password (non-alpha/numeric characters) matters a whole lot less than the sheer length of the password. Just as long as it is not a correctly spelled well known phrase, a 32-character string of letters and numbers should suffice, even for bank web sites.

      Notifying the ISP only applies to people whose email is through their ISP. I believe (though I’m not certain) that most people use free services like gmail, yahoo, and aol (there are a few others I’ve heard of, but those are rare sites). I believe I mentioned in my post trying to contact those providers (though it’s often like finding a particular piece of sand on a beach). If you do have your email through your ISP (your yahoo account is connected to your SBC (or whatever it’s called at the time) internet or you have a Walmart address) it may be possible for them to deal with it themselves, though there is no guarantee.

      I suppose it’s possible that someone could have installed a malicious app and the more I think about it the more I think that’s probably the primary method in today’s net structure but, malicious apps aren’t by any means the only method (I realize you weren’t implying this I’m just making sure it’s clear).

      I’ve also read the report about password length and that’s probably good advice though I think it really just depends on your paranoia. If someone accessed my webmail they’d be able to get my passwords for quite a few sites (because they send out the password in an email, many sites even send out your password with your initial email which in my mind negates the purpose of TLS). However, I’m pretty sure none of my email would give away my password information for my bank and I don’t put my personal information just anywhere.

      I figure everyone has my picture, date of birth, and name. It doesn’t matter if I try to conceal that information or not so I might as well take advantage and put said info out there. If you don’t want said info on the net I’m sorry but in most [developed] countries you’d have to be an illegal alien and not attend any social gatherings whatsoever (government websites have most of your data and if you’ve been at a social gathering in the last 5 years someone probably posted a picture of you on facebook).

      The best we can do is make sure our computers are safer than the average Joe’s and if we do online banking make sure the password is unique and we take advantage of all the security features. Also, if you can avoid using mobile devices to check your banking info. Most mobile devices have very poor security overall.

      Now, back to the topic at hand; if you don’t feel like making your passwords extra safe (I don’t want to remember a 32 character password) then you just have to accept that someone may guess your password, but since most spammers don’t bother logging into your account (or if they do it’s because they used a sniffer, which doesn’t care how large or complex your password is) it’s kind of pointless to worry too much about passwords. Avoid malicious sites, use things like WOT, and follow my advice from my previous post. Sooner or later someone will catch the Spammer. It really wouldn’t surprise me if someone developed a worm that went after spammers (that would be ideal; think of the possibilities of a worm infecting a Spammer’s computer and reporting data to the police, data that would identify the person as either a victim (a virus is sending the Spam) or an original Spammer).

    • #1315569

      I’ve been inundated with these “returned mail” messages for about 8 weeks. I get about 500 a day. I’ve done everything ‘by the book’ including contacting support @ my ISP. I’ve scanned my computer every which way and nothing is out of the ordinary. SO……………

      I’ve installed a program called MailWasher. There’s a FREE and a PRO version. The free works just fine. http://www.mailwasher.net/ I’ve also been told that most of this type of ‘returned mail’ isn’t classified as true SPAM because they contain no valid “FROM” address, but http://www.spamcop.net/ says differently. Read about MailWasher. It’s worth it.

      • #1316322

        > I’ve been inundated with these “returned mail” messages for about 8 weeks. I get about 500 a day.

        Wow, that is the worst NDR flood I’ve ever heard of. You have our sympathy! Generally a week or two and the spammers move on to a new address. I suppose we should be thankful they at least normally do that. I take it you are using an ISP supplied email address. Now might be a good time to change to a Gmail which does tend to solve most of this. As well as eliminating the problem of changing email when moving home and getting a new ISP (which is the worst time to have to change email of course with all the hassle of moving).
