A Flurry Of "Returned Mail"
-
Can someone help me to interpret what's going on here? My Junk Mail folder is filling up rapidly with email rejection notices. This has been going on sporadically for a couple of weeks, with a flurry of several hundred such messages, then a trickle, then none for a day or two before it starts again. A typical message is:
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:
remy525@yahoo.com
SMTP error from remote mail server after end of data:
host mta5.am0.yahoodns.net [67.195.103.233]: 554 Message not allowed - [299]------ This is a copy of the message's headers. ------
Return-path: <
my.address>
Received: from bosmailscan10.eigbox.net ([10.20.15.10])
by bosmailout03.eigbox.net with esmtp (Exim)
id 1SG1aE-0003Tv-28
for remy525@yahoo.com; Fri, 06 Apr 2012 01:19:38 -0400
Received: from bosimpout01.eigbox.net ([10.20.55.1])
by bosmailscan10.eigbox.net with esmtp (Exim)
id 1SG1aD-0006DH-IJ
for remy525@yahoo.com; Fri, 06 Apr 2012 01:19:37 -0400
Received: from bosauthsmtp01.eigbox.net ([10.20.18.1])
by bosimpout01.eigbox.net with NO UCE
id uVKd1i00301P9Sa01VKddX; Fri, 06 Apr 2012 01:19:37 -0400
X-Authority-Analysis: v=2.0 cv=eq1oOPVX c=1 sm=1
a=z5zA2GEyXHX4FYSAKYr2NA==:17 a=7UmD-tR_JRgA:10 a=VG0OwtqChsEA:10
a=8AlaD7fTCjEA:10 a=8nJEP1OIZ-IA:10 a=Sh_hsHRGdUoA:10 a=qrrI46oVAAAA:8
a=IIUmFY3D8pfpmdMjRkQA:9 a=gBDzBF7yGH2_iO3muJQA:7 a=wPNLvfGTeEIA:10
a=NTIIGRmZMWAA:10 a=P3BRNhQXk_0A:10 a=gYNu_iXhhMS5DrdM:21
a=St506IR-4_hhMAsl:21 a=FLmnjis/JmE4jomwi6pJ+A==:117
X-EN-OrigOutIP: 10.20.18.1
X-EN-IMPSID: uVKd1i00301P9Sa01VKddX
Received: from 141.24.27.77.dynamic.mundo-r.com ([77.27.24.141] helo=Servidor)
by bosauthsmtp01.eigbox.net with esmtpsa (TLSv1:RC4-MD5:128)
(Exim)
id 1SG1aD-0008JG-FT
for remy525@yahoo.com; Fri, 06 Apr 2012 01:19:37 -0400
MIME-Version: 1.0
Date: Fri, 06 Apr 2012 07:19:33 +0200
X-Priority: 3 (Normal)
X-Mailer: The Bat! (v2.00.3) Personal
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: eyes," is caused now."Astute build raised its Carvers' to Lord idea or tell "Someone cried, "But ritual emptiness marring the foolish of this endless uncles,
From: my.address
To: remy525@yahoo.com
Message-ID:
X-EN-UserInfo: c996fca110e1529a133127fe8b9b68eb:71b24f1e -
Can someone help me to interpret what's going on here? My Junk Mail folder is filling up rapidly with email rejection notices. This has been going on sporadically for a couple of weeks, with a flurry of several hundred such messages, then a trickle, then none for a day or two before it starts again. A typical message is:
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:
remy525@yahoo.com
SMTP error from remote mail server after end of data:
host mta5.am0.yahoodns.net [67.195.103.233]: 554 Message not allowed - [299]------ This is a copy of the message's headers. ------
Return-path: <
my.address>
Received: from bosmailscan10.eigbox.net ([10.20.15.10])
by bosmailout03.eigbox.net with esmtp (Exim)
id 1SG1aE-0003Tv-28
for remy525@yahoo.com; Fri, 06 Apr 2012 01:19:38 -0400
Received: from bosimpout01.eigbox.net ([10.20.55.1])
by bosmailscan10.eigbox.net with esmtp (Exim)
id 1SG1aD-0006DH-IJ
for remy525@yahoo.com; Fri, 06 Apr 2012 01:19:37 -0400
Received: from bosauthsmtp01.eigbox.net ([10.20.18.1])
by bosimpout01.eigbox.net with NO UCE
id uVKd1i00301P9Sa01VKddX; Fri, 06 Apr 2012 01:19:37 -0400
X-Authority-Analysis: v=2.0 cv=eq1oOPVX c=1 sm=1
a=z5zA2GEyXHX4FYSAKYr2NA==:17 a=7UmD-tR_JRgA:10 a=VG0OwtqChsEA:10
a=8AlaD7fTCjEA:10 a=8nJEP1OIZ-IA:10 a=Sh_hsHRGdUoA:10 a=qrrI46oVAAAA:8
a=IIUmFY3D8pfpmdMjRkQA:9 a=gBDzBF7yGH2_iO3muJQA:7 a=wPNLvfGTeEIA:10
a=NTIIGRmZMWAA:10 a=P3BRNhQXk_0A:10 a=gYNu_iXhhMS5DrdM:21
a=St506IR-4_hhMAsl:21 a=FLmnjis/JmE4jomwi6pJ+A==:117
X-EN-OrigOutIP: 10.20.18.1
X-EN-IMPSID: uVKd1i00301P9Sa01VKddX
Received: from 141.24.27.77.dynamic.mundo-r.com ([77.27.24.141] helo=Servidor)
by bosauthsmtp01.eigbox.net with esmtpsa (TLSv1:RC4-MD5:128)
(Exim)
id 1SG1aD-0008JG-FT
for remy525@yahoo.com; Fri, 06 Apr 2012 01:19:37 -0400
MIME-Version: 1.0
Date: Fri, 06 Apr 2012 07:19:33 +0200
X-Priority: 3 (Normal)
X-Mailer: The Bat! (v2.00.3) Personal
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: eyes," is caused now."Astute build raised its Carvers' to Lord idea or tell "Someone cried, "But ritual emptiness marring the foolish of this endless uncles,
From: my.address
To: remy525@yahoo.com
Message-ID:
X-EN-UserInfo: c996fca110e1529a133127fe8b9b68eb:71b24f1eHey Roger, It looks like someone in northern Spain is sending out bulk e-mails and the Yahoo server is rejecting them. The mails are most likely originating from an innocent individual infected with a botnet mailer. There is a little more to it than that... based on the mail header you posted... it appears that the mail server at bosauthsmtp01.eigbox.net is a misconfigured mail server. It looks like the assigned ip block where the mail server lives is 38.113.1.0/24 and is owned by 'Endurance International Group' according to the records[^]. The registered AS number for that IP block is AS29873[^] and you could attempt to contact them. In my experience... nobody every responds to abuse complaints unless there is a warrant attached. The reason nobody responds to complaints probably has something to do with the fact that poor little Brian appears to be responsible for 79,461[^] domains within that ip range. And thats just one of the 51 ip blocks he appears to be responsible for.
Roger Wright wrote:
Should I be concerned?
There isn't much you can do about it... the SMTP protocols were not very well designed and the protocol allows spoofing. It is up to the mail server software to prevent this. Your ISP or web hosting provider should be diligent with keeping the mail servers properly configured. By the way you should probably remove your rawright.net[^] e-mail address from the mail header you posted. But because you left it there... I was able to determine that your domain name rawright.net at 66.96.146.82 is on the 66.96.128.0/18 ip block[^] which poor little Brian is responsible for[^]. I hope you don't mind... I ha
-
Hey Roger, It looks like someone in northern Spain is sending out bulk e-mails and the Yahoo server is rejecting them. The mails are most likely originating from an innocent individual infected with a botnet mailer. There is a little more to it than that... based on the mail header you posted... it appears that the mail server at bosauthsmtp01.eigbox.net is a misconfigured mail server. It looks like the assigned ip block where the mail server lives is 38.113.1.0/24 and is owned by 'Endurance International Group' according to the records[^]. The registered AS number for that IP block is AS29873[^] and you could attempt to contact them. In my experience... nobody every responds to abuse complaints unless there is a warrant attached. The reason nobody responds to complaints probably has something to do with the fact that poor little Brian appears to be responsible for 79,461[^] domains within that ip range. And thats just one of the 51 ip blocks he appears to be responsible for.
Roger Wright wrote:
Should I be concerned?
There isn't much you can do about it... the SMTP protocols were not very well designed and the protocol allows spoofing. It is up to the mail server software to prevent this. Your ISP or web hosting provider should be diligent with keeping the mail servers properly configured. By the way you should probably remove your rawright.net[^] e-mail address from the mail header you posted. But because you left it there... I was able to determine that your domain name rawright.net at 66.96.146.82 is on the 66.96.128.0/18 ip block[^] which poor little Brian is responsible for[^]. I hope you don't mind... I ha
Fived as I'm impressed. :)
Luc Pattyn [My Articles] Nil Volentibus Arduum
-
Hey Roger, It looks like someone in northern Spain is sending out bulk e-mails and the Yahoo server is rejecting them. The mails are most likely originating from an innocent individual infected with a botnet mailer. There is a little more to it than that... based on the mail header you posted... it appears that the mail server at bosauthsmtp01.eigbox.net is a misconfigured mail server. It looks like the assigned ip block where the mail server lives is 38.113.1.0/24 and is owned by 'Endurance International Group' according to the records[^]. The registered AS number for that IP block is AS29873[^] and you could attempt to contact them. In my experience... nobody every responds to abuse complaints unless there is a warrant attached. The reason nobody responds to complaints probably has something to do with the fact that poor little Brian appears to be responsible for 79,461[^] domains within that ip range. And thats just one of the 51 ip blocks he appears to be responsible for.
Roger Wright wrote:
Should I be concerned?
There isn't much you can do about it... the SMTP protocols were not very well designed and the protocol allows spoofing. It is up to the mail server software to prevent this. Your ISP or web hosting provider should be diligent with keeping the mail servers properly configured. By the way you should probably remove your rawright.net[^] e-mail address from the mail header you posted. But because you left it there... I was able to determine that your domain name rawright.net at 66.96.146.82 is on the 66.96.128.0/18 ip block[^] which poor little Brian is responsible for[^]. I hope you don't mind... I ha
I thought I'd removed all those references. :-O I'm quite impressed by the amount of information you were able to glean. FYI, I don't control the SMTP server - webhost4life.com does that. Perhaps it's time for another move, painful as the last one was.
Will Rogers never met me.
-
Fived as I'm impressed. :)
Luc Pattyn [My Articles] Nil Volentibus Arduum
Ditto, 5 just because of the results of your investigation :)