BleepingComputer.com: Returned Mail


Returned Mail

#16 The Old Vicar

Posted 06 October 2006 - 04:32 AM

Hi Buddy,
Since posting my first comment I've done some more rooting around. The problem is becoming pretty pervasive, certainly in the UK, and, as far as I can make out (I am not by any means a techie!), is caused by a service that identifies servers that have sent out spam and then gives the identity of the server to ISPs who use this information to block e-mail from the named servers. If no more spam comes from the server in 24 hours it is unblocked. SpamCop is one of these service providers and I have not been able to get e-mails to a contact in South Africa either using my normal ISP, Orange, or Yahoo mail. I should add that I checked all the possible faults you identified.

I am going to try again this morning using Hotmail.

#17 buddy215

Posted 06 October 2006 - 05:42 AM

Go here to learn what a zombie is: http://en.wikipedia.org/wiki/Zombie_computer This is why I suggested performing some security scans. This is one to start with: http://www.ewido.net/en/download/
It is best to run it in safe mode. http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/

#18 Papakid

Posted 06 October 2006 - 12:20 PM

I have to agree with buddy215 on this and also recommend reading Wikipedia's description of a botnet: http://en.wikipedia.org/wiki/Botnet

There are several botnet trojans out now that will install a mailer daemon on your PC and send out spam and/or infectious email. The other explanations in this thread are also possible, but IMO you should first check that there isn't something on your machine. Unfortunately, these trojans have become very sophisticated, using techniques to bypass firewalls and avoid detection by antivirus, antispyware and other security scanners. Even Ewido (which is now known as AVG Anti-Spyware), which is probably the best general anti-malware app out there, won't find everything.

My suggestion would be to go thru the procedure in the Prep guide that jgweed linked to and post a HijackThis log along with a good description of what is happening. Once that is ruled out, then look for other explanations. IOW, do this before changing your email address, altho that should probably be done also.

BTW, botnets spewing out spam on zombie computers are why some legit servers get blacklisted. All the more reason to get your machine off the botnet if it is infected to help the general internet community.

gleet, you may be able to get some idea by looking at the email headers. I don't use Mailwasher and don't know if you get the returned emails as attachments so not sure what the steps are in your case. But if you set OE to open the email in plain text you can do so safely. With OE open go to Tools>Options and on the Read tab check Read all messages in plain text>OK.

I leave mine on html, but once I have a message in a mail folder (usually my inbox), I'll right click on the message, choose Properties>Details tab>Message Source and there is the message in plain text complete with headers.

#19 gleet

Posted 06 October 2006 - 02:19 PM

Thank you Papakid for an interesting reply. Mailwasher is very good. Without downloading a message you can display full header and message source.

I have looked at one or two "returned mail" headers and source, but I have not learned anything useful. My internet provider has an article on its website about the growing problem of infected computers putting out spam in someone else's eMail address. It seems to think that the infection is very rarely with the computer which is getting these "returns". I have requested my provider to give me a trial new eMail address just to check whether the spammers pick up the new address from my computer. I am still awaiting a reply to my request made on the 3rd October. I will post the results of the trial after I have been able to conduct it.

#20 Enthusiast

Posted 07 October 2006 - 07:50 AM

If you want a Gmail address pm me and I will send you an invitation to get it.

#21 gleet

Posted 07 October 2006 - 10:51 AM

Thanks for your help, Enthusiast. gMail is not a term I am familiar with. Is it something I can use to get a temporary address? I could get a free non-Broadband eMail address with Freewire. I have Broadband with my current internet provider. I have an acknowledgement from them (Plusnet) to my request for a temporary new address and should be getting a full reply within the next 12 hours. My impression is that they are both UK providers and I reside here in the UK.

#22 gleet

Posted 11 October 2006 - 06:10 AM

I am pleased to be able to report that I have resolved my problem to my satisfaction with the help of my account providers (Plusnet). They asked me to create an additional mailbox (what they mean by that is a mailbox on their server) giving it a name exactly as I want my mail to be addressed. The default mailbox allows any mail with anything@username.plus.com to be sent on to me, but if the additional mailbox which I create on their server gives an address such as specificname@username.plus.com, they will send all mail which is correctly addressed to my computer and will blackhole any mail which is not correctly addressed (e.g. to xyg@username.plus.com). Virtually all the returned mail does not use my correct pre-@ name and therefore is not downloaded when I look for mail.

This post has been edited by gleet: 11 October 2006 - 06:11 AM
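The header check Papakid describes in post #18 and the mailbox filtering gleet describes in post #22, combined into one script; this is an added example, not code from the thread or from any poster. The function name `inspect_bounce`, the sample bounce, and every host, address and IP in it are constructed for illustration, and the script assumes the bouncing server received the message directly from its sender.

```python
import email
import re
from email import policy

# Constructed sample bounce; every host, address and IP below is made up.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.example.net
To: xyg@username.plus.com
Subject: Returned mail: see transcript for details
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

User unknown: <nobody@example.net>

--b1
Content-Type: text/rfc822-headers

Received: from pc.example.org (unknown [203.0.113.45])
 by mx.example.net; Fri, 06 Oct 2006 12:00:00 +0000
From: xyg@username.plus.com
To: nobody@example.net

--b1--
"""

def inspect_bounce(raw, my_ips, my_mailboxes):
    """Return (origin_ip, sent_from_me, addressed_to_real_mailbox)."""
    bounce = email.message_from_string(raw, policy=policy.default)
    original = None
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "text/rfc822-headers":    # bounce returns headers only
            original = email.message_from_string(part.get_content(), policy=policy.default)
        elif ctype == "message/rfc822":       # bounce returns the full message
            original = part.get_payload(0)
        if original is not None:
            break
    origin_ip = None
    if original is not None:
        # The topmost Received line was written by the server that accepted
        # the message; lines below it can be forged by the sender.
        received = original.get_all("Received", [])
        match = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(received[0])) if received else None
        origin_ip = match.group(1) if match else None
    local_part = bounce["To"].addresses[0].username.lower()
    return origin_ip, origin_ip in my_ips, local_part in my_mailboxes
```

For the sample, `inspect_bounce(SAMPLE_BOUNCE, {"198.51.100.7"}, {"specificname"})` reports an origin IP that is not the user's own and a recipient local part that is not a real mailbox: the pattern of a forged sender address, and of mail the non-catch-all mailbox would discard.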

