Determine Email Address

  • Thread starter Domenick R. Lacertosa

Domenick R. Lacertosa

I don't know if this is the right ng for this but maybe someone here can
help me.

I own a domain and lately I have been receiving status = undeliverable
emails returned to fictitious accounts on my domain, i.e. email sent to
(e-mail address removed), (e-mail address removed) saying that email that was
sent from that address is undeliverable. I am sure that my email address
([email protected]) is in someone's address book who has a virus. I forgot
the name of the virus but it was the one that created email addresses from a
user's address book and sent email to permutations of those email addresses.
Anyhow, I am trying to figure out where the email is being sent from to no
avail. If I could find out who is sending it I could notify them. Even if
I knew a general location of the first email server that the email was sent
from it would help. Does anyone have any ideas on how to trace one of the
aforementioned emails back to the original sender (although a virus actually
sent it)? Any help would be appreciated. Thanks in advance.

- Dom
 

Domenick Lacertosa

Ok. Here is the header from the message. The fictitious "to" address
is (e-mail address removed). I don't know much about reading
headers, but other returned mail I get does start with
cluster1.charter.net like I think this one does. Thanks again in
advance.

- Dom


Microsoft Mail Internet Headers Version 2.0
Received: from ms-smtp-02.tampabay.rr.com ([65.32.5.132])
 by email01.alinean.local with Microsoft SMTPSVC(5.0.2195.6713);
 Thu, 13 Nov 2003 15:44:25 -0500
Received: from ms-mss-03 (ms-mss-03-pop [10.10.6.34])
 by ms-smtp-02.tampabay.rr.com (8.12.10/8.12.7) with ESMTP id hADKhIKD009930
 for <[email protected]>; Thu, 13 Nov 2003 15:43:18 -0500 (EST)
Received: from tampabay.rr.com (localhost [127.0.0.1])
 by ms-mss-03.tampabay.rr.com
 (iPlanet Messaging Server 5.2 HotFix 1.12 (built Feb 13 2003))
 with ESMTP id <[email protected]>
 for (e-mail address removed); Thu, 13 Nov 2003 15:43:18 -0500 (EST)
Received: from [10.10.6.26] by ms-mss-03.tampabay.rr.com (mshttpd);
 Thu, 13 Nov 2003 15:43:18 -0500
Date: Thu, 13 Nov 2003 15:43:18 -0500
From: (e-mail address removed)
Subject: Fwd: Returned mail: see transcript for details
To: (e-mail address removed)
Reply-to: (e-mail address removed)
Message-id: <[email protected]>
MIME-version: 1.0
X-Mailer: iPlanet Messenger Express 5.2 HotFix 1.12 (built Feb 13 2003)
Content-type: multipart/mixed;
 boundary="Boundary_(ID_yZpuECJcqloxOrOMw6WmGg)"
Content-language: en
X-Accept-Language: en
Priority: normal
X-Virus-Scanned: Symantec AntiVirus Scan Engine
Return-Path: (e-mail address removed)
X-OriginalArrivalTime: 13 Nov 2003 20:44:25.0757 (UTC)
 FILETIME=[ECF69CD0:01C3AA26]

--Boundary_(ID_yZpuECJcqloxOrOMw6WmGg)
Content-type: message/rfc822

Return-path: <>
Received: from ms-mta-03 (ms-mta-03-smtp [10.10.4.11])
 by ms-mss-03.tampabay.rr.com
 (iPlanet Messaging Server 5.2 HotFix 1.12 (built Feb 13 2003))
 with ESMTP id <[email protected]>
 for dlacertosa%cfl.rr.com@ims-ms-daemon; Thu, 13 Nov 2003 15:04:23 -0500 (EST)
Received: from flmx03.mgw.rr.com (flmx04.mgw.rr.com [65.32.1.50])
 by ms-mta-03.tampabay.rr.com
 (iPlanet Messaging Server 5.2 HotFix 1.12 (built Feb 13 2003))
 with ESMTP id <[email protected]>
 for (e-mail address removed) (ORCPT (e-mail address removed));
 Thu, 13 Nov 2003 15:04:23 -0500 (EST)
Received: from mail01c.rapidsite.net (mail01c.rapidsite.net [208.55.43.100])
 by flmx03.mgw.rr.com (8.12.10/8.12.8) with SMTP id hADK4GK7028439
 for <[email protected]>; Thu, 13 Nov 2003 15:04:21 -0500 (EST)
Received: from mxsf07.cluster1.charter.net (209.225.28.207)
 by mail01c.rapidsite.net (RS ver 1.0.88vs) with SMTP id 0-0292353560
 for <[email protected]>; Thu, 13 Nov 2003 14:59:20 -0500 (EST)
Received: from localhost (localhost) by mxsf07.cluster1.charter.net
 (8.12.10/8.12.8) id hADJo0uk024858;
 Thu, 13 Nov 2003 14:59:21 -0500 (EST envelope-from MAILER-DAEMON)
Date: Thu, 13 Nov 2003 14:59:21 -0500 (EST)
From: Mail Delivery Subsystem <[email protected]>
Subject: Returned mail: see transcript for details
To: (e-mail address removed)
Message-id: <[email protected]>
Auto-submitted: auto-generated (failure)
MIME-version: 1.0
Content-type: multipart/report; report-type=delivery-status;
 boundary="Boundary_(ID_4j4MOFzfql8k3uaZshi8ng)"
X-Loop-Detect: 1
Original-recipient: rfc822;[email protected]

--Boundary_(ID_4j4MOFzfql8k3uaZshi8ng)
Content-type: TEXT/PLAIN
Content-transfer-encoding: 7BIT

--Boundary_(ID_4j4MOFzfql8k3uaZshi8ng)
Content-type: message/delivery-status

--Boundary_(ID_4j4MOFzfql8k3uaZshi8ng)
Content-type: message/rfc822

Return-path: <[email protected]>
Received: from cam-online.com (24-151-243-194.chartertn.net [24.151.243.194])
 by mxsf07.cluster1.charter.net (8.12.10/8.12.8) with ESMTP id hADJmp9X023154
 for <[email protected]>; Thu, 13 Nov 2003 14:49:45 -0500
Date: Thu, 13 Nov 2003 19:49:46 +0000
From: Monique Vinet <[email protected]>
Subject: are you nauhty kbqtdcdlmesjee
To: (e-mail address removed)
Message-id: <5a3001c3aa1f$15102c5c$79451aab@kxifdvc>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
Content-type: multipart/alternative;
 boundary="Boundary_(ID_e/AXKThsQkbZzRKxOp3Adw)"
X-Priority: 3
X-MSMail-priority: Normal

--Boundary_(ID_e/AXKThsQkbZzRKxOp3Adw)
Content-type: text/plain; charset=iso-8859-1
Content-transfer-encoding: 7BIT

--Boundary_(ID_e/AXKThsQkbZzRKxOp3Adw)
Content-type: text/html; charset=iso-8859-1
Content-transfer-encoding: 7BIT


--Boundary_(ID_e/AXKThsQkbZzRKxOp3Adw)--

--Boundary_(ID_4j4MOFzfql8k3uaZshi8ng)--

--Boundary_(ID_yZpuECJcqloxOrOMw6WmGg)--
 

mzlindyone

I own a domain and lately I have been receiving status = undeliverable
emails returned to fictitious accounts on my domain. i.e. email sent to
(e-mail address removed), (e-mail address removed) saying that email that was
sent from that address is undeliverable. I am sure that my email address
([email protected]) is in someone's address book who has a virus.

I'm about equally sure this is a stupid tactic spammers use in the
hopes of contacting ANY random user, OR padding their list so they can
tell a customer they sent 10 million e-mails to known good addresses
(because of course the spammer or his customer wouldn't be getting the
bounces, so they 'must be good'.).
(24-151-243-194.chartertn.net [24.151.243.194])

Appears to be the origin of the original message. These days there's
~80% chance that machine has a trojan on it that's participating in
sending the mail. Try (e-mail address removed) for this one - others will
probably vary.

Carol
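
What Carol did by eye can be done mechanically: unwrap the bounce, pull out the
attached original message, and walk its Received: lines from the bottom up,
since every MTA prepends its own line and the lowest one is the oldest hop. The
script below is an added example for this thread, not code from either post.
BOUNCE is a constructed sample modelled on Dom's header block: the hostnames and
IPs are the ones he posted, the addresses are .invalid placeholders, the iPlanet
queue id is made up, and the folding the forum wrapped has been restored.

```python
"""Walk a bounce's Received: chain back to its first hop, the way Carol did by hand.
Added example for this thread (not code from the posts); BOUNCE is a constructed
sample built from Dom's header block with .invalid placeholder addresses."""
import re
from dataclasses import dataclass
from datetime import datetime
from email import message_from_string
from email.policy import default
from email.utils import parsedate_to_datetime
from typing import Optional

BOUNCE = """\
Received: from flmx03.mgw.rr.com (flmx04.mgw.rr.com [65.32.1.50])
 by ms-mta-03.tampabay.rr.com with ESMTP id constructed-id-1
 for recipient@example.invalid; Thu, 13 Nov 2003 15:04:23 -0500 (EST)
Received: from mail01c.rapidsite.net (mail01c.rapidsite.net [208.55.43.100])
 by flmx03.mgw.rr.com (8.12.10/8.12.8) with SMTP id hADK4GK7028439
 for <recipient@example.invalid>; Thu, 13 Nov 2003 15:04:21 -0500 (EST)
Received: from mxsf07.cluster1.charter.net (209.225.28.207)
 by mail01c.rapidsite.net (RS ver 1.0.88vs) with SMTP id 0-0292353560
 for <recipient@example.invalid>; Thu, 13 Nov 2003 14:59:20 -0500 (EST)
Received: from localhost (localhost) by mxsf07.cluster1.charter.net
 (8.12.10/8.12.8) id hADJo0uk024858;
 Thu, 13 Nov 2003 14:59:21 -0500 (EST envelope-from MAILER-DAEMON)
Subject: Returned mail: see transcript for details
Content-Type: multipart/report; report-type=delivery-status;
 boundary="Boundary_(ID_4j4MOFzfql8k3uaZshi8ng)"

--Boundary_(ID_4j4MOFzfql8k3uaZshi8ng)
Content-Type: message/rfc822

Received: from cam-online.com (24-151-243-194.chartertn.net [24.151.243.194])
 by mxsf07.cluster1.charter.net (8.12.10/8.12.8) with ESMTP id hADJmp9X023154
 for <recipient@example.invalid>; Thu, 13 Nov 2003 14:49:45 -0500
From: Monique Vinet <sender@example.invalid>

--Boundary_(ID_4j4MOFzfql8k3uaZshi8ng)--
"""

# In "from X (Y [ip]) by Z", X is whatever the client sent in HELO/EHLO (attacker
# controlled); Y and ip are what the receiving MTA Z observed on the connection.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<seen>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")

@dataclass
class Hop:
    helo: str                 # name the connecting host announced
    rdns: Optional[str]       # reverse DNS the receiving MTA recorded, if any
    ip: Optional[str]         # peer address the receiving MTA recorded, if any
    by: str                   # MTA that wrote the line
    when: Optional[datetime]  # that MTA's clock; skew between hops is a forgery tell

def parse_received(value) -> Optional[Hop]:
    text = " ".join(str(value).split())        # unfold and squeeze whitespace
    m = HOP_RE.search(text)
    if not m:                                   # e.g. "Received: by ..." (local submission)
        return None
    seen = m.group("seen") or ""
    ip, tokens = IP_RE.search(seen), seen.split()
    rdns = tokens[0] if tokens and not IP_RE.fullmatch(tokens[0]) else None
    when = None
    if ";" in text:                             # RFC 5322: the date-time follows the last ';'
        stamp = re.sub(r"\s*\([^)]*\)\s*$", "", text.rsplit(";", 1)[1]).strip()
        try:
            when = parsedate_to_datetime(stamp)
        except (TypeError, ValueError):
            pass
    return Hop(m.group("helo"), rdns, ip.group(1) if ip else None, m.group("by"), when)

def received_chain(msg) -> list:
    """Hops in travel order, oldest first (the reverse of header order)."""
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    return [h for h in reversed(hops) if h is not None]

def original_message(bounce):
    """Innermost message/rfc822 part, i.e. the mail that bounced, or None."""
    inner = None
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822" and part.get_payload():
            inner = part.get_payload()[0]
    return inner

def _apex(name: str) -> str:      # crude two-label apex; ignores ccTLDs such as .co.uk
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def helo_mismatch(hop: Hop) -> bool:
    """Announced name and observed reverse DNS point at different domains."""
    return bool(hop.rdns and hop.ip) and _apex(hop.helo) != _apex(hop.rdns)

def trace_bounce(raw: str) -> dict:
    bounce = message_from_string(raw, policy=default)
    original = original_message(bounce)
    chain = received_chain(original) if original is not None else []
    # Only lines written by MTAs you trust are reliable; anything the sending
    # software itself prepended beneath them can be forged. Here the first
    # trustworthy line is Charter's, and it names the peer that connected to it.
    origin = chain[0] if chain else None
    return {"bounce_chain": received_chain(bounce), "original_chain": chain,
            "origin": origin, "helo_mismatch": helo_mismatch(origin) if origin else False}
```

On the sample, `trace_bounce(BOUNCE)["origin"]` is the hop Carol pointed at:
the client announced itself as cam-online.com, but Charter's MTA saw
24.151.243.194 (24-151-243-194.chartertn.net), and `helo_mismatch` flags the
disagreement. The abuse contact to report to is the one for the network that
owns the observed IP, never the HELO name or the From: address, both of which
the sender chooses.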
 