-
May 16th, 2004, 10:36 AM
#11
Ok. The first one is an effect of probably Sobig.F. Unfortunately, there's not much you can do about it other than delete it.
The others have advice that you should follow:
Since both of those ISPs seem to be using SpamCop you may want to visit that. If you find your ISP is listed there, then get them to deal with this (it means they have an open relay). If your IP (http://www.spamcop.net/bl.shtml) is listed there, then you need to check your machine to see if you have port 25 open (this would indicate an SMTP server is running and potentially an open relay). Open relay means an SMTP server that sends emails even tho' the source address isn't valid and the IP doesn't match with the source (that is one that fits their range of IPs).
You did inadvertently leave your IP in one of those messages so I did a check and lo and behold I got this:
Query bl.spamcop.net - 24.xx.yy.zz
24.xx.yy.zz is ms-smtp.xx.yy.zz.rr.com
24.xx.yy.zz not listed in bl.spamcop.net
Since SpamCop started counting, this system has been reported about 20 times by less than 10 users. It has been sending mail consistently for at least 62.4 days. In the past 20.7 days, it has been listed once for a total of 23 hours
* In the past week, this system has: Been witnessed sending mail about 5580 times
A sample sent sometime during the 24 hours beginning Thu Apr 22 20:00:00 2004 -0400:
Received: from -.-.-.com (-.-.-.com [24.93.47.43])
by -.-.net (-.-.-.-.-) with - id -
for < [email protected]>- Fri, - Apr 2004 - -
Subject: attention - bonnie
From: li.. at ..h.com
A sample sent sometime during the 24 hours beginning Mon Apr 5 20:00:00 2004 -0400:
Received: from -.-.-.com (-.-.-.com [24.93.47.43])-
by -.-.net (-.-.-.-.-) with - id -
Mon, - Apr 2004 - -
Subject: - hello - sweetheart
From: sk.. at ..l.net
The bolded section is interesting. Unless you're running the email server, someone has. And the name ms-smtp makes me think of Microsoft SMTP (Exchange?).
Do a quick netstat -a and see if port 25 is open. If not, then you need to go and talk with Road Runner about their policies (talk to a manager not one of the flakes on the front line).
-
May 16th, 2004, 11:16 AM
#12
Member
I have got these mysterious returned mails in my hotmail also. But hotmail.... I am not using Outlook Express, how could this happen?
-
May 16th, 2004, 03:20 PM
#13
reason: 591 your host [24.93.47.43] is blacklisted by bl.spamcop.net.
Is this your IP address? When I checked it, it seemed to be roadrunner's mail server.
[rcgreen@acer rcgreen]$ telnet 24.93.47.43 25
Trying 24.93.47.43...
Connected to 24.93.47.43.
Escape character is '^]'.
220 ms-smtp-04.texas.rr.com ESMTP Welcome to Road Runner. WARNING: *** FOR AUTHORIZED USE ONLY! ***
Otherwise, you have a trojan running a mail relay on your machine.
I came in to the world with nothing. I still have most of it.
-
May 16th, 2004, 03:25 PM
#14
I have got these mysterious returned mails in my hotmail also. But hotmail.... I am not using Outlook Express, how could this happen?
spellabc, might be the same reason I pointed out earlier: someone else is infected with a virus (possibly Sobig.F) and it's generating fake returned mails or is using your address as the source of emails being sent out to fake destinations (thus resulting in you getting the return email along with the infected attachment -- although I believe that hotmail removes infected attachments).
-
May 16th, 2004, 05:59 PM
#15
Junior Member
MsMittens--
Funny you mentioned port 25. Yesterday I ran a scan with TDS-3 on my ports and 25 was open. TDS-3 closed it.
-
May 16th, 2004, 06:07 PM
#16
Junior Member
Ok..I just checked again this AM. Port 25 is open again. How do I close it and keep it closed?
-
May 16th, 2004, 06:27 PM
#17
Zetin, sounds like there is indeed a mail server running on your machine then. One way to find it would be to run netstat -aop (in respective order, this will show all connections and listening ports, what process is running each service that is listening and what protocols are being used -- usually UDP or TCP). Another tool that might be helpful is Process Explorer which also might show "unusual" processes.
Are you by any chance running IIS and which version of Windows are you running?
-
May 16th, 2004, 07:45 PM
#18
Junior Member
IIS? We are running Windows XP
-
May 16th, 2004, 09:19 PM
#19
IIS is Internet Information Services and is an add-on that provides web, ftp, gopher and smtp. I asked because often when it's set up the default is to have SMTP on. You need to find the process running SMTP (simple mail transfer protocol).
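As an added example (not part of any post in this thread): a Python script that reads Windows `netstat -ano` output (all sockets, numeric addresses, owning PID) and reports which process is listening on port 25 or making outbound SMTP connections, the two signs of a local mail relay discussed above. The sample output, PIDs and addresses are constructed, and `smtp_activity` and `exposed` are names chosen for this example.

```python
import re
from collections import defaultdict

SMTP_PORT = 25

# Constructed sample of Windows `netstat -ano` output (not taken from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1480
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       936
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1720
  TCP    192.168.1.10:1147      203.0.113.5:25         ESTABLISHED     1480
  TCP    192.168.1.10:1150      198.51.100.7:25        SYN_SENT        1480
  TCP    192.168.1.10:1201      192.0.2.44:80          ESTABLISHED     2212
  UDP    0.0.0.0:445            *:*                                    4
"""

# TCP rows only: local addr:port, foreign addr:port, state, owning PID.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def smtp_activity(netstat_text, port=SMTP_PORT):
    """Return {pid: {"listening": [local addrs], "outbound": [remote addrs]}}."""
    found = defaultdict(lambda: {"listening": [], "outbound": []})
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, blank lines, UDP rows
        laddr, lport, raddr, rport, state, pid = m.groups()
        if state == "LISTENING" and int(lport) == port:
            found[int(pid)]["listening"].append(laddr)
        elif state != "LISTENING" and int(rport) == port:
            found[int(pid)]["outbound"].append(raddr)
    return dict(found)

def exposed(entry):
    """True if a listener is bound to more than loopback, so other hosts can reach it."""
    return any(not a.startswith("127.") and a != "[::1]" for a in entry["listening"])

if __name__ == "__main__":
    for pid, e in smtp_activity(SAMPLE).items():
        print(f"PID {pid}: listening on {e['listening'] or 'none'}"
              f"{' (reachable from network)' if exposed(e) else ''}, "
              f"{len(e['outbound'])} outbound SMTP connection(s)")
        print(f'  next: tasklist /FI "PID eq {pid}"')
```

A PID that both listens on port 25 and opens many outbound port-25 connections, on a desktop that is not meant to be a mail server, is the process to identify and remove; closing the port without removing that process only lasts until it starts again.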