Recent bunch of "MAILER-DAEMON" msgs lately

02-02-2004, 03:47 PM
I have been getting a bunch of messages to my domain that look like a message bounce for a message sent *from* a nonexistent user on my domain. I copied one below that was addressed to 'applause@junga.com'. I have never used that as an email. I get it in my catch-all account.

Can someone help me analyse this sample message to see what they are? At first I thought they were a type of spam to scan a domain to see what addresses are being used or maybe a trojan horse, but upon closer inspection, I don't see any feedback mechanism or suspicious payload.

My next thought is that the security of my smtp server has been compromised and someone is sending out spam that looks like it came from someuser@junga.com and whenever they send to a bad address, I am getting the notification.

What do you think?

Here is the example of what I am getting (about a dozen a day).

(begin headers)
Return-Path: <MAILER-DAEMON@junga.com>
Received: from omr-m10.mx.aol.com (omr-m10.mx.aol.com [])
by junga.com (8.11.6/8.11.6) with ESMTP id i12IAZO28007
for <applause@junga.com>; Mon, 2 Feb 2004 11:10:35 -0700
Received: from rly-xh02.mx.aol.com (rly-xh02.mail.aol.com []) by omr-m10.mx.aol.com (v97.10) with ESMTP id RELAYIN10-b401e928628e; Mon, 02 Feb 2004 13:10:14 -0500
Received: from localhost (localhost)
by rly-xh02.mx.aol.com (8.8.8/8.8.8/AOL-5.0.0)
with internal id NAA07656;
Mon, 2 Feb 2004 13:10:14 -0500 (EST)
Date: Mon, 2 Feb 2004 13:10:14 -0500 (EST)
From: Mail Delivery Subsystem <MAILER-DAEMON@aol.com>
Message-Id: <200402021810.NAA07656@rly-xh02.mx.aol.com>
To: <applause@junga.com>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
Subject: Returned mail: User unknown
Auto-Submitted: auto-generated (failure)
X-UIDL: "GU!!n2&#!Lkp"!_Ud"!
(end headers)

(begin body)

Your e-mail is being returned to you because there was a problem with its delivery. The address which was undeliverable is listed in the section
labeled: "----- The following addresses had permanent fatal errors -----".

The reason your mail is being returned to you is listed in the section
labeled: "----- Transcript of Session Follows -----".

The line beginning with "<<<" describes the specific reason your e-mail could not be delivered. The next line contains a second error message which is a general translation for other e-mail servers.

Please direct further questions regarding this message to your e-mail administrator.

--AOL Postmaster

----- The following addresses had permanent fatal errors ----- <bkcmpr@cs.com>

----- Transcript of session follows -----
... while talking to air-xh04.mail.aol.com.:
>>> RCPT To:<bkcmpr@cs.com>
<<< 550 MAILBOX NOT FOUND
550 <bkcmpr@cs.com>... User unknown
(end body)

(start attachment details.txt)
Reporting-MTA: dns; rly-xh02.mx.aol.com
Arrival-Date: Mon, 2 Feb 2004 13:09:58 -0500 (EST)

Final-Recipient: RFC822; bkcmpr@cs.com
Action: failed
Status: 5.1.1
Remote-MTA: DNS; air-xh04.mail.aol.com
Diagnostic-Code: SMTP; 550 MAILBOX NOT FOUND
Last-Attempt-Date: Mon, 2 Feb 2004 13:10:14 -0500 (EST)
(end attachment details.txt)

(start attachment ATT00826.txt)
Received: from dyn-81-166-245-94.ppp.tiscali.fr (dyn-81-166-245-94.ppp.tiscali.fr []) by rly-xh02.mx.aol.com (v97.10) with ESMTP id MAILRELAYINXH27-48f401e9267188; Mon, 02 Feb 2004 13:09:44 -0500
Received: from unknown (HELO CAB) (
by dyn-81-166-245-94.ppp.tiscali.fr with SMTP; 2 Feb 2004 18:09:20 +0000
Message-ID: <002b01c3e9b7$a26f5c80$a38a50d5@CAB>
From: "sotl hnax" <applause@junga.com>
To: "bkcmpr@cs.com" <bkcmpr@cs.com>
Subject: Fwd: Oirignal dsiocunt - ifldia.
Date: Mon, 2 Feb 2004 18:09:01 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed;
X-Priority: 3
(end attachment ATT00826.txt)

02-02-2004, 10:37 PM
I get these all the time. And yes, they freaked me out at first too! I'm fairly confident that they are an odd sort of spam. I believe they use the mailer-daemon because it can slip past most spam-filters. I think the senders want you to open the "original message" to see what "you" sent, and the spam message is in there.

02-03-2004, 02:20 PM
But the attachments are really plain text (as far as I can see) and contain no message other than details of the error. I have received fake bounces that have contained a virus in an attachment named something like details.txt.pif. But that is not the case with these. I can't see the point in them.

My brother, who has his own domain also, started getting these about the same time I did (a couple of weeks ago).

When did you start getting them?

I snooped around my VDS for a sendmail log file and could not find one. How can I get it to log all outgoing (relay'd) email so that I see if there is any unauthorized access?

02-03-2004, 03:31 PM
I've gotten them on and off over the past couple years, on different domains hosted by different web hosts. No evidence of unauthorized access that I could find (although I am not an expert).

I often get spam that is not logical -- no link, no message. One had no information at all (completely blank, including all headers except the To:). Spammers are odd ducks. Who knows why they do what they do?

02-06-2004, 09:28 AM
I now believe that some spammer has started using my domain when he forges the From header. This is why I get these bounces. They are not intentional spam (hence no ad or other payload) but instead, the by-product of spam.

I realize now that he does not need to use my MTA to send out mail on behalf of a user on my domain. He just needs an MTA that does not do any checks to ensure that the 'From' address is not forged.

So he's out there spamming people with mail that appears to come from a junga.com user. The only thing he needed was the name of my domain!

Eventually, because of him, my domain will end up on the blacklists!

I am hoping that I am wrong. Is there any mechanism that would prevent a spammer from doing this?

02-06-2004, 10:33 AM
You are right in most respects... but no, you won't get blacklisted. Spam lists are not based on the from address but on the envelope from address, which is probably some poor sod with a dial up account in Brazil or something.

Here, approximately, is how it works. Someone with a broadband, mostly online account (comcast and rr seem popular) gets Trojan'd. The trojan connects to its master server and downloads a list of email addresses to spam and a list of domain names as From addresses. It then sends out the emails using a random name at one of the domain names. The From address is (e.g.) john@junga.com so if the mail gets bounced it returns to you as undelivered. However, the spam lists will be looking at the envelope address (which is someone at tiscali.fr on your sample).
But because it is a dial up account, they can't really black list anyone at all, unless they want to blacklist the whole of tiscali.fr.
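Added example, not part of any post in this thread: a small Python triage of the returned-message headers that a bounce carries (the thread's ATT00826.txt), checking whether any Received hop involves the domain owner's own MTA. The function names and the second sample are constructed for illustration; it assumes the owner's mail host is the bare domain, as in the `by junga.com` hop of the sample bounce.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header block of the returned message, copied from the thread's ATT00826.txt
# (first Received hop only; the second hop is cut off on the page).
FROM_THREAD = (
    "Received: from dyn-81-166-245-94.ppp.tiscali.fr "
    "(dyn-81-166-245-94.ppp.tiscali.fr []) by rly-xh02.mx.aol.com (v97.10) "
    "with ESMTP id MAILRELAYINXH27-48f401e9267188; Mon, 02 Feb 2004 13:09:44 -0500\n"
    'From: "sotl hnax" <applause@junga.com>\n'
    'To: "bkcmpr@cs.com" <bkcmpr@cs.com>\n\n'
)
# Constructed counter-example: the same block had the owner's MTA relayed it.
CONSTRUCTED_RELAYED = (
    "Received: from junga.com (junga.com) by rly-xh02.mx.aol.com (v97.10) "
    "with ESMTP id CONSTRUCTED-ID; Mon, 02 Feb 2004 13:09:44 -0500\n"
    "Received: from client.example.net by junga.com (8.11.6/8.11.6) "
    "with ESMTP id CONSTRUCTED-ID2; Mon, 2 Feb 2004 11:09:40 -0700\n"
    "From: <applause@junga.com>\nTo: <bkcmpr@cs.com>\n\n"
)

HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S | re.I)

def received_hops(raw_headers):
    """Return [(from_host, by_host), ...] in header order (newest hop first)."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append((m.group(1).lower().rstrip("."),
                         m.group(2).lower().rstrip(".")))
    return hops

def is_ours(host, domain):
    return host == domain or host.endswith("." + domain)

def classify_bounce(raw_headers, domain):
    """Triage a bounced message's headers for the owner of `domain`."""
    msg = message_from_string(raw_headers)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if from_domain != domain:
        return "not-ours"
    for from_host, by_host in received_hops(raw_headers):
        if is_ours(from_host, domain) or is_ours(by_host, domain):
            return "relayed-by-own-mta"  # mail passed through our server: investigate
    return "backscatter"                 # From: forged; our MTA never handled it
```

Received lines below the first hop written by a server you trust can themselves be forged, so a "backscatter" result is only as reliable as the topmost hops, while a forged hop naming your domain errs toward investigating.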

02-20-2004, 04:52 PM
I believe what is happening is...

1. A spammer is using your domain in the "From:" line of spam being sent.

2. The recipient, AOL in this case, is receiving the e-mail and rather than rejecting it while the spammer is still connected, is accepting it.

3. Sometime later, AOL is analyzing the message and rejecting it for some reason, perhaps because it is recognized as spam.

4. AOL is no longer connected to the spammer who sent the message and attempts to send a bounce message by originating an outgoing e-mail message to the sender.

5. AOL mistakenly assumes that the "From:" address is correct and sends their bounce e-mail to you.

6. Because AOL wants you to think this is a "normal" bounce that would usually be rejected at the time of connection, they fraudulently change the "From:" address of the bounce message to say "MAILER-DAEMON@yourdomain.com" instead of the correct MAILER-DAEMON@aol.com

I have contacted Westhost technical support about this because I believe AOL is acting badly by

a. Failing to send the bounce message back to the server that delivered the original e-mail (they knew who it was when they were connected, they're choosing to ignore this information.)

b. Using a false domain in the "From:" line of the e-mail they are sending as a bounce message.

Westhost technical support chose to do nothing, but I suspect that is mostly because they don't understand what is going on. Of course, it could be me that doesn't understand.

AOL is the only organization that I have seen do this. When a spammer uses my domain, the *only* bounces of this type that I get are from AOL. I have to believe that millions of spam messages went out to other domains. It seems to be only AOL that either can't or won't send the bounces to the right place.

I would love to hear from anyone else if they have a better explanation for what is going on.


02-20-2004, 06:38 PM
AOL simply bounce it back, not because it is spam, but because it is undeliverable. And they bounce it back to the From: address because that is what they are supposed to do. They don't know that it is spam they are bouncing, so they don't know that the return address is faked.

When they get spam, it is simply trashed. No responsible ISP is going to bounce spam around the Internet.

02-20-2004, 10:32 PM

I will grant that they are probably bouncing it because it is undeliverable and not because it is spam. You make a valid point that if they detect that it is spam, they are not likely to bounce it.

However I disagree that they are "supposed to" bounce it back to the "From:" address. The SMTP server at most domains detects an invalid address while the sending server is still connected. That is usually what sendmail does at Westhost. In those cases, the sending server is notified and the connection is broken. It is up to the sending server to notify the actual sender (by sending a bounce) that the address is invalid. The sending server does not use the "From:" address in the body of the message. The sending server uses the sender information that it knows about because the sender is a local user with an account.

Since AOL accepts the message, the sending server doesn't notify the actual sender. It is up to AOL to notify the actual sender (if it chooses to.) How does AOL know who the actual sender is? Because the sending server passed the information when it made the connection. That information is not passed in the "From:" line of the message. It is passed before the message itself is even transmitted. It is commonly called the "envelope" information.

Can the envelope information be forged so that it looks like the message is coming from someone other than the spammer? Yes it can. But when the connection is made, AOL can tell if the domain in the envelope sender matches the domain of the sending server by doing a reverse lookup of the IP address of the sending server. Many SMTP servers will not accept e-mail at all if the lookup doesn't match or if the lookup is unavailable. There are pros and cons to this approach. But even if AOL chooses to accept e-mail without a match, it seems terribly irresponsible to send bounce messages to an address that should already be suspected as being forged.

Either way, I think AOL is part of the problem. Others may disagree.

None of this excuses, in my mind, AOL doing some forging of their own by setting the "From:" header of the bounce message to MAILER-DAEMON@yourdomain.com when it should say aol.com.