Looks like someone may be sending mail from my acc


#1

every now and then, over the past few weeks, i’ll get an email saying it was returned undeliverable, like i was trying to send it. i know you can spoof the FROM on an email (and the Reply-To, etc) but looking at the headers it does seem like it’s actually coming from my email account. can anyone look at this and give an opinion before i contact support? (note that i’m bashsoftware.net)

[quote]From - Sun Aug 27 22:55:13 2006
X-Account-Key: account2
X-UIDL: UID8039-1133333474
X-Mozilla-Status: 0001
X-Mozilla-Status2: 10000000
Return-Path: <>
X-Original-To: contact@bashsoftware.net
Delivered-To: bashsof@spunkymail-mx2.dreamhost.com
Received: from server5.anon-dns.net (server5.anon-dns.net [67.136.25.40])
by spunkymail-mx2.dreamhost.com (Postfix) with ESMTP id C29F46F5D1
for contact@bashsoftware.net; Sun, 27 Aug 2006 19:51:16 -0700 (PDT)
Received: from localhost (localhost) by server5.anon-dns.net (8.12.9) id k7S2pFpS003021 sender MAILER-DAEMON; Sun, 27 Aug 2006 19:51:15 -0700
Date: Sun, 27 Aug 2006 19:51:15 -0700
From: MAILER-DAEMON@server5.anon-dns.net (Mail Delivery Subsystem)
Subject: Returned mail: see transcript for details
Message-Id: <200608280251.k7S2pFpS003021@server5.anon-dns.net>
To: contact@bashsoftware.net
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="k7S2pFpS003021.1156733475/server5.anon-dns.net"
Content-Transfer-Encoding: 8bit
Auto-Submitted: auto-generated (failure)

This is a MIME-encapsulated message

--k7S2pFpS003021.1156733475/server5.anon-dns.net

The original message was received at Sun, 27 Aug 2006 19:51:11 -0700
from mail@localhost

----- The following addresses had permanent fatal errors -----
contact@mlb.co.uk
(reason: 550 contact@mlb.co.uk: Recipient address rejected: User unknown in virtual mailbox table)

----- Transcript of session follows -----
... while talking to mailserver.mlb.co.uk.:

<<< 550 contact@mlb.co.uk: Recipient address rejected: User unknown in virtual mailbox table
550 5.1.1 contact@mlb.co.uk... User unknown
<<< 554 Error: no valid recipients

--k7S2pFpS003021.1156733475/server5.anon-dns.net
Content-Type: message/delivery-status

Reporting-MTA: dns; server5.anon-dns.net
Arrival-Date: Sun, 27 Aug 2006 19:51:11 -0700

Final-Recipient: rfc822; contact@mlb.co.uk
Action: failed
Status: 5.1.1
Remote-MTA: dns; mailserver.mlb.co.uk
Diagnostic-Code: smtp; 550 contact@mlb.co.uk: Recipient address rejected: User unknown in virtual mailbox table
Last-Attempt-Date: Sun, 27 Aug 2006 19:51:14 -0700

--k7S2pFpS003021.1156733475/server5.anon-dns.net
Content-Type: message/rfc822
Content-Transfer-Encoding: 8bit

Return-Path: <contact@bashsoftware.net>
Received: (mail@localhost) by server5.anon-dns.net (8.12.9) id k7S2pBpT003019 sender contact@bashsoftware.net for contact@mlb.co.uk; Sun, 27 Aug 2006 19:51:11 -0700
Received: from [201.7.74.116] (helo=mail.webreform.co.uk)
by server5.anon-dns.net with smtp (Exim 4.31)
id 1GHXCq-0000ke-7u
for contact@baseballsoftballuk.com; Sun, 27 Aug 2006 19:51:11 -0700
Received: from mx1.balanced.spunky.mail.dreamhost.com
by 201-7-84-7.spopa302.dial.brasiltelecom.net.br (Exim 4.05) with ESMTP id eECKl54CqGbQb
for contact@baseballsoftballuk.com; Mon, 28 Aug 2006 02:49:27 -0300
Received: from [105.149.225.147]
by mx1.balanced.spunky.mail.dreamhost.com with ESMTP (8.12.3 da nor stuldap/8.12.3) id 6oNaNnS6ugF2k
for contact@baseballsoftballuk.com; Mon, 28 Aug 2006 02:44:32 -0300

From: "contact@bashsoftware.net" <contact@bashsoftware.net>
Date: Mon, 28 Aug 2006 02:41:14 -0300
X-Mailer-Version: 20040906
X-From: contact@bashsoftware.net
X-Recipient: contact@baseballsoftballuk.com
Message-ID: <UcxbRdExXAKuP.4uf2YyTabOauh@bashsoftware.net>
To: contact@baseballsoftballuk.com
Content-type: text/html;
Charset=Windows-1251
Subject: Obtain the career you have always wanted with the University Degree you deserve.
MIME-Version: 1.0

A Genuine University Degree in 4-6 weeks!

Have you ever thought that the only thing stopping you from a great job and
better pay was a few letters behind you name?

Well now you can get them!

BA BSc MA MSc MBA PhD

Within 4-6 weeks!

No Study Required!

100% Verifiable!

These are real, genuine degrees that include Bachelors, Masters, MBA and Doctorate
Degrees. They are fully verifiable and certified transcripts are also available.

Just call the number below.

You’ll thank me later…

1-815-828-2222

24 hours a day, 7 days a week including Sundays and Holidays

sliding off the bed on to his feet - but a split second later it occurred

--k7S2pFpS003021.1156733475/server5.anon-dns.net--

[/quote]


#2

It is spoofed. When looking at the Received headers, you can’t trust the ones on the bottom - they can be faked so that it looks like it came from elsewhere. You have to backtrack.

1. Received: (mail@localhost) by server5.anon-dns.net (8.12.9) id k7S2pBpT003019 sender contact@bashsoftware.net for contact@mlb.co.uk; Sun, 27 Aug 2006 19:51:11 -0700

This looks OK. The anon-dns.net server is telling us it got the message but the actual recipient will be contact@mlb.co.uk - this server appears to be in Washington state.

2. Received: from [201.7.74.116] (helo=mail.webreform.co.uk)
by server5.anon-dns.net with smtp (Exim 4.31)
id 1GHXCq-0000ke-7u
for contact@baseballsoftballuk.com; Sun, 27 Aug 2006 19:51:11 -0700

anon-dns.net tells us it got the message from a server that claims it was mail.webreform.co.uk.
But the IP address is to a Brazilian machine, we’ll call it Brazil-A.

The next headers are the spoofed headers, claiming a Brazilian machine, we’ll call it Brazil-B, got the message from DreamHost.

So think about it. All the headers imply the message came from DreamHost in California, went through a network in Brazil, then back to the US. You know, Brazil sounds like quite a detour to get from California to Washington. No doubt the message actually originated in Brazil.

:cool: [color=#6600CC]Atropos[/color] | openvein.org
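The backtracking the reply describes, done mechanically over the four Received headers quoted in post #1. This is an added example, not code from either poster: it walks the chain top-down, stops trusting headers at the first hop whose "by" host is not the host (IP or HELO name) the hop above says it received from, and additionally flags a lower hop whose timestamp is later than the one above it, which the reply does not check. The hostnames and timestamps are the ones quoted in the thread; the parsing regex and both heuristics are mine.

```python
import re
from email.utils import parsedate_to_datetime

# The four Received headers of the bounced message quoted in post #1, top to bottom.
# The top one was added last (by the bouncing server); the bottom one is the earliest claim.
RECEIVED = [
    "(mail@localhost) by server5.anon-dns.net (8.12.9) id k7S2pBpT003019 sender "
    "contact@bashsoftware.net for contact@mlb.co.uk; Sun, 27 Aug 2006 19:51:11 -0700",
    "from [201.7.74.116] (helo=mail.webreform.co.uk) by server5.anon-dns.net with smtp "
    "(Exim 4.31) id 1GHXCq-0000ke-7u for contact@baseballsoftballuk.com; "
    "Sun, 27 Aug 2006 19:51:11 -0700",
    "from mx1.balanced.spunky.mail.dreamhost.com by 201-7-84-7.spopa302.dial.brasiltelecom.net.br "
    "(Exim 4.05) with ESMTP id eECKl54CqGbQb for contact@baseballsoftballuk.com; "
    "Mon, 28 Aug 2006 02:49:27 -0300",
    "from [105.149.225.147] by mx1.balanced.spunky.mail.dreamhost.com with ESMTP "
    "(8.12.3 da nor stuldap/8.12.3) id 6oNaNnS6ugF2k for contact@baseballsoftballuk.com; "
    "Mon, 28 Aug 2006 02:44:32 -0300",
]

# "from <host> (helo=<name>)" is optional (a locally re-injected message has none); "by <host>" is not.
HOP_RE = re.compile(r"(?:from\s+(?P<frm>\S+)(?:\s+\(helo=(?P<helo>[^)]+)\))?)?.*?\bby\s+(?P<by>\S+)", re.S)

def parse_hop(header):
    m = HOP_RE.search(header)
    date = parsedate_to_datetime(header.rsplit(";", 1)[1].strip())  # text after the last ';'
    clean = lambda s: s.strip("[]") if s else None                   # "[1.2.3.4]" -> "1.2.3.4"
    return {"from": clean(m.group("frm")), "helo": m.group("helo"), "by": m.group("by"), "date": date}

def audit(headers):
    """Top-down walk: a header is credible only while every header above it is, its 'by' host is
    the host the hop above says it received from, and its timestamp is not later than that hop."""
    hops = [parse_hop(h) for h in headers]
    findings, origin, trusted = [], None, True
    for i in range(1, len(hops)):
        above, hop = hops[i - 1], hops[i]
        # a hop with no 'from' was handed over inside the same server (here mail@localhost)
        expected = {above["by"]} if above["from"] is None else {above["from"], above["helo"]} - {None}
        if trusted and hop["by"] not in expected:
            origin = above["from"]  # last host a credible header actually saw
            findings.append(f"hop {i + 1} was written by {hop['by']}, but hop {i} received the message "
                            f"from {sorted(expected)}: chain broken, every header below is untrusted")
            trusted = False
        if hop["date"] > above["date"]:
            findings.append(f"hop {i + 1} is stamped {hop['date']:%d %b %H:%M %z}, later than hop {i} "
                            f"({above['date']:%d %b %H:%M %z}): not written in sequence")
    if trusted:
        origin = hops[-1]["from"]
    return {"origin": origin, "findings": findings}
```

Run on the quoted headers it names 201.7.74.116 (the host that claimed to be mail.webreform.co.uk) as the last credible sender, and flags hop 3 both for breaking the chain and for carrying a timestamp about three hours later than the hop above it.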