| 9:37 pm on Feb 17, 2003 (gmt 0)|
Are you using a formmail script?
| 9:50 pm on Feb 17, 2003 (gmt 0)|
not on that site, I just have an email address listed on it. It's not a site I've done much with lately. On other sites/domains that share the same account I have the bignosebird mail script set up, but I have never used any of the "Matt's" scripts.
| 9:59 pm on Feb 17, 2003 (gmt 0)|
It might be somebody using your domain or email address as the sender or reply-to on spam, so you get the bounces. Many spammers do that.
I once got 30000 bounces over two days, because some criminal pulled that stunt on me. Since most spammers are US based and work through mail relays in China or similar places, there is really nothing you can do. 80% of the bounces I got were from yahoo.com, so I blocked yahoo for a month.
| 10:16 pm on Feb 17, 2003 (gmt 0)|
seindal has a good point.
I have a feeling that spammers are somehow spreading out the return addresses. That way they don't overwhelm one mail box. I've received some bounced mail in my dsl provider email box. A few here and there. This may be a new tactic.
Also, if you're using bnbform under version 4.0, then you may still be vulnerable.
BNBForm 4.0 remote exploit
You also may want to take a look at this [hysteria.sk]. Or this one. (um, sorry. Better not. It's toys for bad kiddies. It has files for exploiting bnbform.)
You can always search for bnb exploit and find out about it.
| 10:24 pm on Feb 17, 2003 (gmt 0)|
seindal - that's kind of what I thought might be happening.
the "Received: from unknown" line has domains with the following endings:
(I'm guessing tw is taiwan, don't know what kr is)
Although one is:
One is from a .com (the one with the 'Want to boost your sales' subject line). I looked at the site, they are apparently in the Philippines and are involved with "INTERNET SPORTS BETTING".
So how do they pick their targets for whose email to use? Why me?
| 10:33 pm on Feb 17, 2003 (gmt 0)|
martinibuster - the bnbform version I use says "bnbform v4.0" and updated "January 31, 2000". It looks like that is still the newest version there is. Is it ok?
I've gotten 6 bounced mails altogether from yesterday and today. I got a few last week too.
| 10:45 pm on Feb 17, 2003 (gmt 0)|
.kr is Corea, one of the spam havens of this world. I block all of Corea on my mail-server.
.tw is Taiwan, another spammers paradise.
Most spam seem to pass through Corea, Taiwan or China.
Try to feed some of the mails to spamcom.net . They're very good at tracking down the origin.
| 12:48 am on Feb 18, 2003 (gmt 0)|
Make that spamcop.net
| 5:35 pm on Feb 20, 2003 (gmt 0)|
This is my first post. I did a search on Google for "ad_ad_path" and came across this thread.
I run a website and for the past week or so have been also getting return emails from "ad_ad_path@mydomain"
My most recent email returned a bunch of lines like this:
This user doesn't have a yahoo.com.tw account (firstname.lastname@example.org) 
Looks like it's a bunch of spam for an emailer, ironically enough. Should I be at all concerned about this? Can my web host think they're coming from me?
| 6:15 pm on Feb 20, 2003 (gmt 0)|
Thanks seindal - that's what I thought you meant.
JCary - Welcome to Webmaster World! That was a good idea to search Google I should have done it also to learn more, but I guess I got a little lazy. Did you find out anything in addition to this thread about it? Some of mine look just like yours - I got a bunch of the 'yahoo.com.tw' ones also.
Someone also stickied me that they started getting these emails over the weekend also.
I haven't gotten any of them yet today though, maybe they will leave me alone now.
| 6:52 pm on Feb 20, 2003 (gmt 0)|
by the way, I just can't resist:
corea = korea
| 7:56 pm on Feb 20, 2003 (gmt 0)|
When I did a search on Google for "ad_ad_path" believe it or not this site was the only returned result! Perhaps "ad ad path" would get more results....
| 8:28 am on Feb 21, 2003 (gmt 0)|
Just to add another voice ~ we also have been suffering from these emails over the last week or so. About 3-5 a day, containing (usually) 20 bad addresses. My main point is that they all seem to be related to the HiMailer "product" ('Want to boost your sales' as mentioned by Trisha), is this true for you as well?
Will look into the formmail issue, that was new to me. Can anyone answer Trisha's question about the latest version of "bnbform v4.0" and updated "January 31, 2000"?
...and I also found this site by searching for ad_ad_path on google and it was (this morning) still the only hit.
~ Mark C
| 6:44 pm on Feb 21, 2003 (gmt 0)|
Mine have slowed down now, although I did get another one yesterday. Some of mine were from the HiMailer thing as you (MCooke) mentioned. (Welcome to Webmaster World MCooke!) Many of them I didn't actually open and look at before deleting them, so I don't really know. If I get any today I'll look more closely.
I'm kind of curious about how they chose the sites to do this to. Any common themes? I've found stuff in my logs lately that look unusual to me also, but maybe I'm getting too paranoid.
| 8:16 pm on Feb 21, 2003 (gmt 0)|
I've received two today
One targeting emails of the domain neosoft.com, going through alphabetically with M names. Subject in characters not displaying correctly on my computer. And "Received: from unknown (HELO Vishal-2001) (126.96.36.199)"
The other looking for newbern.nc.com, with: "Received: from unknown (HELO www.highspeedfx.net) (188.8.131.52)"
No mention of Himailer on either. I hope it is ok to post that information here. I don't really understand what it all means anyway. I'm guessing the people with email from the domains of neosoft.com and newbern.nc.com got a lot of spam today, except for the ones that got bounced back to me. But what does HELO indicate? Is that who is responsible for sending these? Or are they just like us and someone put their information in there also?
I thought about setting that ad_ad_path address up to forward to himailer or something, or to go back to whoever sent it, but maybe that would start some sort of infinite loop of bounced mails?
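The question of what HELO means, asked in the post above, comes down to which parts of a Received line the sender controls and which the receiving server wrote down itself. The following is an added example (not code from the thread or from any poster) that parses a constructed set of Received lines in the same style as the ones quoted above; the host names and addresses are placeholders from the documentation ranges, not the hosts mentioned in the thread. It separates the client-supplied HELO name from the address the receiver observed, flags hops whose identity rests only on the client's say-so, and walks the chain from the top, trusting a line only while it was written by our own server or by the host that a trusted line above it resolved via reverse DNS.

```python
"""Read the 'Received:' trace in a bounce the way a mail admin does.

Added example; not code from the original thread. Headers below are
constructed and use RFC 5737 documentation addresses as placeholders.

In  Received: from unknown (HELO mailer-pc) (192.0.2.10) by mx.relay.example
  'unknown'       = the receiver found no reverse DNS for the client address
  'HELO mailer-pc'= whatever the client claimed to be; any string goes
  '192.0.2.10'    = the peer address the receiver saw; the one part the client
                    could not pick
Each server prepends its own line, so the top line is the most recent. Lines
below the last server you trust may be forged wholesale.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample in qmail-style format (other MTAs order the fields differently).
SAMPLE_HEADERS = """\
Return-Path: <>
Received: from mx.relay.example (HELO mx.relay.example) (203.0.113.5)
  by mail.mydomain.example with SMTP; Fri, 21 Feb 2003 19:40:01 +0000
Received: from unknown (HELO mailer-pc) (192.0.2.10)
  by mx.relay.example with SMTP; Fri, 21 Feb 2003 19:39:58 +0000
Received: from unknown (HELO www.bulkmailer.example) (198.51.100.7)
  by mailer-pc with SMTP; Fri, 21 Feb 2003 18:02:11 +0000
From: <ad_ad_path@mydomain.example>
Subject: Want to boost your sales with Internet Marketing?
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HELO = re.compile(r"\(HELO\s+([^)\s]+)\)", re.IGNORECASE)


@dataclass
class Hop:
    reported_name: str        # rDNS name logged by the receiver, or 'unknown'
    helo: Optional[str]       # client-supplied HELO/EHLO name; never trustworthy
    client_ip: Optional[str]  # peer address seen by the receiver; trustworthy for this hop
    received_by: str          # the server that wrote this line


def unfold(raw: str) -> List[str]:
    """Join folded continuation lines (leading whitespace) into single header lines."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received(raw: str) -> List[Hop]:
    """Return the Received hops in header order (top of header = most recent)."""
    hops: List[Hop] = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        body = line.split(":", 1)[1].strip()
        from_part, _, by_part = body.partition(" by ")
        m_from = re.match(r"from\s+(\S+)", from_part)
        m_helo = HELO.search(from_part)
        ips = IPV4.findall(from_part)          # last IP in the 'from' clause is the peer
        m_by = re.match(r"(\S+)", by_part)
        hops.append(Hop(
            reported_name=m_from.group(1) if m_from else "",
            helo=m_helo.group(1) if m_helo else None,
            client_ip=ips[-1] if ips else None,
            received_by=m_by.group(1) if m_by else "",
        ))
    return hops


def unverifiable_hops(hops: List[Hop]) -> List[Hop]:
    """Hops whose client identity rests on the client's own claim: no reverse
    DNS, or a HELO name that differs from the name the receiver resolved."""
    return [h for h in hops
            if h.reported_name.lower() == "unknown"
            or (h.helo is not None and h.helo.lower() != h.reported_name.lower())]


def deepest_credible_client_ip(hops: List[Hop], our_servers: Set[str]) -> Optional[str]:
    """Walk down from our own server. A line is credible only if written by a
    server we trust, or by the host that the credible line above it resolved
    via reverse DNS. Returns the peer address of the deepest credible line:
    the last machine whose connection was actually observed by a trusted party."""
    expected_writers = {s.lower() for s in our_servers}
    deepest: Optional[str] = None
    for h in hops:
        if h.received_by.lower() not in expected_writers:
            break                                   # from here down, only claims
        deepest = h.client_ip
        name = h.reported_name.lower()
        expected_writers = {name} if name != "unknown" else set()
    return deepest


def earliest_client_ip(hops: List[Hop]) -> Optional[str]:
    """Bottom-most peer address: the submitting machine *if* every server in
    the chain logged honestly. Compare with deepest_credible_client_ip."""
    return hops[-1].client_ip if hops else None
```

On the sample, the credible trace stops at 192.0.2.10 (the machine that connected to mx.relay.example), because the bottom line claims to be written by a host that no trusted server resolved; its 198.51.100.7 is a claim, not an observation. When reporting a bounce to an abuse desk or a service like spamcop.net, the credible address is the one worth sending, not the HELO string.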
| 9:39 pm on Feb 21, 2003 (gmt 0)|
Yesterday I had the same idea! I thought, hmm what would happen if I created email account "ad_ad_path@mydomain" and had it forward somewhere else? Sounds like a good idea on the surface, right? Are we missing something?!
Would it though somehow verify something to them - I can't imagine what!?!
Also, isn't there a way to set up the "ad_ad_path@mydomain" account as a non-working/null account? Where any mail sent to that address would get bounced to the sender as "account doesn't exist"?
| 9:51 pm on Feb 21, 2003 (gmt 0)|
I have had this going on for a while. As of today we got our first email back (one that we sent) stating that we had been black listed. This is a case of a small isp banning based on domain name and not the true sender. It is a problem.
The thing you have to be sure of is that the spammers have not been using your mail server to send mail. Our server is set up to not relay mail at all. A month or so ago roadrunner ran tests on our mail server checking for an open relay, at least they are looking for where the problem is. My mail log consistently shows relaying denied.
It's a problem, and I am not sure what else to do.
| 10:09 pm on Feb 21, 2003 (gmt 0)|
Luckily this is not a domain that I use for anything real important. Still, I don't want it to get black listed.
I don't think they are using my server to send it. I guess I should contact my host and let him know about it, just in case. From my hosts control panel I don't see anything suspicious, like a new email account having been made. What else should we look for to find out if they are using our mail servers to send the mail?
| 10:35 pm on Feb 21, 2003 (gmt 0)|
To me this mail server thing is the most cryptic part of the server setup. I have chosen not to send mail with the server because I was not comfortable in configuring it properly. It was easier not to relay mail and be sure the door was closed.
It seems to me if you open the server for you to send mail as email@example.com using mail.mydomain.com, and you can send mail from any isp connection, then anyone can set up their mail client with your email stuff and slam out whatever they want.
| 10:58 pm on Feb 21, 2003 (gmt 0)|
I don't really understand your last comment. How can I tell how I have mail set up to send and/or receive?
Should I contact my webhost and alert them to this ad_ad_path thing happening? Can they do anything?
Also, what about the idea Trisha and I mentioned about setting up an e-mail account ad_ad_path@mydomain to forward elsewhere?
| 11:34 pm on Feb 21, 2003 (gmt 0)|
What I was saying is, if you send mail through your server by setting up your mail client with the smtp set to "mail.yourdomain.com" and your email address as firstname.lastname@example.org to send mail. Then if you went to your friend's house and configured their mail client just like yours at home, you could then send mail from your friend's house using your server. If that's the case then anyone can use your domain to send mail with your server.
If you relay/forward the mail by setting up a dummy account I think you would be then putting your footprint on the spam.
| 12:03 am on Feb 22, 2003 (gmt 0)|
|if you send mail through your server by setting up your mail client with the smtp set to "mail.yourdomain.com" and your email address as email@example.com to send mail. Then if you went to your friend's house and configured their mail client just like yours at home, you could then send mail from your friend's house using your server. If that's the case then anyone can use your domain to send mail with your server. |
Yes, but for someone else to be able to do that they would need your account name and password, wouldn't they?
Maybe part of the problem is from having set up a catch-all address. If I had not done that, those emails would not be coming to me, since I did not specifically set up an account with that address.
As I was writing this I got another:
"Want to boost your sales with Internet Marketing? Try HiMailer."
| 12:25 am on Feb 22, 2003 (gmt 0)|
>> Yes, but for someone else to be able to do that they would need your account name and password, wouldn't they? <<
Do they need one to send mail? Or is the password for retrieving mail via imap or pop?
Now I know some hosts are set up with a window of time that you can send mail after it has been checked, for us that would leave the relay open most of the time. Like I said earlier this is an area that I am not real clear on.
Perhaps we have an expert here that could share?
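The relay question running through the last several posts (does sending need a password, what "relaying denied" in the log proves, what a catch-all changes, and what the "send for a while after you check mail" scheme leaves open) is decided by the server at the SMTP `RCPT TO` step. The following is an added example, not code from the thread or from any real mail server: a small model of that decision. The domain, mailbox and network values are assumed placeholders.

```python
"""Model of the decision a mail server makes at SMTP 'RCPT TO:<address>'.

Added example; not code from the original thread or from any real MTA.
Domains, mailboxes and networks below are assumed placeholders.

  * Delivery *to* a local domain needs no password: anyone may hand you mail
    for your own users. That is why forged-sender bounces arrive at all.
  * Relaying *through* you to a foreign domain must require an authenticated
    session (SMTP AUTH) or a client address you trust. Saying 250 to a
    stranger here is what 'open relay' means.
  * A catch-all turns every unknown local address into an accepted one, so
    ad_ad_path@ is accepted instead of rejected with 550.
  * POP-before-SMTP trusts an *address* for a while, not a user.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Set, Tuple


@dataclass
class Session:
    client_ip: str                 # peer address of the TCP connection
    authenticated: bool = False    # SMTP AUTH succeeded earlier in this session
    now: float = 0.0               # clock in seconds, injected for determinism


@dataclass
class ServerPolicy:
    local_domains: Set[str]                         # domains we accept mail for
    mailboxes: Set[str]                             # existing local addresses, lowercase
    catch_all: bool = False                         # accept any local-part at a local domain
    trusted_networks: Tuple[str, ...] = ("127.0.0.0/8",)   # may relay without AUTH
    pop_before_smtp_window: float = 0.0             # seconds; 0 disables the scheme
    recent_pop_logins: Dict[str, float] = field(default_factory=dict)  # ip -> time


def _in_trusted_network(policy: ServerPolicy, ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in ip_network(net) for net in policy.trusted_networks)


def _pop_before_smtp_ok(policy: ServerPolicy, session: Session) -> bool:
    """Anyone sharing the address that checked mail (NAT, dial-up pool, a
    compromised box) inherits the relay permission for the whole window."""
    if policy.pop_before_smtp_window <= 0:
        return False
    last = policy.recent_pop_logins.get(session.client_ip)
    return last is not None and session.now - last <= policy.pop_before_smtp_window


def rcpt_decision(policy: ServerPolicy, session: Session, recipient: str) -> Tuple[int, str]:
    """Return the (code, text) SMTP reply to 'RCPT TO:<recipient>'."""
    rcpt = recipient.strip("<>").lower()
    _, _, domain = rcpt.rpartition("@")
    if domain in policy.local_domains:
        # Inbound mail for our own domain: no credential involved.
        if rcpt in policy.mailboxes:
            return 250, "2.1.5 OK"
        if policy.catch_all:
            return 250, "2.1.5 OK (catch-all)"
        return 550, "5.1.1 User unknown"
    # Foreign domain: accepting this means carrying someone else's mail.
    if (session.authenticated
            or _in_trusted_network(policy, session.client_ip)
            or _pop_before_smtp_ok(policy, session)):
        return 250, "2.1.5 OK (relay permitted)"
    return 554, "5.7.1 Relaying denied"


def looks_like_open_relay(policy: ServerPolicy, probe_ip: str = "198.51.100.77") -> bool:
    """What a relay-checking service does: an unauthenticated stranger asks us
    to carry mail to a third party. A 250 means we are an open relay."""
    code, _ = rcpt_decision(policy, Session(client_ip=probe_ip), "victim@elsewhere.example")
    return code == 250


# Assumed policy for a small hosted domain with one real mailbox and no catch-all.
POLICY = ServerPolicy(
    local_domains={"mydomain.example"},
    mailboxes={"webmaster@mydomain.example"},
    trusted_networks=("127.0.0.0/8", "192.0.2.0/24"),   # assumed office LAN
)

if __name__ == "__main__":
    stranger = Session("203.0.113.9")
    for rcpt in ("webmaster@mydomain.example", "ad_ad_path@mydomain.example",
                 "victim@elsewhere.example"):
        print(rcpt, "->", rcpt_decision(POLICY, stranger, rcpt))
    print("open relay?", looks_like_open_relay(POLICY))
```

Reading the model against the thread: a stranger gets 250 for the real mailbox and 550 for ad_ad_path (no catch-all), and 554 for any foreign address, which is the "relaying denied" line in the log; the same foreign address is accepted once the session has authenticated, so the password protects relaying, not receiving. With a catch-all turned on, ad_ad_path is accepted too, which is exactly why the bounces land in the catch-all mailbox.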
| 12:57 am on Feb 23, 2003 (gmt 0)|
|Do they to send Mail? Or is the password for retriving mail via imap or pop? |
That's a good point, honestly I don't know. I'm sure there are people who hang out here who do know these things, but they must not be following this thread. It was only recently that my host had an outgoing mail server for us to use, we used to have to use our ISP's SMTP for outgoing mail.
| 12:11 pm on Feb 23, 2003 (gmt 0)|
I am completely new to this forum. I also found the "ad_ad_path" discussion as the only hit with Google.
I get a couple of these mails per day through ad_ad_path@mydomain. I just want to add some info to your discussion and tell you that more domain owners are suffering from it, like me.
I did not read all these spam mails, most I threw away, but I think most of them come from Taiwan. The last one shows a Chinese advertisement with a Chinese girl, Chinese texts and a company logo from "Open Online". There is a mail address firstname.lastname@example.org, which tells me indeed it is from Taiwan. Another one is a Taiwan mail from www.sciformosa.com.tw about "Minitab". A third one is from email@example.com about a Free Trial Version of "HiMailer", also with Chinese text in it. I have a feeling that it is all caused by just one annoying Taiwanese spammer or a small group.
All these spam mails come to ONE of our domain names, which is a short dot com. Maybe that is part of the reason why I am suffering? Do you guys also have short domain names?
I hope you guys can find a solution somehow. I am not technical and I do not understand anything about your discussion, but I will inform my hosting company about this and your discussion thread. Hope they can use this discussion to help me.
| 8:26 am on Feb 24, 2003 (gmt 0)|
Good morning folks,
over the weekend we received a load more failed delivery notifications plus our first 'you are listed as an open relay'. I checked with the web site cited (ordb.org) and we are not listed, so I guess that this proves that the originator faked the return address?
In the meantime I have contacted our host for their words of wisdom and will keep you posted.
It is my understanding that the reply address is easily faked but is there no record of the true originating address available in the headers of the original email? I guess you would need a copy of the original message being sent out and that is not usually included in the bounce replies.
Ho, well, hope you all have a spam free week...
| 2:13 pm on Feb 24, 2003 (gmt 0)|
Well, I e-mailed my host regarding this and after I sent them one of the e-mails to see, I got this reply back from them:
"Looks like himailer.net is sending out spam and, for some reason, using actorpoint.com as the return path. There is not a lot that can be done to prevent this, other than to set up a mail rule blocking further bounce messages, and to complain to the contact address for himailer.net:
I thought they'd be able to shed a little more light on the issue... but they don't seem too concerned, which is a good thing!
| 7:05 pm on Feb 24, 2003 (gmt 0)|
Mine increased over the weekend too, 8 on Sat. and 7 Sun., of course some of those had multiple emails within them. 3 today so far.
Walt_G - the domain of mine they are using is kind of long so I don't think that's it. I'd still like to know what it is though.
|It is my understanding that the reply address is easily faked but is there no record of the true originating address available in the headers of the original email? |
This is what I really wasn't sure about because I don't know what all the header information means.
If we set up something so that we don't receive the emails we will not know if they stopped though. Our domains could be blacklisted and we wouldn't really know what was going on.
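Two points raised above fit together: MCooke asked whether the true origin can be read from the headers when the bounce does not carry the original message, and the host's suggested "mail rule blocking further bounce messages" runs into the worry in the post just above, that dropping them silently means never knowing whether the spam run has stopped. The following is an added example (not code from the thread, from any poster, or from any hosting company) that parses a constructed standards-style bounce with Python's standard `email` package, recognizes it as backscatter addressed to the forged address, pulls out the machine-readable fields (Remote-MTA, Status, Diagnostic-Code) and, when the remote server enclosed the original message, the Received line it wrote when the spammer connected to it, and then files the bounce with a running count rather than deleting it. Domain names and the protected address are assumed placeholders.

```python
"""Recognize backscatter (bounces of mail you never sent) and file it with a
count instead of deleting it blind.

Added example; not code from the original thread or from any mail host. The
bounce below is constructed and its domains are placeholders.

A standards-style bounce (RFC 3464) is a multipart/report with three parts: a
human-readable note, a message/delivery-status block with machine-readable
fields, and usually the original message or its headers. That last part is
where the spam's origin can be read, if the remote server included it.
"""
import email
from collections import Counter
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List, Optional

PROTECTED = "ad_ad_path@mydomain.example"   # the address the spammer forges (assumed)

SAMPLE_BOUNCE = """\
Return-Path: <>
Received: from mx.remote.example (HELO mx.remote.example) (203.0.113.5)
  by mail.mydomain.example with SMTP; Mon, 24 Feb 2003 23:10:00 +0000
From: Mail Delivery System <MAILER-DAEMON@mx.remote.example>
To: <ad_ad_path@mydomain.example>
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
  boundary="B1"

--B1
Content-Type: text/plain; charset=us-ascii

This is the mail system at host mx.remote.example. Your message could not
be delivered to one or more recipients.

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.remote.example

Final-Recipient: rfc822; someone@remote.example
Action: failed
Status: 5.1.1
Remote-MTA: dns; mx.remote.example
Diagnostic-Code: smtp; 550 5.1.1 User unknown

--B1
Content-Type: message/rfc822

Received: from unknown (HELO mailer-pc) (192.0.2.10)
  by mx.remote.example with SMTP; Mon, 24 Feb 2003 23:09:55 +0000
From: <ad_ad_path@mydomain.example>
To: <someone@remote.example>
Subject: Want to boost your sales with Internet Marketing? Try HiMailer.

(spam body)
--B1--
"""


def _after_type(value: str) -> str:
    """'dns; host' -> 'host', 'rfc822; addr' -> 'addr', 'smtp; 550 ...' -> '550 ...'."""
    return value.split(";", 1)[-1].strip()


def _delivery_status_blocks(msg: Message) -> List[Message]:
    """Per-recipient field blocks of the message/delivery-status part (the
    email package parses each blank-line-separated block as a Message)."""
    for part in msg.walk():
        if part.get_content_type() == "message/delivery-status":
            return [blk for blk in part.get_payload() if blk.get("Final-Recipient")]
    return []


def _enclosed_original(msg: Message) -> Optional[Message]:
    """The returned original message, if the remote server included one."""
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_payload()
            return inner[0] if inner else None
    return None


def classify_bounce(raw: str, protected: str = PROTECTED) -> Optional[Dict[str, str]]:
    """Summary dict if `raw` is a bounce addressed to the forged address,
    else None (ordinary mail: deliver it as usual)."""
    msg = email.message_from_string(raw)
    is_dsn = (msg.get_content_type() == "multipart/report"
              and str(msg.get_param("report-type", "")).lower() == "delivery-status")
    null_sender = parseaddr(msg.get("Return-Path", ""))[1] == ""   # bounces come from <>
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    if to_addr != protected.lower() or not (is_dsn or null_sender):
        return None
    blocks = _delivery_status_blocks(msg)
    first = blocks[0] if blocks else Message()
    orig = _enclosed_original(msg)
    return {
        "remote_mta": _after_type(first.get("Remote-MTA", "")),
        "final_recipient": _after_type(first.get("Final-Recipient", "")),
        "status": first.get("Status", "").strip(),
        "diagnostic": _after_type(first.get("Diagnostic-Code", "")),
        # From the enclosed original: what went out in our name, and the line
        # the remote server wrote when the spammer's machine connected to it.
        "spam_subject": orig.get("Subject", "") if orig else "",
        "original_received": orig.get("Received", "") if orig else "",
    }


class BackscatterLog:
    """The 'mail rule' the host proposed, kept countable: file it, don't drop it."""

    def __init__(self) -> None:
        self.total = 0
        self.by_mta: Counter = Counter()
        self.by_subject: Counter = Counter()

    def file(self, raw: str) -> bool:
        """True if the message was filed as backscatter, False if it is real mail."""
        report = classify_bounce(raw)
        if report is None:
            return False
        self.total += 1
        self.by_mta[report["remote_mta"]] += 1
        self.by_subject[report["spam_subject"]] += 1
        return True
```

Two caveats a practitioner should keep in mind. First, the `To:` check is on the header, not the envelope recipient; in a real filter, use the envelope address the MTA hands you, since the header is as forgeable as anything else. Second, the Received line pulled from the enclosed original was written by the remote server, so its value depends on trusting that server's logging; the address in it, not the HELO name, is what to quote when reporting the run.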
| 12:06 am on Feb 25, 2003 (gmt 0)|
For me the number of error mails is increasing slowly, alas. In the last couple of hours there were 9 of them.
I really wonder how they select their 'victim' addresses.
Trisha, I think you are right not to auto-forward the mails, because you'd not see whether it stops. But if I would get hundreds of mails per day, I would probably think differently, I guess. Fortunately it's not that bad yet.
Today I got several mails regarding:
- firstname.lastname@example.org / FlashCA94 / Open Online
- Remote-MTA: DNS; mx.pchome.com.tw
Maybe this can help someone tracing them or finding a solution? It's getting rather annoying.
Is there any way to 'bomb' these sites with large mails? Maybe that would make them reconsider their strategy. But Jesus and Buddha would say not to take revenge, so maybe we should just send these guys lots of love? :-)
Does anyone still have an old "I love you" virus mail? ;-)