Forum Moderators: phranque


troubleshooting and e-mail failure notice

odd bounce message

         

bill

7:47 am on Nov 2, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I'm at somewhat of a loss as to how to troubleshoot this one.

  1. Yesterday Mr. X sent out a message to 5 people.
  2. Mr. X received a bounce message but it was not from any of the original recipients.
  3. All intended recipients confirmed that they received the message.
  4. The bounce message came from the mail server of two of the message's recipients.
  5. The address being bounced is completely unknown and not in anyone's address books.

The bounce message looks like this:

From: <MAILER-DAEMON@mail.example.cn>
To: <mr.x@example.co.jp>
Sent: 1 Nov 2005 06:45:03 -0000
Subject: failure notice

Hi. This is Rockmail at mail.example.cn.
I'm afraid I wasn't able to deliver your message to the following
addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<example@some-usa-based-isp.net>:
204.127.x.x does not like recipient.
Remote host said: 551 not our customer
Giving up on 204.127.x.x.

--- Enclosed is a copy of the message.
........

I've done spyware and virus scans on the sender's PC. Nothing shows up. Is it possible that one of the recipient's machines is doing this?
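A way to turn the observations in the post above into a repeatable check, as an added example that is not part of the original thread: it parses a failure notice in the format quoted above and reports whether the bounced address was ever an original recipient and whether the reporting server handles mail for one of them. The function name `triage_bounce` and the recipient addresses used with it are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the failure notice quoted in the post above.
SAMPLE_BOUNCE = """\
From: <MAILER-DAEMON@mail.example.cn>
To: <mr.x@example.co.jp>
Subject: failure notice

Hi. This is Rockmail at mail.example.cn.
I'm afraid I wasn't able to deliver your message to the following
addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<example@some-usa-based-isp.net>:
204.127.x.x does not like recipient.
Remote host said: 551 not our customer
Giving up on 204.127.x.x.

--- Enclosed is a copy of the message.
"""

def triage_bounce(raw, original_recipients):
    """Return one finding per failed address in a failure notice of this format."""
    msg = message_from_string(raw.replace("\r\n", "\n"))
    # Keep only the report; the enclosed copy may mention other addresses.
    report = msg.get_payload().split("--- Enclosed is a copy of the message.")[0]
    reporter = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    known = {a.lower() for a in original_recipients}
    domains = {a.rpartition("@")[2] for a in known}
    # Does the server that generated the bounce handle a recipient's domain?
    serves = any(reporter == d or reporter.endswith("." + d) for d in domains)
    findings = []
    # Each failure is "<address>:" on its own line, then detail lines up to a blank line.
    for m in re.finditer(r"^<([^<>\s]+@[^<>\s]+)>:\n((?:.+\n)+)", report, re.M):
        addr, detail = m.group(1).lower(), m.group(2)
        code = re.search(r"^Remote host said: (\d{3})", detail, re.M)
        findings.append({
            "reporting_server": reporter,
            "failed_address": addr,
            "smtp_code": int(code.group(1)) if code else None,
            "permanent": bool(code) and code.group(1).startswith("5"),
            "in_original_recipients": addr in known,
            "reporter_serves_recipient": serves,
        })
    return findings
```

A finding with `in_original_recipients` false and `reporter_serves_recipient` true matches the situation described in the post: the message reached a listed recipient's server, and the failed delivery attempt to the unknown address started from there.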

Leosghost

7:56 am on Nov 2, 2005 (gmt 0)




Yes..and spoofing its headers ..very very common last year and earlier part of this ..can't remember the name of the virus/worm tho ..

bill

8:16 am on Nov 2, 2005 (gmt 0)




So could I reasonably deduce that the virus is on one of the two machines sharing that mail server?

Leosghost

9:18 am on Nov 2, 2005 (gmt 0)




yes ..and probably on all the machines that are unprotected that were in the address book of the infected machine ..strangely enough I just realised in about 1 hour I have a meeting with a friend in the gendarmerie national ( French national police force ..one of them anyway ..complex the police system here ) ..
the regional law courts had this virus last year and I spotted its behaviour ( like your "returns" ) in his emails to me ..no one else had the entries in their address book that would make sense as they were from his colleagues and motorcycle clubs ..but also from internal departments of the French judicial system ..

tracked it to the regional criminal law courts machines ..took a lot of persuading them that they had a problem ..they were as most French do using Norton AV on Millennium ( can you believe it, Millennium! )..

I'll ask him and wrack my brains a bit to try and get the name for you of the critter ..

meanwhile suggest to your correspondents that they download NOD32 and run it ..

bill

10:02 am on Nov 2, 2005 (gmt 0)




The culprits here are using Norton it seems. My first thought was to get them onto NOD32. Glad to see we're thinking along the same lines there.

If you or your gendarmerie national friend remembers the name of this one I'd appreciate it.