When I right-click and go to Options (in Outlook), the To: line is <firstname.lastname@example.org>
While I do have a catch-all set up, I never use that address, and my Sent Items folder in Outlook has nothing in it from that address. I checked the control panel at my host and it doesn't look like anyone has broken in there and added another address, and the site looks OK too. So what's going on? Are they faking this? If so, why? Should I be concerned? Is someone trying to make it look like I am sending out spam?
I once got 30000 bounces over two days, because some criminal pulled that stunt on me. Since most spammers are US-based and work through mail relays in China or similar places, there is really nothing you can do. 80% of the bounces I got were from yahoo.com, so I blocked yahoo for a month.
I have a feeling that spammers are somehow spreading out the return addresses. That way they don't overwhelm one mail box. I've received some bounced mail in my dsl provider email box. A few here and there. This may be a new tactic.
Also, if you're using bnbform under version 4.0, then you may still be vulnerable.
BNBForm 4.0 remote exploit
You also may want to take a look at this [hysteria.sk]. Or this one. (um, sorry. Better not. It's toys for bad kiddies. It has files for exploiting bnbform.)
You can always search for bnb exploit and find out about it.
The "Received: from unknown" line has domains with the following endings:
(I'm guessing tw is Taiwan, don't know what kr is)
Although one is:
One is from a .com (the one with the 'Want to boost your sales' subject line). I looked at the site, they are apparently in the Philippines and are involved with "INTERNET SPORTS BETTING".
So how do they pick their targets for whose email to use? Why me?
This is my first post. I did a search on Google for "ad_ad_path" and came across this thread.
I run a website and for the past week or so have also been getting return emails from "ad_ad_path@mydomain"
My most recent email returned a bunch of lines like this:
This user doesn't have a yahoo.com.tw account (email@example.com)
Looks like it's a bunch of spam for an emailer, ironically enough. Should I be at all concerned about this? Can my web host think they're coming from me?
JCary - Welcome to Webmaster World! That was a good idea to search Google; I should have done it also to learn more, but I guess I got a little lazy. Did you find out anything in addition to this thread about it? Some of mine look just like yours - I got a bunch of the 'yahoo.com.tw' ones also.
Someone also stickied me that they started getting these emails over the weekend also.
I haven't gotten any of them yet today though, maybe they will leave me alone now.
Will look into the formmail issue, that was new to me. Can anyone answer Trisha's question about the latest version of "bnbform v4.0" and updated "January 31, 2000"?
...and I also found this site by searching for ad_ad_path on google and it was (this morning) still the only hit.
~ Mark C
I'm kind of curious about how they chose the sites to do this to. Any common themes? I've found stuff in my logs lately that look unusual to me also, but maybe I'm getting too paranoid.
One targeting emails of the domain neosoft.com, going through alphabetically with M names. Subject in characters not displaying correctly on my computer. And "Received: from unknown (HELO Vishal-2001) (220.127.116.11)"
The other looking for newbern.nc.com, with: "Received: from unknown (HELO www.highspeedfx.net) (18.104.22.168)"
No mention of Himailer on either. I hope it is ok to post that information here. I don't really understand what it all means anyway. I'm guessing the people with email from the domains of neosoft.com and newbern.nc.com got a lot of spam today, except for the ones that got bounced back to me. But what does HELO indicate? Is that who is responsible for sending these? Or are they just like us and someone put their information in there also?
I thought about setting that ad_ad_path address up to forward to himailer or something, or to go back to whoever sent it, but maybe that would start some sort of infinite loop of bounced mails?
Yesterday I had the same idea! I thought, hmm what would happen if I created email account "ad_ad_path@mydomain" and had it forward somewhere else? Sounds like a good idea on the surface, right? Are we missing something?!
Would it though somehow verify something to them - I can't imagine what!?!
Also, isn't there a way to set up the "ad_ad_path@mydomain" account as a non-working/null account, where any mail sent to that address would get bounced to the sender as "account doesn't exist"?
The thing you have to be sure of is that the spammers have not been using your mail server to send mail. Our server is set up to not relay mail at all. A month or so ago roadrunner ran tests on our mail server checking for an open relay; at least they are looking for where the problem is. My mail log consistently shows relaying denied.
It's a problem, and I am not sure what else to do.
I don't think they are using my server to send it. I guess I should contact my host and let him know about it, just in case. From my hosts control panel I don't see anything suspicious, like a new email account having been made. What else should we look for to find out if they are using our mail servers to send the mail?
It seems to me if you open the server for you to send mail as firstname.lastname@example.org using mail.mydomain.com, and you can send mail from any ISP connection, then anyone can set up their mail client with your email stuff and slam out whatever they want.
I don't really understand your last comment. How can I tell how I have mail set up to send and/or receive?
Should I contact my webhost and alert them to this ad_ad_path thing happening? Can they do anything?
Also, what about the idea Trisha and I mentioned about setting up an e-mail account ad_ad_path@mydomain to forward elsewhere?
If you relay/forward the mail by setting up a dummy account, I think you would then be putting your footprint on the spam.
If you send mail through your server by setting up your mail client with the SMTP set to "mail.yourdomain.com" and your email address as email@example.com to send mail, then if you went to your friend's house and configured their mail client just like yours at home, you could then send mail from your friend's house using your server. If that's the case, then anyone can use your domain to send mail with your server.
Yes, but for someone else to be able to do that they would need your account name and password, wouldn't they?
Maybe part of the problem is from having set up a catch-all address. If I had not done that, those emails would not be coming to me, since I did not specifically set up an account with that address.
As I was writing this I got another:
"Want to boost your sales with Internet Marketing? Try HiMailer."
Do they to send mail? Or is the password for retrieving mail via IMAP or POP?
Now I know some hosts are set up with a window of time that you can send mail after it has been checked, for us that would leave the relay open most of the time. Like I said earlier this is an area that I am not real clear on.
Perhaps we have an expert here that could share?
Do they to send mail? Or is the password for retrieving mail via IMAP or POP?
That's a good point; honestly I don't know. I'm sure there are people who hang out here who do know these things, but they must not be following this thread. It was only recently that my host had an outgoing mail server for us to use; we used to have to use our ISP's SMTP for outgoing mail.
I get a couple of these mails per day through ad_ad_path@mydomain. I just want to add some info to your discussion and tell you that more domain owners are suffering from it, like me.
I did not read all these spam mails, most I threw away, but I think most of them come from Taiwan. The last one shows a Chinese advertisement with a Chinese girl, Chinese text and a company logo from "Open Online". There is a mail address firstname.lastname@example.org, which tells me it is indeed from Taiwan. Another one is a Taiwan mail from www.sciformosa.com.tw about "Minitab". A third one is from email@example.com about a Free Trial Version of "HiMailer", also with Chinese text in it. I have a feeling that it is all caused by just one annoying Taiwanese spammer or a small group.
All these spam mails come to ONE of our domain names, which is a short dot com. Maybe that is part of the reason why I am suffering? Do you guys also have short domain names?
I hope you guys can find a solution somehow. I am not technical and I do not understand anything about your discussion, but I will inform my hosting company about this and your discussion thread. Hope they can use this discussion to help me.
Over the weekend we received a load more failed delivery notifications plus our first 'you are listed as an open relay'. I checked with the web site cited (ordb.org) and we are not listed, so I guess that this proves that the originator faked the return address?
In the meantime I have contacted our host for their words of wisdom and will keep you posted.
It is my understanding that the reply address is easily faked but is there no record of the true originating address available in the headers of the original email? I guess you would need a copy of the original message being sent out and that is not usually included in the bounce replies.
Oh, well, hope you all have a spam free week...
"Looks like himailer.net is sending out spam and, for some reason, using actorpoint.com as the return path. There is not a lot that can be done to prevent this, other than to set up a mail rule blocking further bounce messages, and to complain to the contact address for himailer.net:
I thought they'd be able to shed a little more light on the issue... but they don't seem too concerned, which is a good thing!
Walt_G - the domain of mine they are using is kind of long so I don't think that's it. I'd still like to know what it is though.
It is my understanding that the reply address is easily faked but is there no record of the true originating address available in the headers of the original email?
If we set up something so that we don't receive the emails we will not know if they stopped though. Our domains could be blacklisted and we wouldn't really know what was going on.
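On the two questions raised earlier in this thread, what the HELO in "Received: from unknown (HELO ...) (ip)" indicates and whether the headers keep any record of the true origin: here is an added Python example, not code from anyone in this thread, that parses such trace headers from a bounced copy. It assumes the qmail-style Received format quoted above; the receiving hosts, dates and Return-Path domain in the sample are constructed.

```python
import re
from email import message_from_string
from typing import Dict, List, Optional

# Constructed sample bounce headers (not from any real message). The two
# "Received: from unknown (HELO ...) (ip)" lines reuse the values quoted in
# this thread; the receiving hosts mx.example.net / relay.example.org, the
# dates and the Return-Path domain are invented for illustration.
SAMPLE_HEADERS = """\
Return-Path: <ad_ad_path@mydomain.example>
Received: from unknown (HELO www.highspeedfx.net) (18.104.22.168)
  by mx.example.net with SMTP; 10 Mar 2003 10:11:12 -0000
Received: from unknown (HELO Vishal-2001) (220.127.116.11)
  by relay.example.org with SMTP; 10 Mar 2003 09:59:01 -0000
From: ad_ad_path@mydomain.example
Subject: Want to boost your sales with Internet Marketing? Try HiMailer.
"""

# qmail-style trace line: "from <reverse DNS or 'unknown'> (HELO <name the
# client claimed>) (<IP the receiving server saw>)". Only the IP is recorded
# by the receiver; the HELO string is whatever the connecting client sent.
RECEIVED_RE = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^)]+)\)\s+"
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)"
)

def parse_received(raw_headers: str) -> List[Dict[str, str]]:
    """Return one dict per parsable Received header, origin hop first."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received") or []:
        m = RECEIVED_RE.search(value)
        if m:
            hops.append(m.groupdict())
    # Each relay prepends its own Received line, so the last one in the
    # message is the hop closest to the true origin.
    hops.reverse()
    return hops

def origin_ip(raw_headers: str) -> Optional[str]:
    """IP the first receiving server observed: the only trustworthy trace
    of where the message entered the mail system."""
    hops = parse_received(raw_headers)
    return hops[0]["ip"] if hops else None

def return_path(raw_headers: str) -> str:
    """Envelope sender as claimed by the sender; trivially forged."""
    msg = message_from_string(raw_headers)
    return (msg.get("Return-Path") or "").strip().strip("<>")
```

The Return-Path and From naming your domain are sender-supplied and prove nothing about your server; the IP in the origin hop is what the receiving server itself recorded, while the HELO name (e.g. Vishal-2001) is merely what the connecting client claimed.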
Trisha, I think you are right not to auto-forward the mails, because you'd not see whether it stops. But if I would get hundreds of mails per day, I would probably think differently, I guess. Fortunately it's not that bad yet.
Today I got several mails regarding:
- firstname.lastname@example.org / FlashCA94 / Open Online
- Remote-MTA: DNS; mx.pchome.com.tw
Maybe this can help someone tracing them or finding a solution? It's getting rather annoying.
Is there any way to 'bomb' these sites with large mails? Maybe that would make them reconsider their strategy. But Jesus and Buddha would say not to take revenge, so maybe we should just send these guys lots of love? :-)
Does anyone still have an old "I love you" virus mail? ;-)