Fake Bounce Spam Emails in Gmail - Are These Really That Fake?

@Si4351233

Posted in: #BulkEmail #Email #Spam

Are spam messages labeled by Gmail as "Fake Bounce Emails" really that fake in all cases? Is there a way they could actually be legit?



We run a server with multiple domains which have all the classic email addresses such as admin@, webmaster@, postmaster@, support@ managed by a team inbox under a non-masked gmail account. There is 1 domain for which Gmail manages a POP for the support@, the rest of them are just forwarders into Gmail as an alias. For the sake of example, let's call it "ourmailer@gmail.com", although that address is never used. Instead, mail for each domain fires off into that inbox, and we are able to use each domain address normally.

Over the last few months, we have begun to notice a lot of strange bounce mails going straight to spam that seem to be fakes. They are always trying to send via the unused ourmailer@gmail.com address. I have performed 3 server audits to make sure nothing is up, but I can't help feeling like I missed something or that they have found a way to usurp their way into the chain somehow.

Here are the contents of one of the emails received this morning. They always seem to be related to Comcast, as if a user on that ISP is trying to spam via us as a relay, to our own ourmailer acronym on the @comcast.net domain. The subject is always "Delivery report":


Hello, this is the mail server on server233.marketbox.org.

I am sending you this message to inform you on the delivery status of
a message you previously sent. Immediately below you will find a list
of the affected recipients; also attached is a Delivery Status
Notification (DSN) report in standard format, as well as the headers
of the original message.

delivery failed; will not continue trying

Final-Recipient: rfc822;ourmailer@comcast.net
Action: failed
Status: 5.3.2 (system not accepting network messages)
Remote-MTA: dns;mx2.comcast.net (68.87.20.5)
Diagnostic-Code: smtp;554 resimta-ch2-11v.sys.comcast.net comcast 23.227.123.207 found on one or more DNSBLs, see postmaster.comcast.net/smtp-error-codes.php#BL000010
X-PowerMTA-BounceCategory: spam-related


They come with an attachment; here is what it contains:

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=2014; d=server233.marketbox.org;
h=Reply-To:From:To:Subject:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Date;
bh=e93hXRYq9rZhWCc86TP8tys4zgc=;
b=zuzPWcZK9atz/EzVmI0P28AMPvfOAw5fH7Mj2hzZeay+OtI+x1baocpgNetYrmxUWOxmV224xLjs
3+hcllzUdQx+KGbnhbKjbL4TPqnnawzZT7MVEpx+xEupvFr6lHbsko0RHmo3PELQx2g36f1W20p7
tOsr9R6TCnLTT8PwEDyL6LyGnzWx+EiemIutea2IJQq0ZjJqeuAN+/vR8pMOKmomCMlZ8XB0XSkA
5GB2HyQGwYsg0faMr1GOKMHj4lOXsOmkK0wAsBhrlPKBuifGyW9kD2SVB9isqXmmicT/K97EzVEt
MJGtPZPQnZG4D223BL0tiMAm1NdchA3pTjSVIw==
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=2014; d=gmail.com;
b=7iJ8c9LGnHx41HeXBDcF+BfOo00JISLpAXWCgjb8gMsx3IMl3d3XmuQq1WjJUJMcv0F8elpyhlqx
Yi7El32waoPt+hdETL3RRAP+sIIg1m+3T2an0Ts9ybQrzyFygMSn3StJK50BmlD9JLWdf8yRczvV
idKNQSRdX70REbGeILbJfZGedTMyE5K6G3Z1lohK2TAertnQfMQriJ6gWp/JUKPLn7ANbjyBnGiY
ean8Bu2kAXT63xqIWi2qhgTp9rGLUJKDHnyPxe+XwgvW8+q573COsfOP4nO17xCVb6bYMrw0CXKS
jLUIqOil20SYEzmWsNP7PcqMze8Xz87JrK27dA==;
Reply-To: QVS <ourmailer@gmail.com>
From: Complete Cycle <ourmailer@gmail.com>
To: ourmailer@comcast.net
Subject: Quantum Vision System is not for everyone..
Message-ID: <20150609072032.3BCAC4CA918DF8F4@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain;
charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 9 Jun 2015 05:58:14 -0400


Here is the full original email:

Delivered-To: ourmailer@gmail.com
Received: by 10.76.12.73 with SMTP id w9csp2094196oab;
Tue, 9 Jun 2015 02:58:10 -0700 (PDT)
X-Received: by 10.182.86.9 with SMTP id l9mr18546126obz.61.1433843890434;
Tue, 09 Jun 2015 02:58:10 -0700 (PDT)
Return-Path: <>
Received: from server233.marketbox.org (server233.marketbox.org. [23.227.123.207])
by mx.google.com with ESMTP id hm8si3687079obb.87.2015.06.09.02.58.10
for <ourmailer@gmail.com>;
Tue, 09 Jun 2015 02:58:10 -0700 (PDT)
Received-SPF: pass (google.com: domain of server233.marketbox.org designates 23.227.123.207 as permitted sender) client-ip=23.227.123.207;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of server233.marketbox.org designates 23.227.123.207 as permitted sender) smtp.mail=;
dmarc=pass (p=REJECT dis=NONE) header.from=server233.marketbox.org
Message-Id: <5576b8b2.c86cb60a.7629.4259SMTPIN_ADDED_MISSING@mx.google.com>
Date: Tue, 9 Jun 2015 05:58:14 -0400
From: postmaster@server233.marketbox.org
Subject: Delivery report
To: ourmailer@gmail.com
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="report5576B8B6@server233.marketbox.org"


--report5576B8B6@server233.marketbox.org
Content-Type: text/plain

Hello, this is the mail server on server233.marketbox.org.

I am sending you this message to inform you on the delivery status of a
message you previously sent. Immediately below you will find a list of
the affected recipients; also attached is a Delivery Status Notification
(DSN) report in standard format, as well as the headers of the original
message.

<ourmailer@comcast.net> delivery failed; will not continue trying

--report5576B8B6@server233.marketbox.org
Content-Type: message/delivery-status

Reporting-MTA: dns;server233.marketbox.org
X-PowerMTA-VirtualMTA: mta233
Received-From-MTA: dns;gmail.com (85.17.28.66)
Arrival-Date: Tue, 9 Jun 2015 01:20:37 -0400

Final-Recipient: rfc822;ourmailer@comcast.net
Action: failed
Status: 5.3.2 (system not accepting network messages)
Remote-MTA: dns;mx2.comcast.net (68.87.20.5)
Diagnostic-Code: smtp;554 resimta-ch2-11v.sys.comcast.net comcast 23.227.123.207 found on one or more DNSBLs, see postmaster.comcast.net/smtp-error-codes.php#BL000010
X-PowerMTA-BounceCategory: spam-related

--report5576B8B6@server233.marketbox.org
Content-Type: text/rfc822-headers

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=2014; d=server233.marketbox.org;
h=Reply-To:From:To:Subject:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Date;
bh=e93hXRYq9rZhWCc86TP8tys4zgc=;
b=zuzPWcZK9atz/EzVmI0P28AMPvfOAw5fH7Mj2hzZeay+OtI+x1baocpgNetYrmxUWOxmV224xLjs
3+hcllzUdQx+KGbnhbKjbL4TPqnnawzZT7MVEpx+xEupvFr6lHbsko0RHmo3PELQx2g36f1W20p7
tOsr9R6TCnLTT8PwEDyL6LyGnzWx+EiemIutea2IJQq0ZjJqeuAN+/vR8pMOKmomCMlZ8XB0XSkA
5GB2HyQGwYsg0faMr1GOKMHj4lOXsOmkK0wAsBhrlPKBuifGyW9kD2SVB9isqXmmicT/K97EzVEt
MJGtPZPQnZG4D223BL0tiMAm1NdchA3pTjSVIw==
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=2014; d=gmail.com;
b=7iJ8c9LGnHx41HeXBDcF+BfOo00JISLpAXWCgjb8gMsx3IMl3d3XmuQq1WjJUJMcv0F8elpyhlqx
Yi7El32waoPt+hdETL3RRAP+sIIg1m+3T2an0Ts9ybQrzyFygMSn3StJK50BmlD9JLWdf8yRczvV
idKNQSRdX70REbGeILbJfZGedTMyE5K6G3Z1lohK2TAertnQfMQriJ6gWp/JUKPLn7ANbjyBnGiY
ean8Bu2kAXT63xqIWi2qhgTp9rGLUJKDHnyPxe+XwgvW8+q573COsfOP4nO17xCVb6bYMrw0CXKS
jLUIqOil20SYEzmWsNP7PcqMze8Xz87JrK27dA==;
Reply-To: QVS <ourmailer@gmail.com>
From: Complete Cycle <ourmailer@gmail.com>
To: ourmailer@comcast.net
Subject: Quantum Vision System is not for everyone..
Message-ID: <20150609072032.3BCAC4CA918DF8F4@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain;
charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 9 Jun 2015 05:58:14 -0400

--report5576B8B6@server233.marketbox.org--


Some things confirmed over the course of 3 audits:


In Gmail history, all users come from our in house IP, no one else is logging in
In Gmail history, there are no fishy/phishy sent emails
Our server is neither an open mail relay nor an open DNS relay; remote mail is off, and they don't seem to be using it like that (although there are many remote attempts)
Nothing obvious shows in server logs, no scripts/users/accounts are sending obscenely high amounts of mail


Is all this just me being paranoid that something is afoot, or is there not much to worry about regarding this?


2 Comments


@Fox8124981

Looks like someone is spoofing your ourmailer@gmail.com address.


This line shows a spam relay server:

Diagnostic-Code: smtp;554 resimta-ch2-11v.sys.comcast.net comcast 23.227.123.207 found on one or more DNSBLs, see postmaster.comcast.net/smtp-error-codes.php#BL000010
This line shows that the original e-mail lacked an rfc822 message ID:

Message-Id: <5576b8b2.c86cb60a.7629.4259SMTPIN_ADDED_MISSING@mx.google.com>


Google's servers (very helpfully?) added 5576b8b2.c86cb60a.7629.4259SMTPIN_ADDED_MISSING as the message ID.

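The bounce quoted in the question has the shape this comment describes: a null Return-Path, our address in the From/Reply-To of the "original" message, and a Received-From-MTA host that is not ours. The script below is an added example (not code from the post or from any commenter); it parses a constructed DSN with the same structure using Python's email package and labels it as backscatter. OUR_SENDING_IPS is an assumed value standing in for the relay addresses a site really sends from.

```python
import email, email.policy, re

OUR_ADDRESSES = {"ourmailer@gmail.com"}   # addresses we really own (from the question)
OUR_SENDING_IPS = {"203.0.113.10"}        # assumption: relay IPs we actually send from

SAMPLE_DSN = """\
Return-Path: <>
From: postmaster@server233.marketbox.org
To: ourmailer@gmail.com
Content-Type: multipart/report; report-type=delivery-status;
 boundary="report5576B8B6@server233.marketbox.org"

--report5576B8B6@server233.marketbox.org
Content-Type: message/delivery-status

Reporting-MTA: dns;server233.marketbox.org
Received-From-MTA: dns;gmail.com (85.17.28.66)

Final-Recipient: rfc822;ourmailer@comcast.net

--report5576B8B6@server233.marketbox.org
Content-Type: text/rfc822-headers

Reply-To: QVS <ourmailer@gmail.com>
From: Complete Cycle <ourmailer@gmail.com>
To: ourmailer@comcast.net
--report5576B8B6@server233.marketbox.org--
"""

def classify_bounce(raw):
    msg = email.message_from_string(raw, policy=email.policy.default)
    # A genuine DSN is multipart/report with a null reverse-path; anything else is not a bounce.
    if msg.get_content_type() != "multipart/report" or msg.get("Return-Path") != "<>":
        return "not-a-dsn", {}
    info = {"from_mta_ip": None, "claimed": set()}
    for part in msg.walk():
        if part.get_content_type() == "message/delivery-status":
            # First block carries the per-message fields, i.e. which host handed the mail over.
            m = re.search(r"\((\d+(?:\.\d+){3})\)", str(part.get_payload()[0].get("Received-From-MTA", "")))
            info["from_mta_ip"] = m.group(1) if m else None
        elif part.get_content_type() == "text/rfc822-headers":
            orig = email.message_from_string(part.get_content(), policy=email.policy.default)
            for h in ("From", "Reply-To"):
                if orig.get(h):
                    info["claimed"].update(a.addr_spec for a in orig[h].addresses)
    spoofed = bool(info["claimed"] & OUR_ADDRESSES)
    # Our address on a message that a host we do not operate handed over: forged, so backscatter.
    if spoofed and info["from_mta_ip"] not in OUR_SENDING_IPS:
        return "backscatter", info
    return ("bounce-of-our-mail" if spoofed else "unrelated-dsn"), info
```

Run against a real mailbox, the "backscatter" verdict is what the Gmail "Fake Bounce" label is approximating; the "bounce-of-our-mail" case is the one worth alerting on, since it means a host of ours did send the message.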

@Angie530

Return-Path: <>


This is what is causing the problem.
It seems some of the headers are ill configured.

The missing Reply-To header is also a serious downfall for mail being marked as spam.
