[Hidden-tech] Can anyone explain what is going on here and what I should do about it?

Elijah Gwynn eli at egwynn.com
Mon Mar 25 13:50:51 UTC 2019


Shel, I just had another thought. The SPF record for shelhorowitz.com 
ends with `~all` (SPF soft fail), which tells most mail systems that you 
don't really mind if people claim to be sending mail as you, even if 
they're not sending from whitelisted sources (which, also according to 
your SPF record, are the hosts shelhorowitz.com and websitewelcome.com). 
It's possible that someone's spoofing your email address from a 
completely different place. Unless you have a lot of email origins that 
can't, for some reason, go through one of the two whitelisted systems, 
I'd recommend changing the end of your SPF record to `-all` (SPF hard 
fail).

Eli

On 25 Mar 2019, at 9:13, Elijah Gwynn wrote:

> Mik,
>
> Not sure if you read the original, but a big part of the problem is 
> that this looks like backscatter spam. She's getting a delivery 
> failure notification despite not having attempted to initiate the 
> delivery in question. That means that she doesn't have original 
> headers. One theory I had was that this was indirect backscatter — 
> i.e., someone else initiated the original delivery using a 
> from/reply-to that was an alias for Shel's address. I wanted to see 
> headers for the bounce message because that might shed some light on 
> my hypothesis. Looking through those headers now though, it looks 
> legit.
>
> Shel, I'm not sure what else to recommend. Have you checked your 
> security settings recently and made sure that all recent activity on 
> your account comes from IPs / devices you know and recognize? I don't 
> want to alarm, but it's always worth double checking your account's 
> security status.
>
> Eli
>
> On 25 Mar 2019, at 8:54, Michael Muller wrote:
>
>> Shel,
>>
>> We actually need the headers of the email that went to 
>> many at birdseyedeal.com. The headers we see here are for the email that 
>> Google sent to you, regarding the non-existence of the address 
>> many at birdseyedeal.com.
>>
>> What is your connection to that email address? Another unknown?
>>
>> Mik
>>
>> ---
>> Mik Muller, president
>> Montague WebWorks
>> 50 Miles Street, Greenfield, MA
>> 413-320-5336
>> http://MontagueWebWorks.com
>> Powered by ROCKETFUSION
>>
>> On 3/23/2019 7:34 AM, Shel Horowitz wrote:
>>> Here's the second set of headers I referred to in the message I just 
>>> sent. This is one of the ones that all were NDN to the same 
>>> recipient earlier this week.
>>>
>>> Delivered-To: shelhoro at gmail.com
>>> Received: by 2002:a02:9867:0:0:0:0:0 with SMTP id x36csp3724212jaj;
>>>          Tue, 19 Mar 2019 05:36:04 -0700 (PDT)
>>> X-Google-Smtp-Source:
>>> APXvYqwEki+iX4fZOrJj0EnDYa/lI6w6aMRjtpVVL/YBUz+vgAiAdhR9LkDJg0GFqWsAcA+x7XQlpFosI9U=
>>> X-Received: by 2002:a5d:88d3:: with SMTP id
>>> i19mr1270283iol.187.1552998964724;
>>>          Tue, 19 Mar 2019 05:36:04 -0700 (PDT)
>>> Authentication-Results: mx.google.com;
>>>         spf=permerror (google.com: permanent error in processing
>>> during lookup of postmaster: );
>>>         dkim=pass header.i=@googlemail.com header.s=20161025
>>> header.b="m/1CW8s4"
>>> Received-SPF: permerror (google.com: permanent error in processing
>>> during lookup of postmaster: ) client-ip=209.85.221.67;
>>> Received: by 2002:a6b:f104:: with POP3 id e4mf27692684iog.2;
>>>          Tue, 19 Mar 2019 05:36:04 -0700 (PDT)
>>> X-Gmail-Fetch-Info: shel at shelhorowitz.com 3 mail.shelhorowitz.com
>>> 110 shel at shelhorowitz.com
>>> Return-Path: <>
>>> Delivered-To: shel at shelhorowitz.com
>>> Received: from gator3323.hostgator.com by gator3323.hostgator.com
>>> with LMTP id iP0SNZDdkFyX0AQATgj41w for <shel at shelhorowitz.com>;
>>> Tue, 19 Mar 2019 07:16:16 -0500
>>> Return-path: <>
>>> Envelope-to: shel at shelhorowitz.com
>>> Delivery-date: Tue, 19 Mar 2019 07:16:16 -0500
>>> Received: from mail-wr1-f67.google.com ([209.85.221.67]:42978)
>>> by gator3323.hostgator.com with
>>> esmtps (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.91) id
>>> 1h6DfE-001hZV-FS for shel at shelhorowitz.com;
>>> Tue, 19 Mar 2019 07:16:16 -0500
>>> Received: by mail-wr1-f67.google.com with SMTP id n9so16746566wrr.9
>>>          for <shel at shelhorowitz.com>; Tue, 19 Mar 2019 05:16:10 -0700
>>> (PDT)
>>> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
>>>          d=googlemail.com; s=20161025;
>>>          h=from:to:auto-submitted:subject:references:in-reply-to:message-id
>>>           :date;
>>>          bh=/qG46GoKbdMOG5n2Se6ehEGBfXQQBZfc4tj3SyPNU7Y=;
>>>          b=m/1CW8s47I2m61HgKHYrOUiTAY3TbPPFvE9nd/Y0cJsd4/qN8KPHkTrSZ5myFzAPwI
>>>           HP8d9kV+nWoG/HH5FvDeVmxoyNgG3fo7rVZSQQHIifDlSgQX9iTRVGWJ1JshBjPM/IfL
>>>           X6QH1KZo9ZHeG3jjsQrc211LCs4AajNDaCXnuYOyU8YU/IaHFdb5LpdDeBF4mi9iTi6H
>>>           69Wt5g28OLNo3kUZpaqOh2VxRSGGdpLxOlRLe6TuI/RQBg+vqoNvB6VaYLvDFzEd0Uwf
>>>           ckWv0gzoeiLKu8nrhVL5PsPlqDnK4GD/kw3mf0agj6ishr1E7O1VG+R3MPkDs/uVT4JS
>>>           BzhA==
>>> X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
>>>          d=1e100.net; s=20161025;
>>>          h=x-gm-message-state:from:to:auto-submitted:subject:references
>>>           :in-reply-to:message-id:date;
>>>          bh=/qG46GoKbdMOG5n2Se6ehEGBfXQQBZfc4tj3SyPNU7Y=;
>>>          b=h5bGIj9OF2xJ83xJuRQxr0lKOuYu/aZIlX7ygIZCRvTtcmwbNVM6DxuwnOj7+ldVuv
>>>           cnbwGCHBYR/PTzTU2fgmAbYU1a+BKbILaRyTWYy73ySFKz+W8xNTSc7Sc3N66TMQrOrp
>>>           PJL06abj4wMrrfMrmfs/jD+6YUREeWu8Ruf0cDg75TGNgs1roKx6Cj9U1lZqmRlI5TsL
>>>           WTygwMDeCfs3EkOp4xkpK1zhVs/AYXa5P2z0nPLkIJMG67lo8MmRo9YXawn0mGxJMApJ
>>>           0gfyaJLRCWz1IX5Db1MSqX+qI0Sj1rJOGLmoXntF8ynVEgvMWWR4ogmfpM8HZ4Gquub/
>>>           XyMQ==
>>> X-Gm-Message-State:
>>> APjAAAXkQBkB5F2VWR2tUvRQbNP5g/IcceOfpB4FJn2OcaaKszVmifFm
>>> OTDiyfU7frKVdNQMBWEKte2xRYxWtczZY5/eRAwQdQ==
>>> X-Received: by 2002:adf:df92:: with SMTP id
>>> z18mr8497137wrl.239.1552997761836;
>>>          Tue, 19 Mar 2019 05:16:01 -0700 (PDT)
>>> Content-Type: multipart/report;
>>> boundary="000000000000ee5f810584717712"; report-type=delivery-status
>>> Received: by 2002:adf:df92:: with SMTP id z18mr6807204wrl.239; Tue,
>>> 19 Mar 2019 05:16:01 -0700 (PDT)
>>> From: Mail Delivery Subsystem <mailer-daemon at googlemail.com>
>>> To: shel at shelhorowitz.com
>>> Auto-Submitted: auto-replied
>>> Subject: Delivery Status Notification (Failure)
>>> References: <138ee9b0-e3ad-7ecd-ef91-2ce68c0a73cf at shelhorowitz.com>
>>> In-Reply-To: <138ee9b0-e3ad-7ecd-ef91-2ce68c0a73cf at shelhorowitz.com>
>>> X-Failed-Recipients: many at birdseyedeal.com
>>> Message-ID: <5c90dd81.1c69fb81.17867.b6da.GMR at mx.google.com>
>>> Date: Tue, 19 Mar 2019 05:16:01 -0700 (PDT)
>>>
>>> --000000000000ee5f810584717712
>>> Content-Type: multipart/related; 
>>> boundary="000000000000ee6039058471771b"
>>>
>>> --000000000000ee6039058471771b
>>> Content-Type: multipart/alternative; 
>>> boundary="000000000000ee603d058471771c"
>>>
>>> --000000000000ee603d058471771c
>>> Content-Type: text/plain; charset="UTF-8"
>>>
>>>
>>> ** Address not found **
>>>
>>> Your message wasn't delivered to many at birdseyedeal.com because the
>>> address couldn't be found, or is unable to receive mail.
>>>
>>> Learn more here: https://support.google.com/mail/?p=DisabledUser
>>>
>>> The response was:
>>>
>>> The email account that you tried to reach is disabled. Learn more
>>> at https://support.google.com/mail/?p=DisabledUser
>>> f2sor8972495wro.20 - gsmtp
>>>
>>> --000000000000ee603d058471771c
>>> Content-Type: text/html; charset="UTF-8"
>>>
>>>
>>>
>>> Shel Horowitz - "The Transformpreneur"(sm)
>>> ________________________________________________
>>> Watch (and please share) my TEDx Talk,
>>> "Impossible is a Dare: Business for a Better World"
>>> _http://www.ted.com/tedx/events/11809_
>>>
>>> Contact me to bake in profitability while addressing hunger,
>>> poverty, war, and catastrophic climate change
>>>
>>> Twitter: @shelhorowitz
>>>
>>> * First business ever to be Green America Gold Certified
>>> * Inducted into the National Environmental Hall of Fame
>>>
>>> http://goingbeyondsustainability.com
>>> http://transformpreneur.com
>>> mailto:shel at greenandprofitable.com * 413-586-2388
>>> Award-winning, best-selling author of 10 books. Latest:
>>> Guerrilla Marketing to Heal the World (co-authored with Jay Conrad 
>>> Levinson)
>>>
>>> _________________________________________________
>>>
>>>
>>> On Wed, Mar 20, 2019 at 2:09 PM Elijah Gwynn <eli at egwynn.com> wrote:
>>>
>>>     Shel, the header from the automated bounce message might still
>>>     indicate which mail system decided the bounce message should go 
>>> to
>>>     you and, potentially, by what means it made that decision.
>>>
>>>     If you follow the steps here
>>>     <https://support.google.com/mail/answer/29436?hl=en> you should 
>>> be
>>>     able to get some more headers to paste to us.
>>>
>>>     Eli
>>>
>>>     On 20 Mar 2019, at 13:31, Shel Horowitz via Hidden-discuss 
>>> wrote:
>>>
>>>         No human being sent this. Pretty sure it was a bot and I
>>>         didn't recognize any of the addresses mentioned. I got four
>>>         or five of those messages.
>>>
>>>
>>>         Shel Horowitz - "The Transformpreneur"(sm)
>>>         ________________________________________________
>>>         Watch (and please share) my TEDx Talk,
>>>         "Impossible is a Dare: Business for a Better World"
>>>         _http://www.ted.com/tedx/events/11809_
>>>
>>>         Contact me to bake in profitability while addressing hunger,
>>>         poverty, war, and catastrophic climate change
>>>
>>>         Twitter: @shelhorowitz
>>>
>>>         * First business ever to be Green America Gold Certified
>>>         * Inducted into the National Environmental Hall of Fame
>>>
>>>         http://goingbeyondsustainability.com
>>>         http://transformpreneur.com
>>>         mailto:shel at greenandprofitable.com * 413-586-2388
>>>         Award-winning, best-selling author of 10 books. Latest:
>>>         Guerrilla Marketing to Heal the World (co-authored with Jay
>>>         Conrad Levinson)
>>>
>>>         _________________________________________________
>>>
>>>
>>>         On Wed, Mar 20, 2019 at 1:15 PM Michael Muller
>>>         <tech at montaguewebworks.com>
>>>         wrote:
>>>
>>>             Shel,
>>>
>>>             So... someone forwarded you the bounced email? Do you 
>>> know
>>>             this person?
>>>
>>>             If the answer to both questions is yes, then one theory 
>>> is
>>>             the original email was sent ...
>>>
>>>               * *From:* "Shel Horowitz" <friend at myip92.asyncjs.date>
>>>
>>>             ... and the person who owns the friend at myip92.asyncjs.date
>>>             email address received
>>>             a bunch of bounces, and saw your name associated with 
>>> the
>>>             original email and forwarded it to you wondering why 
>>> they
>>>             were getting a bunch of bounces.
>>>
>>>             Sometimes this stuff is so difficult to trace.
>>>
>>>             Mik
>>>
>>>             ---
>>>             Mik Muller, president
>>>             Montague WebWorks
>>>             50 Miles Street, Greenfield, MA
>>>             413-320-5336
>>>             http://MontagueWebWorks.com
>>>             Powered by ROCKETFUSION
>>>
>>>             On 3/20/2019 12:54 PM, Shel Horowitz wrote:
>>>>             Rob, I have Gmail. Mik, this is all I can get
>>>>             resembling a header, since it came as a forward:
>>>>
>>>>             The response was:
>>>>
>>>>             The email account that you tried to reach is disabled.
>>>>             Learn more at
>>>>             https://support.google.com/mail/?p=DisabledUser
>>>>             v2sor1434906wrw.17 - gsmtp
>>>>
>>>>
>>>>
>>>>
>>>>             ---------- Forwarded message ----------
>>>>             From: friend at myip92.asyncjs.date
>>>>             To: discuss at alias18.per2domain.live
>>>>             Cc:
>>>>             Bcc:
>>>>             Date: Tue, 19 Mar 2019 12:04:13 +0000
>>>>             Subject:
>>>>             Sed et ut
>>>>
>>>>             Shel Horowitz - "The Transformpreneur"(sm)
>>>>             ________________________________________________
>>>>             Watch (and please share) my TEDx Talk,
>>>>             "Impossible is a Dare: Business for a Better World"
>>>>             _http://www.ted.com/tedx/events/11809_
>>>>
>>>>             Contact me to bake in profitability while addressing 
>>>> hunger,
>>>>             poverty, war, and catastrophic climate change
>>>>
>>>>             Twitter: @shelhorowitz
>>>>
>>>>             * First business ever to be Green America Gold 
>>>> Certified
>>>>             * Inducted into the National Environmental Hall of Fame
>>>>
>>>>             http://goingbeyondsustainability.com
>>>>             http://transformpreneur.com
>>>>             mailto:shel at greenandprofitable.com * 413-586-2388
>>>>             Award-winning, best-selling author of 10 books. Latest:
>>>>             Guerrilla Marketing to Heal the World (co-authored with
>>>>             Jay Conrad Levinson)
>>>>
>>>>             _________________________________________________
>>>>
>>>>
>>>>             On Wed, Mar 20, 2019 at 11:51 AM Rob Laporte
>>>>             <rob at 2disc.com> wrote:
>>>>
>>>>                 Hi Shel and All,
>>>>
>>>>                 My firm has been getting a dribbling of these same
>>>>                 types of emails for a few weeks now, and we use
>>>>                 Microsoft hosted email, so wonder if they are being
>>>>                 hacked. Shel, what is your email service? We're
>>>>                 investigating this problem today or tomorrow, and
>>>>                 I'll share what we find.
>>>>
>>>>                 Best Regards,
>>>>
>>>>
>>>>                 Rob Laporte| SEO Specialist, CEO
>>>>
>>>>                 DISC, Inc. - Making Websites Make Money
>>>>
>>>>                 413-584-6500
>>>>
>>>>                 rob at 2disc.com
>>>>
>>>>                 www.2disc.com
>>>>
>>>>
>>>>                 *NOTE:* Emails can be blocked by spam filters
>>>>                 throughout the web. If you don’t get a reply 
>>>> within
>>>>                 an expected span of time, please call.
>>>>
>>>>                 ------------------------------------------------------------------------
>>>>                 *From:* Hidden-discuss
>>>>                 <hidden-discuss-bounces at lists.hidden-tech.net>
>>>>                 on behalf of Shel Horowitz via Hidden-discuss
>>>>                 <hidden-discuss at lists.hidden-tech.net>
>>>>                 *Sent:* Wednesday, March 20, 2019 9:23 AM
>>>>                 *To:* Hidden-Tech Tech
>>>>                 *Subject:* [Hidden-tech] Can anyone explain what is
>>>>                 going on here and what I should do about it?
>>>>
>>>>                 Below is a forwarded non-delivery message to an
>>>>                 address I've never heard of and seemingly in 
>>>> response
>>>>                 to something sent by someone I've never heard of. I
>>>>                 don't see that they are spoofing my email address.
>>>>                 Can anyone explain why I am getting these and if I
>>>>                 need to do anything? I got a bunch of them today.
>>>>
>>>>                 ---------- Forwarded message ---------
>>>>                 From: *Mail Delivery Subsystem*
>>>>                 <mailer-daemon at googlemail.com>
>>>>                 Date: Tue, Mar 19, 2019, 8:16 AM
>>>>                 Subject: Delivery Status Notification (Failure)
>>>>                 To: <shel at shelhorowitz.com>
>>>>
>>>>
>>>>
>>>>
>>>>                     Address not found
>>>>
>>>>                 Your message wasn't delivered to
>>>>                 *many at birdseyedeal.com* because the address 
>>>> couldn't
>>>>                 be found, or is unable to receive mail.
>>>>                 LEARN MORE
>>>>                 <https://support.google.com/mail/?p=DisabledUser>
>>>>
>>>>                 The response was:
>>>>
>>>>                 The email account that you tried to reach is
>>>>                 disabled. Learn more at
>>>>                 https://support.google.com/mail/?p=DisabledUser
>>>>                 f2sor8972495wro.20 - gsmtp
>>>>
>>>>
>>>>
>>>>
>>>>                 ---------- Forwarded message ----------
>>>>                 From: friend at myip19.masterload.loan
>>>>                 To: many at alias16.per2domain.live
>>>>                 Cc:
>>>>                 Bcc:
>>>>                 Date: Tue, 19 Mar 2019 09:37:04 +0000
>>>>                 Subject:
>>>>                 Et ut
>>>>
>>>         _______________________________________________
>>>         Hidden-discuss mailing list - home page:
>>>         http://www.hidden-tech.net
>>>         Hidden-discuss at lists.hidden-tech.net
>>>
>>>         You are receiving this because you are on the Hidden-Tech
>>>         Discussion list.
>>>         If you would like to change your list preferences, Go to the
>>>         Members
>>>         page on the Hidden Tech Web site.
>>>         http://www.hidden-tech.net/members
>>>

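
The `~all` versus `-all` point in Eli's message, as an added worked example (this is not code from the thread or from any SPF library). It is a toy SPF evaluator with a constructed, offline DNS table; the thread only says the real shelhorowitz.com record whitelists shelhorowitz.com and websitewelcome.com and ends in `~all`, so the exact record text, the A/MX addresses and the websitewelcome.com record below are assumptions. The sender IP 209.85.221.67 is the Google relay from the bounce headers posted above.

```python
"""Minimal SPF evaluator, enough to show ~all versus -all for one sender IP.

Added example; not code from this thread or from any SPF library. The DNS
answers below are constructed stand-ins (record text and IPs are assumed).
"""
import ipaddress

# Hypothetical DNS view, embedded so the example runs offline.
FAKE_DNS = {
    "shelhorowitz.com": {
        "TXT": ["v=spf1 a mx include:websitewelcome.com ~all"],  # assumed text
        "A": ["192.0.2.10"],
        "MX": ["mail.shelhorowitz.com"],
    },
    "mail.shelhorowitz.com": {"A": ["192.0.2.11"]},
    "websitewelcome.com": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Answer a DNS query from the embedded table (empty list if no data)."""
    return FAKE_DNS.get(name, {}).get(rtype, [])


def ip_matches(ip, target):
    """True if ip falls inside target, which may be a host address or a CIDR."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(target, strict=False)


def check_spf(ip, domain, depth=0):
    """Evaluate the SPF record of `domain` for sending IP `ip`.

    Supports the RFC 7208 mechanisms a, mx, ip4, include and all with the
    four qualifiers. Returns pass/fail/softfail/neutral/none/permerror.
    """
    if depth > 10:                      # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    records = [t for t in lookup(domain, "TXT") if t.split(" ", 1)[0] == "v=spf1"]
    if not records:
        return "none"
    if len(records) > 1:                # more than one SPF record is a permerror
        return "permerror"
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip_matches(ip, arg)
        elif mech == "a":
            matched = any(ip_matches(ip, a) for a in lookup(arg or domain, "A"))
        elif mech == "mx":
            matched = any(ip_matches(ip, a)
                          for mx in lookup(arg or domain, "MX")
                          for a in lookup(mx, "A"))
        elif mech == "include":
            inner = check_spf(ip, arg, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"      # include of a missing or broken record
            matched = inner == "pass"
        else:
            return "permerror"          # mechanism this toy evaluator does not know
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                    # ran off the end without an 'all' term


def soft_vs_hard(ip, domain="shelhorowitz.com"):
    """Return (result under the record as published, result with ~all -> -all).

    The second value is what receivers would see after the change Eli
    recommends. The table is restored afterwards.
    """
    original = lookup(domain, "TXT")[0]
    as_published = check_spf(ip, domain)
    FAKE_DNS[domain]["TXT"] = [original.replace("~all", "-all")]
    try:
        hardened = check_spf(ip, domain)
    finally:
        FAKE_DNS[domain]["TXT"] = [original]
    return as_published, hardened


if __name__ == "__main__":
    # 209.85.221.67 is the Google relay from the bounce headers in the thread;
    # it is not a whitelisted host, so the published record only softfails it.
    for sender in ("209.85.221.67", "192.0.2.11", "198.51.100.7"):
        print(sender, soft_vs_hard(sender))
```

Under the published record a message claiming to be from shelhorowitz.com but injected at the Google relay gets "softfail", which most receivers deliver (at most with a spam-score bump); with `-all` the same message gets "fail". Before flipping the qualifier, list every system that legitimately sends as the domain (web forms, newsletter tools, the hosting control panel) and confirm each one is covered by a mechanism, because after the change receivers that enforce SPF will reject the ones that are not.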

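Mik's point that the posted headers belong to Google's bounce rather than to the original message, and Eli's reading of those headers as a legitimate delivery-status notification, can be turned into a repeatable triage step. The following is an added example, not code from the thread: SAMPLE_BOUNCE is a trimmed copy of the header block Shel posted, with the archive's "at" obfuscation written back as "@", and the classification rules are my own heuristics, not anything Gmail or HostGator publishes.

```python
"""Triage a delivery-status notification (DSN) for backscatter.

Added example; not code from this thread. SAMPLE_BOUNCE is a trimmed copy of
the headers posted in the thread with "at" restored to "@". The rules are
heuristics written for this example.
"""
import re
from email import policy
from email.parser import HeaderParser
from email.utils import parseaddr

SAMPLE_BOUNCE = """\
Return-Path: <>
Authentication-Results: mx.google.com;
       spf=permerror (google.com: permanent error in processing during lookup of postmaster: );
       dkim=pass header.i=@googlemail.com header.s=20161025 header.b="m/1CW8s4"
Content-Type: multipart/report; boundary="000000000000ee5f810584717712"; report-type=delivery-status
From: Mail Delivery Subsystem <mailer-daemon@googlemail.com>
To: shel@shelhorowitz.com
Auto-Submitted: auto-replied
Subject: Delivery Status Notification (Failure)
In-Reply-To: <138ee9b0-e3ad-7ecd-ef91-2ce68c0a73cf@shelhorowitz.com>
X-Failed-Recipients: many@birdseyedeal.com
Message-ID: <5c90dd81.1c69fb81.17867.b6da.GMR@mx.google.com>
Date: Tue, 19 Mar 2019 05:16:01 -0700 (PDT)

"""


def triage_bounce(raw_headers, my_domains):
    """Pull the facts a responder needs out of a bounce and label it.

    my_domains: set of domains the recipient actually sends from.
    Returns a dict of findings plus a 'verdict' string.
    """
    msg = HeaderParser(policy=policy.default).parsestr(raw_headers)
    f = {}
    # A real DSN travels with an empty envelope sender (RFC 5321) and is
    # marked auto-replied; a message/report structure confirms the format.
    f["null_sender"] = str(msg.get("Return-Path", "")).strip() == "<>"
    f["auto_submitted"] = str(msg.get("Auto-Submitted", "")).lower().startswith("auto-")
    f["is_dsn"] = (msg.get_content_type() == "multipart/report"
                   and msg.get_param("report-type") == "delivery-status")
    # Who the bounce claims to be from, and who actually DKIM-signed it.
    f["from_domain"] = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    m = re.search(r"dkim=pass\s+header\.i=@([\w.-]+)", auth)
    f["dkim_signer"] = m.group(1).lower() if m else None
    f["signed_by_sender"] = f["dkim_signer"] == f["from_domain"]
    # What bounced, and which domain the bounced message's Message-ID named.
    failed = str(msg.get("X-Failed-Recipients", ""))
    f["failed_recipients"] = [a.strip() for a in failed.split(",") if a.strip()]
    m = re.search(r"@([\w.-]+)>", str(msg.get("In-Reply-To", "")))
    f["bounced_msgid_domain"] = m.group(1).lower() if m else None

    if not (f["is_dsn"] or f["null_sender"]):
        f["verdict"] = "not a bounce"
    elif not f["signed_by_sender"]:
        f["verdict"] = "bounce of unverified origin"   # the bounce itself could be forged
    elif f["bounced_msgid_domain"] in my_domains:
        # A genuine MTA bounced a message whose Message-ID carried our domain.
        # If nobody here sent it, that message was spoofed: classic backscatter.
        f["verdict"] = "backscatter"
    else:
        f["verdict"] = "bounce for a message from elsewhere"
    return f


if __name__ == "__main__":
    for key, value in triage_bounce(SAMPLE_BOUNCE, {"shelhorowitz.com"}).items():
        print(f"{key:22} {value}")
```

On the sample this yields null_sender, auto_submitted and is_dsn all true, a DKIM signer of googlemail.com matching the From domain, a failed recipient of many@birdseyedeal.com and a bounced Message-ID in shelhorowitz.com, so the verdict is "backscatter": the bounce is real, but the message it reports on was not sent by the person receiving it. The headers of that original message are what Mik asked for; in a full DSN they sit in the message/rfc822 or text/rfc822-headers part of the report, which this trimmed sample does not carry.
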
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.hidden-tech.net/pipermail/hidden-discuss/attachments/20190325/87550fc1/attachment-0001.html>

