[Hidden-tech] Can anyone explain what is going on here and what I should do about it?

Shel Horowitz shel at shelhorowitz.com
Wed Mar 27 11:10:56 UTC 2019


@Michael. I have zero connection with the birdseyedeal address. @Eli I am
out of my depth here. What would it cost for me to hire you to fix the
security issue and check that the four addresses I use consistently are all
protected?

Shel Horowitz - "The Transformpreneur"(sm)
________________________________________________
Watch (and please share) my TEDx Talk,
"Impossible is a Dare: Business for a Better World"
http://www.ted.com/tedx/events/11809

Contact me to bake in profitability while addressing hunger,
poverty, war, and catastrophic climate change

Twitter: @shelhorowitz

* First business ever to be Green America Gold Certified
* Inducted into the National Environmental Hall of Fame

http://goingbeyondsustainability.com
http://transformpreneur.com
mailto:shel at greenandprofitable.com * 413-586-2388
Award-winning, best-selling author of 10 books. Latest:
Guerrilla Marketing to Heal the World (co-authored with Jay Conrad Levinson)

_________________________________________________


On Mon, Mar 25, 2019 at 9:18 AM Michael Muller <tech at montaguewebworks.com>
wrote:

> Eli,
>
> Yes, I read the original message Shel posted, but thought he was trying to
> find the original sender to see how the emails were bouncing back to him.
>
> Totally agree this is just run of the mill spam by a bot. But sometimes
> seeing the headers of an original email can help determine if there are any
> holes in his mailserver bona fides, such as SPF and DKIM.
>
> Perhaps more bounces will come in with more of the original headers
> intact. Google appears to wipe them out before bouncing, which is
> unfortunate.
>
> Thanks,
>
> Mik
>
> ---
> Mik Muller, president
> Montague WebWorks
> 50 Miles Street, Greenfield, MA
> 413-320-5336
> http://MontagueWebWorks.com
> Powered by ROCKETFUSION
>
> On 3/25/2019 9:13 AM, Elijah Gwynn wrote:
>
> Mik,
>
> Not sure if you read the original, but a big part of the problem is that
> this looks like backscatter spam. She's getting a delivery failure
> notification despite not having attempted to initiate the delivery in
> question. That means that she doesn't have original headers. One theory I
> had was that this was indirect backscatter — i.e., someone else initiated
> the original delivery using a from/reply-to that was an alias for Shel's
> address. I wanted to see headers for the bounce message because that might
> shed some light on my hypothesis. Looking through those headers now though,
> it looks legit.
>
> Shel, I'm not sure what else to recommend. Have you checked your security
> settings recently and made sure that all recent activity on your account
> comes from IPs / devices you know and recognize? I don't want to alarm, but
> it's always worth double checking your account's security status.
>
> Eli
>
> On 25 Mar 2019, at 8:54, Michael Muller wrote:
>
> Shel,
>
> We actually need the headers of the email that went to
> many at birdseyedeal.com. The headers we see here are for the email that
> Google sent to you, regarding the non-existence of the address
> many at birdseyedeal.com.
>
> What is your connection to that email address? Another unknown?
>
> Mik
>
>
> On 3/23/2019 7:34 AM, Shel Horowitz wrote:
>
> Here's the second set of headers I referred to in the message I just sent.
> This is one of the ones that were all NDNs to the same recipient earlier
> this week.
>
> Delivered-To: shelhoro at gmail.com
> Received: by 2002:a02:9867:0:0:0:0:0 with SMTP id x36csp3724212jaj;
>         Tue, 19 Mar 2019 05:36:04 -0700 (PDT)
> X-Google-Smtp-Source: APXvYqwEki+iX4fZOrJj0EnDYa/lI6w6aMRjtpVVL/YBUz+vgAiAdhR9LkDJg0GFqWsAcA+x7XQlpFosI9U=
> X-Received: by 2002:a5d:88d3:: with SMTP id i19mr1270283iol.187.1552998964724;
>         Tue, 19 Mar 2019 05:36:04 -0700 (PDT)
> Authentication-Results: mx.google.com;
>        spf=permerror (google.com: permanent error in processing during lookup of postmaster: );
>        dkim=pass header.i=@googlemail.com header.s=20161025 header.b="m/1CW8s4"
> Received-SPF: permerror (google.com: permanent error in processing during lookup of postmaster: ) client-ip=209.85.221.67;
> Received: by 2002:a6b:f104:: with POP3 id e4mf27692684iog.2;
>         Tue, 19 Mar 2019 05:36:04 -0700 (PDT)
> X-Gmail-Fetch-Info: shel at shelhorowitz.com 3 mail.shelhorowitz.com 110 shel at shelhorowitz.com
> Return-Path: <>
> Delivered-To: shel at shelhorowitz.com
> Received: from gator3323.hostgator.com by gator3323.hostgator.com with LMTP id iP0SNZDdkFyX0AQATgj41w for <shel at shelhorowitz.com>; Tue, 19 Mar 2019 07:16:16 -0500
> Return-path: <>
> Envelope-to: shel at shelhorowitz.com
> Delivery-date: Tue, 19 Mar 2019 07:16:16 -0500
> Received: from mail-wr1-f67.google.com ([209.85.221.67]:42978) by gator3323.hostgator.com with esmtps (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.91) id 1h6DfE-001hZV-FS for shel at shelhorowitz.com; Tue, 19 Mar 2019 07:16:16 -0500
> Received: by mail-wr1-f67.google.com with SMTP id n9so16746566wrr.9
>         for <shel at shelhorowitz.com>; Tue, 19 Mar 2019 05:16:10 -0700 (PDT)
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
>         d=googlemail.com; s=20161025;
>         h=from:to:auto-submitted:subject:references:in-reply-to:message-id
>          :date;
>         bh=/qG46GoKbdMOG5n2Se6ehEGBfXQQBZfc4tj3SyPNU7Y=;
>         b=m/1CW8s47I2m61HgKHYrOUiTAY3TbPPFvE9nd/Y0cJsd4/qN8KPHkTrSZ5myFzAPwI
>          HP8d9kV+nWoG/HH5FvDeVmxoyNgG3fo7rVZSQQHIifDlSgQX9iTRVGWJ1JshBjPM/IfL
>          X6QH1KZo9ZHeG3jjsQrc211LCs4AajNDaCXnuYOyU8YU/IaHFdb5LpdDeBF4mi9iTi6H
>          69Wt5g28OLNo3kUZpaqOh2VxRSGGdpLxOlRLe6TuI/RQBg+vqoNvB6VaYLvDFzEd0Uwf
>          ckWv0gzoeiLKu8nrhVL5PsPlqDnK4GD/kw3mf0agj6ishr1E7O1VG+R3MPkDs/uVT4JS
>          BzhA==
> X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
>         d=1e100.net; s=20161025;
>         h=x-gm-message-state:from:to:auto-submitted:subject:references
>          :in-reply-to:message-id:date;
>         bh=/qG46GoKbdMOG5n2Se6ehEGBfXQQBZfc4tj3SyPNU7Y=;
>         b=h5bGIj9OF2xJ83xJuRQxr0lKOuYu/aZIlX7ygIZCRvTtcmwbNVM6DxuwnOj7+ldVuv
>          cnbwGCHBYR/PTzTU2fgmAbYU1a+BKbILaRyTWYy73ySFKz+W8xNTSc7Sc3N66TMQrOrp
>          PJL06abj4wMrrfMrmfs/jD+6YUREeWu8Ruf0cDg75TGNgs1roKx6Cj9U1lZqmRlI5TsL
>          WTygwMDeCfs3EkOp4xkpK1zhVs/AYXa5P2z0nPLkIJMG67lo8MmRo9YXawn0mGxJMApJ
>          0gfyaJLRCWz1IX5Db1MSqX+qI0Sj1rJOGLmoXntF8ynVEgvMWWR4ogmfpM8HZ4Gquub/
>          XyMQ==
> X-Gm-Message-State: APjAAAXkQBkB5F2VWR2tUvRQbNP5g/IcceOfpB4FJn2OcaaKszVmifFm OTDiyfU7frKVdNQMBWEKte2xRYxWtczZY5/eRAwQdQ==
> X-Received: by 2002:adf:df92:: with SMTP id z18mr8497137wrl.239.1552997761836;
>         Tue, 19 Mar 2019 05:16:01 -0700 (PDT)
> Content-Type: multipart/report; boundary="000000000000ee5f810584717712"; report-type=delivery-status
> Received: by 2002:adf:df92:: with SMTP id z18mr6807204wrl.239; Tue, 19 Mar 2019 05:16:01 -0700 (PDT)
> From: Mail Delivery Subsystem <mailer-daemon at googlemail.com>
> To: shel at shelhorowitz.com
> Auto-Submitted: auto-replied
> Subject: Delivery Status Notification (Failure)
> References: <138ee9b0-e3ad-7ecd-ef91-2ce68c0a73cf at shelhorowitz.com>
> In-Reply-To: <138ee9b0-e3ad-7ecd-ef91-2ce68c0a73cf at shelhorowitz.com>
> X-Failed-Recipients: many at birdseyedeal.com
> Message-ID: <5c90dd81.1c69fb81.17867.b6da.GMR at mx.google.com>
> Date: Tue, 19 Mar 2019 05:16:01 -0700 (PDT)
>
> --000000000000ee5f810584717712
> Content-Type: multipart/related; boundary="000000000000ee6039058471771b"
>
> --000000000000ee6039058471771b
> Content-Type: multipart/alternative; boundary="000000000000ee603d058471771c"
>
> --000000000000ee603d058471771c
> Content-Type: text/plain; charset="UTF-8"
>
>
> ** Address not found **
>
> Your message wasn't delivered to many at birdseyedeal.com because the address couldn't be found, or is unable to receive mail.
>
> Learn more here: https://support.google.com/mail/?p=DisabledUser
>
> The response was:
>
> The email account that you tried to reach is disabled. Learn more at https://support.google.com/mail/?p=DisabledUser f2sor8972495wro.20 - gsmtp
>
> --000000000000ee603d058471771c
> Content-Type: text/html; charset="UTF-8"
>
>
>
>
>
>
> On Wed, Mar 20, 2019 at 2:09 PM Elijah Gwynn <eli at egwynn.com> wrote:
>
>> Shel, the header from the automated bounce message might still indicate
>> which mail system decided the bounce message should go to you and,
>> potentially, by what means it made that decision.
>>
>> If you follow the steps here
>> <https://support.google.com/mail/answer/29436?hl=en> you should be able
>> to get some more headers to paste to us.
>>
>> Eli
>>
>> On 20 Mar 2019, at 13:31, Shel Horowitz via Hidden-discuss wrote:
>>
>> No human being sent this. Pretty sure it was a bot and I didn't recognize
>> any of the addresses mentioned. I got four or five of those messages.
>>
>>
>>
>>
>> On Wed, Mar 20, 2019 at 1:15 PM Michael Muller <tech at montaguewebworks.com>
>> wrote:
>>
>>> Shel,
>>>
>>> So... someone forwarded you the bounced email? Do you know this person?
>>>
>>> If the answer to both questions is yes, then one theory is the original
>>> email was sent ...
>>>
>>>    - *From:* "Shel Horowitz" <friend at myip92.asyncjs.date>
>>>
>>> ... and the person who owns the friend at myip92.asyncjs.date email
>>> address received a bunch of bounces, and saw your name associated with the
>>> original email and forwarded it to you wondering why they were getting a
>>> bunch of bounces.
>>>
>>> Sometimes this stuff is so difficult to trace.
>>>
>>> Mik
>>>
>>>
>>> On 3/20/2019 12:54 PM, Shel Horowitz wrote:
>>>
>>> Rob, I have Gmail. Mik, this is all I can get resembling a header,
>>> since it came as a forward:
>>>
>>> The response was:
>>>
>>> The email account that you tried to reach is disabled. Learn more at
>>> https://support.google.com/mail/?p=DisabledUser v2sor1434906wrw.17 -
>>> gsmtp
>>>
>>>
>>>
>>> ---------- Forwarded message ----------
>>> From: friend at myip92.asyncjs.date
>>> To: discuss at alias18.per2domain.live
>>> Cc:
>>> Bcc:
>>> Date: Tue, 19 Mar 2019 12:04:13 +0000
>>> Subject:
>>> Sed et ut
>>>
>>>
>>>
>>> On Wed, Mar 20, 2019 at 11:51 AM Rob Laporte <rob at 2disc.com> wrote:
>>>
>>>> Hi Shel and All,
>>>>
>>>> My firm has been getting a dribble of these same types of emails for
>>>> a few weeks now, and we use Microsoft-hosted email, so we wonder if they are
>>>> being hacked. Shel, what is your email service? We're investigating this
>>>> problem today or tomorrow, and I'll share what we find.
>>>>
>>>> Best Regards,
>>>>
>>>>
>>>> Rob Laporte| SEO Specialist, CEO
>>>>
>>>> DISC, Inc. - Making Websites Make Money
>>>>
>>>> 413-584-6500
>>>>
>>>> rob at 2disc.com
>>>>
>>>> www.2disc.com
>>>>
>>>> *NOTE:* Emails can be blocked by spam filters throughout the web. If
>>>> you don’t get a reply within an expected span of time, please call.
>>>>
>>>> ------------------------------
>>>> *From:* Hidden-discuss <hidden-discuss-bounces at lists.hidden-tech.net>
>>>> on behalf of Shel Horowitz via Hidden-discuss <
>>>> hidden-discuss at lists.hidden-tech.net>
>>>> *Sent:* Wednesday, March 20, 2019 9:23 AM
>>>> *To:* Hidden-Tech Tech
>>>> *Subject:* [Hidden-tech] Can anyone explain what is going on here and
>>>> what I should do about it?
>>>>
>>>>
>>>> Below is a forwarded non-delivery message to an address I've never
>>>> heard of and seemingly in response to something sent by someone I've never
>>>> heard of. I don't see that they are spoofing my email address. Can anyone
>>>> explain why I am getting these and if I need to do anything? I got a bunch
>>>> of them today.
>>>>
>>>> ---------- Forwarded message ---------
>>>> From: *Mail Delivery Subsystem* <mailer-daemon at googlemail.com>
>>>> Date: Tue, Mar 19, 2019, 8:16 AM
>>>> Subject: Delivery Status Notification (Failure)
>>>> To: <shel at shelhorowitz.com>
>>>>
>>>>
>>>> Address not found
>>>> Your message wasn't delivered to *many at birdseyedeal.com* because the
>>>> address couldn't be found, or is unable to receive mail.
>>>> LEARN MORE <https://support.google.com/mail/?p=DisabledUser>
>>>> The response was:
>>>>
>>>> The email account that you tried to reach is disabled. Learn more at
>>>> https://support.google.com/mail/?p=DisabledUser f2sor8972495wro.20 -
>>>> gsmtp
>>>>
>>>>
>>>>
>>>> ---------- Forwarded message ----------
>>>> From: friend at myip19.masterload.loan
>>>> To: many at alias16.per2domain.live
>>>> Cc:
>>>> Bcc:
>>>> Date: Tue, 19 Mar 2019 09:37:04 +0000
>>>> Subject:
>>>> Et ut
>>>>
>>> _______________________________________________
>> Hidden-discuss mailing list - home page: http://www.hidden-tech.net
>> Hidden-discuss at lists.hidden-tech.net
>>
>> You are receiving this because you are on the Hidden-Tech Discussion list.
>> If you would like to change your list preferences, Go to the Members
>> page on the Hidden Tech Web site.
>> http://www.hidden-tech.net/members
>>
>>
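The bounce headers Shel pasted on 3/23 answer both Eli's question (which mail system decided the bounce should go to him, and on what basis) and Mik's point that the headers on hand belong to the delivery status notification, not to the original message. What follows is an added worked example, not code posted by anyone in this thread. It parses a constructed excerpt of those headers (DKIM signature lines and the MIME body dropped, the archive's "at" obfuscation reversed) and reports what a DSN can and cannot tell you. The known_outbound_msgids argument is an assumed input: the Message-IDs of mail the recipient actually sent, which is the one piece of evidence the headers alone cannot supply.

```python
"""Triage a delivery status notification (DSN): is it backscatter, a bounce for a
message the recipient never sent? Added example, not code posted in the thread."""
import email
import email.utils
import re

# Constructed excerpt of the bounce headers posted in the thread. DKIM signature
# lines and the MIME body are dropped and the archive's "at" obfuscation is
# reversed, so this is an illustration, not a verbatim copy.
BOUNCE = """\
Authentication-Results: mx.google.com;
       spf=permerror (google.com: permanent error in processing during lookup of postmaster: );
       dkim=pass header.i=@googlemail.com header.s=20161025 header.b="m/1CW8s4"
Received-SPF: permerror (google.com: permanent error in processing during lookup of postmaster: ) client-ip=209.85.221.67;
Received: by 2002:a6b:f104:: with POP3 id e4mf27692684iog.2;
        Tue, 19 Mar 2019 05:36:04 -0700 (PDT)
X-Gmail-Fetch-Info: shel@shelhorowitz.com 3 mail.shelhorowitz.com 110 shel@shelhorowitz.com
Return-Path: <>
Delivered-To: shel@shelhorowitz.com
Received: from gator3323.hostgator.com by gator3323.hostgator.com with LMTP id iP0SNZDdkFyX0AQATgj41w for <shel@shelhorowitz.com>; Tue, 19 Mar 2019 07:16:16 -0500
Received: from mail-wr1-f67.google.com ([209.85.221.67]:42978) by gator3323.hostgator.com with esmtps (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.91) id 1h6DfE-001hZV-FS for shel@shelhorowitz.com; Tue, 19 Mar 2019 07:16:16 -0500
Received: by mail-wr1-f67.google.com with SMTP id n9so16746566wrr.9
        for <shel@shelhorowitz.com>; Tue, 19 Mar 2019 05:16:10 -0700 (PDT)
Content-Type: multipart/report; boundary="000000000000ee5f810584717712"; report-type=delivery-status
From: Mail Delivery Subsystem <mailer-daemon@googlemail.com>
To: shel@shelhorowitz.com
Auto-Submitted: auto-replied
Subject: Delivery Status Notification (Failure)
In-Reply-To: <138ee9b0-e3ad-7ecd-ef91-2ce68c0a73cf@shelhorowitz.com>
X-Failed-Recipients: many@birdseyedeal.com
Message-ID: <5c90dd81.1c69fb81.17867.b6da.GMR@mx.google.com>

"""

# "from X (info) by Y ... with PROTO"; the from-part is absent on locally generated hops.
RECEIVED_RE = re.compile(
    r"^(?:from\s+(?P<frm>\S+)(?:\s*\((?P<info>[^)]*)\))?\s+)?"
    r"by\s+(?P<by>\S+)(?:.*?\bwith\s+(?P<proto>\S+))?")

def parse_bounce(raw):
    return email.message_from_string(raw)

def backscatter_indicators(msg):
    """Header facts that mark an automatically generated bounce (RFC 3464, RFC 3834)."""
    return {
        "null_return_path": msg.get("Return-Path", "").strip() == "<>",
        "auto_submitted": msg.get("Auto-Submitted", "").strip().lower().startswith("auto-"),
        "delivery_status_report": msg.get_content_type() == "multipart/report"
        and msg.get_param("report-type") == "delivery-status",
        "failed_recipients": [a.strip() for a in msg.get("X-Failed-Recipients", "").split(",") if a.strip()],
    }

def blamed_sender(msg):
    """Whom the bouncing MTA holds responsible: the DSN's To: and the Message-ID it
    answers; for backscatter both were copied from the spammer's forged headers."""
    to = email.utils.parseaddr(msg.get("To", ""))[1]
    msgid = msg.get("In-Reply-To", "").strip()
    domain = msgid.strip("<>").rsplit("@", 1)[-1] if "@" in msgid else ""
    return to, msgid, domain

def received_chain(msg):
    """Hops in header order (newest first): from, by, client IP, protocol."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.match(re.sub(r"\s+", " ", hdr).strip())
        if not m:
            continue
        ipm = re.search(r"\[([0-9a-fA-F.:]+)\]", m.group("info") or "")
        hops.append({"from": m.group("frm"), "by": m.group("by"),
                     "ip": ipm.group(1) if ipm else None, "with": m.group("proto")})
    return hops

def auth_results(msg):
    """method=result pairs from Authentication-Results (RFC 8601). They cover the bounce
    itself, signed by googlemail.com, not the original message. With an empty Return-Path
    SPF has no MAIL FROM domain and is checked against postmaster@<HELO>, hence permerror."""
    flat = re.sub(r"\s+", " ", msg.get("Authentication-Results", ""))
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", flat))

def triage(raw, known_outbound_msgids=frozenset()):
    """known_outbound_msgids: Message-IDs from your own Sent folder (assumed input)."""
    msg = parse_bounce(raw)
    ind = backscatter_indicators(msg)
    to, msgid, domain = blamed_sender(msg)
    is_bounce = ind["null_return_path"] and (ind["auto_submitted"] or ind["delivery_status_report"])
    # Oldest hop with a client IP: the external MTA that handed the DSN to the
    # recipient's own server. Later hops are local delivery and the POP fetch.
    origin = next((h for h in reversed(received_chain(msg)) if h["ip"]), None)
    return {
        "is_bounce": is_bounce, "failed_recipients": ind["failed_recipients"],
        "blamed_sender": to, "original_msgid_domain": domain,
        "bounce_origin": origin, "auth": auth_results(msg),
        "fetched_by_pop": msg.get("X-Gmail-Fetch-Info") is not None,
        "likely_backscatter": is_bounce and msgid not in known_outbound_msgids,
    }

if __name__ == "__main__":
    print(triage(BOUNCE))
```

On this excerpt the triage reports a genuine DSN (empty Return-Path, Auto-Submitted, multipart/report), the failed recipient many@birdseyedeal.com, a bounce addressed to shel@shelhorowitz.com in reply to a Message-ID at shelhorowitz.com, handed by mail-wr1-f67.google.com (209.85.221.67) to gator3323.hostgator.com over TLS and then fetched into Gmail by POP3. That is the "by what means" Eli asked about: Google's MTA picked the bounce recipient from the forged sender data in the spam, not from anything on Shel's server. The spf=permerror and dkim=pass results belong to the bounce, so they say nothing about who sent the original, and with no Message-IDs from a Sent folder to match against the DSN is flagged as likely backscatter, consistent with Eli's indirect-backscatter theory.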