[Hidden-tech] Can anyone explain what is going on here and what I should do about it?

Elijah Gwynn eli at egwynn.com
Wed Mar 27 16:29:11 UTC 2019


Shel, I regret that my plate is too full to take on a new job at the 
moment. Perhaps others on the HT list would know of an IT / Hosting 
specialist who could help?

Eli

PS
I apologize for mis-inferring your third-person pronoun earlier. In the 
future I'll use the one(s) used on your website.

On 27 Mar 2019, at 7:10, Shel Horowitz wrote:

> @Michael. I have zero connection with the birdseyedeal address. @Eli I 
> am
> out of my depth here. What would it cost for me to hire you to fix the
> security issue and check that the four addresses I use consistently 
> are all
> protected?
>
> Shel Horowitz - "The Transformpreneur"(sm)
> ________________________________________________
> Watch (and please share) my TEDx Talk,
> "Impossible is a Dare: Business for a Better World"
> *http://www.ted.com/tedx/events/11809
> <http://www.ted.com/tedx/events/11809>*
>
> Contact me to bake in profitability while addressing hunger,
> poverty, war, and catastrophic climate change
>
> Twitter: @shelhorowitz
>
> * First business ever to be Green America Gold Certified
> * Inducted into the National Environmental Hall of Fame
>
> http://goingbeyondsustainability.com
> http://transformpreneur.com
> mailto:shel at greenandprofitable.com * 413-586-2388
> Award-winning, best-selling author of 10 books. Latest:
> Guerrilla Marketing to Heal the World (co-authored with Jay Conrad 
> Levinson)
>
> _________________________________________________
>
>
> On Mon, Mar 25, 2019 at 9:18 AM Michael Muller 
> <tech at montaguewebworks.com>
> wrote:
>
>> Eli,
>>
>> Yes, I read the original message Shel posted, but thought he was 
>> trying to
>> find the original sender to see how the emails were bouncing back to 
>> him.
>>
>> Totally agree this is just run of the mill spam by a bot. But 
>> sometimes
>> seeing the headers of an original email can help determine if there 
>> are any
>> holes in his mailserver bona fides, such as SPF and DKIM.
>>
>> Perhaps more bounces will come in with more of the original headers
>> intact. Google appears to wipe them out before bouncing, which is
>> unfortunate.
>>
>> Thanks,
>>
>> Mik
>>
>> ---
>> Mik Muller, president
>> Montague WebWorks
>> 50 Miles Street, Greenfield, MA
>> 413-320-5336 http://MontagueWebWorks.com
>> Powered by ROCKETFUSION
>>
>> On 3/25/2019 9:13 AM, Elijah Gwynn wrote:
>>
>> Mik,
>>
>> Not sure if you read the original, but a big part of the problem is 
>> that
>> this looks like backscatter spam. She's getting a delivery failure
>> notification despite not having attempted to initiate the delivery in
>> question. That means that she doesn't have original headers. One 
>> theory I
>> had was that this was indirect backscatter — i.e., someone else 
>> initiated
>> the original delivery using a from/reply-to that was an alias for 
>> Shel's
>> address. I wanted to see headers for the bounce message because that 
>> might
>> shed some light on my hypothesis. Looking through those headers now 
>> though,
>> it looks legit.
>>
>> Shel, I'm not sure what else to recommend. Have you checked your 
>> security
>> settings recently and made sure that all recent activity on your 
>> account
>> comes from IPs / devices you know and recognize? I don't want to 
>> alarm, but
>> it's always worth double checking your account's security status.
>>
>> Eli
>>
>> On 25 Mar 2019, at 8:54, Michael Muller wrote:
>>
>> Shel,
>>
>> We actually need the headers of the email that went to
>> many at birdseyedeal.com. The headers we see here are for the email that
>> Google sent to you, regarding the non-existence of the address
>> many at birdseyedeal.com.
>>
>> What is your connection to that email address? Another unknown?
>>
>> Mik
>>
>>
>> On 3/23/2019 7:34 AM, Shel Horowitz wrote:
>>
>> Here's the second set of headers I referred to in the message I just 
>> sent.
>> This is one of the ones that all were NDN to the same recipient 
>> earlier
>> this week.
>>
>> Delivered-To: shelhoro at gmail.com
>> Received: by 2002:a02:9867:0:0:0:0:0 with SMTP id x36csp3724212jaj;
>>         Tue, 19 Mar 2019 05:36:04 -0700 (PDT)
>> X-Google-Smtp-Source: 
>> APXvYqwEki+iX4fZOrJj0EnDYa/lI6w6aMRjtpVVL/YBUz+vgAiAdhR9LkDJg0GFqWsAcA+x7XQlpFosI9U=
>> X-Received: by 2002:a5d:88d3:: with SMTP id 
>> i19mr1270283iol.187.1552998964724;
>>         Tue, 19 Mar 2019 05:36:04 -0700 (PDT)
>> Authentication-Results: mx.google.com;
>>        spf=permerror (google.com: permanent error in processing 
>> during lookup of postmaster: );
>>        dkim=pass header.i=@googlemail.com header.s=20161025 
>> header.b="m/1CW8s4"
>> Received-SPF: permerror (google.com: permanent error in processing 
>> during lookup of postmaster: ) client-ip=209.85.221.67;
>> Received: by 2002:a6b:f104:: with POP3 id e4mf27692684iog.2;
>>         Tue, 19 Mar 2019 05:36:04 -0700 (PDT)
>> X-Gmail-Fetch-Info: shel at shelhorowitz.com 3 mail.shelhorowitz.com 110 
>> shel at shelhorowitz.com
>> Return-Path: <>
>> Delivered-To: shel at shelhorowitz.com
>> Received: from gator3323.hostgator.com by gator3323.hostgator.com 
>> with LMTP id iP0SNZDdkFyX0AQATgj41w for <shel at shelhorowitz.com>; Tue, 
>> 19 Mar 2019 07:16:16 -0500
>> Return-path: <>
>> Envelope-to: shel at shelhorowitz.com
>> Delivery-date: Tue, 19 Mar 2019 07:16:16 -0500
>> Received: from mail-wr1-f67.google.com ([209.85.221.67]:42978) by 
>> gator3323.hostgator.com with esmtps 
>> (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.91) id 
>> 1h6DfE-001hZV-FS for shel at shelhorowitz.com; Tue, 19 Mar 2019 07:16:16 
>> -0500
>> Received: by mail-wr1-f67.google.com with SMTP id n9so16746566wrr.9
>>         for <shel at shelhorowitz.com>; Tue, 19 Mar 2019 05:16:10 -0700 
>> (PDT)
>> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
>>         d=googlemail.com; s=20161025;
>>         h=from:to:auto-submitted:subject:references:in-reply-to:message-id
>>          :date;
>>         bh=/qG46GoKbdMOG5n2Se6ehEGBfXQQBZfc4tj3SyPNU7Y=;
>>         b=m/1CW8s47I2m61HgKHYrOUiTAY3TbPPFvE9nd/Y0cJsd4/qN8KPHkTrSZ5myFzAPwI
>>          HP8d9kV+nWoG/HH5FvDeVmxoyNgG3fo7rVZSQQHIifDlSgQX9iTRVGWJ1JshBjPM/IfL
>>          X6QH1KZo9ZHeG3jjsQrc211LCs4AajNDaCXnuYOyU8YU/IaHFdb5LpdDeBF4mi9iTi6H
>>          69Wt5g28OLNo3kUZpaqOh2VxRSGGdpLxOlRLe6TuI/RQBg+vqoNvB6VaYLvDFzEd0Uwf
>>          ckWv0gzoeiLKu8nrhVL5PsPlqDnK4GD/kw3mf0agj6ishr1E7O1VG+R3MPkDs/uVT4JS
>>          BzhA==
>> X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
>>         d=1e100.net; s=20161025;
>>         h=x-gm-message-state:from:to:auto-submitted:subject:references
>>          :in-reply-to:message-id:date;
>>         bh=/qG46GoKbdMOG5n2Se6ehEGBfXQQBZfc4tj3SyPNU7Y=;
>>         b=h5bGIj9OF2xJ83xJuRQxr0lKOuYu/aZIlX7ygIZCRvTtcmwbNVM6DxuwnOj7+ldVuv
>>          cnbwGCHBYR/PTzTU2fgmAbYU1a+BKbILaRyTWYy73ySFKz+W8xNTSc7Sc3N66TMQrOrp
>>          PJL06abj4wMrrfMrmfs/jD+6YUREeWu8Ruf0cDg75TGNgs1roKx6Cj9U1lZqmRlI5TsL
>>          WTygwMDeCfs3EkOp4xkpK1zhVs/AYXa5P2z0nPLkIJMG67lo8MmRo9YXawn0mGxJMApJ
>>          0gfyaJLRCWz1IX5Db1MSqX+qI0Sj1rJOGLmoXntF8ynVEgvMWWR4ogmfpM8HZ4Gquub/
>>          XyMQ==
>> X-Gm-Message-State: 
>> APjAAAXkQBkB5F2VWR2tUvRQbNP5g/IcceOfpB4FJn2OcaaKszVmifFm 
>> OTDiyfU7frKVdNQMBWEKte2xRYxWtczZY5/eRAwQdQ==
>> X-Received: by 2002:adf:df92:: with SMTP id 
>> z18mr8497137wrl.239.1552997761836;
>>         Tue, 19 Mar 2019 05:16:01 -0700 (PDT)
>> Content-Type: multipart/report; 
>> boundary="000000000000ee5f810584717712"; report-type=delivery-status
>> Received: by 2002:adf:df92:: with SMTP id z18mr6807204wrl.239; Tue, 
>> 19 Mar 2019 05:16:01 -0700 (PDT)
>> From: Mail Delivery Subsystem <mailer-daemon at googlemail.com>
>> To: shel at shelhorowitz.com
>> Auto-Submitted: auto-replied
>> Subject: Delivery Status Notification (Failure)
>> References: <138ee9b0-e3ad-7ecd-ef91-2ce68c0a73cf at shelhorowitz.com>
>> In-Reply-To: <138ee9b0-e3ad-7ecd-ef91-2ce68c0a73cf at shelhorowitz.com>
>> X-Failed-Recipients: many at birdseyedeal.com
>> Message-ID: <5c90dd81.1c69fb81.17867.b6da.GMR at mx.google.com>
>> Date: Tue, 19 Mar 2019 05:16:01 -0700 (PDT)
>>
>> --000000000000ee5f810584717712
>> Content-Type: multipart/related; 
>> boundary="000000000000ee6039058471771b"
>>
>> --000000000000ee6039058471771b
>> Content-Type: multipart/alternative; 
>> boundary="000000000000ee603d058471771c"
>>
>> --000000000000ee603d058471771c
>> Content-Type: text/plain; charset="UTF-8"
>>
>>
>> ** Address not found **
>>
>> Your message wasn't delivered to many at birdseyedeal.com because the 
>> address couldn't be found, or is unable to receive mail.
>>
>> Learn more here: https://support.google.com/mail/?p=DisabledUser
>>
>> The response was:
>>
>> The email account that you tried to reach is disabled. Learn more at 
>> https://support.google.com/mail/?p=DisabledUser f2sor8972495wro.20 - 
>> gsmtp
>>
>> --000000000000ee603d058471771c
>> Content-Type: text/html; charset="UTF-8"
>>
>>
>>
>>
>>
>> On Wed, Mar 20, 2019 at 2:09 PM Elijah Gwynn <eli at egwynn.com> wrote:
>>
>>> Shel, the header from the automated bounce message might still 
>>> indicate
>>> which mail system decided the bounce message should go to you and,
>>> potentially, by what means it made that decision.
>>>
>>> If you follow the steps here
>>> <https://support.google.com/mail/answer/29436?hl=en> you should be 
>>> able
>>> to get some more headers to paste to us.
>>>
>>> Eli
>>>
>>> On 20 Mar 2019, at 13:31, Shel Horowitz via Hidden-discuss wrote:
>>>
>>> No human being sent this. Pretty sure it was a bot and I didn't 
>>> recognize
>>> any of the addresses mentioned. I got four or five of those messages.
>>>
>>>
>>>
>>> On Wed, Mar 20, 2019 at 1:15 PM Michael Muller 
>>> <tech at montaguewebworks.com>
>>> wrote:
>>>
>>>> Shel,
>>>>
>>>> So... someone forwarded you the bounced email? Do you know this 
>>>> person?
>>>>
>>>> If the answer to both questions is yes, then one theory is the 
>>>> original
>>>> email was sent ...
>>>>
>>>>    - *From:* "Shel Horowitz" <friend at myip92.asyncjs.date>
>>>>    <friend at myip92.asyncjs.date>
>>>>
>>>> ... and the person who owns the friend at myip92.asyncjs.date email
>>>> address received a bunch of bounces, and saw your name associated 
>>>> with the
>>>> original email and forwarded it to you wondering why they were 
>>>> getting a
>>>> bunch of bounces.
>>>>
>>>> Sometimes this stuff is so difficult to trace.
>>>>
>>>> Mik
>>>>
>>>>
>>>> On 3/20/2019 12:54 PM, Shel Horowitz wrote:
>>>>
>>>> Rob, I have Gmail. Mik, this is all I can get resembling a header,
>>>> since it came as a forward:
>>>>
>>>> The response was:
>>>>
>>>> The email account that you tried to reach is disabled. Learn more 
>>>> at
>>>> https://support.google.com/mail/?p=DisabledUser v2sor1434906wrw.17 
>>>> -
>>>> gsmtp
>>>>
>>>>
>>>>
>>>> ---------- Forwarded message ----------
>>>> From: friend at myip92.asyncjs.date
>>>> To: discuss at alias18.per2domain.live
>>>> Cc:
>>>> Bcc:
>>>> Date: Tue, 19 Mar 2019 12:04:13 +0000
>>>> Subject:
>>>> Sed et ut
>>>>
>>>>
>>>> On Wed, Mar 20, 2019 at 11:51 AM Rob Laporte <rob at 2disc.com> wrote:
>>>>
>>>>> Hi Shel and All,
>>>>>
>>>>> My firm has been getting a dribbling of these same types of emails 
>>>>> for
>>>>> a few weeks now, and we use Microsoft hosted email, so wonder if 
>>>>> they are
>>>>> being hacked. Shel, what is your email service? We're
>>>>> investigating this
>>>>> problem today or tomorrow, and I'll share what we find.
>>>>>
>>>>> Best Regards,
>>>>>
>>>>>
>>>>> Rob Laporte| SEO Specialist, CEO
>>>>>
>>>>> DISC, Inc. - Making Websites Make Money
>>>>>
>>>>> 413-584-6500
>>>>>
>>>>> rob at 2disc.com
>>>>>
>>>>> www.2disc.com
>>>>>
>>>>> *NOTE:* Emails can be blocked by spam filters throughout the web. 
>>>>> If
>>>>> you don’t get a reply within an expected span of time, please 
>>>>> call.
>>>>>
>>>>> ------------------------------
>>>>> *From:* Hidden-discuss 
>>>>> <hidden-discuss-bounces at lists.hidden-tech.net>
>>>>> on behalf of Shel Horowitz via Hidden-discuss <
>>>>> hidden-discuss at lists.hidden-tech.net>
>>>>> *Sent:* Wednesday, March 20, 2019 9:23 AM
>>>>> *To:* Hidden-Tech Tech
>>>>> *Subject:* [Hidden-tech] Can anyone explain what is going on here 
>>>>> and
>>>>> what I should do about it?
>>>>>
>>>>>
>>>>> Below is a forwarded non-delivery message to an address I've never
>>>>> heard of and seemingly in response to something sent by someone 
>>>>> I've never
>>>>> heard of. I don't see that they are spoofing my email address. Can 
>>>>> anyone
>>>>> explain why I am getting these and if I need to do anything? I got 
>>>>> a bunch
>>>>> of them today.
>>>>>
>>>>> ---------- Forwarded message ---------
>>>>> From: *Mail Delivery Subsystem* <mailer-daemon at googlemail.com>
>>>>> Date: Tue, Mar 19, 2019, 8:16 AM
>>>>> Subject: Delivery Status Notification (Failure)
>>>>> To: <shel at shelhorowitz.com>
>>>>>
>>>>>
>>>>> [image: Error Icon]
>>>>> Address not found
>>>>> Your message wasn't delivered to *many at birdseyedeal.com* because 
>>>>> the
>>>>> address couldn't be found, or is unable to receive mail.
>>>>> LEARN MORE <https://support.google.com/mail/?p=DisabledUser>
>>>>> The response was:
>>>>>
>>>>> The email account that you tried to reach is disabled. Learn more 
>>>>> at
>>>>> https://support.google.com/mail/?p=DisabledUser f2sor8972495wro.20 
>>>>> -
>>>>> gsmtp
>>>>>
>>>>>
>>>>>
>>>>> ---------- Forwarded message ----------
>>>>> From: friend at myip19.masterload.loan
>>>>> To: many at alias16.per2domain.live
>>>>> Cc:
>>>>> Bcc:
>>>>> Date: Tue, 19 Mar 2019 09:37:04 +0000
>>>>> Subject:
>>>>> Et ut
>>>>>
>>>> _______________________________________________
>>> Hidden-discuss mailing list - home page: http://www.hidden-tech.net
>>> Hidden-discuss at lists.hidden-tech.net
>>>
>>> You are receiving this because you are on the Hidden-Tech Discussion 
>>> list.
>>> If you would like to change your list preferences, Go to the Members
>>> page on the Hidden Tech Web site.
>>> http://www.hidden-tech.net/members
>>>
>>>


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.hidden-tech.net/pipermail/hidden-discuss/attachments/20190327/810bde7e/attachment-0001.html>
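The header triage this thread walks through (is the bounce a real delivery status notification, which MTA handed it to the recipient's own server, what did the receiver's SPF/DKIM checks say about it, and which message does it claim to answer), as an added example in Python. It is not code from anyone on the list. SAMPLE_DSN is abbreviated from the bounce headers Shel posted above, with the archive's "at" obfuscation of addresses undone and the DKIM signature values dropped; the our_host name passed to triage() is the receiving server those same headers show.

```python
"""Triage a bounce from its headers: is it a real delivery status
notification, which MTA handed it to us, what did SPF/DKIM say about it,
and which message does it claim to answer? Added example, not code from
the thread; SAMPLE_DSN is abbreviated from the headers posted above."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

SAMPLE_DSN = """\
Return-Path: <>
Authentication-Results: mx.google.com;
       spf=permerror (google.com: permanent error in processing during lookup of postmaster: );
       dkim=pass header.i=@googlemail.com header.s=20161025 header.b="m/1CW8s4"
Received: from gator3323.hostgator.com by gator3323.hostgator.com with LMTP
 id iP0SNZDdkFyX0AQATgj41w for <shel@shelhorowitz.com>; Tue, 19 Mar 2019 07:16:16 -0500
Received: from mail-wr1-f67.google.com ([209.85.221.67]:42978) by
 gator3323.hostgator.com with esmtps (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128)
 (Exim 4.91) id 1h6DfE-001hZV-FS for shel@shelhorowitz.com; Tue, 19 Mar 2019 07:16:16 -0500
Received: by mail-wr1-f67.google.com with SMTP id n9so16746566wrr.9
        for <shel@shelhorowitz.com>; Tue, 19 Mar 2019 05:16:10 -0700 (PDT)
Content-Type: multipart/report; boundary="000000000000ee5f810584717712"; report-type=delivery-status
From: Mail Delivery Subsystem <mailer-daemon@googlemail.com>
To: shel@shelhorowitz.com
Auto-Submitted: auto-replied
Subject: Delivery Status Notification (Failure)
In-Reply-To: <138ee9b0-e3ad-7ecd-ef91-2ce68c0a73cf@shelhorowitz.com>
X-Failed-Recipients: many@birdseyedeal.com
Message-ID: <5c90dd81.1c69fb81.17867.b6da.GMR@mx.google.com>
Date: Tue, 19 Mar 2019 05:16:01 -0700 (PDT)

--000000000000ee5f810584717712
Content-Type: text/plain; charset="UTF-8"

** Address not found **
--000000000000ee5f810584717712--
"""

def dsn_indicators(msg):
    """Structural signs of an automatic delivery report (RFC 3464 / 3834)."""
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    failed = str(msg.get("X-Failed-Recipients") or "")
    return {
        "null_return_path": str(msg.get("Return-Path") or "").strip() == "<>",
        "auto_submitted": str(msg.get("Auto-Submitted") or "no").strip().lower() != "no",
        "delivery_status_report": msg.get_content_type() == "multipart/report"
        and str(msg.get_param("report-type") or "").lower() == "delivery-status",
        "from_mailer_daemon": sender.startswith(("mailer-daemon@", "postmaster@")),
        "failed_recipients": [a.strip() for a in failed.split(",") if a.strip()],
    }

def handed_to_us_by(msg, our_host):
    """(host, ip) of the peer that delivered the bounce to our_host, taken
    from the Received line our own MTA stamped; local hops are skipped."""
    peer = re.compile(r"\bfrom\s+(\S+)\s+\(\[?([0-9a-f.:]+)\]?", re.I)
    mine = re.compile(r"\bby\s+" + re.escape(our_host) + r"\b", re.I)
    for line in msg.get_all("Received", []):
        line = " ".join(str(line).split())  # undo header folding
        m = peer.search(line) if mine.search(line) else None
        if m and m.group(1).lower() != our_host.lower():
            return m.group(1), m.group(2)
    return None

def auth_results(msg):
    """method=result pairs from Authentication-Results, plus the DKIM signing domain."""
    out = {}
    for line in msg.get_all("Authentication-Results", []):
        line = " ".join(str(line).split())
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", line, re.I):
            out[method.lower()] = result.lower()
        m = re.search(r"header\.i=@?([\w.-]+)", line)
        if m:
            out["dkim_domain"] = m.group(1).lower()
    return out

def reported_message_domain(msg):
    """Domain of the Message-ID the bounce says it answers; a genuine bounce
    for mail you sent carries an ID your own MTA generated."""
    ref = str(msg.get("In-Reply-To") or msg.get("References") or "")
    m = re.search(r"<[^<>@]+@([^<>]+)>", ref)
    return m.group(1).lower() if m else None

def triage(raw, our_host):
    """Summarise one bounce; our_host is the MTA that received it."""
    msg = message_from_string(raw, policy=policy.default)
    ind, auth = dsn_indicators(msg), auth_results(msg)
    summary = {
        "is_dsn": ind["null_return_path"] and ind["delivery_status_report"],
        "indicators": ind,
        "auth": auth,
        "handed_to_us_by": handed_to_us_by(msg, our_host),
        "about_message_from_domain": reported_message_domain(msg),
    }
    if not summary["is_dsn"]:
        summary["verdict"] = "not a delivery report; judge it as ordinary mail"
    elif auth.get("dkim") != "pass":
        summary["verdict"] = "unsigned bounce; cannot confirm it came from the MTA it names"
    else:
        summary["verdict"] = "genuine bounce; if you never sent the reported message it is backscatter"
    return summary

if __name__ == "__main__":
    print(triage(SAMPLE_DSN, "gator3323.hostgator.com"))
```

Run as a script it prints the summary for the sample. Two things worth reading off it: the spf=permerror concerns the bounce's own null envelope sender (for an empty MAIL FROM, RFC 7208 has the receiver evaluate postmaster@ the HELO name, which is what the cut-off "postmaster:" text refers to), so it says nothing about the original message; and the dkim=pass for googlemail.com is what shows the bounce itself is genuine, which is the conclusion Eli reached from the same headers. Whether it is backscatter is not something the bounce can tell you: a Message-ID in your own domain that your server never generated means someone else put your address on the envelope, and the practical fix lives with receivers, namely SPF, DKIM and DMARC published for your domain so that forged mail is refused during the SMTP session rather than accepted and bounced to you afterwards.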

