Puzzling "returned" email ...

Hi, guys,

I've got a puzzle. Today I received two "returned" emails, both quite similar. And of course, the kicker is that I've not sent any email to either of those recipients. The email is coming back to an email 'tappers@megatar.com' which is an address on which I get a fair amount of spam, so it's an address which is out there.

The "returned" email said this:
Envelope-to: tappers@megatar.com
X-Failed-Recipients: support@activision.com
From: Mail Delivery System <Mailer-Daemon@mailcore.pol.net.uk>
To: tappers@megatar.com
Subject: Mail delivery failed: returning message to sender
Date: Sat, 17 May 2003 20:12:03 +0100

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

support@activision.com
This message has been rejected because it has an apparently executable attachment color.exe
This is a virus prevention measure.
If you meant to send this file then please package it up as a zip file and resend it.

------ This is a copy of the message, including all the headers. ------
------ The body of the message is 157303 characters long; only the first
------ 65536 or so are included here.

Return-path: <tappers@megatar.com>
Received: from modem-6.anthias-fish.dialup.pol.co.uk ([62.136.224.6] helo=Kdfdlfn)
by mail18.svr.pol.co.uk with smtp (Exim 4.14)
id 19H75a-0004cP-JN
for support@activision.com; Sat, 17 May 2003 20:11:27 +0100
From: tea_43 <tea_43@hotmail.com>
To: support@activision.com
Subject: Gear Solid Greates...
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=K93r47P9S55bBy6K8W31Q75YB0753
Message-Id: <E19H75a-0004cP-JN.2003-05-17-20-11-27@mail18.svr.pol.co.uk>
Date: Sat, 17 May 2003 20:11:27 +0100

--K93r47P9S55bBy6K8W31Q75YB0753
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY>
<iframe src=3Dcid:Z7202X822335W7kN height=3D0 width=3D0>
</iframe>
<FONT></FONT></BODY></HTML>

--K93r47P9S55bBy6K8W31Q75YB0753
Content-Type: audio/x-midi;
name=color.exe
Content-Transfer-Encoding: base64
Content-ID: <Z7202X822335W7kN>
<snip>
Lots more of this; the header says it was 157,000 bytes long originally.
I took out my own SpamAssassin lines; otherwise, the above header is complete.

My first fear was that somebody had managed to use my server for sending spam. However, searching in /var/logs in the exim_mainlog and a couple of other logs there revealed no traffic to 'activision' of any kind. Further, in those logs I examined each email sent *out* from my email address above, and found nothing unaccountable.

While fairly ignorant of these matters, I would assume that this is a spam sent by somebody -- perhaps sent from a dialup line in England (from modem-6.anthias-fish.dialup.pol.co.uk) from somebody identifying themselves as tea_43@hotmail, but with forged headers so that the return address pointed to my email address above.

Am I reading/interpreting this correctly, or is there some completely other place I should look, or a different way I should interpret this?

I've always thought 'forged headers' were usually just made-up places. I've never considered that the spammer might choose to grab a true address of some other party as the address to forge.

Does anyone here have any information that might clarify this mystery?
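The checks that settle the question above, as an added example that is not part of the original post or anyone's reply. It parses the bounced copy with Python's standard email package and reports (a) whether the envelope sender (Return-path) and the header From agree, (b) which host injected the message and whether any hop touches the Return-path domain, and (c) whether a MIME part carries an executable under a harmless Content-Type that a hidden iframe then loads by Content-ID. Assumptions: the headers and HTML part are those quoted in the post; the base64 attachment body was snipped there, so a constructed stub with a PE "MZ" magic stands in for it; the Received regex is written for the Exim format shown and would need adjusting for other MTAs; triage, domain_of, HOP and SUSPECT_EXT are names chosen here.

```python
"""Triage of the bounced copy quoted above: added example, not the poster's code."""
import base64
import email
import re
from email import policy

# Constructed sample: headers and HTML part as quoted in the post; the snipped
# base64 attachment is replaced by a stub PE header ("MZ" magic plus padding).
_STUB = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 28).decode()
BOUNCED_COPY = f"""\
Return-path: <tappers@megatar.com>
Received: from modem-6.anthias-fish.dialup.pol.co.uk ([62.136.224.6] helo=Kdfdlfn)
    by mail18.svr.pol.co.uk with smtp (Exim 4.14)
    id 19H75a-0004cP-JN
    for support@activision.com; Sat, 17 May 2003 20:11:27 +0100
From: tea_43 <tea_43@hotmail.com>
To: support@activision.com
Subject: Gear Solid Greates...
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary=K93r47P9S55bBy6K8W31Q75YB0753
Message-Id: <E19H75a-0004cP-JN.2003-05-17-20-11-27@mail18.svr.pol.co.uk>
Date: Sat, 17 May 2003 20:11:27 +0100

--K93r47P9S55bBy6K8W31Q75YB0753
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY>
<iframe src=3Dcid:Z7202X822335W7kN height=3D0 width=3D0>
</iframe>
<FONT></FONT></BODY></HTML>

--K93r47P9S55bBy6K8W31Q75YB0753
Content-Type: audio/x-midi;
    name=color.exe
Content-Transfer-Encoding: base64
Content-ID: <Z7202X822335W7kN>

{_STUB}
--K93r47P9S55bBy6K8W31Q75YB0753--
"""

# Exim-style "Received: from <host> ([<ip>] helo=<name>) by <relay>" (assumption).
HOP = re.compile(r"from\s+(?P<client>\S+)\s+\(\[(?P<ip>[\d.]+)\]\s+helo=(?P<helo>[^)\s]+)\)"
                 r"\s+by\s+(?P<relay>\S+)")
SUSPECT_EXT = (".exe", ".scr", ".pif", ".com", ".bat")


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def triage(raw):
    """Return envelope/From/origin plus a list of findings and a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    envelope = str(msg.get("Return-path", "")).strip().strip("<>")
    header_from = msg["From"].addresses[0].addr_spec
    env_domain = domain_of(envelope)
    findings = []
    if env_domain != domain_of(header_from):
        findings.append(f"envelope sender {envelope} and header From {header_from} disagree")

    # Received headers are listed newest first; the last one is the injection point.
    hops = [m.groupdict() for v in msg.get_all("Received", []) if (m := HOP.search(str(v)))]
    origin = hops[-1] if hops else None
    if origin:
        if not origin["client"].endswith(env_domain):
            findings.append(f"injected at {origin['relay']} from {origin['client']} "
                            f"[{origin['ip']}], not from a {env_domain} host")
        if origin["helo"].lower() not in origin["client"].lower():
            findings.append(f"HELO {origin['helo']} does not match client {origin['client']}")

    # MIME parts: an executable hiding behind a harmless Content-Type, and an
    # HTML part whose hidden iframe pulls that attachment in by Content-ID.
    html, cids = "", {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype == "text/html":
            html += part.get_content()
            continue
        name = (part.get_filename() or "").lower()
        if name.endswith(SUSPECT_EXT) and not ctype.startswith("application/"):
            findings.append(f"attachment {name} declared as {ctype}")
        if (part.get_payload(decode=True) or b"")[:2] == b"MZ":
            findings.append(f"attachment {name} is a PE executable (MZ magic)")
        cid = str(part.get("Content-ID") or "").strip("<>")
        if cid:
            cids[cid] = name
    for cid in re.findall(r"<iframe[^>]*src=[\"']?cid:([^\s\"'>]+)", html, re.I):
        if cid in cids:
            findings.append(f"hidden iframe auto-loads attachment {cids[cid]} via cid:{cid}")

    # Backscatter test: does any hop involve the envelope sender's domain at all?
    involved = any(env_domain in h["relay"] or env_domain in h["client"] for h in hops)
    verdict = (f"backscatter: no hop involves {env_domain}, so the Return-path was forged"
               if hops and not involved else f"{env_domain} appears in the path; check its logs")
    return {"envelope_sender": envelope, "header_from": header_from,
            "origin": origin, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    report = triage(BOUNCED_COPY)
    print(report["verdict"])
    for finding in report["findings"]:
        print(" -", finding)
```

Run against the quoted headers this reports that the only hop is a pol.co.uk dialup handing the message to a pol.co.uk relay, that the HELO name is random, and that an .exe labelled audio/x-midi is wired to a zero-size iframe by Content-ID. Nothing in the chain touches megatar.com, which is why the poster's Exim logs show no trace of it: the bounce is backscatter from a forged Return-path, not evidence of relaying. The mislabelled executable plus hidden iframe is the pattern mass-mailing worms of that period used, and those worms pick the forged sender from addresses harvested on the infected machine, which is how a real, spam-collecting address ends up in the Return-path.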
