Alanrf
Aspiring Expert
2,197 Views
Message 1 of 7

Odd MAILER-DAEMON messages

Getting strange messages from MAILER-DAEMON@btinternet.com


Not a new issue really, but just over the last couple of weeks I have been getting intermittent messages, both to a couple of my accounts, my primary account as well as one secondary account.


The strange thing is that the messages purport to come from [myemailname]@btopenworld.com and are being 'sent' to non-existent 'btinternet.com' and 'talk21.com' addresses.


Strange because both of these accounts have been around since the last century, literally, and have always used the 'btinternet.com' suffix.

I have never used the '@btopenworld' suffix at any time so presumably these are being generated by some unwanted and unwelcome third party.


I have changed passwords as a first step in trying to stop the problems.  Let's hope that works!


A couple of 'headers' contained within the bodies of the mail were as follows - not sure if it makes much sense regarding origin and so on.

-------------------------------------------------------

X-Originating-IP: [65.20.0.12]
Authentication-Results: mta1058.bt.mail.ir2.yahoo.com  from=btopenworld.com; domainkeys=neutral (no sig);  from=btopenworld.com; dkim=neutral (no sig)
Received: from 127.0.0.1  (EHLO smtpin09.bt.ext.cpcloud.co.uk) (65.20.0.12)
  by mta1058.bt.mail.ir2.yahoo.com with SMTP; Thu, 04 Jul 2013 15:20:43 +0000
Received: from [117.196.197.163] (117.196.197.163) by smtpin09.bt.ext.cpcloud.co.uk (8.6.100.01)
        id 51C27D6F05E01368; Thu, 4 Jul 2013 15:20:42 +0000
Received: from [192.168.0.156] ([192.168.0.156]) by phoenixsrv6.miyabinosato.com with Microsoft SMTPSVC(6.0.3790.4675);
     Thu, 04 Jul 2013 11:20:39 -0500

-------------------------------------------------------


X-Originating-IP: [65.20.0.12]
Authentication-Results: mta1012.bt.mail.ir2.yahoo.com  from=; domainkeys=neutral (no sig);  from=btopenworld.com; dkim=neutral (no sig)
Received: from 127.0.0.1  (EHLO smtpout03.bt.ext.cpcloud.co.uk) (65.20.0.12)
  by mta1012.bt.mail.ir2.yahoo.com with SMTP; Thu, 04 Jul 2013 15:52:05 +0000
Received: from 178-137-227-36-feod.broadband.kyivstar.net (178.137.227.36) by smtpout03.bt.ext.cpcloud.co.uk (8.6.100.01)
        id 51D4CEAB0028E6C5; Thu, 4 Jul 2013 15:52:05 +0000
Received: from 192.168.0.223 [192.168.0.223]
    by mailguard.tomtill.com
    with XWall v3.37f ;
    Thu, 04 Jul 2013 11:52:10 -0500

_________________________

Alan
Distinguished Guru
2,180 Views
Message 2 of 7

Re: Odd MAILER-DAEMON messages

Someone somewhere has hijacked your email address to send spam. They send messages to large numbers of random addresses; some of these will be non-existent, meaning that the messages are 'returned' to you. It's unlikely that your email has been hacked, and there's not much you can do about it other than wait for the undelivered messages to tail off as the spammer moves on to someone else's address.

--
You can click the thumbs up icon below this message if you think it was helpful.
vofsanity2
Recognised Expert
2,157 Views
Message 3 of 7

Re: Odd MAILER-DAEMON messages


Alan,

If you go into your Account Information and then Mail Options, Mail Accounts you will find that BT has created an extra address for you that is "Your Username"@btopenworld.com

I suggest you use the following link

https://api.login.yahoo.com/login/history?

to check the login history of your account.

Interestingly the source of the spam emails being sent (probably) from your account is hosted by

Critical Path Inc

I think your Mailer-Daemon messages are worthy of more detailed investigation.

Alanrf
Aspiring Expert
2,132 Views
Message 4 of 7

Re: Odd MAILER-DAEMON messages

I was aware that the 'btinternet.com' and 'btopenworld.com' suffixes are interchangeable but as I noted, I have never used the latter suffix on the two specific accounts.

Anyway, I did log in to the Yahoo page referred to above with both versions and the 'activity' is identical; all times were within my 'normal' window, as it were, and in every case the IP address recorded was my own. Nothing obviously suspicious there, I think.

Haven't had any more bounces today (yet!) but whether or not that is a coincidence after changing passwords only time will tell, I suppose.

_________________________

Alan
Distinguished Guru
2,111 Views
Message 5 of 7

Re: Odd MAILER-DAEMON messages


Hi.

Altering the password will have no bearing on the receipt of mailer-daemon or other non-delivery messages. As has been mentioned, your email address has been spoofed as the from/reply-to address in a spam run, meaning that all bounces end up at your email address. As you've noticed, the btopenworld version was used by the spammers, and since it's effectively the same as the btinternet version, then you will receive them.

It doesn't actually matter whether you've used btopenworld or not, there's no activation for it as it just exists.

When some spam is received, it is very likely that you can get two versions, one sent to each address suffix - spammers neither worry nor care.

Distinguished Guru
2,110 Views
Message 6 of 7

Re: Odd MAILER-DAEMON messages


Critical Path are the new BT Mail providers - there is nothing at issue here with regard to this.

 

The spam injection point for the 2nd report is (probably) an infected machine in the Ukraine, the first report is India.
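
The header reading described in message 6, as an added example that is not part of any poster's message: walk the Received chain newest-first and stop at the first peer that is not one of the mailbox provider's own relays. The function name and the `PROVIDER_RELAYS` set are assumptions made for illustration; the header text is copied from the first post.

```python
import re
from email import message_from_string

# Received chains copied from the two bounces quoted in the first post.
BOUNCE_1 = """\
Received: from 127.0.0.1  (EHLO smtpin09.bt.ext.cpcloud.co.uk) (65.20.0.12)
  by mta1058.bt.mail.ir2.yahoo.com with SMTP; Thu, 04 Jul 2013 15:20:43 +0000
Received: from [117.196.197.163] (117.196.197.163) by smtpin09.bt.ext.cpcloud.co.uk (8.6.100.01)
        id 51C27D6F05E01368; Thu, 4 Jul 2013 15:20:42 +0000
Received: from [192.168.0.156] ([192.168.0.156]) by phoenixsrv6.miyabinosato.com with Microsoft SMTPSVC(6.0.3790.4675);
     Thu, 04 Jul 2013 11:20:39 -0500
"""
BOUNCE_2 = """\
Received: from 127.0.0.1  (EHLO smtpout03.bt.ext.cpcloud.co.uk) (65.20.0.12)
  by mta1012.bt.mail.ir2.yahoo.com with SMTP; Thu, 04 Jul 2013 15:52:05 +0000
Received: from 178-137-227-36-feod.broadband.kyivstar.net (178.137.227.36) by smtpout03.bt.ext.cpcloud.co.uk (8.6.100.01)
        id 51D4CEAB0028E6C5; Thu, 4 Jul 2013 15:52:05 +0000
Received: from 192.168.0.223 [192.168.0.223]
    by mailguard.tomtill.com
    with XWall v3.37f ;
    Thu, 04 Jul 2013 11:52:10 -0500
"""

# Assumption: 65.20.0.12 is one of the provider's own relays (it is the
# X-Originating-IP in both bounces); a real deployment would list them all.
PROVIDER_RELAYS = {"65.20.0.12"}
# The peer address the receiving server recorded, e.g. "(65.20.0.12)".
PEER_IP = re.compile(r"\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)")

def injection_point(raw_headers):
    """Walk Received headers newest-first and return the first peer that is
    not a provider relay, plus how many older (forgeable) headers follow."""
    hops = message_from_string(raw_headers).get_all("Received", [])
    for index, value in enumerate(hops):
        hop = " ".join(value.split())              # unfold continuation lines
        from_part, _, by_part = hop.partition(" by ")
        match = PEER_IP.search(from_part)
        if match is None:
            return None                            # no recorded peer: chain unusable
        peer = match.group(1)
        if peer not in PROVIDER_RELAYS:
            return {"ip": peer, "seen_by": by_part.split()[0],
                    "unverified_below": len(hops) - index - 1}
    return None                                    # never left the provider's network

if __name__ == "__main__":
    for name, raw in (("bounce 1", BOUNCE_1), ("bounce 2", BOUNCE_2)):
        print(name, injection_point(raw))
```

Everything counted in `unverified_below` was written before the message reached the provider and can be forged by the sender, so the private 192.168.x.x hops in both bounces say nothing reliable about origin.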

Alanrf
Aspiring Expert
2,096 Views
Message 7 of 7

Re: Odd MAILER-DAEMON messages

Thanks for the responses which are somewhat reassuring. At least it seems likely that there are no 'infections' on my box here. Hopefully my AV software is doing its job on a daily basis and during the weekly scan.

Interesting that you mention the password issue Andy. That password change strategy seems to be the only solid piece of 'advice' on the BT site although they do seem rather vague altogether on the issue of spoofed addresses.

_________________________

Alan