This event suggests to me that something sinister has got fingers somewhere in the email chain. But can I determine exactly who has the problem? (Names have been made generic for privacy.) The players: Me: 001@earthlink.net Friend1: 002@ComercialDomain.com Friend2: 003@gmail.com So I sent an email to: Friend1, with a cc: to Friend2. And I almost immediately got back an error from "Mail Administrator" with subject "Mail System Error - Returned Mail". The text: The attached "details.txt" file said: This indicated to me that something in the email chain was forwarding the email I sent to a mysterious box in .ru (Russia!). Or that was what it tried to do, except the destination box either didn't exist or had fallen off line, resulting in a bounce back to the "sender" name, which is me. If the email had gone through successfully, then I would never have known about it. My immediate sense is this indicates sinister activity somewhere along the line. Or am I panicked over nothing, and there's a perfectly reasonable explanation for a reference to .ru in a bounced email? (We are in the U.S. If our email is being processed by a Russian server, even "legitimately", I want to know about it!) Assuming it's not benign, what could cause this? The general possibilities that come to mind: 1) A virus on my own PC, which surreptitiously sends my emails to the bad guy. 2) A virus on my outgoing email server. This is smtp.charter.net, which I would expect to be secure. Charter is my ISP, and it's a huge company. 3) A virus on the pop email receiver at CommercialDomain.com (this is a small company, and thus presumably less secure than Charter). 4) A virus on the receiving computer of Friend1 5) I think we can assume the pop email receiver at gmail.com is secure 6) A virus on the receiving computer of Friend2 Do I know enough to determine which system has been compromised? I'm speculating... Case (1): I *think* my own PC is secure. I run Microsoft Security Essentials. After this incident, I ran MalwareBytes, and caught several Internet adware and PUP cases, but nothing flagged as serious. My email program is Microsoft Outlook. In looking at my "Sent" email, I don't see any additional addresses being visibly tacked on to the email I sent that triggered this response. I haven't had any security violations on my system that I know of. I'm a tech guy, although not an expert in security, but I've got understanding and general instincts. Case (3): This struck me as the most likely possibility; that the pop server on this private company has been compromised, and was forwarding incoming email to a Russian drop. Forwarding emails to another address is a normal pop feature, so this isn't even necessarily a sophisticated hack; something like this could happen if anyone with access to the server just entered a forwarding address. Case (4): This is Friend1, the recipient, and the error text specifically indicates the email to him went to Russia. Could a virus on his personal PC have quietly forwarded it, spoofing my return address? Case (6): The other friend, Friend2, who was cc:'d, is not named in the error report. I suppose it's possible that a virus on his PC could have quietly forwarded the original email, spoofing my return address? I would think Friend2 is unlikely to be the source of the forward, but he did mention having had a virus (presumably removed) in recent memory. I asked Friend1 to run this by the tech contact for the CommercialDomain.com website, and he was told the pop server was fine and the problem must be in my own PC, and he should delete all future emails from me. I don't know the quality of this tech contact, but that response -- or at least the part that I'm reporting here, and which is all I know -- either doesn't make much sense or isn't useful. Part of my mind wonders if his tech support is covering its fault by telling him not to listen to the guy who noticed their problem. Sorry for the verbosity; I'm just trying to set down what I know. Is there a smoking gun anywhere in this morass?
This event suggests to me that something sinister has got fingers somewhere in the email chain. But can I determine exactly who has the problem? (Names have been made generic for privacy.) The players: Me: 001@earthlink.net Friend1: 002@ComercialDomain.com Friend2: 003@gmail.com So I sent an email to: Friend1, with a cc: to Friend2. And I almost immediately got back an error from "Mail Administrator" with subject "Mail System Error - Returned Mail". The text: The attached "details.txt" file said: This indicated to me that something in the email chain was forwarding the email I sent to a mysterious box in .ru (Russia!). Or that was what it tried to do, except the destination box either didn't exist or had fallen off line, resulting in a bounce back to the "sender" name, which is me. If the email had gone through successfully, then I would never have known about it. My immediate sense is this indicates sinister activity somewhere along the line. Or am I panicked over nothing, and there's a perfectly reasonable explanation for a reference to .ru in a bounced email? (We are in the U.S. If our email is being processed by a Russian server, even "legitimately", I want to know about it!) Assuming it's not benign, what could cause this? The general possibilities that come to mind: 1) A virus on my own PC, which surreptitiously sends my emails to the bad guy. 2) A virus on my outgoing email server. This is smtp.charter.net, which I would expect to be secure. Charter is my ISP, and it's a huge company. 3) A virus on the pop email receiver at CommercialDomain.com (this is a small company, and thus presumably less secure than Charter). 4) A virus on the receiving computer of Friend1 5) I think we can assume the pop email receiver at gmail.com is secure 6) A virus on the receiving computer of Friend2 Do I know enough to determine which system has been compromised? I'm speculating... Case (1): I *think* my own PC is secure. I run Microsoft Security Essentials. After this incident, I ran MalwareBytes, and caught several Internet adware and PUP cases, but nothing flagged as serious. My email program is Microsoft Outlook. In looking at my "Sent" email, I don't see any additional addresses being visibly tacked on to the email I sent that triggered this response. I haven't had any security violations on my system that I know of. I'm a tech guy, although not an expert in security, but I've got understanding and general instincts. Case (3): This struck me as the most likely possibility; that the pop server on this private company has been compromised, and was forwarding incoming email to a Russian drop. Forwarding emails to another address is a normal pop feature, so this isn't even necessarily a sophisticated hack; something like this could happen if anyone with access to the server just entered a forwarding address. Case (4): This is Friend1, the recipient, and the error text specifically indicates the email to him went to Russia. Could a virus on his personal PC have quietly forwarded it, spoofing my return address? Case (6): The other friend, Friend2, who was cc:'d, is not named in the error report. I suppose it's possible that a virus on his PC could have quietly forwarded the original email, spoofing my return address? I would think Friend2 is unlikely to be the source of the forward, but he did mention having had a virus (presumably removed) in recent memory. I asked Friend1 to run this by the tech contact for the CommercialDomain.com website, and he was told the pop server was fine and the problem must be in my own PC, and he should delete all future emails from me. I don't know the quality of this tech contact, but that response -- or at least the part that I'm reporting here, and which is all I know -- either doesn't make much sense or isn't useful. Part of my mind wonders if his tech support is covering its fault by telling him not to listen to the guy who noticed their problem. Sorry for the verbosity; I'm just trying to set down what I know. Is there a smoking gun anywhere in this morass?