Foxface
Message 1 of 6

Postmaster/mailer-daemon undeliverable spam

Keep me informed of what VM is doing to stop this proliferation of spam 'undeliverable' emails.

ravenstar68
Very Insightful Person
Message 2 of 6
Helpful Answer

Re: Postmaster/mailer-daemon undeliverable spam

@Foxface

If you are seeing bounce emails from mailer-daemon@virginmedia.com or postmaster@virginmedia.com then these mails have come from Virgin Media's outbound SMTP servers.

In order to use those servers for mailer-daemon@virginmedia.com the spammers need one of two things:

Access to a PC on the Virgin Media network 

OR - and this is usually the most common

A Virgin Media email address and password combination.  If they have this then they can send emails from a Virgin Media email address from anywhere in the world.

If you look at the mailer-daemon messages you will see three attachments.  Download these and open them in a text editor.

One contains the error message from the server
One contains just the headers of the sent email
One contains the sent email including the headers.

In the Headers you will find this:

X-Authenticated-User: some-user@virginmedia.com (or possibly one of the other 3 Virgin Media domains)

This address can't be faked as it's the username that's used to authenticate the SMTP connection prior to sending mail.  So I'd start by looking at this line.

Tim

I'm a Very Insightful Person, I'm here to share knowledge, I don't work for Virgin Media.
Foxface
Message 3 of 6

Re: Postmaster/mailer-daemon undeliverable spam

Dear Ravenstar, Thanks for info. I think I've sorted my problem, have just put in new filter rules to discard any mail with all or almost all of the subject heading words, such as Undeliverable, Mail Delivery Status, etc. I don't send out much mail and only get one or two returns in a year, so this should get rid of the immediate problem of 500+ spam mails flooding my phone or PC.  I don't think it's just one sender, sounds like quite a few people have been affected by this kind of spam attack, so even if I went through 1500+ emails (do I really have the time, predilection or eyesight to go through so many attachments?!), I might still get similar spam from another or missed address.

The real issue is why isn't Virgin Media doing more about it.  It was widely reported around the turn of the year that one of VM's address lists had been hacked in 2019, and my old ntlworld address has had more spam in the last 4 months than in the last 20 years.  One of the other forum members said that changing passwords won't help as the spammers are using a backdoor in VM's own system.  If I can adjust my spam filter rules, isn't it about time VM did something to weed out these spam mails as they go through VM's own servers?

ravenstar68
Very Insightful Person
Message 4 of 6

Re: Postmaster/mailer-daemon undeliverable spam

Have you sorted the problem?

Or have you merely hidden it?  In doing so you've also ensured that legitimate bounce mails will also be hidden from you.

Did you check the X-Authenticated: line as requested?

Tim

Foxface
Message 5 of 6

Re: Postmaster/mailer-daemon undeliverable spam

Dear Ravenstar, Thanks for reply. I'm not worried about legit non-delivery bounce mails, maybe get one a year and if I don't hear from recipient, it's their lookout.  One less thing to worry about!  Haven't checked out any of the fake mails, as I deleted them all & haven't received any more for 10 days, so my filter rules to discard are probably working. By 'text editor' I presume you mean something like Notebook (think that's the only one I've got - does 'View source' count as one)? However I have changed my password just in case.  Cheers, Ross

ravenstar68
Very Insightful Person
Message 6 of 6

Re: Postmaster/mailer-daemon undeliverable spam

Dear Foxface

The thing is you start with the wrong mindset.

Unless I've checked the mails themselves I would start by assuming they were genuine UNLESS there was evidence to the contrary.

This is because Virgin Media use SPF and sign their mails with DKIM INCLUDING the mailer-daemon emails.  They also have a DMARC policy of Quarantine meaning spoofed bounce mails would end up in the spam folder.

So I will repeat what I said before:

If you are getting bounce mails with the address mailer-daemon@virginmedia.com then someone has been sending the emails using Virgin Media's mail servers.

To send from those servers you either need

A valid Virgin Media email address and password.
OR
A compromised computer on a Virgin Media IP address. (In which case the X-Authenticated header might be blank).

Worse, if you are getting bounce mails from postmaster@virginmedia.com then that would indicate that the webmail system is involved.

Now we've seen evidence of all three in the past (in fact I can go one better, back in the days when Gmail was hosting the account, I came across evidence of a mail sent using the Gmail system back in 2013 I think it was).  So we know that spammers have and still do use hacked Virgin Media email accounts to send mail.

Now if the bounce messages DON'T have virginmedia.com after the @ symbol, then that would indicate that someone had been spoofing using third party email servers.

With regards to view source.  If you know how to be sure you're reading the text of the attachments then by all means you can use this, otherwise I normally recommend saving the attachments and viewing them in Notepad or Wordpad.

If this were my account I would disable the filter rules and see if the password change has put a stop to the bounces.

Tim

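The bounce check described in messages 2 and 6, as an added example that is not part of the original thread: it reads a saved bounce, pulls `X-Authenticated-User` from the attached copies of the sent mail, and applies the posts' reasoning about the bounce's own From address. The sample message, the function names, the result labels and the assumption that the attachments are typed `text/rfc822-headers` and `message/rfc822` are all constructed for illustration.

```python
import email.policy
from email.utils import parseaddr

# Constructed sample (not a real bounce): error text, headers-only copy, full copy.
SAMPLE_BOUNCE = """\
From: mailer-daemon@virginmedia.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

550 mailbox unavailable: nobody@example.com
--b1
Content-Type: text/rfc822-headers

From: some-user@virginmedia.com
X-Authenticated-User: some-user@virginmedia.com

--b1
Content-Type: message/rfc822

From: some-user@virginmedia.com
X-Authenticated-User: some-user@virginmedia.com

--b1--
"""

def authenticated_users(bounce):
    """Collect X-Authenticated-User values from the attached copies."""
    found = []
    for part in bounce.walk():
        kind = part.get_content_type()
        if kind == "text/rfc822-headers":      # headers-only attachment (plain text)
            inner = email.message_from_string(part.get_content(), policy=email.policy.default)
        elif kind == "message/rfc822":         # full copy of the sent mail
            inner = part.get_payload(0)
        else:
            continue
        found += [str(v).strip() for v in inner.get_all("X-Authenticated-User", [])]
    return sorted(set(found) - {""})           # a blank header counts as absent

def bounce_origin(bounce, domain="virginmedia.com"):
    local, _, dom = parseaddr(str(bounce["From"]))[1].lower().partition("@")
    routes = {"mailer-daemon": "outbound SMTP", "postmaster": "webmail"}  # per the posts
    return routes.get(local, "unknown") if dom == domain else "third-party server (spoofed)"

def triage(raw):
    bounce = email.message_from_string(raw, policy=email.policy.default)
    return bounce_origin(bounce), authenticated_users(bounce)
```
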