Mail Delivery Failed Notice

1

I am using custom email addresses formed with my domain name. I am using POP but with the option to not delete the emails from the server (the server is in the cloud, not my own) so email clients on different PCs can still get the same email.

Today I received a "Mail Delivery Failed" notice for an email I have definitely not sent, to what seems to be a random email address. The message of the email I supposedly sent is just "doc".

I have checked cpanel's track delivery and there is no email sent from my address, only the delivery failed notice. How is that possible?

What is happening and what can I do?


Below is the notification.

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es)
failed:

  nik7784527485@gmail.com
    host gmail-smtp-in.l.google.com [74.125.195.27]
    SMTP error from remote mail server after RCPT TO:<nik7784527485@gmail.com>:
    550-5.1.1 The email account that you tried to reach does not exist. Please try
    550-5.1.1 double-checking the recipient's email address for typos or
    550-5.1.1 unnecessary spaces. Learn more at
    550 5.1.1  https://support.google.com/mail/?p=NoSuchUser v11si20495962pfm.249 - gsmtp

Reporting-MTA: dns; server205.web-hosting.com

Action: failed
Final-Recipient: rfc822;nik7784527485@gmail.com
Status: 5.0.0
Remote-MTA: dns; gmail-smtp-in.l.google.com
Diagnostic-Code: smtp; 550-5.1.1 The email account that you tried to reach does not exist. Please try 550-5.1.1 double-checking the recipient's email address for typos or 550-5.1.1 unnecessary spaces. Learn more at 550 5.1.1 https://support.google.com/mail/?p=NoSuchUser v11si20495962pfm.249 - gsmtp

Below is the email header.

To:  nik7784527485@gmail.com 
Return-path:  (I have deleted this)
Received:  from (I have deleted this)
helo=(I have deleted this) by server205.web-hosting.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.92) (envelope-from "This is my actual email address") id 1iMvws-0034EY-Fe for nik7784527485@gmail.com; Tue, 22 Oct 2019 11:19:55 -0400 
Message-ID: <c7346356-3178-340a-75fd-e1966ccb2063@"This is my actual email address"> 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101
Thunderbird/68.1.2 
MIME-Version: 1.0 
Content-Type:  text/plain; charset=utf-8; format=flowed 
Content-Transfer-Encoding:  8bit 
Content-Language:  en-US
X-OutGoing-Spam-Status:  No, score=0.8

Adam

Posted 2019-10-22T16:41:40.030

Reputation: 155

I think we need more detail on your setup.

Is this a personal Gmail account set up with a domain name by forwarding mail in cPanel? Or G Suite? Or something else?

How have you got the email set up in Thunderbird? If it's POP and is set to delete items from the server then it's possible one client got there first and removed the mail before the other clients had a chance to grab a copy, but hard to say without knowing more.

Also normally mail delivery failed notifications will give more information than just that, if you could post that it may help identify the source of the mail. – Ciaran McKenzie – 2019-10-22T16:47:26.720

@CiaranMcKenzie I will edit my question. – Adam – 2019-10-22T16:48:18.203

Possibly a spammer spoofing your email address as the source of the email (so that recipients will think it's a known address). – Steve Rindsberg – 2019-10-22T17:03:12.533

I am still unsure of the answer here. It’s possible that someone spoofed your address and tried to send the mail. If that mail had your address as the return path then DNS lookups would have directed this notification to you. All I can advise to prevent this in future is to ensure you properly configure SPF and DKIM records for your domain to prevent the spoofing of your address, and configure DMARC reports to get feedback on unauthorised or spoofed senders. It may also be prudent to change your password. With the current information and without DMARC reports it’s hard to tell any further. – Ciaran McKenzie – 2019-10-22T17:39:35.583

@CiaranMcKenzie I am trying to understand whether this is a spoofing attack or my PC is compromised. I have a signature text in all my emails and the returned one had that text. If that was spoofing I guess that this wouldn't be the case. – Adam – 2019-10-22T18:19:51.797
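Added example (not from the question or any of the commenters) that triages a bounce like the one above: it parses the machine-readable delivery-status fields and the Received header of the rejected message, then reports whether that message entered the mail system through an authenticated submission on the owner's own server (Exim tags such sessions esmtpa/esmtpsa, the trailing "a" meaning SMTP AUTH and "s" meaning TLS) or came from an outside host, which is what separates a message actually sent with the account's credentials from backscatter caused by a spoofed sender. The sample texts, the placeholder address me@example.com, the documentation IP addresses and the my_address/my_server parameters are constructed assumptions.

```python
import re

# Constructed sample, modelled on the redacted bounce in the question above
# (me@example.com and the IP addresses are placeholders, not the poster's real values).
SAMPLE_DSN = """Reporting-MTA: dns; server205.web-hosting.com

Action: failed
Final-Recipient: rfc822;nik7784527485@gmail.com
Status: 5.0.0
Remote-MTA: dns; gmail-smtp-in.l.google.com
Diagnostic-Code: smtp; 550-5.1.1 The email account that you tried to reach does not exist.
"""

SAMPLE_RECEIVED = ("from [203.0.113.7] (helo=[192.168.1.20]) by server205.web-hosting.com "
                   "with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.92) "
                   "(envelope-from <me@example.com>) id 1iMvws-0034EY-Fe "
                   "for nik7784527485@gmail.com; Tue, 22 Oct 2019 11:19:55 -0400")

def parse_dsn(text):
    """Return the delivery-status fields (RFC 3464 style) as a lower-cased dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r'^([A-Za-z-]+):\s*(.*)$', line)
        if m:
            fields[m.group(1).lower()] = m.group(2).strip()
    return fields

def parse_received(header):
    """Pull out the parts of an Exim Received header that matter for triage."""
    proto = re.search(r'\bwith (esmtpsa|esmtpa|esmtps|esmtp|smtp)\b', header)
    by = re.search(r'\bby (\S+)', header)
    env = re.search(r'envelope-from <?([^>\s)]+)>?', header)
    return {
        'by': by.group(1) if by else None,
        'protocol': proto.group(1) if proto else None,
        # Exim appends 'a' to the protocol when the session passed SMTP AUTH
        'authenticated': bool(proto and proto.group(1) in ('esmtpa', 'esmtpsa')),
        'envelope_from': env.group(1) if env else None,
    }

def triage(dsn_text, received_header, my_address, my_server):
    """Classify a bounce as a real send from the account or as backscatter."""
    dsn = parse_dsn(dsn_text)
    rcv = parse_received(received_header)
    if dsn.get('action') != 'failed':
        return 'not a failure report'
    if rcv['authenticated'] and rcv['by'] == my_server and rcv['envelope_from'] == my_address:
        return 'submitted with your credentials: treat the account as compromised'
    if rcv['by'] == my_server:
        return 'relayed by your server without auth: check relay and forwarding rules'
    return 'backscatter: sender address spoofed elsewhere; harden SPF/DKIM/DMARC'
```

When the Received header is the one from the question (esmtpsa on the owner's own server with the owner's envelope-from), the result is the first branch; a bounce whose rejected message never touched the owner's server falls into the backscatter branch.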

Answers

2

This is usually a phishing email which may contain two attack vectors:

  1. Should you examine the contents of the "rejected" mail, they may direct you to a harmful website. This is using your natural curiosity against you.

  2. There may be one or more email addresses mentioned in the message or its headers, with the purpose of getting you to email them. The whole purpose here is just to discover your real address in the domain. Once the address is known, it will then be more seriously attacked or spammed or even sold to other hackers.

The best protection is to delete this email and to take no other action than ignoring it.

harrymc

Posted 2019-10-22T16:41:40.030

Reputation: 306 093

Not sure if ignoring is the best course of action if the OP is worried about people spoofing his email address. He should ensure he has sender authentication set up for his domain to prevent this if he has not already. I am still not sure of the exact circumstances in this case though. – Ciaran McKenzie – 2019-10-22T17:50:04.387

Thanks for your answer. The content is just text saying "doc" and also my signature text. – Adam – 2019-10-22T18:28:45.090

I get such emails every week. Some of them are very badly done and just laughable. I suppose Nigerian princes are just not that good at it. – harrymc – 2019-10-22T18:35:11.393