Why am I receiving emails from mailer-daemon@googlemail.com?

11.8K    Asked by AndrewJenkins in Cyber Security, Asked on Sep 27, 2022

Some months ago, I started to receive some emails from "Mail Delivery Subsystem" (mailer-daemon@googlemail.com). Despite this being an "automatic" failure email, I thought these emails were spam, so I just ignored them. But today I received many more emails, and this started to disturb me.


These emails are sent from mailer-daemon@googlemail.com (there is an icon that indicates a reply email) and say that "MYEMAIL@aol.com couldn't be found". "MYEMAIL" is the email that is receiving these messages, but with the domain "aol.com" (I don't have any email from this domain).


In these emails, there is always an attached file about something attractive, like diets and wines. I think the most curious detail is that I was receiving these emails but in a "normal way". Before receiving mailer-daemon, I was receiving spam as normal, even with the same subject, and at some point this changed to mailer-daemon. Another detail is that, despite these emails always having an attached file, I can't see the attached-file icon until I open the email. Only then, when I close the email, can I see the attached-file icon. Obviously I never downloaded these files.


I already changed my password and checked the login entries, and everything seems to be normal. I can just block emails from mailer-daemon@googlemail.com, but I'm concerned about why this is happening.

Answered by Anisha Dalal

Regarding the email ID mailer-daemon@googlemail:

I've had this issue before, with another email provider. In my case, someone was able to obtain my e-mail address, but not my password. Then, my email address was used as the "reply-to" or the "sent-from" address on a spam email. It is annoying, but your email itself is probably safe. (TFA helps).

Example for clarity:

Through whatever means, I notice that a valid e-mail address is Mycroft@googlemail.com.
Now, I can authenticate to another mail server, say postoffice.com. I can then use a sendmail program that does something like this:
to: JoeBloggs@aol.com
from: Mycroft@googlemail.com
Subject: Best Diet Program Ever!!
Body: blah, blah, blah.
For more info, click here!
EOT

You will then get the mailer-daemon message, and I have not compromised your email, but I have compromised your email ADDRESS.


Answer (1)

I got one too. Here are the headers of the bottom message (with potentially unsafe data replaced).
Significant replacements:
• MEMEME@gmail.com - stands in for my address
• themthemthem - stands in for the apparent target address. (I, the fake "sender", might be the real target.)
• [10 digits], etc. - stands in for ... 10 digits (or whatever is described).
Notice the "softfail" messages all the way up.
Notice TWO "From:" headers. Is that even valid? Are the mail servers misconfigured? Do mail servers vary on whether they believe the first "From:", the second one, or both?

==========
X-Google-Smtp-Source: [76char]
X-Received: by [ipv6 addr] with SMTP id eo5-[32hx]mr[8digits]qvb.23.[13digits];
        Wed, 14 Jun 2023 17:49:09 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=[10 digits]; cv=pass;
        d=google.com; s=arc-20160816;
        b=[long base64]
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=mime-version:date:subject:to:from:message-id:from;
        bh=[short base64];
        b=[long base64]
ARC-Authentication-Results: i=2; mx.google.com;
       arc=pass (i=1);
       spf=softfail (google.com: domain of transitioning MEMEME@gmail.com does not designate 113.128.8.186 as permitted sender) smtp.mailfrom=MEMEME@gmail.com
Return-Path:
Received: from mailstream-east.mxrecord.io (mailstream-useast-egress001.mxrecord.io. [52.0.67.109])
        by mx.google.com with ESMTPS id r6-[41char hex][3 letters]qvj.61.2023.06.14.17.49.09
        for
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 14 Jun 2023 17:49:09 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning MEMEME@gmail.com does not designate 113.128.8.186 as permitted sender) client-ip=113.128.8.186;
Authentication-Results: mx.google.com;
       arc=pass (i=1);
      spf=softfail (google.com: domain of transitioning MEMEME@gmail.com does not designate 113.128.8.186 as permitted sender) smtp.mailfrom=MEMEME@gmail.com
Received: from mailstream027.us-east-1.production.area1.internal (localhost [127.0.0.1]) by mailstream-east.mxrecord.io (Postfix) with ESMTP id [15char hex] for ; Thu, 15 Jun 2023 00:49:08 +0000 (UTC)
ARC-Seal: i=1; cv=none; t=[10 digits]; a=rsa-sha256;
     d=mxrecord.io; s=arc202004;
     b=[long base64]
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mxrecord.io; s=arc202004;
     h=from:from:reply-to:reply-to:subject:subject:message-id:message-id:to:to:cc:mime-version
      :mime-version:content-type:content-type:x-area1security-disposition
      :x-area1security-disposition;
     bh=[short base64];
     b=[long base64];
ARC-Authentication-Results: i=1; mailstream-east.mxrecord.io;
     dmarc=fail (p=none) header.from=ray-ban.com;
     dmarc=fail (p=none) header.from=gmail.com;
     spf=softfail smtp.mailfrom=gmail.com;
     dkim=none
Received-SPF: softfail (mailstream-east.mxrecord.io: transitioning gmail.com does not designate 113.128.8.186 as permitted sender) client-ip=113.128.8.186; envelope-from=MEMEME@gmail.com; helo=hnrldpt;
Authentication-Results: mailstream-east.mxrecord.io;
     dmarc=fail (p=none) header.from=ray-ban.com;
     dmarc=fail (p=none) header.from=gmail.com;
     spf=softfail smtp.mailfrom=gmail.com;
     dkim=none
Received: from mailstream-east.mxrecord.io (localhost. [127.0.0.1])
        by localhost
        with SMTP (Area1Security-Mailstream 2.175.1) id LIWFAR7L
        for themthemthem@colpal.com;
        Thu, 15 Jun 2023 00:49:08 +0000 (GMT)
Received: from hnrldpt (unknown [113.128.8.186]) by mailstream-east.mxrecord.io (Postfix) with ESMTP id [15ch base64] for ; Thu, 15 Jun 2023 00:49:07 +0000 (UTC)
From: RAY-BAN
Message-ID: <[32char hex]@hnrldpt>
From: rdoudjdig
To: themthemthem
Subject: mnoefubvn
Date: Thu, 15 Jun 2023 08:48:59 +0800
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=[22char nonsense]=----"
X-Priority: 3
X-Mailer: Vpcud 0
X-Area1Security-Disposition: UCE [15ch base64]-2023-06-15T00:49:08
X-Area1Security-Origin: EXTERNAL [15ch base64]-2023-06-15T00:49:08
X-Area1Security-Processed: [32char hex];2;SPAM;2023-06-15T00:49:08;[GUID]
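The headers above show why the forgery described in both answers reaches the mailbox and only then bounces: SPF returns softfail rather than fail, DMARC is p=none, there is no DKIM signature, and the message carries two From: headers. The following triage script is an added example (not code from the thread); it parses a constructed header set modelled on the quoted one, with placeholder addresses and an RFC 5737 documentation IP, and reports which of those conditions hold.

```python
import email
import re
from email import policy

# Constructed sample modelled on the redacted headers quoted in the answer above.
# Addresses and the IP are placeholders, not real indicators.
SAMPLE = """\
Authentication-Results: mx.example.net;
     dmarc=fail (p=none) header.from=brand.example;
     dmarc=fail (p=none) header.from=gmail.com;
     spf=softfail smtp.mailfrom=gmail.com;
     dkim=none
Received-SPF: softfail (mx.example.net: transitioning gmail.com does not designate 203.0.113.7 as permitted sender) client-ip=203.0.113.7; envelope-from=victim@gmail.com; helo=hnrldpt;
From: BRAND
Message-ID: <abc123@hnrldpt>
From: rdoudjdig
To: target@example.com
Subject: mnoefubvn

body
"""

# mechanism=verdict, optionally followed by the DMARC policy in parentheses
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)(?:\s*\(p=(\w+)\))?")
IP_RE = re.compile(r"client-ip=([0-9a-fA-F.:]+)")


def triage(raw: str) -> dict:
    """Return SPF/DKIM/DMARC verdicts, From: count, and why the forgery was not rejected."""
    # compat32 keeps duplicate headers instead of rejecting them, so From: can be counted
    msg = email.message_from_string(raw, policy=policy.compat32)
    auth = " ".join(msg.get_all("Authentication-Results", []))
    r = {"spf": None, "dkim": None, "dmarc": None, "dmarc_policy": None}
    for mech, verdict, pol in AUTH_RE.findall(auth):
        r[mech] = verdict
        if mech == "dmarc" and pol:
            r["dmarc_policy"] = pol
    ip = IP_RE.search(msg.get("Received-SPF", ""))
    r["client_ip"] = ip.group(1) if ip else None
    r["from_count"] = len(msg.get_all("From", []))
    reasons = []
    if r["from_count"] != 1:
        reasons.append("RFC 5322 allows exactly one From:; clients may display either one")
    if r["spf"] == "softfail":
        reasons.append("sender domain's SPF ends in ~all, so receivers tag rather than reject")
    if r["dmarc"] == "fail" and r["dmarc_policy"] == "none":
        reasons.append("DMARC p=none requests reporting only, so the forgery is delivered")
    if r["dkim"] in (None, "none"):
        reasons.append("no DKIM signature, so nothing ties the message to the real domain")
    r["reasons"] = reasons
    # Neither origin-proving mechanism passed: the envelope sender was forged.
    r["spoofed"] = r["spf"] != "pass" and r["dkim"] != "pass"
    return r
```

Run against a message whose domain publishes `-all` and `p=reject`, the same function reports `spoofed` False and no reasons, which is the posture that would have let the receiving server refuse the message instead of bouncing it back to the forged address.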