Is my email being forwarded without me knowing?

I just tried to send an email to someone. Then I got the following error message from the send program on my web host (where I was sending from):

The problem is that in no way did I specify the message to go to that address. quintanaroo is apparently a mexican email provider. My guess is a spammer or virus writer address that’s been closed.

I don’t think it’s a trojan horse on my system, I’m running Gentoo Linux (all packages up to date) and using Thunderbird 0.8. I’m at work behind a NAT router, and I have brought this laptop home and connected it to my optonline network, which has a hardware firewall/router as well.

Does this mean my web host has a compromised server? I tried sending another message to the same person, and the error didn’t occur again. I’ve yet to hear a response from the person that I sent the original message to in order to see if they received it. I forwarded the error message to my hosting provider to see what they thought of it.

Any thoughts?

Just as an update, the person I sent the original message to did actually get it. So why the extra send to a Mexican free email account? It can’t be good.

I wouldn’t rule out a more benign explanation just yet. Maybe the recipient just set up a .forward file (or a procmail recipe that forwards mail from known acquaintances) so that personal e-mail gets read at the designated quintanaroo address. I do that with my Gmail address.

But that wouldn’t bounce the mail back to the OP’s account; it’d bounce to the account doing the forwarding.

Anyhow, more experimentation is necessary. Try sending test messages to other email addresses and see if you get similar responses, try sending more messages to the same address as the OP, etc. And, of course, take the standard anti-spyware precautions (as spelled out in the Read this First thread).

-lv

Actually, I have seen a malformed .forward file bounce the incoming mail to the sender, when the sendmail software on the receiving server identifies a syntax error or other cause for an infinite forwarding loop. If procmail is already set up as the local delivery agent and a .forward file calls procmail with non-default arguments, a simple syntax error could prevent the mail delivery system from doing its task, and then the original sender is informed of the delivery failure as a courtesy.

I thought so too, and asked the person, but they don’t know that address. Plus the server that sent the failure notice was my SMTP server that I was sending through, not the recipient server.

I tried sending to the same person, and I’ve also been sending to other places throughout the day under normal work conditions. So far no repeat or other failure notice.

As far as spyware, I don’t see any unknown processes when doing “ps -ef”. I have a “New Mail Icon” extension in Thunderbird that I got from here but I doubt that’s the one doing it.

I did some more investigation and found so far that:

  • The IP it tried to send to (205.158.62.147) is not quintanaroo.com. It resolves to something on outblaze.com. Why would the server connect to that IP to send email to a different domain?

  • The failure notice definitely came from my SMTP server that I sent through, the headers in the failure notice are correct. Also the quoted message was exactly what I sent, and it arrived minutes after I sent it. So it couldn’t be a spammer using my email as the “from” field.

I suppose it could just be a glitch where my message got crossed in the spooler with someone else sending an email at the same time? It’s a shared web hosting plan, so it’s certainly possible another user was trying to send something to that location.

I have no clue what happened…
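The checks the poster describes (which server reported the failure, which address and remote host it was trying to deliver to, and whether the quoted original matches what was sent) can be read straight out of the bounce's machine-readable part: a standard bounce is a multipart/report message whose message/delivery-status part carries Reporting-MTA, Final-Recipient, Remote-MTA, Action and Status fields. The following is an added example, not code from anyone in the thread. It builds a constructed sample bounce (the hostnames smtp.webhost.example, mydomain.example, example.org and the address unknown-user@quintanaroo.com are hypothetical; the IP 205.158.62.147 is the one mentioned above) and pulls those fields out with Python's standard email package.

```python
"""Extract the delivery-status fields from a bounce (RFC 3464 DSN)."""
import email
from email import policy
from typing import Dict, List, Optional

# Constructed sample bounce (not the one from the thread, which is not quoted).
# The sender's own outgoing SMTP host reports a failed delivery attempt to a
# remote MTA at 205.158.62.147 for an address the sender never specified.
# All hostnames and addresses are hypothetical.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@smtp.webhost.example
To: me@mydomain.example
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="==B=="

--==B==
Content-Type: text/plain; charset=us-ascii

This is the mail system at host smtp.webhost.example.
Your message could not be delivered to one or more recipients.

--==B==
Content-Type: message/delivery-status

Reporting-MTA: dns; smtp.webhost.example

Final-Recipient: rfc822; unknown-user@quintanaroo.com
Action: failed
Status: 5.1.1
Remote-MTA: dns; [205.158.62.147]
Diagnostic-Code: smtp; 550 5.1.1 user unknown

--==B==
Content-Type: message/rfc822

From: me@mydomain.example
To: friend@example.org
Subject: hello

original message text
--==B==--
"""


def _mta_name(field: Optional[str]) -> Optional[str]:
    """Turn 'dns; [1.2.3.4]' or 'dns; host.example' into '1.2.3.4' / 'host.example'."""
    if field is None:
        return None
    value = field.split(";", 1)[-1].strip()
    return value.strip("[]")


def _address(field: Optional[str]) -> Optional[str]:
    """Turn 'rfc822; user@host' into 'user@host'."""
    if field is None:
        return None
    return field.split(";", 1)[-1].strip()


def parse_bounce(raw: str) -> Dict[str, object]:
    """Return the reporting MTA, per-recipient status and the original To: header."""
    msg = email.message_from_string(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/report":
        raise ValueError("not a multipart/report bounce: " + msg.get_content_type())

    reporting_mta: Optional[str] = None
    recipients: List[Dict[str, Optional[str]]] = []
    original_to: Optional[str] = None

    for part in msg.iter_parts():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            # The email package parses this part into a list of header-only
            # messages: the first block is per-message, the rest per-recipient.
            blocks = part.get_payload()
            reporting_mta = _mta_name(blocks[0].get("Reporting-MTA"))
            for block in blocks[1:]:
                status = block.get("Status")
                recipients.append({
                    "final_recipient": _address(block.get("Final-Recipient")),
                    "action": str(block.get("Action", "")).strip(),
                    "status": str(status).strip() if status else None,
                    # 5.x.x is a permanent failure, 4.x.x a transient one
                    "permanent": bool(status) and str(status).strip().startswith("5"),
                    "remote_mta_ip": _mta_name(block.get("Remote-MTA")),
                    "diagnostic": str(block.get("Diagnostic-Code", "")).strip(),
                })
        elif ctype == "message/rfc822":
            # The returned copy of the original message; compare its headers
            # with what you actually sent.
            inner = part.get_payload()[0]
            original_to = str(inner.get("To", "")).strip()

    return {"reporting_mta": reporting_mta, "recipients": recipients,
            "original_to": original_to}


def reported_by_own_smtp(report: Dict[str, object], own_smtp_host: str) -> bool:
    """True when the bounce was generated by the server you submitted through."""
    return report["reporting_mta"] == own_smtp_host


if __name__ == "__main__":
    rep = parse_bounce(SAMPLE_BOUNCE)
    print("reported by", rep["reporting_mta"], "(own server:",
          reported_by_own_smtp(rep, "smtp.webhost.example"), ")")
    for r in rep["recipients"]:
        print(r["final_recipient"], "via", r["remote_mta_ip"], "->", r["status"])
    print("original message was addressed to", rep["original_to"])
```

The useful comparison is between the Final-Recipient in the delivery-status part and the To: header of the returned original: when they differ and the Reporting-MTA is your own submission server, the extra recipient was added on that server (by a forward, an alias, or an error in the queue), not on the recipient's side. Remote-MTA tells you which host the server was actually talking to, which is how one would notice the 205.158.62.147 address belonging to a different operator than the recipient domain.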