Fake Bounce Spam Emails in Gmail - Are These Really That Fake?

by dhaupin   Last Updated June 10, 2015 01:01 AM

Are spam messages labeled by Gmail as "Fake Bounce Emails" really that fake in all cases? Is there a way they could actually be legit?

Example of the notice found when Gmail labels an email as fake bounce.

We run a server with multiple domains which have all the classic email addresses such as [email protected], [email protected], [email protected], [email protected] managed by a team inbox under a non-masked gmail account. There is 1 domain for which Gmail manages a POP for the [email protected], the rest of them are just forwarders into Gmail as an alias. For the sake of example, let's call it "[email protected]", although that address is never used. Instead, mail for each domain fires off into that inbox, and we are able to use each domain address normally.

Over the last few months, we have began to notice a lot of strange bounce mails going straight to spam that seem to be fakes. They are always trying to send via the un-used [email protected] address. I have performed 3 server audits to make sure nothing is up, but I can't help feeling like I missed something or that they have found a way to userp their way into the chain somehow.

Here is the contents of one of the emails received this morning. They always seem to be related to Comcast, as if a user on that ISP is trying to spam via us as a relay, to our own ourmailer acronym on the @comcast.net domain. The subject is always "Delivery report":

Hello, this is the mail server on server233.marketbox.org.

I am sending you this message to inform you on the delivery status of a message you previously sent. Immediately below you will find a list of the affected recipients; also attached is a Delivery Status Notification (DSN) report in standard format, as well as the headers of the original message.

delivery failed; will not continue trying

Final-Recipient: rfc822;[email protected] Action: failed Status: 5.3.2 (system not accepting network messages) Remote-MTA: dns;mx2.comcast.net (68.87.20.5) Diagnostic-Code: smtp;554 resimta-ch2-11v.sys.comcast.net comcast 23.227.123.207 found on one or more DNSBLs, see http://postmaster.comcast.net/smtp-error-codes.php#BL000010 X-PowerMTA-BounceCategory: spam-related

They come with an attachment, here is what is contained in that:

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=2014; d=server233.marketbox.org;
 h=Reply-To:From:To:Subject:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Date;
 bh=e93hXRYq9rZhWCc86TP8tys4zgc=;
 b=zuzPWcZK9atz/EzVmI0P28AMPvfOAw5fH7Mj2hzZeay+OtI+x1baocpgNetYrmxUWOxmV224xLjs
   3+hcllzUdQx+KGbnhbKjbL4TPqnnawzZT7MVEpx+xEupvFr6lHbsko0RHmo3PELQx2g36f1W20p7
   tOsr9R6TCnLTT8PwEDyL6LyGnzWx+EiemIutea2IJQq0ZjJqeuAN+/vR8pMOKmomCMlZ8XB0XSkA
   5GB2HyQGwYsg0faMr1GOKMHj4lOXsOmkK0wAsBhrlPKBuifGyW9kD2SVB9isqXmmicT/K97EzVEt
   MJGtPZPQnZG4D223BL0tiMAm1NdchA3pTjSVIw==
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=2014; d=gmail.com;
 b=7iJ8c9LGnHx41HeXBDcF+BfOo00JISLpAXWCgjb8gMsx3IMl3d3XmuQq1WjJUJMcv0F8elpyhlqx
   Yi7El32waoPt+hdETL3RRAP+sIIg1m+3T2an0Ts9ybQrzyFygMSn3StJK50BmlD9JLWdf8yRczvV
   idKNQSRdX70REbGeILbJfZGedTMyE5K6G3Z1lohK2TAertnQfMQriJ6gWp/JUKPLn7ANbjyBnGiY
   ean8Bu2kAXT63xqIWi2qhgTp9rGLUJKDHnyPxe+XwgvW8+q573COsfOP4nO17xCVb6bYMrw0CXKS
   jLUIqOil20SYEzmWsNP7PcqMze8Xz87JrK27dA==;
Reply-To: QVS  <[email protected]>
From: Complete Cycle <[email protected]>
To: [email protected]
Subject: Quantum Vision System is not for everyone..
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain;
    charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 9 Jun 2015 05:58:14 -0400

Here is the full original email:

Delivered-To: [email protected]
Received: by 10.76.12.73 with SMTP id w9csp2094196oab;
        Tue, 9 Jun 2015 02:58:10 -0700 (PDT)
X-Received: by 10.182.86.9 with SMTP id l9mr18546126obz.61.1433843890434;
        Tue, 09 Jun 2015 02:58:10 -0700 (PDT)
Return-Path: <>
Received: from server233.marketbox.org (server233.marketbox.org. [23.227.123.207])
        by mx.google.com with ESMTP id hm8si3687079obb.87.2015.06.09.02.58.10
        for <[email protected]>;
        Tue, 09 Jun 2015 02:58:10 -0700 (PDT)
Received-SPF: pass (google.com: domain of server233.marketbox.org designates 23.227.123.207 as permitted sender) client-ip=23.227.123.207;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of server233.marketbox.org designates 23.227.123.207 as permitted sender) smtp.mail=;
       dmarc=pass (p=REJECT dis=NONE) header.from=server233.marketbox.org
Message-Id: <[email protected]>
Date: Tue, 9 Jun 2015 05:58:14 -0400
From: [email protected]
Subject: Delivery report
To: [email protected]
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
    boundary="[email protected]"


[email protected]
Content-Type: text/plain

Hello, this is the mail server on server233.marketbox.org.

I am sending you this message to inform you on the delivery status of a
message you previously sent.  Immediately below you will find a list of
the affected recipients;  also attached is a Delivery Status Notification
(DSN) report in standard format, as well as the headers of the original
message.

  <[email protected]>  delivery failed; will not continue trying

[email protected]
Content-Type: message/delivery-status

Reporting-MTA: dns;server233.marketbox.org
X-PowerMTA-VirtualMTA: mta233
Received-From-MTA: dns;gmail.com (85.17.28.66)
Arrival-Date: Tue, 9 Jun 2015 01:20:37 -0400

Final-Recipient: rfc822;[email protected]
Action: failed
Status: 5.3.2 (system not accepting network messages)
Remote-MTA: dns;mx2.comcast.net (68.87.20.5)
Diagnostic-Code: smtp;554 resimta-ch2-11v.sys.comcast.net comcast 23.227.123.207 found on one or more DNSBLs, see http://postmaster.comcast.net/smtp-error-codes.php#BL000010
X-PowerMTA-BounceCategory: spam-related

[email protected]
Content-Type: text/rfc822-headers

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=2014; d=server233.marketbox.org;
 h=Reply-To:From:To:Subject:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Date;
 bh=e93hXRYq9rZhWCc86TP8tys4zgc=;
 b=zuzPWcZK9atz/EzVmI0P28AMPvfOAw5fH7Mj2hzZeay+OtI+x1baocpgNetYrmxUWOxmV224xLjs
   3+hcllzUdQx+KGbnhbKjbL4TPqnnawzZT7MVEpx+xEupvFr6lHbsko0RHmo3PELQx2g36f1W20p7
   tOsr9R6TCnLTT8PwEDyL6LyGnzWx+EiemIutea2IJQq0ZjJqeuAN+/vR8pMOKmomCMlZ8XB0XSkA
   5GB2HyQGwYsg0faMr1GOKMHj4lOXsOmkK0wAsBhrlPKBuifGyW9kD2SVB9isqXmmicT/K97EzVEt
   MJGtPZPQnZG4D223BL0tiMAm1NdchA3pTjSVIw==
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=2014; d=gmail.com;
 b=7iJ8c9LGnHx41HeXBDcF+BfOo00JISLpAXWCgjb8gMsx3IMl3d3XmuQq1WjJUJMcv0F8elpyhlqx
   Yi7El32waoPt+hdETL3RRAP+sIIg1m+3T2an0Ts9ybQrzyFygMSn3StJK50BmlD9JLWdf8yRczvV
   idKNQSRdX70REbGeILbJfZGedTMyE5K6G3Z1lohK2TAertnQfMQriJ6gWp/JUKPLn7ANbjyBnGiY
   ean8Bu2kAXT63xqIWi2qhgTp9rGLUJKDHnyPxe+XwgvW8+q573COsfOP4nO17xCVb6bYMrw0CXKS
   jLUIqOil20SYEzmWsNP7PcqMze8Xz87JrK27dA==;
Reply-To: QVS  <[email protected]>
From: Complete Cycle <[email protected]>
To: [email protected]
Subject: Quantum Vision System is not for everyone..
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain;
    charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 9 Jun 2015 05:58:14 -0400

[email protected]

Some things confirmed over the course of 3 audits:

  • In Gmail history, all users come from our in house IP, no one else is logging in
  • In Gmail history, there are no fishy/phishy sent emails
  • Our server is not an open mail nor DNS relay, remote mail is off, they don't seem to be using it like that (although there are many remote attempts)
  • Nothing obvious shows in server logs, no scripts/users/accounts are sending obscenely high amounts of mail

Is all this just me being paranoid that something is afoot, or is there not much to worry about regarding this?



Answers 1


Return-Path: <>

This is what is causing the problem. It seems some of headers are ill configured.

The missing Reply-To header is also a serious downfall for mail being masked as spam.

Koushik Ghattamaneni
Koushik Ghattamaneni
September 22, 2015 18:40 PM

Related Questions




Offering opt-out for core business emails

Updated January 25, 2018 16:04 PM

Effect of email address on spam filters

Updated August 28, 2018 15:04 PM