Archive for the 'Email' Category


China Is An Isolated Island Now When Email Is Concerned

If you are now having problems sending and receiving emails from/to China, you are not alone.

China is an isolated island when email is concerned at this moment. Apparently someone “up there” behind the routers/switches is tweaking something and GFW has gone wild.

We have customers in China reporting that they have been facing difficulties accessing emails hosted on our servers from yesterday. No issue found on our servers. No client from other countries is having any problem.

We thought, well, this is just another temporary connection issue in China, caused by GFW as usual. Then I found stunning news from most of the major hosting providers in China and realized it’s totally screwed up, big time.

Here’s the announcement from the biggest host in China, xinnet.com:


Translation:

Dear Email Users,

We have detected unknown technical problems with international gateway which may cause these problems:

xinnet email users receive bounced back error emails while sending emails to overseas domains, bounced back email could indicate:

1)Connected to xxx.xxx.xxx.xxx but connection died. (#4.4.2)
I’m not going to try again; this message has been in the queue too long.

2)xxx.xxx.xxx.xxx does not like recipient.
Remote host said: 551 User not local; please try <forward-path>
Giving up on xxx.xxx.xxx.xxx

We’re actively reporting the issue to related Internet organizations and authorities, and will inform you once it’s solved.

We apologize for the inconvenience caused, thank you for understanding.

Now, the announcement from the 2nd largest host of China, net.cn:


This one is more entertaining:

Dear net.cn Email Users,

Starting from July 16th, we have received reports from corporate mail users that a large number of emails sent overseas are bounced back, with error messages:

1)I’m not going to try again; this message has been in the queue too long.

2)<xxx@xxx.com>: 551 User not local; please try <forward-path>

After careful investigation, we found this in our logfile:

Connected to remote host, but connection died. (#4.4.2)

which means, the remote server disconnected without giving a reason.

Currently we are not able to know the exact reason, but we suspect that emails are blocked by unknown technism on top of the SMTP protocol, because many hosting providers are having the same problem. Together with other providers, we have reported the issue to related Internet organizations and authorities, and will inform you once it’s solved. Thank you for your patience.

The most entertaining announcement is from 35.com:


I translate part of it here:

3)While sending email to overseas, the other party receives text “aaazzzaaazzz” only in email content. —– isn’t it funny? :-) no, this is not in their announcement.

5)When someone overseas sends you email, you receive text “aaazzzaaazzz” only in email content. —– hey, at least it’s fair huh?

6)When you send email to overseas or someone overseas sends you email, the email received is blank.

So at 35.com, we suggest that you write email in simplified Chinese and simplify your email content, put body content in Word or PDF format, zip it using winrar and send it as attachment.

Ouch! Let’s shoot some videos and upload to youtube, you can communicate that way as well…

More announcements:

163: http://vip.163.com/vip/notice.html

sina: http://mail.sina.net/notice/050701.html

TOM: http://vip.tom.com/popup/070717.html

21CN: http://mail.21cn.com/banner/popunder_20070717_corp.html

263: http://gmail.263.net/news1-0.html

Someone is Using My Email Account to Send Out Spams !

recently there’re more and more reports and complaints similar to this:

I have been receiving bounced back messages from email addresses I never sent to. When I look at the bounced back message, it mentions failed delivery of emails I didn’t send in the first place.

And the bounced back message says the original email was sent from my domain:

somebullshitnamehere[at]xxxxx.com

xxxxx.com being my domain name. That’s why I received the bounced back.

The original messages are pure spam.

Looks like someone is using my domain/email address to send out spam emails? How can I stop it?

the bad news is, you can do nothing about it. neither can we do anything. in fact, nobody can stop that, except the spammers themselves.

the good news is, the spams were NOT sent from your domain/email account, therefore you do not need to worry.

then why the spam emails look like from your domain and why you receive those bounces?

simply put, spammers forged the email header data. yes spammers can forge, or spoof, email header to make the email look like from your domain while actually it’s not.

i would not go into details on how to forge email header, for obvious reason :-), just let you know that email header forgery is very easy. i could easily send an email that looks like from bill.gates@microsoft.com, while of course i do not have access to bill.gates@microsoft.com email address. the best part is, Bill Gates has no way to stop me doing this.

most email client software allows you to view the full email header.

in Outlook Express, right-click on the email, select “properties”, a new window would pop up, click on “details” tab, then you will see the full header data, which should include these typical fields:

From: who the message is from. this is the easiest to forge. email client shows this field as sender.

Reply-To: the address to which replies should be sent. often absent from the message as it is the same as the From: field most of the time. easily forgeable as well.

Return-Path: the email address for return mail. same as Reply-To:.

Message-ID: a unique string assigned by the mail system when the message is first created. also forgeable in most cases, but requires a little more knowledge.

Received: these are the most reliable lines in the header. they form a list of all nodes through which the message has to travel in order to reach its destination. they are unforgeable after the point where it was injected. but up to that point, they may be forgeries.

Received: lines are read from bottom to top, the last non-forged Received: line is where the mail originated.

below is such a bounced back message i just received 5 minutes ago, which includes the header of original spam email:

Hi. This is the qmail-send program at mail.strathcom.com.
I’m afraid I wasn’t able to deliver your message to the following addresses.
This is a permanent error; I’ve given up. Sorry it didn’t work out.

<dewhcgme@kingswaylexustoyota.com>:
Sorry, no mailbox here by that name. (#5.1.1)

— Below this line is a copy of the message.

Return-Path: <ubkpng@singaporewebhosting.com>
Received: (qmail 1194 invoked from network); 22 Feb 2007 18:18:15 -0000
Received: from 80.192.76.241 by mail.strathcom.com (envelope-from <ubkpng@singaporewebhosting.com>, uid 502) with qmail-scanner-2.01
(clamdscan: 0.88.5/2081.
Clear:RC:0(80.192.76.241):.
Processed in 0.05686 secs); 22 Feb 2007 18:18:15 -0000
Received: from unknown (HELO 80-192-76-241.cable.ubr13.edin.blueyonder.co.uk) (80.192.76.241)
by mail.strathcom.com with SMTP; 22 Feb 2007 18:18:12 -0000
Received: (qmail 18642 invoked from network); Thu, 22 Feb 2007 18:18:20 +0000
Received: from unknown (HELO tawfij) (124.193.41.128)
by 80-192-76-241.cable.ubr13.edin.blueyonder.co.uk with SMTP; Thu, 22 Feb 2007 18:18:20 +0000
Message-ID: <45DDDE6C.7000802@singaporewebhosting.com>
Date: Thu, 22 Feb 2007 18:18:20 +0000
From: Matty <ubkpng@singaporewebhosting.com>
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
MIME-Version: 1.0
To: dewhcgme@kingswaylexustoyota.com
Subject: secession mantel

so, the From: and Return-Path: fields are forged. a spammer, pretending to be Matty using ubkpng@singaporewebhosting.com, sent a spam email to dewhcgme@kingswaylexustoyota.com.

domain kingswaylexustoyota.com is hosted by strathcom.com:

Received: (qmail 1194 invoked from network); 22 Feb 2007 18:18:15 -0000
Received: from 80.192.76.241 by mail.strathcom.com

at least these two lines are real. a server at strathcom.com received the email and bounced it back as dewhcgme@kingswaylexustoyota.com does not exist.

there’re a few other Received: lines, none of which has anything to do with our domain or IP address.

this line is interesting:

Received: from unknown (HELO tawfij) (124.193.41.128)

IP 124.193.41.128 may reveal where the spammer is.

Message-ID: is also forged/fake.

we do not have a Matty here and ubkpng@singaporewebhosting.com does not exist. since we enabled catch-all account, we received the bounced back message sent to ubkpng@singaporewebhosting.com.

spammers are bad and they lie…
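
the same reading of the Received: lines, as an added example (not part of the original post): it parses the spam headers from the bounce above, treats mail.strathcom.com (the server that generated the bounce) as the only trusted recorder, and separates the peer IP that server saw from the older, sender-supplied hops. the function names hops and analyse are made up for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers of the spam quoted in the bounce above (folded lines re-indented).
RAW = """\
Return-Path: <ubkpng@singaporewebhosting.com>
Received: (qmail 1194 invoked from network); 22 Feb 2007 18:18:15 -0000
Received: from 80.192.76.241 by mail.strathcom.com (envelope-from <ubkpng@singaporewebhosting.com>, uid 502) with qmail-scanner-2.01
 (clamdscan: 0.88.5/2081.
 Clear:RC:0(80.192.76.241):.
 Processed in 0.05686 secs); 22 Feb 2007 18:18:15 -0000
Received: from unknown (HELO 80-192-76-241.cable.ubr13.edin.blueyonder.co.uk) (80.192.76.241)
 by mail.strathcom.com with SMTP; 22 Feb 2007 18:18:12 -0000
Received: (qmail 18642 invoked from network); Thu, 22 Feb 2007 18:18:20 +0000
Received: from unknown (HELO tawfij) (124.193.41.128)
 by 80-192-76-241.cable.ubr13.edin.blueyonder.co.uk with SMTP; Thu, 22 Feb 2007 18:18:20 +0000
Message-ID: <45DDDE6C.7000802@singaporewebhosting.com>
From: Matty <ubkpng@singaporewebhosting.com>
To: dewhcgme@kingswaylexustoyota.com
"""

IP_RE = re.compile(r"(?<![\d.-])\d{1,3}(?:\.\d{1,3}){3}(?![\d.-])")

def hops(raw):
    """Received: lines, newest first, as (recording_host, ips_in_from_clause)."""
    out = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())          # undo header folding
        frm, sep, rest = flat.partition(" by ")
        by = rest.split()[0] if sep else None   # qmail-internal lines have no "by"
        out.append((by, IP_RE.findall(frm)))
    return out

def analyse(raw, trusted_host):
    """Split the chain at the oldest hop recorded by a server we trust."""
    chain = hops(raw)
    idxs = [i for i, (by, _) in enumerate(chain) if by == trusted_host]
    if not idxs:
        return None                             # no trusted hop: nothing is verified
    ips = chain[max(idxs)][1]
    claimed = parseaddr(message_from_string(raw)["From"])[1].rpartition("@")[2]
    return {
        "verified_peer": ips[-1] if ips else None,   # seen by the trusted server
        "unverified_ips": [ip for _, h in chain[max(idxs) + 1:] for ip in h],
        "claimed_domain": claimed,
        "claimed_domain_relayed": any(by and by.endswith(claimed) for by, _ in chain),
    }
```

calling analyse(RAW, "mail.strathcom.com") shows that the only address the bouncing server itself vouches for is 80.192.76.241, that 124.193.41.128 comes from a hop below the trust boundary, and that no relay in the chain belongs to the domain in From:.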

What’s Default Email Account and How It Works

what is default email account?

default email account is also known as “catch-all account”.

the default/catch-all email account would “catch” any mail that is sent to an invalid email address for your domain. all mail that is sent to an address that does not exist will go to the default email account.

for example, let’s say your domain is xyzcompany.com, main hosting account username is xyzcom, you have set up three email addresses, aaa@xyzcompany.com, bbb@xyzcompany.com, ccc@xyzcompany.com.

when someone sends email to, say, ddd@xyzcompany.com (which does not exist), the email will be delivered to the so called default/catch-all email account.

who would send email to email address that does not exist? well, sometimes that could be a typo, or more frequently, spam emails. those spammers scan domain records and then send spams to common-names@any-existing-domain-names, for example, john@yourdomain, alice@yourdomain, sales@yourdomain, etc.

so there are pros and cons to having a default/catch-all account. you would not miss any email even if your partner misspelled your name; however, the majority (more than 99.9%) of emails in the default account are spam.

we provide the facility. you decide if you would like to use it yourself.

how to enable/disable default/catch-all account?

you can enable/disable/configure default account yourself in control panel.

1)login to your control panel, (cpanel), at http://www.yourdomain:2082

2)go to “mail” section, the very first icon

3)click on “default address”

4)click on “set default address”

5)you would see “send all unrouted email for your domain to:” and a text box where you can specify what to do with those unrouted emails. you have 4 options here:

A- enter any real email address in the text box so that the unrouted emails would be forwarded to that real email address

B- enter your main hosting account username, for example “xyzcom” (for example above), so that unrouted emails will be delivered to default account on our server. more details on how to access it below.

C- enter “:blackhole:” in text box so that unrouted emails will be discarded. not recommended, as the sender would not receive any bounced back or error message if the sender is not a spammer and just made a typo.

D- enter “:fail: no such address here” in the text box so that unrouted emails will be bounced.

how to access default account on server if it’s enabled?

among the 4 options, case C and D are considered default-account-disabled as the unrouted emails are gone, not stored anywhere for you to access.

for case A, you can find the forwarded emails in that real email address.

for case B, there is an email account, the default account, on the server, however it’s not a real email address. you can access the default email account using main hosting account username as email account username.

in example above, use “xyzcom” as email account username in your Outlook or Outlook Express settings. password is the main hosting account password.

as you can see in this post on email account setup, you should use entire email address as username for normal email address/account.

so you can access the default account in the same way as normal email account, but the username is very different.

some clients find their account over-quota but could not find where the emails/files are. in many such cases, there’re tons of emails in the default account.
