Help with Outlook "backscatter"

994 Views | 12 Replies | Last: 3 mo ago by Col. Steve Austin
Col. Steve Austin
This is an issue that began Sunday with my wife's Outlook account. She bought some concert tickets and parking passes on StubHub. Afterwards, she got legit confirmation emails from StubHub for each purchase. She accidentally made duplicate purchases without realizing it but was able to resolve that with help from StubHub yesterday. So far, so good.

However, for every legitimate email from StubHub, she received a "failed delivery" email from postmaster@outlook.com as per the screenshot below. The body of the email would include all the content from the legitimate message from StubHub. When she was on the phone with StubHub customer service, she mentioned that issue and asked if they could help. "It's not on our end" was basically their response.

So now it's happening again after she signed up for a new account with a retailer for some clothing items she wanted to buy. After getting a "confirm your email" message from the retailer, she started getting the same failed delivery message for any other email message from that company.

She changed her Outlook password twice. Today, she changed a password for another existing account and that triggered the same failed message for any incoming emails from that account.

She was doing all this on her phone. I ran a scan on her phone and no virus, malware or suspect files were found.

I found that this type of email, called "backscatter", is the result of spammers spoofing email addresses and forwarding messages to those "gobbledygook" type addresses.

What I don't know is how to prevent these issues from continuing. She is receiving other incoming messages from existing accounts without the additional failed delivery message.




I am not the Six Million Dollar Man, but I might need that surgery. "We have the technology, we can rebuild him!"
satexas
Backscatter is when spammers send email as your email address and thus you get all the bounces (spoofed sending)

In the world of spam, spammers don't care about what address they sent from, they just need you to see the message and click on something… or just basically see the message. They don't care about seeing the replies, hence why they fake the headers and send as other people.

To help stop backscatter, if your wife has her own domain, then make sure it's set up for both DKIM and SPF records in its DNS configuration. This goes a long way toward stopping that from happening and being accepted, as other mail servers will auto-reject it because they know from those records that it's not from her official server.
Reading this forum sometimes is like people that can't speak English well trying to differentiate between a "booty call" and a "butt dial".
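As an added illustration of the SPF part of the post above (example code added to this page, not posted by satexas or anyone in the thread): a minimal SPF evaluator that shows why a spoofed source is rejected once the domain publishes a record. The DNS answers are a constructed in-memory table (example.com, _spf.example.net, loop.example and every IP in it are assumptions), so it runs offline; a real check resolves the TXT records over DNS and must also handle the a, mx, exists and redirect terms this example leaves out.

```python
"""Added example: evaluate an SPF record the way a receiving mail server does.

Illustration code added to the page, not code from the thread.  The "DNS"
below is a constructed in-memory table so the example runs offline; all
domains and addresses in it are assumptions.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumed records).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    # A self-including record: exercises the lookup limit below.
    "loop.example": "v=spf1 include:loop.example -all",
}

# RFC 7208 section 4.6.4: more than 10 DNS-querying terms is a permerror.
MAX_LOOKUPS = 10

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _split_qualifier(term):
    """'-all' -> ('-', 'all'); a term with no qualifier defaults to '+'."""
    if term[0] in "+-~?":
        return term[0], term[1:]
    return "+", term


def check_spf(domain, sender_ip, dns=FAKE_DNS_TXT, _lookups=None):
    """Return the SPF result for sender_ip sending as someone@domain.

    Supports ip4, ip6, include and all, which is enough to show why a
    spoofed source is rejected.  Any other mechanism raises rather than
    silently producing a verdict.
    """
    if _lookups is None:
        _lookups = [0]            # shared counter across recursive includes
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"             # domain publishes no SPF policy
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual, mech = _split_qualifier(term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIER_RESULT[qual]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIER_RESULT[qual]
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"
            sub = check_spf(arg, sender_ip, dns, _lookups)
            if sub == "pass":
                return QUALIFIER_RESULT[qual]
            if sub in ("permerror", "temperror", "none"):
                # RFC 7208 section 5.2: an include of a broken or absent record is an error
                return "permerror"
        else:
            raise NotImplementedError(f"mechanism {name!r} not handled in this example")
    return "neutral"              # record ended without an 'all' term


def backscatter_scenario():
    """Verdicts a receiving server reaches for a few senders claiming @example.com."""
    return {
        "own server": check_spf("example.com", "203.0.113.7"),
        "partner via include": check_spf("example.com", "2001:db8::1"),
        "spoofing spammer": check_spf("example.com", "192.0.2.99"),
        "domain without SPF": check_spf("nospf.example", "192.0.2.99"),
    }


if __name__ == "__main__":
    for who, verdict in backscatter_scenario().items():
        print(f"{who:>20}: {verdict}")
```

A receiver that gets "fail" for the spammer's connection can reject at SMTP time, so no bounce is ever generated and no backscatter reaches the spoofed address; "none" is the case where the spoofed domain has published nothing and the receiver has to accept and later bounce. Note that a freemail provider publishes SPF/DKIM/DMARC for its own domain; a user of that provider simply cannot change those records.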
Col. Steve Austin
satexas said:

Backscatter is when spammers send email as your email address and thus you get all the bounces (spoofed sending)

In the world of spam, spammers don't care about what address they sent from, they just need you to see the message and click on something… or just basically see the message. They don't care about seeing the replies, hence why they fake the headers and send as other people.

To help stop backscatter, if your wife has her own domain, then make sure it's set up for both DKIM and SPF records in its DNS configuration. This goes a long way toward stopping that from happening and being accepted, as other mail servers will auto-reject it because they know from those records that it's not from her official server.

Thanks for your response. I don't have a clue about anything in that last paragraph. She doesn't have her own domain to my understanding of what a domain is. She has a Hotmail/Outlook account and that's it.
satexas
Col. Steve Austin said:

Thanks for your response. I don't have a clue about anything in that last paragraph. She doesn't have her own domain to my understanding of what a domain is. She has a Hotmail/Outlook account and that's it.

"Domain" as in if you owned your email domain… like I have an @satexas.com account, and own satexas.com.

Since you don't own or control your domain, and you are using freemail, pretty much everything I explained doesn't apply to you, unfortunately.

In a world of "you get what you pay for", since you are using free mail, you are at the mercy of the free mail system… which means you can't do anything.

Just make sure that your accounts are secure via good password practices, never use the same password in two different places, make sure you don't fall for email tricks and scammers… and I recommend you use MalwareBytes.org for virus/malware scanning and protection.

Malwarebytes lets you install and use their software to scan your machine manually and check for issues and fix them for free… but if you want the resident, always-on and updating service then you need to pay for it… it's about 30 bucks a year… wholly worth it.
Col. Steve Austin
Yes, I've used Malwarebytes for years, great product.

I just don't understand how these failed delivery messages are only associated with new accounts and password change activity, how they are triggered and always with the exact same bogus address.
satexas
Is it possible that you have some auto-responder set up and you're getting these automated messages from your new sign-ups and then auto-sending out a response, and that is the rejection you are getting?

Check and see if you have some kind of auto response set up that you may not realize…

Also check and see if you have some kind of auto-forward set up too…
kb2001
satexas said:

Is it possible that you have some auto-responder set up and you're getting these automated messages from your new sign-ups and then auto-sending out a response, and that is the rejection you are getting?

Check and see if you have some kind of auto response set up that you may not realize…

Also check and see if you have some kind of auto-forward set up too…

Read receipts were my first thought
Col. Steve Austin
satexas said:

Is it possible that you have some auto-responder set up and you're getting these automated messages from your new sign-ups and then auto-sending out a response, and that is the rejection you are getting?

Check and see if you have some kind of auto response set up that you may not realize…

Also check and see if you have some kind of auto-forward set up too…

I tracked it down this morning. In her Hotmail account, there was a rule set up (by parties unknown) to auto-forward all incoming emails to the bogus address. I deleted that rule, removed her Hotmail account from Outlook, reinstalled it and changed her password again. Ran another scan of the desktop, her phone and iPad with nothing really found other than a suspect file that I found out was related to signing PDF documents. I quarantined it anyway just in case.

Everything seems to be working fine now. Her Gmail was unaffected and the same for my Hotmail and Gmail accounts.

Now, if I could only find out why Outlook takes 8-10 minutes to come up running on the PC after it is closed and restarted (the app, not the PC), I would be a happy camper.

Thanks for the assistance.

satexas
Col. Steve Austin said:

I tracked it down this morning. In her Hotmail account, there was a rule set up (by parties unknown) to auto-forward all incoming emails to the bogus address. I deleted that rule, removed her Hotmail account from Outlook, reinstalled it and changed her password again. Ran another scan of the desktop, her phone and iPad with nothing really found other than a suspect file that I found out was related to signing PDF documents. I quarantined it anyway just in case.

Everything seems to be working fine now. Her Gmail was unaffected and the same for my Hotmail and Gmail accounts.

Now, if I could only find out why Outlook takes 8-10 minutes to come up running on the PC after it is closed and restarted (the app, not the PC), I would be a happy camper.

Thanks for the assistance.




Ah, you got compromised. 100% what happened.

Your hotmail account got hacked at some point. The hacker put in a forward (to a disposable email address) so that way you'd continue to use your hotmail, not notice, and they'd get a copy of all your future messages after already reading (and maybe downloading) your existing ones.

At some point, that forwarding account died, which is why you now get bounces.... and thus you noticed something was up, and 'here we are'.

100% sure that's what happened. They read that account's mail for goodness knows how long - and even if you changed the password, it didn't matter because the forward was sending a copy of every email outbound to them. It's a very smart method for attackers looking for any other account information, "password confirmation emails", financial info, etc etc. If you're fuzzy what I mean... they can go to other places you might have accounts, try that email address as "forgot password" and get it sent to your hotmail... and boom, they get a copy of it and get into that account too.

You know what's coming next right? Yup - the lecture about what else may be compromised BECAUSE of that Hotmail account. Time to do some serious due diligence... and for goodness' sake, get off 'freemail'.
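As an added example covering both the "check for an auto-forward" advice and the forwarding-rule finding above (illustration code added to this page, not from anyone in the thread): an offline audit of inbox rules that flags the silent-forward pattern. The rule objects follow the shape the Microsoft Graph messageRule resource uses; the sample rules, addresses and rule names are constructed assumptions.

```python
"""Added example: audit a mailbox's inbox rules for the silent-forward pattern.

Illustration code added to the page, not something the thread's posters ran.
The rule objects mirror the shape Microsoft Graph returns from
GET /me/mailFolders/inbox/messageRules, but they are constructed here so the
audit runs offline; every name and address in them is an assumption.
"""

# Addresses the mailbox owner actually uses (assumed).  An attacker can use
# a free @outlook.com address too, so allow-list addresses, not domains.
OWN_ADDRESSES = {"wife@hotmail.com", "me@outlook.com"}

# Graph messageRule action keys that send a copy of the message elsewhere.
FORWARD_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")

# Constructed sample rules: the first is the attacker's rule, the others are benign.
SAMPLE_RULES = [
    {
        "displayName": ".",                        # blank or dot names are common for hidden rules
        "isEnabled": True,
        "conditions": {},                          # no conditions: matches every message
        "actions": {
            "forwardTo": [{"emailAddress": {"address": "qz7k2p@example.net"}}],
            "markAsRead": True,                    # so the owner does not notice unread mail
        },
    },
    {
        "displayName": "Receipts to folder",
        "isEnabled": True,
        "conditions": {"senderContains": ["receipts@"]},
        "actions": {"moveToFolder": "AAMkAGI2..."},  # folder id elided, irrelevant here
    },
    {
        "displayName": "Copy invoices to my other mailbox",
        "isEnabled": True,
        "conditions": {"subjectContains": ["invoice"]},
        "actions": {"forwardTo": [{"emailAddress": {"address": "me@outlook.com"}}]},
    },
    {
        "displayName": "Old forward (disabled)",
        "isEnabled": False,
        "conditions": {},
        "actions": {"redirectTo": [{"emailAddress": {"address": "x@example.org"}}]},
    },
]


def forward_targets(actions):
    """Yield (action, lowercased address) for every forwarding-type action."""
    for key in FORWARD_ACTIONS:
        for recipient in actions.get(key, []):
            yield key, recipient["emailAddress"]["address"].lower()


def audit_inbox_rules(rules, own_addresses=OWN_ADDRESSES):
    """Return one finding per rule that forwards mail to an address not in own_addresses.

    Each finding lists why the rule is suspicious.  A rule that forwards
    everything to an unknown address and then hides the message is the
    pattern described in the thread; a disabled copy is still evidence.
    """
    findings = []
    for rule in rules:
        actions = rule.get("actions", {})
        reasons = [
            f"{key} sends mail to unknown address {addr}"
            for key, addr in forward_targets(actions)
            if addr not in own_addresses
        ]
        if not reasons:
            continue                      # no external forwarding, nothing to report
        if not rule.get("conditions"):
            reasons.append("no conditions: applies to every incoming message")
        if actions.get("markAsRead") or actions.get("delete"):
            reasons.append("marks as read or deletes after forwarding (hides the copy)")
        if not rule.get("displayName", "").strip(" ."):
            reasons.append("blank or punctuation-only rule name")
        if not rule.get("isEnabled", True):
            reasons.append("currently disabled (remove it anyway)")
        findings.append({"rule": rule.get("displayName"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_inbox_rules(SAMPLE_RULES):
        print(f"suspicious rule {finding['rule']!r}:")
        for reason in finding["reasons"]:
            print("  -", reason)
```

The same objects can be pulled live from Graph at that messageRules path with the MailboxSettings.Read permission, but the Outlook.com rules page shows them as well. Two things the rule list does not cover and that belong in the same sweep: the separate account-level Forwarding setting (Settings > Mail > Forwarding), and any connected accounts or third-party apps with mailbox access. As the thread shows, a password change on its own removes none of these.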
satexas
Col. Steve Austin said:

Now, if I could only find out why Outlook takes 8-10 minutes to come up running on the PC after it is closed and restarted (the app, not the PC), I would be happy camper



In the windows search box, type "programs", and go to your list of installed programs. Look for "Office 365" or whatever version you have installed, and do a "modify" option on it…. It will then offer to do a quick repair or a deep/full repair…. Choose the latter.

Russ
Col. Steve Austin
Yeah I have to do due diligence with her accounts and devices on a regular basis. I have told her over and over about phishing emails and text messages that come in looking to get you to respond, click a link, etc. to confirm your email address, take you to a bogus website, steal your personal information and identity, etc.

Just 15 minutes ago, she read a new email and responded out loud with "Oh no" and "OMG". I took a look and saw that it stated that her "Norton LifeLock Ultimate Plus Plan has been successfully renewed for another 12 months" at a cost of $299.00. There was no mention of Norton.com in the sending address. There was a .docx file attached. Of course there was a Support phone number to call "if this renewal was not authorized by you". I walked through it all with her and pointed out all the traps set to hook her on this phishing expedition. "Well, how did they get my email address to begin with?" They might have bought it along with other addresses legitimately from a company you've dealt with in the past that has no problem doing that kind of business. Or they might have found it on the dark web as a result of a company getting hacked and their clients' personal information getting exposed.

It's far from the first time and I'm sure it won't be the last time I have to go all through this with her.
Col. Steve Austin
satexas said:

Col. Steve Austin said:

Now, if I could only find out why Outlook takes 8-10 minutes to come up running on the PC after it is closed and restarted (the app, not the PC), I would be happy camper



In the windows search box, type "programs", and go to your list of installed programs. Look for "Office 365" or whatever version you have installed, and do a "modify" option on it…. It will then offer to do a quick repair or a deep/full repair…. Choose the latter.

Russ

I'll give that a shot.
Col. Steve Austin
It was a little different on my PC, the options were Repair or Reset. I selected Repair and it worked pretty well, cut the time down to a minute or so. I will do a Reset tomorrow after backing up.