topic Re: Sudden Surge of rogue email bouncebacks in Email

Sudden Surge of rogue email bouncebacks

hillfort — Tue, 26 May 2026 16:18:50 GMT

I have lately been receiving rogue email bouncebacks, example below. Needless to say I didnt send any emails to triggered these and there are none in my 'sent' mailbox on either my mail client nor on webmail.

I've also done an anti virus scan which came up clean.

Advice appreciated.

Example bounceback:

Subject:	Mail delivery failed: returning message to sender
From:	Unknown sender
Date:	Tue, May 26, 2026 2:10 pm
To:	[Removed]
Priority:	Normal
Options:

      This is an automatically generated Delivery Status Notification.      

Delivery to the following recipients failed permanently:

   * sales@normanmusa.com

Reason: A message that you sent to the following recipient could not be delivered
due to a permanent error. ** The remote server ?? responded with: **
sales@normanmusa.com ??:?? This message was created automatically by mail delivery
software on the server .

Moderators Note: Personal information removed

Re: Sudden Surge of rogue email bouncebacks

PhilipHeyes — Wed, 27 May 2026 07:04:30 GMT

Historically these spam messages have been sent from the Plusnet email platform and often from an IP of a Plusnet Internet connection. Could be rogue customer, could also be a compromised PC or Fire TV Stick loaded with special needs software.

The spam sending is a matter that Plusnet totally failed to address over the last 12 months, and despite repeated warning about the open relay vulnerability of relay.plus.net still have taken zero securing action.

Re: Sudden Surge of rogue email bouncebacks

Champnet — Wed, 27 May 2026 08:01:52 GMT

It's more than possible, until the bounce back message, the email has been nowhere the Plusnet systems.......

Re: Sudden Surge of rogue email bouncebacks

PhilipHeyes — Wed, 27 May 2026 09:08:06 GMT

Every Boots scam email that we have seen in the last year was sent via relay.plus.net and the Plusnet hosted avssout outbound email server farm. This is how the sender gets SPF / DMARC / DKIM to PASS.

Here are email header examples from a recent Boots message that it was so convincingly real ( it is real ) it was accepted as not being spam by the 123reg email platform :

Received: from avasout-ptp-001.plus.net ([84.93.230.227])

Authentication-Results: sxplibsmtp04-20.prod.sxb1.secureserver.net;
   dkim=pass header.d=plus.com header.b=qtL2afFb;
   dmarc=pass header.from=<account>.plus.com

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=plus.com; s=042019;

That I can send messages from my VM internet connection using relay.plus.com without credentials points to lack of effort to secure the platform & is why having migrated to Greenby we have abandoned SMTP server relay.plus.com and the IP.

There is a wall of silence on this open relay issue, so I assume that folks are well aware of the fact the front door to the SMTP service is wide open much as it was in 2004. If it was other the questions would come on the matter.

Are there are Boots spam messages that show a different originating source ?
That would be new and interesting to see.

Re: Sudden Surge of rogue email bouncebacks

Champnet — Wed, 27 May 2026 10:28:27 GMT

I see no mention in the original post to Boots specifically that's why my reply was more general............

Re: Sudden Surge of rogue email bouncebacks

pvmb — Wed, 27 May 2026 10:58:36 GMT

@PhilipHeyes wrote:

Every Boots scam email that we have seen in the last year was sent via relay.plus.net and the Plusnet hosted avssout outbound email server farm. This is how the sender gets SPF / DMARC / DKIM to PASS.

Here are email header examples from a recent Boots message that it was so convincingly real ( it is real ) it was accepted as not being spam by the 123reg email platform :
Received: from avasout-ptp-001.plus.net ([84.93.230.227])

Authentication-Results: sxplibsmtp04-20.prod.sxb1.secureserver.net;
   dkim=pass header.d=plus.com header.b=qtL2afFb;
   dmarc=pass header.from=<account>.plus.com

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=plus.com; s=042019;

That I can send messages from my VM internet connection using relay.plus.com without credentials points to lack of effort to secure the platform & is why having migrated to Greenby we have abandoned SMTP server relay.plus.com and the IP.

As avasout-ptp-001.plus.net [84.93.230.227] is listed as a BT IP address, has this matter been reported to BT?

% Abuse contact for '84.92.0.0 - 84.93.255.255' is 'email@bt.com'

https://www.whois.com/whois/84.93.230.227

sxplibsmtp04-20.prod.sxb1.secureserver.net [92.204.86.193] belongs to Go Daddy

https://www.whois.com/whois/92.204.86.193

Re: Sudden Surge of rogue email bouncebacks

hillfort — Wed, 27 May 2026 10:50:12 GMT

I did get a boots spam email in amongst it all. I assume the header doesn't show the full trail from the initial email, just that from the bounce back.

Re: Sudden Surge of rogue email bouncebacks

PhilipHeyes — Wed, 27 May 2026 10:58:03 GMT

avasout-ptp-001.plus.net is one of about 13 similar hosts operated by PN/BT you can see them in your SPF list.

Re: Sudden Surge of rogue email bouncebacks

pvmb — Wed, 27 May 2026 10:59:20 GMT

...And?

Re: Sudden Surge of rogue email bouncebacks

tangodoll — Wed, 27 May 2026 12:37:34 GMT

I've just got a new position with a company. I receive their emails just fine and was able to respond until Saturday evening of last week. I tried to respond about 9 times from plusnet email addresses and then my yahoo one - all of the emails came back and didn't send.?!

I have tried just now to receive the same issue.

As you can imagine, a new job and I need to be able to respond to emails - granted my emails are not 'rogue', but still bouncebacks all the same.

Apologies IF my issue requires a new post.

I need some help with this please quite urgently. Next stop, greenby (un)help(ful) system.

Re: Sudden Surge of rogue email bouncebacks

mavison — Wed, 27 May 2026 14:42:04 GMT

@tangodoll

What was a detailed error report from the bounced messages?

Take care to obscure your email address!

Re: Sudden Surge of rogue email bouncebacks

Champnet — Wed, 27 May 2026 14:45:24 GMT

@tangodoll wrote: "I've just got a new position with a company."

Does the Company not supply you with an email address ?

Re: Sudden Surge of rogue email bouncebacks

tangodoll — Wed, 27 May 2026 16:43:37 GMT

Hello @mavison and @Champnet - thank you for your responses. I spoke with the company today it looks like they made a change to their email addresses, so on this occasion - greenby might not be at fault. I used the 'greenby bot' thing and it said the same, but it also stated that there are issues which they're trying to fix. Sorry for MY false alarm.

They're a small company and today was our first training day. We have been issued with 'work' email addresses.

Thanks again, be well everyone.

part error: Final-recipient: rfc822; ***@********.co.uk
Diagnostic-Code: smtp; 550 5.1.1 User does not exist -

BUT I'm happily receiving her emails?

Re: Sudden Surge of rogue email bouncebacks

Champnet — Wed, 27 May 2026 17:55:33 GMT

@tangodoll Thanks for the update and good luck for the future..............