Has a mail server been hacked again?

Saturn
Grafter
Posts: 742
Thanks: 2
Registered: ‎30-07-2007

Has a mail server been hacked again?

Today I have noticed a large increase in the number of spam emails being sent to 'anything@mydomain.plus.com'.  After the last debacle spam emails were sent to specific mailboxes, these aren't.
I realise that these spam emails could be the result of previous hacks (just keeping the '@mydomain.plus.com' consistent) but it is rather odd there's been a step change in the spam I am receiving.  Is it possible something's been hacked again?
Chris
Legend
Posts: 17,724
Thanks: 600
Fixes: 169
Registered: ‎05-04-2007

Re: Has a mail server been hacked again?

This is probably what's known as a dictionary attack, the spammers know that @username.plus.com on your account is a domain so just send loads of emails to different addresses before the @ sign.
There are a few ways to combat this, one is to turn off the catch-all feature and only receive emails to specific addresses. The second way is to turn off any emails sent to @username.plus.com, if you want us to do this then just raise a ticket and we'll sort it for you.
I'd suggest having a read of my blog post, for ways to help with spam.
Former Plusnet Staff member. Posts after 31st Jan 2020 are not on behalf of Plusnet.
Chris
Legend
Posts: 17,724
Thanks: 600
Fixes: 169
Registered: ‎05-04-2007

Re: Has a mail server been hacked again?

Come to think of it, there is also the possibility that these are bounce back messages, produced when someone fakes the 'from' address and sends out a large amount of spam.
Former Plusnet Staff member. Posts after 31st Jan 2020 are not on behalf of Plusnet.
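
Added example (not part of the original thread, and not Plusnet tooling): a small triage script that separates the two causes suggested above, bounces to a forged From address versus direct spam to guessed catch-all addresses. The sample messages, the `KNOWN_LOCAL_PARTS` set and all hostnames are constructed placeholders.

```python
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Assumption: the local parts the account holder really uses (hypothetical).
KNOWN_LOCAL_PARTS = {"mark", "sales"}

def _msg(return_path, to, subject, ctype="text/plain"):
    """Build one constructed sample message (only the headers matter here)."""
    return (f"Return-Path: {return_path}\nTo: {to}\nSubject: {subject}\n"
            f"Content-Type: {ctype}\n\nbody\n")

# Constructed samples; hosts and addresses are placeholders.
SAMPLES = [
    _msg("<>", "qzxv@username.plus.com", "Undelivered Mail Returned to Sender",
         'multipart/report; report-type=delivery-status; boundary="b"'),
    _msg("<>", "info77@username.plus.com", "Delivery failure"),
    _msg("<promo@bulk.example.org>", "anything@username.plus.com", "Cheap watches"),
    _msg("<friend@example.net>", "mark@username.plus.com", "Lunch?"),
]

def classify(raw, known=KNOWN_LOCAL_PARTS):
    msg = message_from_string(raw)
    # Bounces (DSNs) carry a null envelope sender, recorded as "Return-Path: <>"
    # by the delivering server, and are often typed multipart/report.
    null_sender = msg.get("Return-Path", "").strip() == "<>"
    is_dsn = (msg.get_content_type() == "multipart/report"
              and msg.get_param("report-type") == "delivery-status")
    if null_sender or is_dsn:
        return "bounce"
    # Anything else addressed to an unused local part only arrived via catch-all.
    local = parseaddr(msg.get("To", ""))[1].partition("@")[0].lower()
    return "known-mailbox" if local in known else "catch-all"

def summarize(raws):
    return Counter(classify(r) for r in raws)

def likely_cause(raws):
    counts = summarize(raws)
    if counts["bounce"] > counts["catch-all"]:
        return "backscatter from a forged From address"
    return "direct spam to guessed addresses (dictionary attack)"

if __name__ == "__main__":
    print(summarize(SAMPLES), "->", likely_cause(SAMPLES))
```
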
Saturn
Grafter
Posts: 742
Thanks: 2
Registered: ‎30-07-2007

Re: Has a mail server been hacked again?

Thanks Chris, I'm familiar with the options and how the spams come about but was struck by the sudden change in spam pattern. It begged the question as to whether another incident/attack had occurred.
dave
Plusnet Help Team
Plusnet Help Team
Posts: 12,257
Thanks: 306
Fixes: 4
Registered: ‎04-04-2007

Re: Has a mail server been hacked again?

Not that I know of, but we'll certainly keep a very close eye on things just in case. I do though think that as Chris suggests that it's some form of dictionary attack, and that it's just your address that's been picked out. It'll probably dry up in a day or two.
Dave Tomlinson
Enterprise Architect - Network & OSS
Plusnet Technology
aetos
Grafter
Posts: 166
Registered: ‎30-07-2007

Re: Has a mail server been hacked again?

I have received over 690 YES 690 returned/undelivery receipts to anything@username.plus.com within the last 3 hours.
The worry about this is that there are domains that I e-mail and am afraid that my address will be blacklisted.
Have the servers been compromised again?
As previous, why not implement authentication for e-mail sending?
Mark
aetos
Grafter
Posts: 166
Registered: ‎30-07-2007

Re: Has a mail server been hacked again?

time is now 11pm and I have now suffered over 1000 failed/undeliverable/returned e-mails
Angry Huh Cry Huh Angry
MARK
hulls
Grafter
Posts: 1,699
Registered: ‎30-07-2007

Re: Has a mail server been hacked again?

I haven't had the returned mail too much, but have noticed the increase in spam over the last couple of days (not 1000+ thank goodness, but more than I have been getting.)
John
aetos
Grafter
Posts: 166
Registered: ‎30-07-2007

Re: Has a mail server been hacked again?

Well I submitted a ticket (2506248) to customer support @ 9:47pm, Thursday 2nd August 2007 with the following updates
Your comment 10:02pm, Thursday 2nd August 2007
FYI these have all come in the space of 3 Hours

Your comment 10:47pm, Thursday 2nd August 2007
NOW OVER 700 !!

Your comment 11:24pm, Thursday 2nd August 2007
NOW OVER 1000
CAN SOMEONE LOOK AT THIS !!!!!

Your comment 11:35pm, Thursday 2nd August 2007
NOW OVER 1200..............

and guess what
NO RESPONSE FROM CS YET, only 2 1/2 hours later and approaching 1300 receipts
I'm a business customer supposed to be on priority response...

MARK
dave
Plusnet Help Team
Plusnet Help Team
Posts: 12,257
Thanks: 306
Fixes: 4
Registered: ‎04-04-2007

Re: Has a mail server been hacked again?

Quote from: aetos
The worry about this is that there are domains that I e-mail and am afraid that my address will be blacklisted.

Unless the mails are actually being sent by you (worth a full virus scan with a couple of different scanners) then I wouldn't worry about the blacklist, as most blacklists operate on IP address rather than email address because in most cases the email addresses are just innocent parties whose addresses are being used as from addresses by spammers.
Quote from: aetos
Have the servers been compromised again?

Not that I know of and I have to say that it's very unlikely. What's most likely here as I say is that a spammer has got hold of your email address and has just set it as a from address. It probably won't last for long; generally spammers will move on to a new batch of from addresses after a short while.
Quote from: aetos
As previous, why not implement authentication for e-mail sending?

Certainly something we are looking at bringing in but ultimately it doesn't stop something like this. SMTP authentication would allow people to send mail via our mail servers from outside our network and might help to cut down on spammers sending via our relay servers if it was made mandatory but wouldn't stop spammers from using our customers' email addresses as from addresses.
Dave Tomlinson
Enterprise Architect - Network & OSS
Plusnet Technology
aetos
Grafter
Posts: 166
Registered: ‎30-07-2007

Re: Has a mail server been hacked again?

re point 1
Quote
Unless the mails are actually being sent by you (worth a full virus scan with a couple of different scanners) then I wouldn't worry about the blacklist, as most blacklists operate on IP address rather than email address because in most cases the email addresses are just innocent parties whose addresses are being used as from addresses by spammers.

my address with PN is 8x.xx.xxx.xx.plus.net and according to the spam tools I looked at earlier PN have
Quote
Addresses in plus.com used to send email   

  Showing 1 - 50 out of 316 


taken from senderbase
Question 2
Quote
Not that I know of and I have to say that it's very unlikely. What's most likely here as I say is that a spammer has got hold of your email address and has just set it as a from address. It probably won't last for long; generally spammers will move on to a new batch of from addresses after a short while.

This is the 4th/5th time this has occurred
I posted a ticket regarding this nearly 3 hours ago and no response yet from PN CS (I'm a business customer)
MARK
NOW REACHING NEARLY 1500 mail items !!! Angry Angry Angry
aetos
Grafter
Posts: 166
Registered: ‎30-07-2007

Re: Has a mail server been hacked again?

Please have a look at the following link to see some of the addresses being spammed at Plus.com and blacklisted
http://www.trustedsource.org/TS?do=feedback&subdo=query&q=plus.com
Mark
dave
Plusnet Help Team
Plusnet Help Team
Posts: 12,257
Thanks: 306
Fixes: 4
Registered: ‎04-04-2007

Re: Has a mail server been hacked again?

It looks like these are reverse DNS records of senders rather than email addresses, i.e. these are the IP addresses of people suspected of sending spam (or whose PCs are suspected of sending spam). Because the default rDNS record is username.plus.com which is the same as the email address after the @ symbol it will look like email addresses but if anyone is blocking based on this list they will block email coming from these IP addresses rather than the email addresses.
Unfortunately when an address has been picked up by a spammer there's a chance it will be used as a from address, I get it about once every 3 or 4 months on one of my domains. Usually lasts about a day or so. If you don't use the catch-all facility on your email address then turning this off will block most of the mail that's coming through.
Dave Tomlinson
Enterprise Architect - Network & OSS
Plusnet Technology
moemoff
Grafter
Posts: 134
Thanks: 3
Registered: ‎06-07-2007

Re: Has a mail server been hacked again?

Quote from: aetos

NOW REACHING NEARLY 1500 mail items !!! Angry Angry Angry

Until the storm is over, use a program like Magic Mail Monitor 3, which will enable you to mass delete and sort items into alphabetical order, by sender etc. It's FREE and can be found here
http://mmm3.sourceforge.net/
It will enable you to see the mail headers and you can delete the mail without having to download the mail to your computer.
SteveA
Pro
Posts: 1,847
Thanks: 106
Fixes: 3
Registered: ‎17-06-2007

Re: Has a mail server been hacked again?

Quote from: dave

Unfortunately when an address has been picked up by a spammer there's a chance it will be used as a from address, I get it about once every 3 or 4 months on one of my domains. Usually lasts about a day or so. If you don't use the catch-all facility on your email address then turning this off will block most of the mail that's coming through.

I've been there - in the old days when I was on dial up. I got about 2500 failure notices... and I didn't have anything like a catch all so I got them all.
It happened again recently but as I have a catch-all on my domain at Just The Name it all got funnelled off as I don't have email addresses like aaaaaa@mydomain