Delivery failures from emails I haven't sent

mongo
Dabbler
Posts: 21
Thanks: 8
Registered: ‎22-03-2018

Delivery failures from emails I haven't sent

Since yesterday evening I've had hundreds of mail delivery failures like the following:

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:


SMTP error from remote mail server after end of data:
host relay.plus.net [212.159.9.107]: 552 z4jzefzg2sD7bz4k0eAR2M message rejected due to spam or virus. If you believe this is in error please login to your portal or contact your ISP support team.
> ------ This is a copy of the message, including all the headers. ------

>
> Return-path: <my plusnet email address>
> Received: from [212.159.8.109] (helo=avasin01.plus.net)
> by inmx19.plus.net with esmtp (PlusNet MXCore v2.00) id 1ez4jz-0005PL-Dl
> for ; Thu, 22 Mar 2018 18:15:07 +0000
> Received: from [127.0.0.1] ([177.71.8.61])
> by Plusnet Cloudmark Gateway with ESMTP
> id z4gLeqqJBBzS6z4gPeNTmu; Thu, 22 Mar 2018 18:13:58 +0000
> X-BV-Spam-Flag: Yes
> X-CM-Score: 100.00
> Date: Thu, 22 Mar 2018 19:13:49 +0100
> Subject: Eye movementMain article: Eye movementThe light circle is?
> From: my plusnet email address

These are all showing as being sent from my main plusnet email address.  I have changed my plusnet password and am still getting these emails, although not as many as before.

I called support and they said it was likely a virus, but I have scanned my PC and nothing has come up.  None of the email addresses these emails have been sent to are known to me, which makes me wonder whether it is a virus.

Could someone be spoofing my email address, or is this definitely a virus?

Thanks...

spraxyt
Resting Legend
Posts: 10,063
Thanks: 674
Fixes: 75
Registered: ‎06-04-2007

Re: Delivery failures from emails I haven't sent

Are you currently at home, or on holiday in Latin America/the Caribbean connecting to the Internet via a local ISP?

To me it looks like someone out there is trying to send spam messages forging your address as sender. The headers look to be incomplete as though the sender is trying to bypass the normal transmission path, but not succeeding. As a result you are receiving bounce messages whereas normally they wouldn't get off the originating client.

Changing your password was a wise move. Do you have any additional mailboxes that also might benefit from a password change?

Do the bounce messages you've received also originate at times when your PC, tablet, phone, etc. are not connected to the Internet? That would eliminate those devices as a potential source.

David
mongo
Dabbler
Posts: 21
Thanks: 8
Registered: ‎22-03-2018

Re: Delivery failures from emails I haven't sent

Hi David,

Thanks for the reply.

Nope, I'm in the UK and have been all this year.

I've got Plusnet email set up via IMAP on a tablet, mobile and PC, and I'm pretty sure that there are no viruses on any of these devices. When the bounce messages have occurred, both the tablet and mobile are 'asleep' and both are set to disconnect from wifi in this state. The PC is set to go to sleep early morning and so would have been in sleep state at the same time as some of the bounce messages, so I really do not think it's any of my devices sending these emails.

Plusnet were pretty confident though that the cause is one of my devices, which had me really worried, but you have certainly calmed my fears, and to be honest I never even considered the timings of the emails, so thank you for mentioning that.

I've scanned my PC using malwarebytes and a full virus scan, and there were no alerts, so I'm hoping the spam will die down.

One thing I couldn't get my head around, though, was how they are sending via the Plusnet email server. Surely to do that they would need my password?

Cheers

Stu

spraxyt
Resting Legend
Posts: 10,063
Thanks: 674
Fixes: 75
Registered: ‎06-04-2007

Re: Delivery failures from emails I haven't sent

Whilst being in sleep state should mean devices won't send messages, there is always the chance they could wake up for a while and do so. I suggest trying with (all of) them switched off for a period if you can.

Trying to send spam emails using any servers they come across is part of the craft. For these people it's a business and they are prepared to try anything that will get messages sent. They'll exploit back-doors if they find any.

Any usernames, email addresses and/or passwords they manage to harvest are a bonus for them. You can check if your credentials are out in the wild by visiting https://haveibeenpwned.com/. The statistics shown there are eye watering.

David
mongo
Dabbler
Posts: 21
Thanks: 8
Registered: ‎22-03-2018

Re: Delivery failures from emails I haven't sent

No more delivery failures for a while now - fingers crossed they have now got bored with using my email address.

Thanks for the help..

mongo
Dabbler
Posts: 21
Thanks: 8
Registered: ‎22-03-2018

Re: Delivery failures from emails I haven't sent

And that's why I shouldn't have replied saying it was all ok!

Got another round of delivery failures!

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

SMTP error from remote mail server after end of data:
host relay.plus.net [212.159.8.107]: 552 zTvieki58Xt2bzTvjeKSil message rejected due to spam or virus. If you believe this is in error please login to your portal or contact your ISP support team.

------ This is a copy of the message, including all the headers. ------

Return-path:
Received: from [212.159.8.109] (helo=avasin01.plus.net)
by inmx01.plus.net with esmtp (PlusNet MXCore v2.00) id 1ezTvi-0008QH-Aa
for mfk2781@comcast.net; Fri, 23 Mar 2018 21:08:54 +0000
Received: from [127.0.0.1] ([138.255.239.159])
by Plusnet Cloudmark Gateway with ESMTP
id zTshetXbyBzS6zTuSeOVik; Fri, 23 Mar 2018 21:08:46 +0000
X-BV-Spam-Flag: Yes
X-CM-Score: 100.00
X-CNFS-Analysis: v=2.3 cv=RLmd4bq+ c=1 sm=1 tr=0 p=z0x8UiiRcFsA:10 p=BDth3SHiwFEGuzzPD1IA:9 p=GBWsF_ZPkYPvqwn8:21 a=sFr03ri9EHtjc8D8NAzlxw==:117 a=sFr03ri9EHtjc8D8NAzlxw==:17 a=9DvhAHx2yrWFMPxQWpQA:9 a=x2Ur3U4oAAAA:8 a=lWDSaKpJu7Uf8PasSBEA:9 a=QEXdDO2ut3YA:10 a=mMrTLhvDXccA:10 a=SSmOFEACAAAA:8 a=eypaTzzcAAAA:8 a=_W_S_7VecoQA:10 a=0pNmr27YDSQA:10 a=U0ibzdup4t_vaLpIkD9m:22
From:
To:
Cc:
Subject: Freedom to engage in outside?
Message-ID:

So am I right in thinking that the Received: from [127.0.0.1] ([138.255.239.159]) part shows that the original email originated from Brazil? Does this sort of prove that the email didn't originate from my PC? I'm obviously concerned that this is still happening after I have changed my password. The password has only been updated on my main PC, so it could only be that one that is sending out the emails.

mongo
Dabbler
Posts: 21
Thanks: 8
Registered: ‎22-03-2018

Re: Delivery failures from emails I haven't sent

Woke up to another 416 Mail Delivery System emails. They are all grouped into 5 to 10 or so emails each, with different subjects, different IPs and what looks to be different hardware / software.

Only my main PC now has Plusnet email on it, and it was 100% shut down when all of these emails were sent, and I know none of the recipients.

If I changed my password, how are these emails still being sent?

spraxyt
Resting Legend
Posts: 10,063
Thanks: 674
Fixes: 75
Registered: ‎06-04-2007

Re: Delivery failures from emails I haven't sent

@mongo wrote:

So am I right in thinking that the Received: from [127.0.0.1] ([138.255.239.159]) part shows that the original email originated from Brazil? Does this sort of prove that the email didn't originate from my PC?

Yes, the (different) IP in () brackets there is what I looked at in the previous sample you posted, and asked if you were in Latin America or the Caribbean. There is little doubt in my mind that these messages do not originate on your PC.

My interpretation of the Non Delivery Report is that the avasouts have not actually sent any of these messages, so the intended recipients won't have received them, but the consequence is that you receive the NDR bounce messages. Probably this has happened before authentication (username/password) checking takes place.

Whilst this is a nuisance, hopefully the spammers will move elsewhere soon.

David
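The interpretation above (read the bottom-most Received: header of the bounced copy, and take the peer address shown in round brackets as the submitting client) can be automated. The following is an added example written for this thread, not code from Plusnet or from any poster; the Plusnet header values are those quoted in the bounces above, while the recipient address and the home network range are constructed placeholders.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Constructed sample: the header block of a bounced copy, as quoted in this
# thread. The topmost Received: is the last hop; the bottom-most is the first.
SAMPLE_HEADERS = """\
Return-path: <my.address@example.plus.com>
Received: from [212.159.8.109] (helo=avasin01.plus.net)
 by inmx01.plus.net with esmtp (PlusNet MXCore v2.00) id 1ezTvi-0008QH-Aa
 for recipient@example.net; Fri, 23 Mar 2018 21:08:54 +0000
Received: from [127.0.0.1] ([138.255.239.159])
 by Plusnet Cloudmark Gateway with ESMTP id zTshetXbyBzS6zTuSeOVik; Fri, 23 Mar 2018 21:08:46 +0000
X-BV-Spam-Flag: Yes
X-CM-Score: 100.00
Subject: Freedom to engage in outside?
"""

# Placeholder for the ranges your own devices connect from (constructed).
MY_NETWORKS = ["203.0.113.0/24"]


def received_hops(raw_headers):
    """Return the Received: headers in the order they appear (newest first)."""
    return message_from_string(raw_headers).get_all("Received", [])


def originating_ip(raw_headers):
    """IP of the client that first submitted the message, or None."""
    hops = received_hops(raw_headers)
    if not hops:
        return None
    first_hop = hops[-1]  # earliest hop is the last Received: header
    # Gateway style "from [127.0.0.1] ([138.255.239.159])": the bracketed
    # address in parentheses is the real TCP peer, not the loopback literal.
    m = re.search(r"from\s+\[([\d.]+)\]\s*\(\[([\d.]+)\]\)", first_hop)
    if m:
        return m.group(2)
    m = re.search(r"\[([\d.]+)\]", first_hop)
    return m.group(1) if m else None


def triage(raw_headers, my_networks):
    """Decide whether a bounce is backscatter from a forged sender."""
    msg = message_from_string(raw_headers)
    ip = originating_ip(raw_headers)
    flagged = msg.get("X-BV-Spam-Flag", "").strip().lower() == "yes"
    mine = bool(ip) and any(ip_address(ip) in ip_network(n) for n in my_networks)
    verdict = "own network: check your devices" if mine else "forged sender (backscatter)"
    return {"origin_ip": ip, "spam_flagged": flagged, "from_my_network": mine, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_HEADERS, MY_NETWORKS))
```

Run it over each bounce you receive: when the origin IPs are scattered and none fall in your own ranges, the evidence points to address forgery rather than an infected device.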
mongo
Dabbler
Posts: 21
Thanks: 8
Registered: ‎22-03-2018

Re: Delivery failures from emails I haven't sent

Hi David,

Thanks again for replying.

I'm still receiving hundreds of these messages, so is there no way to prevent this from happening?  Or is my only option to just wait this out?

Thanks

spraxyt
Resting Legend
Posts: 10,063
Thanks: 674
Fixes: 75
Registered: ‎06-04-2007

Re: Delivery failures from emails I haven't sent

I don't know whether the network engineers can block incoming connections from Latin America on a per-account basis, rather than globally. Is this still happening? I assume you'd have no objection to that being done as a temporary measure - no one out there is likely to be sending via your connection for legitimate reasons?

I'd hoped the spammers would have moved on by now. The deluge will be detrimental to email performance though the volume you are receiving is a relatively small proportion of emails handled per day. I appreciate it will seem massive to you.

How long has this problem been going on?

David
mongo
Dabbler
Posts: 21
Thanks: 8
Registered: ‎22-03-2018

Re: Delivery failures from emails I haven't sent

Hi,

Yes, I'm still receiving these emails.  Had another 200+ overnight.  It started Friday night, and I'm more than happy for these to be blocked.

Thanks

spraxyt
Resting Legend
Posts: 10,063
Thanks: 674
Fixes: 75
Registered: ‎06-04-2007

Re: Delivery failures from emails I haven't sent

I've escalated this topic into the business for investigation.

Fingers crossed they'll be able to stop this.

David
adamwalker
Plusnet Help Team
Posts: 16,871
Thanks: 882
Fixes: 221
Registered: ‎27-04-2007

Re: Delivery failures from emails I haven't sent

Cheers for your time on the phone mongo.

As mentioned, I just wanted to show that I'm taking ownership of this issue between yourself and our security guys. I'll look out for the other headers coming through, so cheers for agreeing to send those on.

If this post resolved your issue please click the 'This fixed my problem' button
 Adam Walker
 Plusnet Help Team
mongo
Dabbler
Posts: 21
Thanks: 8
Registered: ‎22-03-2018

Re: Delivery failures from emails I haven't sent

Thanks Adam for the call.  Good to know this is being looked at.  I have sent you a selection of headers, but let me know if anything else is required.

Thanks...

adamwalker
Plusnet Help Team
Posts: 16,871
Thanks: 882
Fixes: 221
Registered: ‎27-04-2007

Re: Delivery failures from emails I haven't sent

Cheers, I shall do and thanks again for your cooperation.

 Adam Walker
 Plusnet Help Team