
Email Server Hacked.....Again?

JonoH
Community Gaffer
Posts: 3,700
Thanks: 6,247
Fixes: 124
Registered: ‎29-09-2011

Re: Email Server Hacked.....Again?

Yes, Thank you. @Gandalf  can you read them and send them to be looked at please?

 Jono H
 Plusnet Community Manager
chesterfield
Community Veteran
Posts: 2,336
Thanks: 1
Registered: ‎01-08-2007

Re: Email Server Hacked.....Again?

Ripperoo2018,

I too share your concerns as I'm now visiting the forums for the first time in ages - been a member of Plusnet for donkey's years, since the advent of dialup and the demise of redhotant.

Over the last few days I've seen a marked increase in spam, and am also receiving email with headers that would indicate they are being sent using my own account. Affecting the primary mailbox and my wife's mailbox.

As a security measure I've changed passwords on both accounts, though I am concerned there may be a wider issue here.

Ripperoo2018
Dabbler
Posts: 16
Thanks: 2
Registered: ‎10-04-2018

Re: Email Server Hacked.....Again?

Hey Chesterfield.

Same here, never visited the forums in years, but here we are with a similar issue and I guess there may be others who don't have the time to chase these issues up.

When I started getting these scam messages recently (August 26th), I had a quick search and found a post by a long-time Plusnet member named Bazdvd and I did PM him to see if he got any answers, but had no reply, so maybe he is no longer with Plusnet or thinks it was a suspicious message out of the blue, so did not answer, which is why I ended up posting here.

I had a very similar issue years ago with other unique email addresses and after a while they stopped, except for one that I used to register with LastFM, who themselves had a massive breach in 2012, which wasn't reported until some time in 2016 apparently.

More recently though, I've received emails to six different, older and unique email addresses, all of which I haven't used in around 10 years and some of which I'd never received scam emails to previously.

Some of those also don't show up on the HIBP website and I cannot believe so many separate companies could have been hacked all those years ago and it's only coming to light now.

I did a little digging earlier today and there seem to be two 'Received From' IP addresses when looking at the email headers.

One appears to be a Plusnet/BT IP address (8*.9*.2**.2** - British Telecommunications PLC) and probably the last hop before reaching me, but for the 6 emails (all different addresses) I received over the last few days, the details are as follows (IP - Location - Carrier):

Message 1: 203.78.119.142 - Jakarta (Indonesia) - PT XL Axiata
Message 2: 36.89.194.165 - Jakarta Timur - PT Telekomunikasi Indonesia
Message 3: 181.66.207.219 - Lima (Peru) - Telefonica Del Peru SAA
Message 4: 201.157.248.99 - Salvador (Brazil) - Tascom Telecomunicações LTDA
Message 5: 179.6.38.193 - Lima (Peru) - America Movil Peru SAC
Message 6: 5.25.138.26 - Istanbul (Turkey) - Turkcell Iletisim Hizmetleri AS

They all originated from different carriers too, so what is going on?

MJN
Pro
Posts: 1,285
Thanks: 142
Fixes: 5
Registered: ‎26-08-2010

Re: Email Server Hacked.....Again?

Post up some routing headers (with the email addresses obfuscated) and we can take a look and work out what's happening.

For what it's worth, it sounds to me like you're overthinking this. Following the principle of Occam's Razor, chances are that your old email addresses have been riding around together on a list of email addresses which has now been picked up and consumed by a spam run. Such outfits often use distributed compromised machines to get their bulk mail out quickly and, before long I'm sure, the messages will dry up just as quickly as they seemingly appeared.

chesterfield
Community Veteran
Posts: 2,336
Thanks: 1
Registered: ‎01-08-2007

Re: Email Server Hacked.....Again?

@MJN

Header: (XXXXXXX.plus.com is my Plusnet ID, chris000 is not an address I use, or have ever used)

Return-path: <chris000@XXXXXXX.plus.com>
Envelope-to: chris000@XXXXXXX.plus.com
Delivery-date: Sun, 29 Aug 2021 11:29:32 +0100
Received: from [84.93.230.237] (helo=avasin10.plus.net)
      by inmx20.plus.net with esmtp (PlusNet MXCore v2.00) id 1mKI4C-0004DH-3v
      for chris000@XXXXXXX.plus.com; Sun, 29 Aug 2021 11:29:32 +0100
Received: from [102.89.0.204] ([102.89.1.193])
    by Plusnet Cloudmark Gateway with ESMTP
    id KI43muuohVNKaKI45m86gs; Sun, 29 Aug 2021 11:29:26 +0100
X-BV-Spam-Flag: Yes
X-CM-Score: 100.00
X-CNFS-Analysis: v=2.3 cv=GNaT7tFK c=1 sm=1 tr=0 cx=a_idp_d
 p=nB4ZqsF0izRGTkGuQBEA:9 p=GjopYUQxc-cA:10 p=JYkVw_zZ4YYA:10
 a=ROLLm6z+GCTC6GNm1UIUug==:117 a=ROLLm6z+GCTC6GNm1UIUug==:17
 a=E5nwcu9QDW8A:10 a=udTvpura_4gA:10 a=Z5ABNNGmrOfJ6cZ5bIyy:22
 a=bWyr8ysk75zN3GCy5bjg:22
Message-ID: <612B6F92.5020205@XXXXXXX.plus.com>
Date: Sun, 29 Aug 2021 11:29:22 +0000
From: <chris000@XXXXXXX.plus.com>
User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:15.0) Gecko/20120907 Thunderbird/15.0.1
MIME-Version: 1.0
To: <chris000@XXXXXXX.plus.com>
Content-Type: text/plain; charset=WINDOWS-1250; format=flowed
Content-Transfer-Encoding: 8bit
X-CMAE-Envelope: MS4wfLOHqD3TqhJxZQhF8NDbp/vQRPZ4mn3sIi7aeG8RZYQbwf1XrgOhW/fibBCBl0ZJwuV4EoBTBvB7KZ5n4Syc5E+UmuLLORb2C4TE6mGhm40KGcTv4QNi
 zdxb91g4zIG8J/J250FcBuzWkc74dBOISfSycpdGP8OFg4jCfODSeXHsQneq8K/y60jHVH+Zf+lPFQxNdk22osz7T8P95CsQAQU=
X-pn-pstn-db:" Spam 99
X-PN-Virus-Filtered: by PlusNet MXCore (v5.00)
X-PN-Spam-Filtered: by PlusNet MXCore (v5.00)
Subject: Waiting for the payment.
X-EsetId: 37303A299ABC1750637167

MJN
Pro
Posts: 1,285
Thanks: 142
Fixes: 5
Registered: ‎26-08-2010

Re: Email Server Hacked.....Again?

Thanks @chesterfield.

Looking at the headers it is possible to confirm that the message wasn't sent from your account, despite the From: purporting to make it look this way. Specifically, if you look at the Received: headers:


@chesterfield wrote:

Received: from [84.93.230.237] (helo=avasin10.plus.net)
      by inmx20.plus.net with esmtp (PlusNet MXCore v2.00) id 1mKI4C-0004DH-3v
      for chris000@XXXXXXX.plus.com; Sun, 29 Aug 2021 11:29:32 +0100
Received: from [102.89.0.204] ([102.89.1.193])
    by Plusnet Cloudmark Gateway with ESMTP
    id KI43muuohVNKaKI45m86gs; Sun, 29 Aug 2021 11:29:26 +0100


The second Received: header is the first routing header added by Plusnet for *incoming* mail and, with no older Received: headers present, this illustrates the first hop, i.e. the mail was submitted directly from 102.89.0.204 (which, incidentally, appears to be in Nigeria). If the message had been sent from your Plusnet account (i.e. authenticated, whether via SMTP AUTH by an email client or via the webmail service) then there would be a corresponding Received: line added by Plusnet's submission (and outgoing server, if separate) reflecting that this had been the case.

Like the OP, this appears to be a straightforward case of your address being spoofed. Chances are the address has simply been picked up out in the wild, most likely from an email you've sent to a 3rd party whose mailbox has been compromised or a compromised database containing customer details.

There's not much you can do about it, although I see that Plusnet did at least identify it as spam and so presumably it can be set to be filtered on that basis? (I don't use Plusnet's email service myself so I am unfamiliar with what spam control options are available).
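As an added example (not code from this thread, from Plusnet, or from any poster), the following Python walks the Received: chain bottom-up exactly as MJN describes and reports the hop the provider recorded first, together with whether that hop carries an authenticated-submission marker. The same routine covers the per-message origin IPs Ripperoo2018 listed earlier, since it is the oldest Received: line, not From:, that shows where a message entered. Assumptions: the first sample is the header block chesterfield posted (addresses already obfuscated there, trimmed to the relevant lines); the second sample is constructed with .example hostnames to show what a genuine authenticated submission looks like; and the authentication markers (Exim's esmtpa/esmtpsa protocol tags, Postfix's "Authenticated sender" annotation) are a heuristic, not a description of Plusnet's platform.

```python
"""Walk the Received: chain of a raw header block bottom-up and report the hop
the receiving provider recorded first, so the real origin can be compared with
the From: address. Added example for this thread; not Plusnet's tooling."""
import re
from email import message_from_string
from email.utils import parseaddr

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Markers common MTAs put in a Received: line for an authenticated submission:
# Exim's esmtpa/esmtpsa protocol tags, Postfix's "Authenticated sender". This is
# a heuristic (assumption), not how Plusnet's platform is known to label hops.
AUTH_MARKERS = re.compile(r"\besmtps?a\b|authenticated sender", re.IGNORECASE)

# Header block chesterfield posted above (addresses already obfuscated there),
# trimmed to the lines this script needs.
POSTED_HEADERS = """\
Return-path: <chris000@XXXXXXX.plus.com>
Received: from [84.93.230.237] (helo=avasin10.plus.net)
      by inmx20.plus.net with esmtp (PlusNet MXCore v2.00) id 1mKI4C-0004DH-3v
      for chris000@XXXXXXX.plus.com; Sun, 29 Aug 2021 11:29:32 +0100
Received: from [102.89.0.204] ([102.89.1.193])
    by Plusnet Cloudmark Gateway with ESMTP
    id KI43muuohVNKaKI45m86gs; Sun, 29 Aug 2021 11:29:26 +0100
From: <chris000@XXXXXXX.plus.com>
To: <chris000@XXXXXXX.plus.com>
Subject: Waiting for the payment.

"""

# Constructed counter-example: a genuine, authenticated submission as an
# Exim-style submission host records it (hostnames and IPs are placeholders).
AUTHENTICATED_HEADERS = """\
Received: from [203.0.113.7] (helo=laptop.lan)
      by smtp.provider.example with esmtpsa (Exim 4.94) id 1abcde-000123-Zz
      for friend@example.net; Sun, 29 Aug 2021 12:00:00 +0100
From: <someone@provider.example>
To: <friend@example.net>
Subject: Hello

"""


def parse_received(line):
    """Pull the from-host, connecting IP, by-host and auth marker out of one hop."""
    flat = " ".join(line.split())  # unfold continuation lines
    m_from = re.search(r"\bfrom\s+(\S+)", flat)
    m_by = re.search(r"\bby\s+(.+?)\s+(?:with|id|for|via|;)", flat)
    # The bracketed IP after "from" is what the receiving MTA saw on the wire;
    # the helo= name is sender-controlled and deliberately ignored here.
    m_ip = IPV4.search(flat[m_from.start():]) if m_from else None
    return {
        "from": m_from.group(1) if m_from else None,
        "ip": m_ip.group(1) if m_ip else None,
        "by": m_by.group(1) if m_by else None,
        "authenticated": bool(AUTH_MARKERS.search(flat)),
    }


def analyze(raw_headers, provider_domains):
    """Return where the message entered the provider and whether From: is plausible.

    provider_domains: suffixes identifying the provider's own hosts and the
    addresses it hands out, e.g. ("plus.net", "plus.com").
    """
    msg = message_from_string(raw_headers)
    # Every MTA prepends its own Received: line, so the bottom one is the oldest.
    hops = [parse_received(h) for h in reversed(msg.get_all("Received") or [])]
    if not hops:
        raise ValueError("no Received: headers; nothing to trace")
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    def belongs_to_provider(name):
        return bool(name) and name.lower().rstrip(".").endswith(tuple(provider_domains))

    entry = hops[0]  # first hop the provider recorded = where the mail came in
    claims_provider = belongs_to_provider(from_domain)
    # Spoof indicator: From: is a provider address, yet the entry hop was neither
    # an authenticated submission nor a relay from one of the provider's hosts.
    spoof_suspected = (
        claims_provider
        and not entry["authenticated"]
        and not belongs_to_provider((entry["from"] or "").strip("[]"))
    )
    return {
        "hop_count": len(hops),
        "origin_ip": entry["ip"],
        "entry_by": entry["by"],
        "from_domain": from_domain,
        "submitted_authenticated": entry["authenticated"],
        "spoof_suspected": spoof_suspected,
    }


if __name__ == "__main__":
    for label, raw, domains in (
        ("posted", POSTED_HEADERS, ("plus.net", "plus.com")),
        ("constructed authenticated", AUTHENTICATED_HEADERS, ("provider.example",)),
    ):
        print(label, analyze(raw, domains))
```

On the posted headers the entry hop is the Cloudmark gateway line, the connecting IP is 102.89.0.204 and no authentication marker is present while From: claims a plus.com address, which is the combination that marks a spoofed sender; on the constructed sample the esmtpsa tag on the entry hop clears it. Paste a different header block into POSTED_HEADERS to run the same check on the other messages in the thread.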

Gandalf
Plusnet Help Team
Posts: 20,364
Thanks: 6,895
Fixes: 1,148
Registered: ‎21-04-2017

Re: Email Server Hacked.....Again?

@Ripperoo2018 I agree with @MJN's analysis of the headers for @chesterfield. Having checked the headers you've PM'd @JonoH it looks like your email address was spoofed too. Let us know if you've got any further concerns.

 Anoush Mortazavi
 Plusnet Help Team
Ripperoo2018
Dabbler
Posts: 16
Thanks: 2
Registered: ‎10-04-2018

Re: Email Server Hacked.....Again?

OK, Cheers.

I have sent you a PM regarding another issue.

JonoH
Community Gaffer
Posts: 3,700
Thanks: 6,247
Fixes: 124
Registered: ‎29-09-2011

Re: Email Server Hacked.....Again?


@Ripperoo2018 wrote:

OK, Cheers.

I have sent you a PM regarding another issue.


Would you mind marking @Gandalf's response as a fix if it indeed did fix your concerns? Normally I wouldn't ask but people get a little worried when it comes to security and I'd like others who might see this in the future to be assured that we haven't exposed your or their details. 

 Jono H
 Plusnet Community Manager