Email Server Hacked.....Again?
Re: Email Server Hacked.....Again?
29-08-2021 1:58 PM
Yes, Thank you. @Gandalf can you read them and send them to be looked at please?
Re: Email Server Hacked.....Again?
29-08-2021 2:29 PM
Ripperoo2018,
I too share your concerns as I'm now visiting the forums for the first time in ages - been a member of Plusnet for donkey's years, since the advent of dialup and the demise of redhotant.
Over the last few days I've seen a marked increase in spam, and am also receiving email with headers that would indicate they are being sent using my own account. This is affecting the primary mailbox and my wife's mailbox.
As a security measure I've changed passwords on both accounts, though I am concerned there may be a wider issue here.
Re: Email Server Hacked.....Again?
29-08-2021 4:05 PM
Hey Chesterfield.
Same here, never visited the forums in years, but here we are with a similar issue and I guess there may be others who don't have the time to chase these issues up.
When I started getting these scam messages recently (August 26th), I had a quick search and found a post by a long-time Plusnet member named Bazdvd and I did PM him to see if he got any answers, but had no reply, so maybe he is no longer with Plusnet or thinks it was a suspicious message out of the blue and so did not answer, which is why I ended up posting here.
I had a very similar issue years ago with other unique email addresses and after a while they stopped, except for one that I used to register with LastFM, who themselves had a massive breach in 2012, which wasn't reported until some time in 2016 apparently.
More recently though, I've received emails to six different, older and unique email addresses, all of which I've never used in around 10 years and some of which I'd never received scam emails to previously.
Some of those also don't show up on the HIBP website and I cannot believe so many separate companies could have been hacked all those years ago and it's only coming to light now.
I did a little digging earlier today and there seem to be two 'Received From' IP addresses when looking at the email headers.
One appears to be a Plusnet/BT IP address (8*.9*.2**.2** - British Telecommunications PLC) and is probably the last hop before reaching me, but for the 6 emails (all different addresses) I received over the last few days, the details are as follows (IP - Location - Carrier):
Message 1:
203.78.119.142 - Jakarta (Indonesia) - PT XL Axiata
Message 2:
36.89.194.165 - Jakarta Timur - PT Telekomunikasi Indonesia
Message 3:
181.66.207.219 - Lima (Peru) - Telefonica Del Peru SAA.
Message 4:
201.157.248.99 - Salvador (Brazil) - Tascom Telecomunicaes LTDA
Message 5:
179.6.38.193 - Lima (Peru) - America Movil Peru SAC
Message 6:
5.25.138.26 - Istanbul (Turkey) - Turkcell Iletisim Hizmetleri AS
They all originated from different carriers too, so what is going on?
Re: Email Server Hacked.....Again?
29-08-2021 10:40 PM - edited 29-08-2021 10:45 PM
Post up some routing headers (with the email addresses obfuscated) and we can take a look and work out what's happening.
For what it's worth, it sounds to me like you're overthinking this. Following the principle of Occam's Razor, chances are that your old email addresses have been riding around together on a list of email addresses which has now been picked up and consumed by a spam run. Such outfits often use distributed compromised machines to get their bulk mail out quickly and, before long I'm sure, I imagine the messages will dry up just as quickly as they have seemingly appeared.
Re: Email Server Hacked.....Again?
30-08-2021 12:58 PM
Header: (XXXXXXX.plus.com is my plusnet ID, chris000 is not an address I use, or have ever used)
Return-path: <chris000@XXXXXXX.plus.com>
Envelope-to: chris000@XXXXXXX.plus.com
Delivery-date: Sun, 29 Aug 2021 11:29:32 +0100
Received: from [84.93.230.237] (helo=avasin10.plus.net)
by inmx20.plus.net with esmtp (PlusNet MXCore v2.00) id 1mKI4C-0004DH-3v
for chris000@XXXXXXX.plus.com; Sun, 29 Aug 2021 11:29:32 +0100
Received: from [102.89.0.204] ([102.89.1.193])
by Plusnet Cloudmark Gateway with ESMTP
id KI43muuohVNKaKI45m86gs; Sun, 29 Aug 2021 11:29:26 +0100
X-BV-Spam-Flag: Yes
X-CM-Score: 100.00
X-CNFS-Analysis: v=2.3 cv=GNaT7tFK c=1 sm=1 tr=0 cx=a_idp_d
p=nB4ZqsF0izRGTkGuQBEA:9 p=GjopYUQxc-cA:10 p=JYkVw_zZ4YYA:10
a=ROLLm6z+GCTC6GNm1UIUug==:117 a=ROLLm6z+GCTC6GNm1UIUug==:17
a=E5nwcu9QDW8A:10 a=udTvpura_4gA:10 a=Z5ABNNGmrOfJ6cZ5bIyy:22
a=bWyr8ysk75zN3GCy5bjg:22
Message-ID: <612B6F92.5020205@XXXXXXX.plus.com>
Date: Sun, 29 Aug 2021 11:29:22 +0000
From: <chris000@XXXXXXX.plus.com>
User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:15.0) Gecko/20120907 Thunderbird/15.0.1
MIME-Version: 1.0
To: <chris000@XXXXXXX.plus.com>
Content-Type: text/plain; charset=WINDOWS-1250; format=flowed
Content-Transfer-Encoding: 8bit
X-CMAE-Envelope: MS4wfLOHqD3TqhJxZQhF8NDbp/vQRPZ4mn3sIi7aeG8RZYQbwf1XrgOhW/fibBCBl0ZJwuV4EoBTBvB7KZ5n4Syc5E+UmuLLORb2C4TE6mGhm40KGcTv4QNi
zdxb91g4zIG8J/J250FcBuzWkc74dBOISfSycpdGP8OFg4jCfODSeXHsQneq8K/y60jHVH+Zf+lPFQxNdk22osz7T8P95CsQAQU=
X-pn-pstn-db:" Spam 99
X-PN-Virus-Filtered: by PlusNet MXCore (v5.00)
X-PN-Spam-Filtered: by PlusNet MXCore (v5.00)
Subject: Waiting for the payment.
X-EsetId: 37303A299ABC1750637167
Re: Email Server Hacked.....Again?
30-08-2021 8:47 PM - edited 30-08-2021 8:48 PM
Thanks @chesterfield .
Looking at the headers it is possible to confirm that the message wasn't sent from your account, despite the From: purporting to make it look this way. Specifically, if you look at the Received: headers:
@chesterfield wrote:
Received: from [84.93.230.237] (helo=avasin10.plus.net)
by inmx20.plus.net with esmtp (PlusNet MXCore v2.00) id 1mKI4C-0004DH-3v
for chris000@XXXXXXX.plus.com; Sun, 29 Aug 2021 11:29:32 +0100
Received: from [102.89.0.204] ([102.89.1.193])
by Plusnet Cloudmark Gateway with ESMTP
id KI43muuohVNKaKI45m86gs; Sun, 29 Aug 2021 11:29:26 +0100
The second Received: header is the first routing header added by Plusnet for *incoming* mail and with no older Received: headers present this illustrates the first hop i.e. the mail was submitted directly from 102.89.0.204 (which, incidentally, appears to be in Nigeria). If the message had been sent from your Plusnet account (i.e. authenticated, whether via SMTP AUTH by an email client or via the webmail service) then there would be a corresponding Received: line added by Plusnet's submission (and outgoing server, if separate) reflecting that this had been the case.
Like the OP, this appears to be a straightforward case of your address being spoofed. Chances are the address has simply been picked up out in the wild, most likely from an email you've sent to a 3rd party whose mailbox has been compromised or a compromised database containing customer details.
There's not much you can do about it, although I see that Plusnet did at least identify it as spam and so presumably it can be set to be filtered on that basis? (I don't use Plusnet's email service myself so I am unfamiliar with what spam control options are available).
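As an added example that is not part of the thread, the check MJN walks through above in Python: read the Received: chain oldest-first, take the submitting IP from the oldest line, and look for any hop that records an authenticated submission. The header sample is constructed from the block posted above (continuation lines re-indented as folded headers), and the authentication markers are assumed heuristics, not Plusnet's actual conventions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, modelled on the header block posted in this thread
# (obfuscation kept). Continuation lines are indented so the parser treats
# them as folded header lines, as they are in the real message.
SAMPLE_HEADERS = """\
Return-path: <chris000@XXXXXXX.plus.com>
Received: from [84.93.230.237] (helo=avasin10.plus.net)
 by inmx20.plus.net with esmtp (PlusNet MXCore v2.00) id 1mKI4C-0004DH-3v
 for chris000@XXXXXXX.plus.com; Sun, 29 Aug 2021 11:29:32 +0100
Received: from [102.89.0.204] ([102.89.1.193])
 by Plusnet Cloudmark Gateway with ESMTP
 id KI43muuohVNKaKI45m86gs; Sun, 29 Aug 2021 11:29:26 +0100
From: <chris000@XXXXXXX.plus.com>
To: <chris000@XXXXXXX.plus.com>
Subject: Waiting for the payment.

"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Assumed markers a submission server stamps when the client authenticated
# (e.g. Exim's 'esmtpsa'); real deployments differ, so this is a heuristic.
AUTH_MARKERS = ("esmtpsa", "authenticated", "smtp auth")

def received_chain(raw):
    """Received: headers oldest-first; each relay prepends, so the top one is newest."""
    return list(reversed(message_from_string(raw).get_all("Received", [])))

def first_hop_ip(raw):
    """Source IP recorded in the oldest Received: line, i.e. who handed the mail in."""
    chain = received_chain(raw)
    m = IP_RE.search(chain[0]) if chain else None
    return m.group(1) if m else None

def has_authenticated_hop(raw):
    """True if any Received: line carries one of the (assumed) authentication markers."""
    return any(tok in h.lower() for h in received_chain(raw) for tok in AUTH_MARKERS)

def spoof_verdict(raw, local_domain):
    """Flag mail whose From: claims local_domain but which no local user submitted."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    claims_local = from_domain == local_domain or from_domain.endswith("." + local_domain)
    if claims_local and not has_authenticated_hop(raw):
        return "spoofed", first_hop_ip(raw)   # -> ("spoofed", "102.89.0.204")
    return "consistent", first_hop_ip(raw)
```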
Re: Email Server Hacked.....Again?
31-08-2021 12:19 PM
@Ripperoo2018 I agree with @MJN's analysis of the headers for @chesterfield. Having checked the headers you've PM'd @JonoH, it looks like your email address was spoofed too. Let us know if you've got any further concerns.
Re: Email Server Hacked.....Again?
31-08-2021 12:39 PM
OK, Cheers.
I have sent you a PM regarding another issue.
Re: Email Server Hacked.....Again?
31-08-2021 12:46 PM - edited 31-08-2021 12:46 PM
@Ripperoo2018 wrote:
OK, Cheers.
I have sent you a PM regarding another issue.
Would you mind marking @Gandalf's response as a fix if it indeed did fix your concerns? Normally I wouldn't ask but people get a little worried when it comes to security and I'd like others who might see this in the future to be assured that we haven't exposed your or their details.