
Hoax security e-mail or genuine?

morganbach
Hooked
Posts: 6
Registered: ‎11-11-2017

Hoax security e-mail or genuine?

Hello received this twice and appears to be from Plus.net. Anyone know if this is genuine pls?

Also unsure if relates just to this mailbox or all mails as some have arrived.

>

On 29/07/2020, 08:15, "autoemail@plus.net" <autoemail@plus.net> wrote:

Dear Mr Morgan,

During the Monitoring of our platform, we noticed a  number of unsolicited emails are being sent from a remote IP address using your account login credentials.

These were identified as unsolicited by our spam filtering software and flagged to our attention, we then sanity checked the source IP address, Subject Line, From and To addresses and based on the content, we believe it's quite possible your log-in credentials have been compromised.

For reference, the mailbox in question is: antonia

The most probable reason is an insecure or weak password, possibly plain text which could have been obtained by a local virus/keylogger or brute-forced using normal dictionary words.

Due to the resources required to handle such high quantities of email, there is the potential for this situation to negatively affect other users of our email platform and the reputation of our mail servers.

 

We have therefore taken the temporary measure of blocking your access to the email servers. This means that you will be unable to send or receive emails.

Before considering reinstating access to our servers you will need to take preventative measures to stop this from re-occurring, we suggest an audit of all passwords and sensitive information that may have been accessible from keyloggers, etc and perform a full security audit & Virus/malware scan of any PC's connected to your network.

Once you have taken action, please contact us to arrange for a new strong (cryptic) password to be applied to your account or mailbox, please use upper / lower case characters and numbers or special characters mixed.

Alternatively, if you are confident you have secured all your local network/computers, you can re-enable the service by updating your password with a more secure cryptic password via your customer portal. Please note once you make these changes you will need to update any mail software which uses the password your changing to reflect the new password. If the password you are changing is your default password for your account and you use our broadband service, you may need to also update your router password to reflect the changes made.

 

Kind Regards,

Plusnet Abuse Team

 

This email has been sent as it contains important information about your service from Madasafish. Please do not reply to this email, as this is an unmonitored address.

PlusNet PLC Registered Office: The Balance, 2 Pinfold Street, Sheffield, S1 2GU. Registered in England no: 3279013

 

11 REPLIES 11
Alex
Community Veteran
Posts: 5,500
Thanks: 921
Fixes: 13
Registered: ‎05-04-2007

Re: Hoax security e-mail or genuine?

Seems legit to me, but I can't be 100%.

A PlusNet staff member will be able to confirm.

I would capture the e-mail headers, which will confirm if they have been sent from PlusNet's servers and the route it has taken to get to your mailbox.

Probably best not to post them on here, as they will contain personal information. They will be useful should a member of staff want to see them.

Let us know what mail client you're using and we can help on how you can do that.
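An added example (not part of the original thread and not Plusnet's own tooling) of the header check suggested above: it lists the relay route from the `Received` lines and reads the SPF/DKIM/DMARC verdicts recorded by the receiving server. The sample headers, host names, addresses and the `looks_genuine` helper are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (placeholder hosts and IPs, not the real message).
SAMPLE = """\
Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby mx.recipient.example with ESMTP id abc123;
\tWed, 29 Jul 2020 08:15:04 +0100
Received: from app01.example.net (app01.example.net [192.0.2.20])
\tby relay.example.net with ESMTP id def456;
\tWed, 29 Jul 2020 08:15:02 +0100
Authentication-Results: mx.recipient.example;
\tspf=pass smtp.mailfrom=example.net;
\tdkim=pass header.d=example.net;
\tdmarc=pass header.from=example.net
From: "Abuse Team" <autoemail@example.net>
Subject: Account notice

body
"""

def route(msg):
    """Return relay hops oldest-first as (from_host, by_host) tuples."""
    hops = []
    for r in reversed(msg.get_all("Received", [])):
        flat = " ".join(r.split())  # undo header folding
        m = re.match(r"from (\S+).*? by (\S+)", flat)
        hops.append((m.group(1), m.group(2)) if m else (None, None))
    return hops

def auth_results(msg, trusted_authserv):
    """Collect spf/dkim/dmarc verdicts, but only from our own server's header."""
    out = {}
    for h in msg.get_all("Authentication-Results", []):
        flat = " ".join(h.split())
        if flat.split(";")[0].strip() != trusted_authserv:
            continue  # header added by another party (could be forged): ignore
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", flat):
            out.setdefault(method, verdict)
    return out

def looks_genuine(raw, expected_domain, trusted_authserv):
    """True only if From: is the expected domain and our server recorded dmarc=pass."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    verdicts = auth_results(msg, trusted_authserv)
    return from_domain == expected_domain and verdicts.get("dmarc") == "pass"
```

Only the `Received` lines added by your own provider (the topmost ones) can be trusted; anything below them is supplied by the sending side and can be made up.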

jab1
Legend
Posts: 17,025
Thanks: 5,451
Fixes: 254
Registered: ‎24-02-2012

Re: Hoax security e-mail or genuine?

@morganbach Backing up @Alex here - yes, the message is genuine, so please follow the suggested actions.

John
Alex
Community Veteran
Posts: 5,500
Thanks: 921
Fixes: 13
Registered: ‎05-04-2007

Re: Hoax security e-mail or genuine?

Thanks @jab1 

I thought so, but it is still worth the OP checking the headers if they are unsure.

morganbach
Hooked
Posts: 6
Registered: ‎11-11-2017

Re: Hoax security e-mail or genuine?

OK that's great, thanks for responses.

 

The response is a bit broad though. Reset (which?) password and 'contact us' where, which dept., what e-mail address?

Any pointers would be great?

Thanks

jab1
Legend
Posts: 17,025
Thanks: 5,451
Fixes: 254
Registered: ‎24-02-2012

Re: Hoax security e-mail or genuine?

@morganbach Not the easiest of messages to understand, I agree, but basically you need to change/strengthen the password on the mailbox mentioned - is this your default mailbox or a secondary one? - and then see if you can access it again.

If you are still having problems after that, post back, and we can probably sort it without needing to involve Plusnet.

John
Townman
Superuser
Posts: 23,010
Thanks: 9,599
Fixes: 160
Registered: ‎22-08-2007

Re: Hoax security e-mail or genuine?

Hi @morganbach 

A warm welcome to the forums.

To be honest here, though wordy, this is a very clear communication from Plusnet (unlike some of them).  In summary paragraph by paragraph ...

  1. We monitor the use of the email service
  2. We have seen emails sent on your account from a suspect IP address
  3. The mailbox is antonia
  4. We believe your password has been compromised
  5. The consequences of the compromise put the whole email service at risk
  6. Therefore your (and anyone else's) access to this mailbox has been blocked
  7. You need to check your IT for vulnerabilities
  8. Contact Plusnet to set up a new password or do it yourself through the (MAAF) user portal

This stock answer might assist...

Reset email password

Which ISP are you with, Plusnet or one of the other / legacy vISPs?

If you are not able to log in to the email address using webmail, then it is likely that your email address has been identified as being compromised and has had its password changed. Where email address passwords have been changed to protect the integrity of the service, the account password is left unchanged.

Plusnet / Force9 / FreeOnline users can only change the password on the DEFAULT email address by changing the password on the user ACCOUNT through the user portal. You can change the password on a secondary mailbox using the Manage My Mail options in the user portal.

Brightview users (Madasafish / FreeNetName / GlobalNet / IC24 / ICScotland / Dialstart / Totalise) logging into webmail should use their full email address. Use the MAAF user portal to update the password on the default email address (change the account password) and use this MAAF guide to change the password on a secondary mailbox address. If you cannot recall the account password, you will need to contact support ... because the account password change process sends an email to the mailbox you cannot now access.

DO NOT USE THE SAME PASSWORD AGAIN for that would allow the continued exploitation of the account. The new password should be cryptic and not one used before.

Note that changing the account password will change the password used for logging on to the relevant user portal. If your email service is NOT a retained legacy service (one associated with a retired internet service account), then the password required by the router to connect to the internet will be changed too. If the router is a Hub Zero or a Hub One supplied by Plusnet it should update automatically. If not, you will need to log into the router, drop the connection, change the password yourself and reconnect.

On the assumption that the email address password has been compromised, I strongly recommend that wherever you have used that email address / password combination as access credentials to services such as Amazon, Netflix, eBay etc., that you also change the passwords on those services as well.

 

What is a little odd here is that if the password had been changed, I would not expect that you would be able to see the email if it had been sent to the compromised email address!! @JW 

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

jab1
Legend
Posts: 17,025
Thanks: 5,451
Fixes: 254
Registered: ‎24-02-2012

Re: Hoax security e-mail or genuine?

@Townman Thanks for your simplified version of the original email.😉

Why the original couldn't be like that has always confused me - many users are clearly not computer literate enough to wade through that, and I was always taught/advised that when sending information to anyone who may need guidance, to make it as simple and concise as possible.

John
Townman
Superuser
Posts: 23,010
Thanks: 9,599
Fixes: 160
Registered: ‎22-08-2007

Re: Hoax security e-mail or genuine?

John,

Some might say terse rather than simplified, but being a Yorkshireman, I dislike wasting words!

A corporate communication tends to want to use more fluid, some might say, fluffy words ... which can obscure the key message!


morganbach
Hooked
Posts: 6
Registered: ‎11-11-2017

Re: Hoax security e-mail or genuine?

This is helpful, thanks. I just wondered whether this was the main cust support line, or whether abuse team had a special contact point through raising a ticket? I'll raise one regardless and hopefully find out how to get this deleted as a secondary mailbox, I don't really use it.

Thanks all

 

morganbach
Hooked
Posts: 6
Registered: ‎11-11-2017

Re: Hoax security e-mail or genuine?

Sorry only now read the other reply 🙄. All sorted thanks

 

Townman
Superuser
Posts: 23,010
Thanks: 9,599
Fixes: 160
Registered: ‎22-08-2007

Re: Hoax security e-mail or genuine?

@morganbach 

You can manage your mail boxes through the relevant user portal.
