
My email address hijacked ?

BrianAbbott
Newbie
Posts: 5
Registered: ‎18-12-2008

A few days ago, and again this morning, I've received bounceback from a dozen or so email addresses that had been sent emails, purportedly from my account, to invalid addresses.

I have no evidence either on my machine (Office Pro 2016 on Windows 10 with latest patches) or plusnet webmail of these actually being sent from my machine / email address.

The details on the bounceback typically look like this:

---------------------

Reporting-MTA: dns; avasout07 [84.93.230.235]
Received-From-MTA: dns; THEE7R64L3XX0F7J [207.148.65.140]
Arrival-Date: Fri, 17 Jan 2020 09:48:11 +0000


Final-recipient: rfc822; qlz24907@zwoho.com
Diagnostic-Code: smtp; 550 relay not permitted

Last-attempt-Date: Fri, 17 Jan 2020 09:48:13 +0000

----------------------

All of the 'from' on the top line are some variation on avasout, which AIUI indicates plusnet ?

So, do these spam emails originate from within plusnet, or not ?

Any advice ?

 

Thanks

 

Brian

Marksfish
Seasoned Pro
Posts: 1,078
Thanks: 281
Fixes: 4
Registered: ‎22-11-2014

Re: My email address hijacked ?

Someone has gained your email address from somewhere and has put it in the "reply to" section of an email. That way, any addresses that are not valid are sent back to you. They do not originate from inside the +Net network, but the spammer's. Full headers should show you where they were sent from.

Mook
Seasoned Champion
Posts: 1,266
Thanks: 870
Fixes: 9
Registered: ‎27-12-2019

Re: My email address hijacked ?

As is mentioned above @BrianAbbott by @Marksfish this is nothing to do with you and as tedious as it is you can ignore these. If you are getting a lot of these you could set up a mail filter on your client to dump them.

BrianAbbott
Newbie
Posts: 5
Registered: ‎18-12-2008

Re: My email address hijacked ?

So, avasout doesn't indicate Plusnet ?

 

Apart from the details in my earlier post, the header in the bounceback contained this:

-----------------------------

Received: from THEE7R64L3XX0F7J ([207.148.65.140])
    by smtp with ESMTPSA
    id sOEDik1UUowWhsOEbiCl1g; Fri, 17 Jan 2020 09:48:11 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=plus.com; s=042019;
    t=1579254491; bh=rhr6oLKGfREeeKrY8YGgd2kEDVoXlS9tlbMN/KaohD4=;
    h=To:Subject:From:List-Unsubscribe;
    b=TyNt1AAuQzde/StRDjDMHBUOkXMBrfk22r2Ik9cn+I/vyE4vfWf6twWTqcBce2KTl
     0z1la9mRYC47yZjXbD9886I0N2O3fklRwM4HNej4rZl3q5EPD6TTbzILPeNNLXuIDG
     E6Sh/foe/C81a/bmA5DU7IZIZBONatX4/PNv5jy9D1tZTg5YImaYDYqKtMRM/4GR9o
     xkxu8QZlrOZ5uegqzhrzvC5Z6SypaKq1FjJ/blHMVx4qae/Npd00i1KZwzDh/7qnxq
     t+i+HZAFKxnM5NSGHgNJ0npSF/s+rZrxIGELZVZbCoF6DOn9IbVz+N8PDBQ2uSBlE3
     m35fCo2jUhIwg==
X-Clacks-Overhead: "GNU Terry Pratchett"
X-CM-Score: 0.00
X-CNFS-Analysis: v=2.3 cv=E6qzWpVl c=1 sm=1 tr=0
 a=GVUuMGj+JKHOcLGo1ytapw==:117 a=GVUuMGj+JKHOcLGo1ytapw==:17
 a=HpEJnUlJZJkA:10 a=DBwwDor5xuMA:10 a=kQrcmiHUAAAA:8 a=KjzP0bffsGbAeAntB8MA:9
 a=Lk9fFPFQQ9CUdlo9:21 a=KhgaYUx5TQUJIcCX:21 a=QEXdDO2ut3YA:10
 a=-FEs8UIgK8oA:10 a=NWVoK91CQyQA:10 a=luwA3-0jEilIXhxMmmP0:22
 a=EeFWjPFElJDHm6OpgIBZ:22 a=p-dnK0njbqwfn1k4-x12:22 a=301kmAp-fCAfJyRBmuhM:22
X-AUTH: [Removed]:46500
To: qlz24907@zwoho.com
Content-Type: multipart/mixed; boundary="____MKHHCBZSKFPLJX3DXQ0S31B980MV830"
Subject: 💋A princess is waiting for a prince🌈
From: Debbra Polinsky <[Removed]>
List-Unsubscribe: 55bkccxwhmz7c@retoba.trade
X-CMAE-Envelope: MS4wfE5So/d39gV00oXnq/ccSf3ZoJZJEss3pjq63VTT0M5Edp7+rMhvYR2veDZsxBy0zqvAmF422AJ5sH8BP9Rsb8HNfrhyFuR3ZfYfitX5ZD45lOc3zrWr
 2vXBKaOZVNRhvZqw1tjBu/n9wkRfR93+7+TuRbjteDK1Bmld33sh1PrDSgJRMe7+NqlpFfVFnJPdrg==

-----------------------------

 

I can't see anything in there that would tell me the originator.  But then I'm no expert 😉

Moderator's note by Dick (Strat): Personal information removed from a public forum (to an area that staff can see).

Marksfish
Seasoned Pro
Posts: 1,078
Thanks: 281
Fixes: 4
Registered: ‎22-11-2014

Re: My email address hijacked ?

Unless you run the headers through something like Spamcop, you are unlikely to find out. You can however clearly see your email address used, which is why you are getting bounce backs:

From: Debbra Polinsky <edited@edited.plus.com>

You may want to remove your email from the previous post.

JW
Plusnet Staff
Posts: 314
Thanks: 100
Fixes: 24
Registered: ‎09-11-2007

Re: My email address hijacked ?

@BrianAbbott 

Those headers read as though someone has attempted to send those emails through the Plusnet servers, but using your login credentials. There's a header that tracks the fact that it was an authenticated send. I would strongly suggest that you change both your mailbox password, for that account, and anywhere else that you may have reused that password.

 Jon W
 Plusnet
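
The check described in the reply above, as an added example that is not part of any post in this thread: it reads the `Received` hop returned in a bounce and reports whether the message was accepted with SMTP authentication (credentials in use) or without it (sender address merely forged). The function name `triage`, the verdict labels, the placeholder address and the `SPOOFED` sample are assumptions made for illustration; `SUBMITTED` is trimmed from the headers quoted earlier in the thread.

```python
import re
from email import message_from_string

# RFC 3848 "with" keywords that record SMTP AUTH on the receiving hop.
AUTH_PROTOCOLS = {"ESMTPA", "ESMTPSA", "LMTPA", "LMTPSA"}

# Constructed samples. SUBMITTED is trimmed from the headers quoted in this
# thread (signature shortened, address replaced); SPOOFED is invented.
SUBMITTED = """\
Received: from THEE7R64L3XX0F7J ([207.148.65.140])
    by smtp with ESMTPSA
    id sOEDik1UUowWhsOEbiCl1g; Fri, 17 Jan 2020 09:48:11 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=plus.com; s=042019;
    h=To:Subject:From:List-Unsubscribe; b=PLACEHOLDER
From: Debbra Polinsky <user@example.plus.com>

"""
SPOOFED = """\
Received: from mail.sender.example ([192.0.2.10])
    by mx.recipient.example with ESMTP id abc123; Fri, 17 Jan 2020 09:48:11 +0000
From: Debbra Polinsky <user@example.plus.com>

"""

def triage(raw_headers, provider_domain):
    """Classify returned headers: authenticated submission vs. forged sender."""
    msg = message_from_string(raw_headers)
    # Top Received line = hop written by the server that last accepted the
    # message (assumed here to be the provider named in the bounce).
    hop = (msg.get_all("Received") or [""])[0]
    proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", hop)
    ip = re.search(r"\[([0-9A-Fa-f:.]+)\]", hop)
    dkim = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    authenticated = bool(proto) and proto.group(1).upper() in AUTH_PROTOCOLS
    d = dkim.group(1).lower() if dkim else ""
    signed = d == provider_domain or d.endswith("." + provider_domain)
    return {
        "client_ip": ip.group(1) if ip else None,  # where the login came from
        "authenticated": authenticated,
        "signed_by_provider": signed,  # supporting evidence only
        "verdict": "change-password" if authenticated else "forged-sender",
    }

if __name__ == "__main__":
    for name, raw in (("submitted", SUBMITTED), ("spoofed", SPOOFED)):
        print(name, triage(raw, "plus.com"))
```

The `client_ip` value is the address that presented the credentials, which is worth comparing against the addresses you normally connect from.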
BrianAbbott
Newbie
Posts: 5
Registered: ‎18-12-2008

Re: My email address hijacked ?

OK I'll do that.

 

Thanks