My email address hijacked ?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Plusnet Community
- :
- Forum
- :
- Help with my Plusnet services
- :
- :
- My email address hijacked ?
My email address hijacked ?
17-01-2020 11:13 AM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
A few days ago, and again this morning, I've received bounceback from a dozen or so email addresses that had been sent emails, purportedly from my account, to invalid addresses.
I have no evidence either on my machine (Office Pro 2016 on Windows 10 with latest patches) or plusnet webmail of these actually being sent from my machine / email address.
The details on the bounceback typically look like this:
---------------------
Reporting-MTA: dns; avasout07 [84.93.230.235]
Received-From-MTA: dns; THEE7R64L3XX0F7J [207.148.65.140]
Arrival-Date: Fri, 17 Jan 2020 09:48:11 +0000
Final-recipient: rfc822; qlz24907@zwoho.com
Diagnostic-Code: smtp; 550 relay not permitted
Last-attempt-Date: Fri, 17 Jan 2020 09:48:13 +0000
----------------------
All of the 'from' on the top line are some variation on avasout, which AIUI indicates plusnet ?
So, do these spam emails originate from within plusnet, or not ?
Any advice ?
Thanks
Brian
Re: My email address hijacked ?
17-01-2020 11:29 AM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Someone has gained your email address from somewhere and has put it in the "reply to" section of an email. That way, any addresses that are not valid are sent back to you. They do not originate from inside the +Net network, but the spammer's. Full headers should show you where they were sent from.
Re: My email address hijacked ?
17-01-2020 11:35 AM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
As is mentioned above @BrianAbbott by @Marksfish this is nothing to do with you and as tedious as it is you can ignore these. If you are getting a lot of these you could set up a mail filter on your client to dump them.
Re: My email address hijacked ?
on 17-01-2020 11:42 AM - last edited on 17-01-2020 1:18 PM by Strat
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
So, avasout doesn't inidcate Plusnet ?
Apart from the details in my earlier post, the header in the bounceback contained this:
-----------------------------
Received: from THEE7R64L3XX0F7J ([207.148.65.140])
by smtp with ESMTPSA
id sOEDik1UUowWhsOEbiCl1g; Fri, 17 Jan 2020 09:48:11 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=plus.com; s=042019;
t=1579254491; bh=rhr6oLKGfREeeKrY8YGgd2kEDVoXlS9tlbMN/KaohD4=;
h=To:Subject:From:List-Unsubscribe;
b=TyNt1AAuQzde/StRDjDMHBUOkXMBrfk22r2Ik9cn+I/vyE4vfWf6twWTqcBce2KTl
0z1la9mRYC47yZjXbD9886I0N2O3fklRwM4HNej4rZl3q5EPD6TTbzILPeNNLXuIDG
E6Sh/foe/C81a/bmA5DU7IZIZBONatX4/PNv5jy9D1tZTg5YImaYDYqKtMRM/4GR9o
xkxu8QZlrOZ5uegqzhrzvC5Z6SypaKq1FjJ/blHMVx4qae/Npd00i1KZwzDh/7qnxq
t+i+HZAFKxnM5NSGHgNJ0npSF/s+rZrxIGELZVZbCoF6DOn9IbVz+N8PDBQ2uSBlE3
m35fCo2jUhIwg==
X-Clacks-Overhead: "GNU Terry Pratchett"
X-CM-Score: 0.00
X-CNFS-Analysis: v=2.3 cv=E6qzWpVl c=1 sm=1 tr=0
a=GVUuMGj+JKHOcLGo1ytapw==:117 a=GVUuMGj+JKHOcLGo1ytapw==:17
a=HpEJnUlJZJkA:10 a=DBwwDor5xuMA:10 a=kQrcmiHUAAAA:8 a=KjzP0bffsGbAeAntB8MA:9
a=Lk9fFPFQQ9CUdlo9:21 a=KhgaYUx5TQUJIcCX:21 a=QEXdDO2ut3YA:10
a=-FEs8UIgK8oA:10 a=NWVoK91CQyQA:10 a=luwA3-0jEilIXhxMmmP0:22
a=EeFWjPFElJDHm6OpgIBZ:22 a=p-dnK0njbqwfn1k4-x12:22 a=301kmAp-fCAfJyRBmuhM:22
X-AUTH: [Removed]:46500
To: qlz24907@zwoho.com
Content-Type: multipart/mixed; boundary="____MKHHCBZSKFPLJX3DXQ0S31B980MV830"
Subject: 💋A princess is waiting for a prince🌈
From: Debbra Polinsky <[Removed]>
List-Unsubscribe: 55bkccxwhmz7c@retoba.trade
X-CMAE-Envelope: MS4wfE5So/d39gV00oXnq/ccSf3ZoJZJEss3pjq63VTT0M5Edp7+rMhvYR2veDZsxBy0zqvAmF422AJ5sH8BP9Rsb8HNfrhyFuR3ZfYfitX5ZD45lOc3zrWr
2vXBKaOZVNRhvZqw1tjBu/n9wkRfR93+7+TuRbjteDK1Bmld33sh1PrDSgJRMe7+NqlpFfVFnJPdrg==
-----------------------------
I can't see anything in there that would tell me the originator. But then I'm no expert 😉
Moderator's note by Dick (Strat): Personal information removed from a public forum (to an area that staff can see).
Re: My email address hijacked ?
17-01-2020 11:56 AM - edited 17-01-2020 11:57 AM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Unless you run the headers through something like Spamcop, you are unlikely to find out. You can however clearly see your email address used, which is why you are getting bounce backs.:
From: Debbra Polinsky <edited@edited.plus.com>
You may want to remove your email from the previous post.
Re: My email address hijacked ?
17-01-2020 12:38 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Those headers read as though someone has attempted to send those emails through the Plusnet servers, but using your login credentials. There's a header that tracks the fact that it was an authenticated send. I would strongly suggest that you change both your mailbox password, for that account, and anywhere else that you may have reused that password.
Re: My email address hijacked ?
17-01-2020 4:20 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
OK I'll do that.
Thanks
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page