Receiving extortion emails sent from my own Plusnet email address

berylcuke · ‎13-12-2023

Every couple of weeks for the last few months I have been bombarded with emails sent from my own email address to my email address (as though I've sent myself an email) with the usual thing about the sender having downloaded a trojan into my PC and watched me having sex or something similar and asking for payment using cryptocurrency. The emails begins: "Some time ago your device was infected with my private trojan, R.A.T (Remote Administration Tool), if you want to find out more about it simply use Google. My trojan allowed me to access your files, accounts and your camera. Check the sender of this email, I have sent it from your email account. To make sure you read this email, you will receive it multiple times."

I know it's a scam but am concerned that it has been sent from my own email address. There is no other email address behind it and when I click on the email address it comes up with my contact details. I know there is no malware on my PC as I am constantly scanning it and never click on anything I am not 100% sure about. I have contacted Plusnet a couple of times about this but hit a brick wall. The only suggestion was to change my email address to which Plusnet sends me notifications, which I did, but it still hasn't stopped. As the emails are sent from my email address, I can't block it or put it on the black list. Neither does the spam filter work for the same reason.

How is this happening and how do I stop it? I am fed up with my inbox being filled with 40 or 50 emails a day from this scammer every few weeks. I've even started wondering if the emails originate from someone within Plusnet.

Townman · ‎22-08-2007

Sadly you cannot stop this - it is possible to make an email appear to have come from any address (if you know how) - which is not the same as it having done so.

You should look at the email headers (file - properties) to see how the email was routed. You only need to be concerned if the email was sent via Plusnet's SMTP server using YOUR account credentials. Changing the password on your email address might offer you additional reassurance.

In another browser tab, login into the Plusnet user portal BEFORE clicking the fault & ticket links

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

If this post helped, please click the Thumbs Up and if it fixed your issue, please click the This fixed my problem green button below.

berylcuke · ‎13-12-2023

Thanks Townman.

I have changed my password several times, but to no avail. How do I look at the email headers, as you suggested, in Plusnet webmail?

Anonymous · ‎13-12-2023

All you can do to prevent the build-up of these SPAM in your 'Inbox', is automate a filter for incoming emails - that looks at the message headers, and silently moves the unwanted messages to your 'Deleted' or 'Trash' folder.

You will need an email IMAP client running on a PC, such as Thunderbird or Pegasus,

and then use the message filtering rules to build something like -

IF <From:> CONTAINS <your_email_address> THEN <Move message> TO <Deleted> folder

You can make the rules more complex to separate out different actions if needed, such as if you did ever email yourself.

berylcuke · ‎13-12-2023

Hi Rising Star

I do use an email IMAP client (eM Client). I've looked at its filter but I can only choose options from various drop down menus. Since I frequently email myself reminders it will be problematic to filter out my email address as a sender. The email titles change with each new extortion campaign, but once I start receiving a new batch of scam emails I could filter out the title, so that's a good idea. Thanks.

Townman · ‎22-08-2007

You can look to see where an email comes from by looking at its headers - in Webmail, click the options cog in the menu bar above an open mail item. Select view source.

Look at the RECEIVED: FROM line...

Received: from avasout-peh-003.plus.net ([84.93.223.46])
	by Plusnet Cloudmark Gateway with ESMTP

The above was sent via Plusnet's own SMTP service.

If the received from indicates a Plusnet SMTP service, look at the X-Auth line.

X-AUTH: ******@:2500

Which will indicate which account was used to authenticate to Plusnet's SMTP service.

In another browser tab, login into the Plusnet user portal BEFORE clicking the fault & ticket links

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

If this post helped, please click the Thumbs Up and if it fixed your issue, please click the This fixed my problem green button below.

berylcuke · ‎13-12-2023

Thanks Townman. I'll give it a go.

MisterW · ‎30-07-2007

I do use an email IMAP client (eM Client).

@berylcuke to View headers using eM Client see https://forum.emclient.com/t/how-do-i-see-incoming-email-headers/80244

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

berylcuke · ‎13-12-2023

Hi Townman

This is what I found:

Received: from [84.54.72.15]
	  by inmx-peh-004.plus.net with esmtp (PlusNet MXCore v2.00) id 1rDJll-000FNa-UJ 
	  for [I've deleted my email address]; Wed, 13 Dec 2023 07:35:04 +0000
Received: from hbqmdjb ([84.200.215.46]) by 39636.com with MailEnable ESMTP; Wed, 13 Dec 2023 12:34:54 +0500

Any insights???

Townman · ‎22-08-2007

All that can be advised is that the email is not being sent via a Plusnet SMTP server, so neither you nor some other Plusnet user's email account is being abused.

As per previous reply it is easy enough to send an email as if it came from any email address, including your own, IF strict SPF is not enabled. Sadly due to untidy use of email (forwarding without SRS) strict SPF enforcement can lead to various difficulties.

A SPF failure should lead to SPAM marking - are you using the Plusnet SPAM options?

In another browser tab, login into the Plusnet user portal BEFORE clicking the fault & ticket links

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

If this post helped, please click the Thumbs Up and if it fixed your issue, please click the This fixed my problem green button below.

berylcuke · ‎13-12-2023

Well that's a relief at least!

Anonymous · ‎13-12-2023

@berylcuke can you compare in the message headers, the field -

Return-Path:

for one of the SPAM messages, and from a message you send to yourself ?

I'm thinking there must be a way to build a filter something like -

IF <From:> CONTAINS <your_email_address> AND <Return-Path:> DOESN'T CONTAIN <your_email_address> THEN <Move message> TO <Deleted> folder

This *should* leave messages to yourself in your 'Inbox'

For most of the messages I deal with like yours, the return path is usually the giveaway by being something obviously spurious

berylcuke · ‎13-12-2023

Thanks. I will need to spend a bit of time drilling down into what I can and cannot do with my email client. I'll report back on progress.

jab1 · ‎24-02-2012

@berylcuke et al : As I have an efficient 'filtering service' via my MailWasher program, and because of an episode some time ago where CloudMark were marking valid emails as 'SPAM' and deleting them, I have disabled the PN filters entirely - I will decide what is or isn't rubbish - but IIRC you get set the Plusnet spam filter (referred to previously) to eliminate a very large percentage of obvious rubbish, without you actually having sight of it.

John

Champnet · ‎25-07-2007

I'm with @jab1, I'd never let a 3rd party algorithm decide which emails I can, or cannot, receive.

Simple temporary solution, providing the email client allows rules, is to create a spam folder. Create a rule that automatically moves all recieved emails sent from <your_email_address> to the spam folder. Regularly check that folder and delete the unwanted emails.....