Spam emails being sent/received

FIXED
Mardler
Aspiring Pro
Posts: 752
Thanks: 57
Registered: ‎01-07-2012

Re: Spam emails from plus.com addresses

What is, John? My question or the OP above?

I have no idea why PN chose to put my new topic under this one, they're different issues! It also doesn't help but hinders the OP.

PN, please rectify.

jab1
The Full Monty
Posts: 22,706
Thanks: 7,928
Fixes: 334
Registered: ‎24-02-2012

Re: Spam emails from plus.com addresses

@Mardler If your above post is in answer to my reply, the answer is : the issue you are experiencing.

John
Mardler
Aspiring Pro
Posts: 752
Thanks: 57
Registered: ‎01-07-2012

Re: Spam emails from plus.com addresses

It was, John.

I have had no response from PN nor did I see anything relevant before I posted a new topic. Are you talking about the referral mentioned above? If so, it's not necessarily the same issue.

The two topics should have been kept separate.

jab1
The Full Monty
Posts: 22,706
Thanks: 7,928
Fixes: 334
Registered: ‎24-02-2012

Re: Spam emails from plus.com addresses

@Mardler I tend to agree that the issue you refer to is not related really to the topic it has been merged into, but that was not my decision.

John
Batphone
Rising Star
Posts: 79
Thanks: 29
Registered: ‎14-07-2017

Re: Spam emails from plus.com addresses

The "Boots store survey" issue does appear to be different to the one reported by the OP, but might they be related in some way?

 

jab1
The Full Monty
Posts: 22,706
Thanks: 7,928
Fixes: 334
Registered: ‎24-02-2012

Re: Spam emails from plus.com addresses

Could be/may be, but I have asked the mods to review the merge.

John
Townman
Superuser
Superuser
Posts: 27,998
Thanks: 12,495
Fixes: 235
Registered: ‎22-08-2007

Re: Spam emails from plus.com addresses

@Mardler 

Boots survey is but one flavour of nefarious activity hitting PN mail accounts.  I’ve got evidence from @jab1 which matches my own experience, that having nothing to do with the subject of Boots.

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

RedRobotSteve
Newbie
Posts: 3
Registered: ‎09-06-2017

Re: Spam emails from plus.com addresses

I'm also getting the same boots survey messages (4 so far), all addressed to subaddress@myusername.plus.com, all apparently(?) from some random plusnet user.

Easy enough for me to spot, since I know this particular subaddress was stolen back in 2017, and it has been automatically tagged and blackholed since then.  Though it's been a good few years since this particular email address was targeted.

 

 

Townman
Superuser
Superuser
Posts: 27,998
Thanks: 12,495
Fixes: 235
Registered: ‎22-08-2007

Re: Spam emails from plus.com addresses

How is the target address “blackholed?”

Have you made it an alias of your own black hole mailbox or do you divert SPAM to the same?

If the address was blackholed in the straightforward sense, you would never have seen it.

This reminds me to go check my black hole mailbox!!


PhilipHeyes
Pro
Posts: 244
Thanks: 108
Fixes: 1
Registered: ‎10-11-2021

Re: From address doesn't meet the authentication requirements defined for the sender

I have started to receive fake "Boots Survey" spam emails and they are from <account>.plus.com
They are not being detected as [-SPAM-] by the Plusnet inbound spam filters.

In the last two days three different versions of <account>.plus.com have been used; all have valid _SPF / DNS entries,
so I shall not list them here as they could well be genuine customers being hijacked.

If this is a widespread problem, it would come as no surprise the SMTP servers are landing on the blocked lists of iCloud, Microsoft, Talk Talk and Tiscali.

The sending SMTP servers are using the host names from Plusnet's _SPF but the IPs do not match.


Received: from avasout-ptp-004.plus.net ([192.168.2.6])      ( Note the Private LAN IP )

Received: from avasout-ptp-002.plus.net ([84.93.223.46])    ( Should be IP 84.93.230.235 )

Received: from avasout-peh-004.plus.net ([84.93.223.46])    ( Should be IP 212.159.14.20)


Looking up the one public IP  84.93.223.46 that has been used twice with two different host names :

84.93.223.46.bizsurf.pth-ag2.dyn.plus.net     ( this does not have any _SPF records )

Anyone else seeing similar to this ?
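The comparison described in the post above, written out as an added example (not part of the original post): each `Received:` line is parsed into the host name the sender claimed and the IP the receiving server recorded, then checked for private addresses, for a mismatch against the expected address, and for one IP appearing under several host names. The header lines and expected IPs are the ones quoted in the post; the function names and finding labels are hypothetical.

```python
import ipaddress
import re

# Received lines as quoted in the post (the poster's annotations removed).
SAMPLE_RECEIVED = [
    "Received: from avasout-ptp-004.plus.net ([192.168.2.6])",
    "Received: from avasout-ptp-002.plus.net ([84.93.223.46])",
    "Received: from avasout-peh-004.plus.net ([84.93.223.46])",
]
# Expected addresses exactly as the post states them (assumption: a real
# check would resolve the names or expand the SPF record instead).
EXPECTED_IP = {
    "avasout-ptp-002.plus.net": "84.93.230.235",
    "avasout-peh-004.plus.net": "212.159.14.20",
}
# "from <claimed host> ([ip])", also tolerating "(rdns [ip])".
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<host>\S+)\s+\((?:\S+\s+)?\[(?P<ip>[^\]]+)\]\)",
    re.IGNORECASE,
)

def check_received(line, expected=EXPECTED_IP):
    """Return host, ip and findings for one Received line, or None."""
    m = RECEIVED_RE.match(line.strip())
    if not m:
        return None
    host = m.group("host").lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return {"host": host, "ip": m.group("ip"), "findings": ["bad-ip"]}
    findings = []
    if ip.is_private:  # RFC 1918 and other non-routable ranges
        findings.append("private-ip")
    want = expected.get(host)
    if want is None:
        findings.append("no-expected-ip")
    elif ip != ipaddress.ip_address(want):
        findings.append("ip-mismatch")
    return {"host": host, "ip": str(ip), "findings": findings}

def analyse(lines=SAMPLE_RECEIVED):
    """Check every line and list IPs presented under several host names."""
    results = [r for r in map(check_received, lines) if r]
    hosts_by_ip = {}
    for r in results:
        hosts_by_ip.setdefault(r["ip"], set()).add(r["host"])
    reused = {ip: sorted(h) for ip, h in hosts_by_ip.items() if len(h) > 1}
    return results, reused
```

Calling `analyse()` on the three quoted lines returns one result per line plus a map of any IP seen under more than one host name.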


jkg
Grafter
Posts: 35
Registered: ‎18-12-2007

Re: From address doesn't meet the authentication requirements defined for the sender

I received some of these fake Boots survey emails, so I forwarded them to report@phishing.gov.uk, as one does.
But the forwards came back as undeliverable!
PhilipHeyes
Pro
Posts: 244
Thanks: 108
Fixes: 1
Registered: ‎10-11-2021

Re: From address doesn't meet the authentication requirements defined for the sender

I have just forwarded the last three fake Boots survey emails to report@phishing.gov.uk
and received one confirmation reply email, no delivery rejections.

RedRobotSteve
Newbie
Posts: 3
Registered: ‎09-06-2017

Re: Spam emails from plus.com addresses

I mean it's locally tagged so it sticks out like a sore thumb should I happen to see it.

So as to remind me that regardless of how "compelling" the message is, if it's to one of the subdomains I know have been compromised, I'm sure not going to pay any real attention to it.

 

 

Townman
Superuser
Superuser
Posts: 27,998
Thanks: 12,495
Fixes: 235
Registered: ‎22-08-2007

Re: Spam emails from plus.com addresses

Ah, you are using client based email marking rather than...

 

image.png

Found here - https://www.plus.net/manage_my_mail


Batphone
Rising Star
Posts: 79
Thanks: 29
Registered: ‎14-07-2017

Re: Spam emails from plus.com addresses

The one I received today is interesting as it indicates a possible targeting of PlusNet employees. There are 4 links embedded in what looks like two links in the signature. I tried to attach a file with the full headers but got a 404 Forbidden message.

(BTW, just to make clear, I do not work for PlusNet, BT or EE or any other partner company).

 

Dear Team,

Kindly check staff memo referring to the above subject from HR for our annual open vacation plan.


<redacted>

Please do note that all names highlighted in  Red are the ones approved for open vacation.

kindly return your response to verify date on or before 9/28/2025 5:21:51 p.m. .

Please let me know,should you have further questions.

  
Thanks & Regards,

Director of Human Resources

HR Manager
Email :- <redacted>

Web   :-<redacted>