
Spam emails being sent/received

FIXED
jab1
The Full Monty
Posts: 22,706
Thanks: 7,928
Fixes: 334
Registered: ‎24-02-2012

Re: Spam emails from plus.com addresses

Interesting, @PhilipHeyes - that IP is a BT one according to this: https://www.iplocation.net/ip-lookup , but I agree it is not one of the SMTP IPs.

John
PhilipHeyes
Pro
Posts: 246
Thanks: 108
Fixes: 1
Registered: ‎10-11-2021

Re: Spam emails from plus.com addresses

Looking back to posts in 2019 & 2021, 84.93.223.46 used to be avasout04.plus.net, an outbound email server.

visionfields
Dabbler
Posts: 17
Thanks: 6
Registered: ‎27-10-2023

Re: Spam emails from plus.com addresses

My Plusnet email address was blacklisted last week due to this spoofing attack. As it’s been a week I’ve asked for it to be released in the hope my address is no longer being spoofed.
I appreciate this is not necessarily a weakness of Plusnet email but without the ability of being able to even set up rules to bin the bounce backs I’ve made the decision to switch to gmail.
As my Plusnet email was the only thing tying me to them I'll probably switch to Gigaclear now too. It's a shame because I've not had any real issues for the last 10+ years, but something like this, and some of the comments I've read about possible weaknesses in PN email, leaves me with little choice ☹️
purkle
Grafter
Posts: 46
Thanks: 16
Registered: ‎20-12-2015

Re: Spam emails from plus.com addresses

Innocent until proven guilty?

The more I look into this, the more I feel that we should be careful about blaming Plusnet for this.

Sure, someone has obtained a very big list of Plusnet email addresses from somewhere, but as yet we don't know where that came from.

Anyone can find out how to SPOOF another person's email address if they search the internet.

A LOT of the emails sent from my SPOOFED email address went to dormant accounts - how old must the list of emails be?

The emails Spoofing my email stopped completely after about 22 hours, apart from the repeat 'undeliverables', which have also stopped.

I'm GUESSING that there would be no point spoofing an email for too long, as I GUESS many users would have blocked it.

My email address remains blacklisted, and I'm on Plusnet's list of those that need this resolving - there must be a LOT, and FAR MORE than this forum would show.

I believe (happy to be wrong) that SPF etc, can't apply to outgoing messages, but I don't know if Plusnet could implement that to catch inbound for messages originating with them. At this stage it's a moot point.

There are lots of smoking guns, but I wouldn't like to condemn the holder of any of those until the bullet had been matched to the barrel! 🔫

Could this happen again in the relatively short time (by the end of November) it will apparently take to migrate everyone to Greenby? I hope the odds of that are low.

Would Greenby have been able to prevent this from happening to us there? 🤷‍♂️🤷‍♂️

Yes, I'm going to be moving away from Plusnet's/Greenby email, but certainly NOT because of this recent issue. I have my (ex-Plusnet) mobile with EE, and they offer benefits that, as yet, Plusnet aren't doing - and probably never will 🙂

Plusnet have served me very well over the last 10 years and I wish them well 🙂


Townman
Superuser
Posts: 27,998
Thanks: 12,497
Fixes: 235
Registered: ‎22-08-2007

Re: Spam emails from plus.com addresses


@purkle wrote:

I believe (happy to be wrong) that SPF etc, can't apply to outgoing messages, but I don't know if Plusnet could implement that to catch inbound for messages originating with them. At this stage it's a moot point.

There are lots of smoking guns, but I wouldn't like to condemn the holder of any of those until the bullet had been matched to the barrel! 🔫

Could this happen again in the relatively short time (by the end of November) it will apparently take to migrate everyone to Greenby? I hope the odds of that are low.



SPF is an optional standard all round - in the first place to specify which MTAs are permitted to send on behalf of the sender email domain and then (by the receiver) to verify that the sending MTA is valid for the domain ... and then decide what to do / not do if it does not.

A sea change in the architecture of email service would be for sending MTAs to ask the question "Am I permitted to send emails for this domain?" - kind of as you hint at - outbound checking, but there is no concept of that which I have been able to find.

In this situation where (as it looks as though) there is malware executing on folks' devices on the network, mail sent on behalf of a spoofed Plusnet address through a Plusnet MTA is going to pass SPF verification. In short, SPF does not help with this intrusion vector. I thus doubt that things will be different with Greenby ... unless they implement harsh sending limits, more applicable to residential use of email. That, though, is not going to please those around this forum using PlusNet's email service for the conduct of commerce.

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

purkle
Grafter
Posts: 46
Thanks: 16
Registered: ‎20-12-2015

Re: Spam emails from plus.com addresses

In this situation where (as it looks as though) there is malware executing on folk's devices on the network,

This I would love to see confirmed 🤔 😀.
This guarantees nothing, but I use Malwarebytes and Windows built-in Defender and scan regularly BUT 🧐🤔🤷‍♂️
PhilipHeyes
Pro
Posts: 246
Thanks: 108
Fixes: 1
Registered: ‎10-11-2021

Re: Spam emails from plus.com addresses

The "Boots Survey" emails that arrived with us did not look as if they were sent from a compromised Plusnet customer's computer; the outbound email server IP & host name do not match what occurs when sending via relay.plus.com.

Some ISPs / mail operators are using SPF to protect their customers from forged emails, and that is resulting in a backwash of 500+ delivery rejection emails, causing a royal pain to clear up.

purkle
Grafter
Posts: 46
Thanks: 16
Registered: ‎20-12-2015

Re: Spam emails from plus.com addresses

I've had no emails sent from either my webmail or Outlook client. I had assumed that @Townman saying


@purkle wrote:
In this situation where (as it looks as though) there is malware executing on folk's devices on the network,

This I would love to see confirmed 🤔 😀.
This guarantees nothing, but I use Malwarebytes and Windows built-in Defender and scan regularly BUT 🧐🤔🤷‍♂️


was implying that our INDIVIDUAL email addresses were being harvested through malware, but it was only an assumption on my part ... but that wouldn't perhaps tie in with all of the addresses being Plusnet derivatives as mixed ISP emails would maybe have been collected. Which takes us back to a list of Plusnet emails being obtained by other means ...

Townman
Superuser
Posts: 27,998
Thanks: 12,497
Fixes: 235
Registered: ‎22-08-2007

Re: Spam emails from plus.com addresses

There's lots of sources of leaked email addresses. Selecting *@*.Plus.com as a target list is an easy enough task to run a targeted campaign.

I have never used a naked domain email address, consequently I’ve not had my *.plus.com address abused … well not to my knowledge (no back scatter seen).

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

Batphone
Rising Star
Posts: 79
Thanks: 29
Registered: ‎14-07-2017

Re: Spam emails from plus.com addresses


@PhilipHeyes wrote:

The "Boots Survey" emails that arrived with us did not look as if they are sent from a compromised Plusnet customer's computer, the outbound email server IP & host name does not match what occurs when sending via relay.plus.com


That's a point I made earlier. Spammers use scripts to blast out spam campaigns using whatever compromised hosts they have found and are available to them at the time. They just feed the script a list of harvested e-mail addresses to masquerade as. The headers do not indicate that the e-mails came from a PlusNET domain but, rather, from other (compromised or poorly secured) hosts. The spammers will have obtained a list of PlusNET addresses from somewhere, but, since we don't know from where, as @purkle has said, there is no point pointing any fingers. Coming from elsewhere in the Internet, the spam e-mail may have arrived at the PlusNET e-mail gateway via another "legit" mail server, so SPF alone might not prevent them from being accepted. There are various technologies that can be applied at e-mail gateways and it's always a delicate balance to ensure that the gateway is not throttling too much and blocking genuine e-mails, or catching too little and letting too much junk past.


PhilipHeyes
Pro
Posts: 246
Thanks: 108
Fixes: 1
Registered: ‎10-11-2021

Re: Spam emails from plus.com addresses

We have seen one of the Boots Survey emails sent from a local LAN IP, a 192.168.xxx.xxx.
This suggested the spam sender is using a Perl script or similar to forge the entire email transmission.

Makes you wonder why they don't get the outbound server IPs and names correct; delivery rates would improve.
Or is the goal to make PN look like a SPAM / forged email sender, degrading its sender reputation?

Who knows.

Batphone
Rising Star
Posts: 79
Thanks: 29
Registered: ‎14-07-2017

Re: Spam emails from plus.com addresses

I am still getting a trickle of Boots e-mails. Of the 5 or so received in the last 24 hours, the IP address in the first 'Received from' header according to a reverse-lookup using MX Toolbox appears to be a PlusNET dynamic address issued from host dyn.plus.net.

The second host is 

avasout-ptp-002.plus.net ([192.168.2.6])

However, if you ping it you get:

PING avasout-ptp-002.plus.net (84.93.230.235) 56(84) bytes of data

So the header contains the private internal address, but the ping shows the external public address. That is not unexpected as unless specifically re-written, the header will show the "local" or actual host address.

It then goes on to the PlusNET Cloudmark Gateway and finally to the delivery gateway.

The other thing they have in common is that they are being sent from time zone -0700, which is the mid-United States or Canada. This does seem to correlate with us-east1.amazonaws.com found in the link URL. However, this only indicates that a host running on resources hosted by Amazon in the eastern United States could be the source. The spammers could be remoting in from anywhere.

Out of curiosity I ran a couple of the messages through a decoder that can extract the Cloudmark results and both were flagged as "Possible SPAM", but evidently the score is not high enough for Cloudmark to block them. The spammers seem to have been careful enough to ensure their junk messages fly under the radar so to speak.

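To make the two points above concrete (Townman's: mail relayed through a Plusnet MTA passes SPF whoever originated it, and Batphone's: an internal hop shows a private address in its Received line), here is an added Python example that is not from any poster in this thread. It walks a constructed Received chain: the hop names, 192.168.2.6 and 84.93.230.235 are taken from the thread, while cloudmark-gw.plus.net, 203.0.113.7 and the SPF allowlist are assumptions.

```python
import email
import ipaddress
import re

# Constructed sample modelled on the chain Batphone describes. 203.0.113.7 is
# a placeholder for the dyn.plus.net first hop; cloudmark-gw.plus.net is made up.
SAMPLE = """\
Received: from avasout-ptp-002.plus.net ([192.168.2.6]) by cloudmark-gw.plus.net; Tue, 5 Nov 2024 10:00:01 +0000
Received: from host.dyn.plus.net ([203.0.113.7]) by avasout-ptp-002.plus.net; Tue, 5 Nov 2024 09:59:58 +0000
From: someone@example.plus.com
Date: Tue, 5 Nov 2024 02:59:50 -0700
Subject: Boots Survey

body
"""

# Constructed stand-in for an SPF "ip4:" mechanism that covers the outbound
# relay (84.93.230.235 is what Batphone's ping returned); not a real record.
SPF_ALLOWED = [ipaddress.ip_network("84.93.230.0/24")]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOP_RE = re.compile(r"from\s+(\S+)\s+\(\[?([0-9a-fA-F.:]+)\]?\)")

def received_hops(raw):
    """(hostname, ip) for each Received header, earliest hop first."""
    msg = email.message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        m = HOP_RE.search(hdr)
        if m:
            hops.append((m.group(1), ipaddress.ip_address(m.group(2))))
    return hops[::-1]  # each relay prepends, so the last header is the origin

def spf_would_pass(ip):
    """True if a receiver checking this connecting IP would get an SPF pass."""
    return any(ip in net for net in SPF_ALLOWED)

def analyse(raw):
    hops = received_hops(raw)
    origin_host, origin_ip = hops[0]
    return {
        "origin_ip": str(origin_ip),
        "origin_dynamic": origin_host.endswith(".dyn.plus.net"),
        # a LAN address here is an internal relay hop or a forged line
        "private_hops": [h for h, ip in hops if any(ip in n for n in RFC1918)],
        "spf_on_origin": spf_would_pass(origin_ip),
        # receivers check the relay that connected to them, not the customer host
        "spf_on_relay": spf_would_pass(ipaddress.ip_address("84.93.230.235")),
    }

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

The result shows the customer host itself would fail the constructed SPF policy, but the Plusnet relay that actually delivers the message passes it, so SPF cannot distinguish this traffic from legitimate customer mail.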

jab1
The Full Monty
Posts: 22,706
Thanks: 7,928
Fixes: 334
Registered: ‎24-02-2012

Re: Spam emails from plus.com addresses

Sorry you are still getting them, @Batphone  - I've only had three since these comedians started, and none in the last 36-48 hours.

No doubt this is receiving a lot of attention, but the inter-web is complex, as I'm sure you know, so it isn't a simple fix.

John
purkle
Grafter
Posts: 46
Thanks: 16
Registered: ‎20-12-2015

Re: Spam emails from plus.com addresses

Yep - I’m still getting a few too.
Must be a nightmare for Plusnet to try and resolve …
purkle
Grafter
Posts: 46
Thanks: 16
Registered: ‎20-12-2015

Re: Spam emails from plus.com addresses

Has anyone here who has reported being blacklisted had that released yet? I reported it Saturday, but when I asked on Monday I was told that the responsible team don't work weekends.
I know it could take a while...