Thanks for the MXTOOLBOX hint @Townman 🙂

Im listed on Spamhaus according to the images attached 🙂

It took me a while but I eventually found a way to update the case!

Plusnet's out bound email servers are seen in two _SPF lists, there were 13 servers at the last count.

These are the only ones I am concerned about being black listed causing sent emails to be rejected repeatedly by various mail operators :

https://www.nslookup.io/domains/plusnet.plus.com/dns-records/ 


mx.avasin.plus.net looks like an in bound email server. 

Our Public IP I don't expect to be defined as an known email sender.

What’s the point you are trying to make with the above link?  There’s no such sub-domain.  Plusnet.plus.com does not exist.

View the link and then scroll down to see the two _SPF entries for the list of PN outbound servers.

Thanks to all that have taken the time to report this issue in the community. We’ve been sharing examples with our security team who have found no indications of any leaks from within our network. The logs indicate that the spam is originating from individual customer IPs which suggests that individual account could have been compromised. We’ve been reaching out to these customers with advice and continue to have a high level alert in place to detect further activity. If you have been affected by this issue, we’d recommend scanning your device for malware and updating your password. If the issue persists, please get in touch for further support

@PhilipHeyes 
And? What’s the value add?

There’s two SPF lists of outbound MTAs for Plusnet / Free-online / Force9 and three for the rest.  So what is the point you are seeking to convey / discuss / inform?

---

@James_B wrote:

Thanks to all that have taken the time to report this issue in the community. We’ve been sharing examples with our security team who have found no indications of any leaks from within our network. The logs indicate that the spam is originating from individual customer IPs which suggests that individual account could have been compromised. We’ve been reaching out to these customers with advice and continue to have a high level alert in place to detect further activity. If you have been affected by this issue, we’d recommend scanning your device for malware and updating your password. If the issue persists, please get in touch for further support

---

I haven't (AFAIK) been used to send the spam, but I have certainly received some, to a mailbox that to the best of my knowledge hasn't been compromised, so where did they get it from?

@jab1   An ex-employee with a grudge ?

@James_B 

@jab1 's point is well made, I have seen at least two Plusnet email addresses associated with the SPAM episode which do not appear in a known data breach (Have I Been Pwned: Check if your email address has been exposed in a data breach).  So the question remains, from where might these email addresses have been harvested?

How does a business KNOW that there has not been a data breach on their systems?  It is not though a hacker leaves a note saying "You've had your data taken", like a Labour chancellor leaves a note behind saying "We have spent all the money!".

@plusnettony / @James_B 

Can representations please be made to the team managing these issues, to request that a bulk application be raised to the black list bodies to ask for all *.plus.com sub-domains to be removed from their lists.  The expectation that each individual might do this themselves is not reasonable.