@PhilipHeyes 

Other than possibly volume and profiling behaviour on a case by case basis, I suggest it is neigh impossible to discern the difference between legitimate use of credentials and compromised use of credentials.  If you have the key to the lock and can turn it, you can enter the house.

@Champnet 

Any idea what that checker is actually checking?  I think it does little more than check the domain name.  I tested with notarealperson@mydomin.co.uk and it reported as being OK.  Changed it to .ro and got a BAD report.

@Townman  Checker site says :

• First it checks for email address format.
• Then make sure that domain name is valid. We also check whether it’s a disposable email address or not.
• In the final step, It extracts the MX records from the domain records and connects to the email server (over SMTP and also simulates sending a message) to make sure the mailbox really exists for that user/address. Some mail servers do not cooperate in the process, in such cases, the result of this email verification tool may not be as accurate as expected.

The final stage is a standard check but the domain could have a catchall setting.

I agree, legitimate use of credentials and compromised use of credentials would look the same.

But my curiosity was, are these SMTP without credentials vs. SMTP authenticated with credentials ( legit or not ),
and I have poured over the email headers of Outlook and Thunderbird for the Boots email and no clues at all.

Has there been any further acknowledgement of this spam email issue from Plusnet. As whoever answered my dm on Twitter yesterday that I originally sent on the 26th Sep denied there was any issue.

@mrwizard From what I can gather and infer from information I  have as, like you, a mere forum member, the original issue was rectified, but there have been a couple of quickly squashed further instances, and a further one, still under investigation which started apparently yesterday.

Replies on 'X' should be treated with caution.

After analysing the header of the one I got yesterday using Claude it seems that these are being sent from someone external to plus net.

1. Originating IP Address: The bottom "Received:" header shows:

   Received: from thetrician.plus.com ([209.93.37.125])

The IP address 209.93.37.125 is not a Plusnet IP. Plusnet's infrastructure uses IPs like:

• 212.159.x.x (seen in the final delivery hop)
• 84.93.x.x (seen in avasout-ptp-002.plus.net)

2. Mail Flow: The email traveled:
   • Origin: External server at 209.93.37.125 (outside Plusnet)
   • → Through Plusnet's outbound server (avasout-ptp-002.plus.net)
   • → External filtering service (mail.enmail.co)
   • → Back to Plusnet's Cloudmark Gateway
   • → Final delivery within Plusnet
3. Suspicious Indicators:
   • High spam score: X-pn-pstn-db:" Spam 99
   • Went through external filtering before final delivery

Conclusion: This is an email that originated externally (from IP 209.93.37.125) and was likely sent through a compromised Plusnet email account or relay, which explains why it passed through Plusnet's outbound server before being filtered and delivered back to a Plusnet recipient. It's almost certainly spam/phishing.

It is definitely spam, and as I said, the source/routing is under investigation, but this is not an 'instant fix' situation.

The originating IP is a PN (BT) address, which makes me suspicious of Claude - whatever/whoever that is.

Also mail.enmail.co is the Enix mail server, which mail now goes through (in preparation for the transfer of the Plusnet mail service).

In mrwizard's copy :

DNS records for 125.37.93.209.dyn.plus.net


In my copy :

Received: from thetrician.plus.com ([51.7.186.17])

DNS records for 17.186.7.51.dyn.plus.net

Who's copy, @PhilipHeyes ?

I have a new spam Boots email from  <account>@<account>.plus.com

Please advise if there is a place to send the detailed email header info for investigation.

Received: from avasout-peh-002.plus.net (avasout-peh-002.plus.net [212.159.14.18])
	by mail.enmail.co (Postfix) with ESMTPS id 4D1D81000EA11E13
	for <my.name@account.plus.com>; Mon,  3 Nov 2025 17:08:00 +0000 (UTC)
Received: from <redacted>.plus.com ([80.189.65.148])
	by smtp with ESMTP

Sender IP resolves as :  148.65.189.80.dyn.plus.net

I have also been getting emails from Germany advertising mountain & electric bikes. Now 2 a day.

Anyone else getting these?

Dozens of spam messages are being delivered to our email accounts,
the Plusnet [-SPAM-] flagging system has stopped working.

I started another thread on this :

https://community.plus.net/t5/Email/Spam-not-marked-as-SPAM/td-p/2026611

My problem with the increase in emails appearing in the "SPAM" folder since the migration to Greenby, is that the alleged "SPAM" messages are being taken from my "INBOX".  Today, several valid messages appeared in my SPAM folder that should have been in my INBOX - two were vital messages.  

My thinking is that the Greenby algorithm for identifying spam is much too aggressive.  On PlusNet accounts, a message placed in the SPAM folder was rare (< 1/month).  True spam ending in my INBOX was also rare (one or two per month).  I was content with the PlusNet arrangement.  But I fear that with the over-aggressive Greenby algorithm, I'm likely to miss something important sooner-or-later.  If it can't be fixed, I'll want to setup automatic forwarding from the SPAM folder to the INBOX folder!

Although there was an option to mark messages as spam to help train the spam recognition, I can't find any way to tell the system "This is NOT spam".

At least the GreenBy spam filter is working, that is more than can be said for the Plusnet spam filter.

Does the Greenby email portal have the ability to adjust the sensitivity to spam ?