Sudden Surge of rogue email bouncebacks
Tuesday - last edited Tuesday by dvorak
I have lately been receiving rogue email bouncebacks, example below. Needless to say I didn't send any emails that triggered these, and there are none in my 'sent' mailbox on either my mail client or on webmail.
I've also done an anti virus scan which came up clean.
Advice appreciated.
Example bounceback:
Moderators Note: Personal information removed
Re: Sudden Surge of rogue email bouncebacks
Wednesday
Historically these spam messages have been sent from the Plusnet email platform and often from an IP of a Plusnet Internet connection. Could be a rogue customer, could also be a compromised PC or Fire TV Stick loaded with special needs software.
The spam sending is a matter that Plusnet totally failed to address over the last 12 months, and despite repeated warnings about the open relay vulnerability of relay.plus.net they still have taken zero securing action.
Re: Sudden Surge of rogue email bouncebacks
Wednesday
It's more than possible that, until the bounce-back message, the email has been nowhere near the Plusnet systems...
Re: Sudden Surge of rogue email bouncebacks
Wednesday
Every Boots scam email that we have seen in the last year was sent via relay.plus.net and the Plusnet hosted avasout outbound email server farm. This is how the sender gets SPF / DMARC / DKIM to PASS.
Here are email header examples from a recent Boots message that was so convincingly real (it is real) that it was accepted as not being spam by the 123reg email platform:
Received: from avasout-ptp-001.plus.net ([84.93.230.227])
Authentication-Results: sxplibsmtp04-20.prod.sxb1.secureserver.net;
dkim=pass header.d=plus.com header.b=qtL2afFb;
dmarc=pass header.from=<account>.plus.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=plus.com; s=042019;
That I can send messages from my VM internet connection using relay.plus.com without credentials points to a lack of effort to secure the platform & is why, having migrated to Greenby, we have abandoned SMTP server relay.plus.com and the IP.
There is a wall of silence on this open relay issue, so I assume that folks are well aware of the fact the front door to the SMTP service is wide open much as it was in 2004. If it were otherwise, questions would come on the matter.
Are there any Boots spam messages that show a different originating source?
That would be new and interesting to see.
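As an added example (not from the post, and not Plusnet's or 123reg's code), the Python below unfolds the Authentication-Results and Received headers quoted above and spells out what a dkim=pass / dmarc=pass actually establishes: that the message was signed on its way out of the domain's relay, not that the mailbox owner submitted it. The host names, IP, selector and dkim/dmarc lines follow the quoted fragment; the account name, From line, dates and DKIM bh=/b= values are placeholders, and the 84.92.0.0/15 block is the whois range quoted later in the thread, used here as an assumed list of the ISP's relay addresses.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Assumed relay range: the whois block '84.92.0.0 - 84.93.255.255' quoted in
# the thread, written as a CIDR prefix. Replace with the SPF-listed hosts/ranges
# of the relay you are actually investigating.
ISP_RELAY_RANGES = [ip_network("84.92.0.0/15")]

# Constructed sample message. Host names, the IP, the selector and the
# dkim/dmarc lines follow the fragment quoted in the post; the account name,
# From line, date and DKIM bh=/b= values are placeholders so this runs offline.
SAMPLE_MESSAGE = """\
Received: from avasout-ptp-001.plus.net ([84.93.230.227])
\tby sxplibsmtp04-20.prod.sxb1.secureserver.net with ESMTPS; Wed, 01 Jan 2025 10:00:00 +0000
Authentication-Results: sxplibsmtp04-20.prod.sxb1.secureserver.net;
\tdkim=pass header.d=plus.com header.b=qtL2afFb;
\tdmarc=pass header.from=account-placeholder.plus.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=plus.com; s=042019;
\th=from:to:subject; bh=placeholder; b=qtL2afFb
From: "Rewards" <offers@account-placeholder.plus.com>
Subject: Your reward is waiting

(body)
"""

# "from <host> ([<ip>])" as written by most receiving MTAs in a Received header.
_RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\(\[?([0-9a-fA-F.:]+)\]?\)")


def parse_authentication_results(value):
    """Split an Authentication-Results header (RFC 8601 layout:
    authserv-id; method=result prop=value ...; ...) into a dict keyed by method."""
    flat = re.sub(r"\s+", " ", value).strip()
    parts = [p.strip() for p in flat.split(";") if p.strip()]
    if not parts:
        return {"authserv_id": None}
    results = {"authserv_id": parts[0]}
    for part in parts[1:]:
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = dict(tok.partition("=")[::2] for tok in tokens[1:] if "=" in tok)
        results[method] = {"result": result, "props": props}
    return results


def earliest_hop(msg):
    """Return (host, ip) from the bottom-most Received header, i.e. the first
    relay that the receiving side has a record of for this message."""
    for hop in reversed(msg.get_all("Received") or []):
        m = _RECEIVED_FROM.search(re.sub(r"\s+", " ", hop))
        if m:
            return m.group(1), m.group(2)
    return None, None


def assess(raw_message):
    """Summarise what the authentication headers do and do not prove."""
    msg = message_from_string(raw_message)
    auth = parse_authentication_results(msg.get("Authentication-Results", ""))
    host, ip = earliest_hop(msg)
    in_range = ip is not None and any(ip_address(ip) in net for net in ISP_RELAY_RANGES)
    dkim, dmarc = auth.get("dkim"), auth.get("dmarc")
    dkim_pass = bool(dkim and dkim["result"] == "pass")
    dmarc_pass = bool(dmarc and dmarc["result"] == "pass")
    return {
        "authserv_id": auth["authserv_id"],
        "dkim": dkim,
        "dmarc": dmarc,
        "signed_domain": (dkim or {}).get("props", {}).get("header.d"),
        "origin_host": host,
        "origin_ip": ip,
        "origin_in_isp_range": in_range,
        # True means: the ISP relay accepted and signed it. It does not mean the
        # account holder wrote it; any sender the relay accepts gets the same pass.
        "passed_via_isp_relay": dkim_pass and dmarc_pass and in_range,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

Feed `assess()` the raw text of a saved .eml to run it on a real bounce or spam sample. When `passed_via_isp_relay` comes back True, the receiving headers have told you all they can; which submission path the relay accepted the message on is something only the relay operator's logs can answer, which is the evidence to ask for in an abuse report.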
Re: Sudden Surge of rogue email bouncebacks
Wednesday
I see no mention in the original post of Boots specifically; that's why my reply was more general...
Re: Sudden Surge of rogue email bouncebacks
Wednesday - last edited Wednesday
@PhilipHeyes wrote:
Every Boots scam email that we have seen in the last year was sent via relay.plus.net and the Plusnet hosted avasout outbound email server farm. This is how the sender gets SPF / DMARC / DKIM to PASS.
Here are email header examples from a recent Boots message that was so convincingly real (it is real) that it was accepted as not being spam by the 123reg email platform:
Received: from avasout-ptp-001.plus.net ([84.93.230.227])
Authentication-Results: sxplibsmtp04-20.prod.sxb1.secureserver.net;
dkim=pass header.d=plus.com header.b=qtL2afFb;
dmarc=pass header.from=<account>.plus.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=plus.com; s=042019;
That I can send messages from my VM internet connection using relay.plus.com without credentials points to a lack of effort to secure the platform & is why, having migrated to Greenby, we have abandoned SMTP server relay.plus.com and the IP.
As avasout-ptp-001.plus.net [84.93.230.227] is listed as a BT IP address, has this matter been reported to BT?
% Abuse contact for '84.92.0.0 - 84.93.255.255' is 'email@bt.com'
https://www.whois.com/whois/84.93.230.227
sxplibsmtp04-20.prod.sxb1.secureserver.net [92.204.86.193] belongs to Go Daddy
Re: Sudden Surge of rogue email bouncebacks
Wednesday
I did get a Boots spam email in amongst it all. I assume the header doesn't show the full trail from the initial email, just that from the bounce back.
Re: Sudden Surge of rogue email bouncebacks
Wednesday
avasout-ptp-001.plus.net is one of about 13 similar hosts operated by PN/BT; you can see them in your SPF list.
Re: Sudden Surge of rogue email bouncebacks
Wednesday
...And?
Re: Sudden Surge of rogue email bouncebacks
Wednesday
I've just got a new position with a company. I receive their emails just fine and was able to respond until Saturday evening of last week. I tried to respond about 9 times from Plusnet email addresses and then my Yahoo one - all of the emails came back and didn't send?!
I have tried just now and received the same issue.
As you can imagine, a new job and I need to be able to respond to emails - granted my emails are not 'rogue', but still bouncebacks all the same.
Apologies IF my issue requires a new post.
I need some help with this please quite urgently. Next stop, greenby (un)help(ful) system.
Re: Sudden Surge of rogue email bouncebacks
Wednesday - last edited Wednesday
What was the detailed error report from the bounced messages?
Take care to obscure your email address!
Re: Sudden Surge of rogue email bouncebacks
Wednesday
@tangodoll wrote: "I've just got a new position with a company."
Does the Company not supply you with an email address?
Re: Sudden Surge of rogue email bouncebacks
Wednesday
Hello @mavison and @Champnet - thank you for your responses. I spoke with the company today; it looks like they made a change to their email addresses, so on this occasion greenby might not be at fault. I used the 'greenby bot' thing and it said the same, but it also stated that there are issues which they're trying to fix. Sorry for MY false alarm.
They're a small company and today was our first training day. We have been issued with 'work' email addresses.
Thanks again, be well everyone.
Part of the error:
Final-recipient: rfc822; ***@********.co.uk
Diagnostic-Code: smtp; 550 5.1.1 User does not exist -
BUT I'm happily receiving her emails?
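The two lines quoted at the end of the post are fields from an RFC 3464 delivery status notification (a "bounce"). As an added example, not part of the thread, the Python below decodes such a report: it splits the per-message block from the per-recipient blocks, reads the X.Y.Z enhanced status code (RFC 3463) and says whether the failure is permanent, which is the first thing to settle before retrying. The sample report is constructed around the quoted 5.1.1 "User does not exist" fields, with placeholder host names and addresses; only the Status, Action and Diagnostic-Code values follow what the post shows.

```python
import re

# RFC 3463 meanings of the class (X) and subject (Y) digits of an X.Y.Z code.
STATUS_CLASS = {"2": "success", "4": "persistent transient failure", "5": "permanent failure"}
STATUS_SUBJECT = {
    "0": "other or undefined status",
    "1": "addressing status",
    "2": "mailbox status",
    "3": "mail system status",
    "4": "network and routing status",
    "5": "mail delivery protocol status",
    "6": "message content or media status",
    "7": "security or policy status",
}

# Constructed delivery-status part, modelled on the two fields quoted in the
# post (5.1.1 "User does not exist"). Hosts and addresses are placeholders.
SAMPLE_DSN = """\
Reporting-MTA: dns; mta-placeholder.example.net
Arrival-Date: Wed, 01 Jan 2025 10:00:00 +0000

Final-Recipient: rfc822; recipient-placeholder@example.co.uk
Action: failed
Status: 5.1.1
Remote-MTA: dns; mx-placeholder.example.co.uk
Diagnostic-Code: smtp; 550 5.1.1 User does not exist -
"""


def parse_dsn(text):
    """Split an RFC 3464 delivery-status body into its per-message fields and a
    list of per-recipient field dicts. Blocks are separated by blank lines and
    field names are case-insensitive, so they are lower-cased here."""
    blocks = [b for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]
    parsed = []
    for block in blocks:
        fields = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if sep:
                fields[name.strip().lower()] = value.strip()
        parsed.append(fields)
    return parsed[0], parsed[1:]


def decode_status(code):
    """Explain an X.Y.Z enhanced status code; None if it is not one."""
    m = re.fullmatch(r"([245])\.(\d{1,3})\.(\d{1,3})", code.strip())
    if not m:
        return None
    cls, subject, detail = m.groups()
    return {
        "code": f"{cls}.{subject}.{detail}",
        "class": STATUS_CLASS[cls],
        "subject": STATUS_SUBJECT.get(subject, "unknown subject"),
        "permanent": cls == "5",
    }


def classify_recipient(fields):
    """Work out why one recipient bounced. The Status field is preferred; some
    MTAs only carry the enhanced code inside the SMTP reply in Diagnostic-Code."""
    diag = fields.get("diagnostic-code", "")
    code = fields.get("status", "")
    if not code:
        m = re.search(r"\b([245]\.\d{1,3}\.\d{1,3})\b", diag)
        code = m.group(1) if m else ""
    decoded = decode_status(code) or {
        "code": code, "class": "unknown", "subject": "unknown", "permanent": None,
    }
    # "smtp; 550 5.1.1 ..." -> keep only the remote server's reply text.
    smtp_reply = diag.partition(";")[2].strip()
    return {
        "recipient": fields.get("final-recipient", "").partition(";")[2].strip(),
        "action": fields.get("action"),
        **decoded,
        "smtp_reply": smtp_reply,
        # Retrying only makes sense for 4.x.x (transient) failures.
        "retry_worthwhile": decoded["permanent"] is False,
    }


def summarise(text):
    """Decode a whole delivery-status part into something readable."""
    per_message, per_recipient = parse_dsn(text)
    return {
        "reporting_mta": per_message.get("reporting-mta", "").partition(";")[2].strip(),
        "recipients": [classify_recipient(r) for r in per_recipient],
    }


if __name__ == "__main__":
    print(summarise(SAMPLE_DSN))
```

A 5.1.1 from the remote MTA means the destination address no longer exists at that server, which is consistent with the company having changed its addresses; mail from the old address still arriving says nothing about whether the old address can still receive. The same `reporting_mta` field is also what to look at for bounces like the ones in the original post: it names the server that generated the report, which is the starting point when you never sent the message it claims to be returning.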
Re: Sudden Surge of rogue email bouncebacks
Wednesday
@tangodoll Thanks for the update and good luck for the future...