Plusnet Usergroup

All Users - The Open Forum => Plusnet Customer Service Issues => Topic started by: LF on November 20, 2014, 05:41:58 pm



Title: Email address for this forum has been compromised
Post by: LF on November 20, 2014, 05:41:58 pm
I use an email address of the form plusnet@xxxxx.co.uk, where xxxxx is my domain name, to access this forum and nothing else.  I have just started getting large amounts of spam to this email address.  Has anyone else had a similar problem?

The Contact Us on this Forum has been disabled so I can't ask them what has happened directly.


Title: Re: Email address for this forum has been compromised
Post by: Penny on November 20, 2014, 06:18:38 pm
Quote
I use an email address of the form plusnet@xxxxx.co.uk, where xxxxx is my domain name, to access this forum and nothing else.  I have just started getting large amounts of spam to this email address.

... I have a specific e-mail address which is used only for this forum and the (PN) Comm Site, and haven't experienced anything similar.

The only unusual mail I've seen of late has been a fair amount of virus-laden e-mails arriving to a yahoo address I use for freecycle (last couple of weeks or so) but nothing via the usergroup e-mail address - I had thought PUG was fairly secure, actually : /

Regards,

Penny.


Title: Re: Email address for this forum has been compromised
Post by: MauriceB on November 20, 2014, 06:19:57 pm
I use similar mail addressing for various elements of Usergroup activity and apart from a recent general rise in the number of SPAM mails across ALL of my mail accounts, I've not noticed a problem.  Yet!  :-(

We will need to do some investigating.

Thanks for highlighting the problem.

Maurice


Title: Re: Email address for this forum has been compromised
Post by: NB on November 20, 2014, 08:46:19 pm
I have a special address for usergroup e-mails also and (so far) no spam has been received.  I'll leave it to Maurice to do the detective work to check things out though.


Title: Re: Email address for this forum has been compromised
Post by: Oldjim on November 20, 2014, 10:53:08 pm
This may be relevant http://community.plus.net/forum/index.php/topic,133959.0.html


Title: Re: Email address for this forum has been compromised
Post by: LF on November 21, 2014, 09:13:58 am
Apologies.  Having read Oldjim's link I've remembered that it's the email I use with Plusnet itself too.  I've been getting spam from the same sources as mentioned on the other thread so I think the blame is likely to lie with Plusnet.


Title: Re: Email address for this forum has been compromised
Post by: MauriceB on November 21, 2014, 09:16:18 am
Thanks oldjim - certainly very relevant.

It's odd that I've managed to miss this whole thread on Community - ????  Must be senility :lol:


Title: Re: Email address for this forum has been compromised
Post by: MauriceB on November 21, 2014, 10:19:15 am
Quote
Apologies.

No problem. It's always best to flag potential problems early rather than late.

Quote
<snip>I've been getting spam from the same sources as mentioned on the other thread so I think the blame is likely to lie with Plusnet.

This is most probable. The Usergroup does not host its own independent Mail service, we just have an account with multiple Users on the standard Plusnet Mail Platform and manage them in the same way as any other User.  Two weeks ago we did a review and cleared out a number of redundant mailboxes as part of migrating to a newer hosting platform, so things are now much tidier. It may now be possible to revive the 'Contact Us' link now that SPAM in general is no longer a problem - so thanks for the memory jogger on that.

Maurice


Title: Re: Email address for this forum has been compromised
Post by: mikeb on February 20, 2017, 11:25:49 am
Sorry for resurrecting Ye Olde Thread mostly just to add ...

[aol]Me too[/aol] :( and check out the (http://www.twowheels.force9.co.uk/STUFF/SMILIES/tumbleweed.gif) :P

but a specific e-mail address which is used SOLELY for this site/forum on a PN account that didn't even exist at the time of the primary PN e-mail hack has today received spam for the very first time.

The (now apparently compromised) PN A/C was set up some time after PN managed to release email details for all of my F9 and PN A/Cs to one or more 3rd parties in 2007.  As far as I'm concerned, this data can only have been obtained via PN/PUG because I just can't see how there can be any other plausible source. It quite simply doesn't exist anywhere else and hasn't seen any spam to date despite further alleged PN data breaches subsequent to the well known about event in 2007.

Although PN wrecked all of my long-standing A/Cs by releasing data and they continue to get regularly spammed to death, the spam received is still being fully monitored. I am well aware of the alleged breach in Nov 2014 as it was immediately obvious from my monitoring that additional specific data had been compromised despite all the PN denials various. However, this specific PUG e-mail address and/or this specific PN A/C wasn't affected then and hasn't been affected at any time to date either. It seems that this shiny new spam is not being seen on any other e-mail address on any other PN/F9 A/C whether previously compromised or otherwise ... just the one specific address on the one specific PN A/C that has only ever been used here.

Delayed reaction to one or more of the previous PN hacks or is anyone else seeing shiny new e-mail abuse ?



EDIT: More info and an example

pug@My_PN_Account2.plus.com didn't exist until December 2007 (A/C My_PN_Account2.plus.com was registered around June 2007) and the address was only really in occasional use during 2008 in any case. Primarily thread reply notifications early/mid 2008 plus just a few random PMs late 2008.  There have only ever been 132 PUG messages received with the very last genuine message being in January 2009.  

Now spam:

Code:
Received: from spooler by mail.My_PN_Account.plus.com (Mercury/32 v4.72); 20 Feb 2017 08:07:46 -0000
X-Envelope-To: mbtw2pn
Received: from POP3D by mail.My_PN_Account.plus.com with MercuryD (v4.72); 20 Feb 2017 08:07:39 -0000
Return-path: <mansour-amine.akbi@lapste.net>
Envelope-to: pug@My_PN_Account2.plus.com
Delivery-date: Mon, 20 Feb 2017 08:05:43 +0000
Received: from [212.159.9.108] (helo=avasin06.plus.net)
 by inmx18.plus.net with esmtp (PlusNet MXCore v2.00) id 1cfiyd-000549-9d
 for pug@My_PN_Account2.plus.com; Mon, 20 Feb 2017 08:05:43 +0000
Received: from [160.120.22.200] ([160.120.22.200])
 by avasin06.plus.net with Plusnet Cloudmark Gateway
 id mw5f1u0084K1Gds01w5iAL; Mon, 20 Feb 2017 08:05:43 +0000
X-BV-Spam-Flag: Yes
X-IPAS: Level1
X-CM-Score: 100.00
X-CNFS-Analysis: v=2.2 cv=Bb2o6vl2 c=1 sm=1 tr=0
 p=RTk0eHZ2DrJlZPA3llzyDg==:17 p=a-0_99mXpksmAfr0s-EA:9 p=y3TWnlBEAAAA:8
 p=zLQcBLSSKIrqbsZe:21 a=RTk0eHZ2DrJlZPA3llzyDg==:117 a=r77TgQKjGQsHNAKrUKIA:9
 a=tfwewdB7HFUA:10 a=QPd-B6XI0CwA:10 a=_W_S_7VecoQA:10
 a=2EECN8Q4aSjvsrRbs9Eq:22
Message-ID: <C6830F46E94ACAA0E569208F2CACC683@BXUPM24PY>
From: <mansour-amine.akbi@lapste.net>
To: <pug@My_PN_Account2.plus.com>
Date: 20 Feb 2017 15:22:25 +0300
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="----=_NextPart_000_004F_01D28B76.018A5319"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail 15.4.3508.1109
X-MimeOLE: Produced By Microsoft MimeOLE V15.4.3508.1109
X-pn-pstn: Spam 1
X-PN-Spam-Filtered: by PlusNet MXCore (v5.00)
Subject: From International Company
X-Agent-Received: from Mercury POP (PN/My_PN_Account2) (pop.My_PN_Account.plus.com); Mon, 20 Feb 2017 10:24:19 +0000
X-Agent-Junk-Probability: 0

Dear pug,

We are looking for employees working remotely.

My name is Mercedes, I am the personnel manager of a large International company.
Most of the work you can do from home, that is, at a distance.

Salary is $2100-$5600.

If you are interested in this offer, please visit
Our Site

d_healthHave a nice day!

The A/C has a catch-all mbox so it would be fairly obvious if this was a result of a dictionary attack or something similar. It isn't. There is absolutely no evidence of any other spam being received at any time.
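
The reasoning in the post above (a single-use address on a catch-all account, with no spam arriving at any other local part) can be checked mechanically over a mailbox. This is an added example, not part of any post in this thread: the alias registry, the `example.test` domain, the threshold and the sample messages are constructed assumptions, and only the `Envelope-to` and `X-BV-Spam-Flag` header names are taken from the headers posted above.

```python
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Constructed registry (assumption): alias local part -> the one place it was given to.
ISSUED = {"pug": "usergroup forum", "isp": "ISP account", "shop": "online shop"}

def spam_recipients(raw_messages, domain):
    """Count spam-flagged messages per local part delivered on `domain`."""
    hits = Counter()
    for raw in raw_messages:
        msg = message_from_string(raw)
        if msg.get("X-BV-Spam-Flag", "").strip().lower() != "yes":
            continue  # only messages the gateway flagged as spam
        addr = parseaddr(msg.get("Envelope-to", ""))[1].lower()
        local, _, dom = addr.rpartition("@")
        if local and dom == domain:
            hits[local] += 1
    return hits

def assess(raw_messages, issued, domain, guess_threshold=3):
    """Separate name-guessing against a catch-all from spam to one issued alias."""
    hits = spam_recipients(raw_messages, domain)
    guessed = sorted(local for local in hits if local not in issued)
    dictionary = len(guessed) >= guess_threshold
    aliases = {}
    for local in sorted(hits):
        if local in issued:
            aliases[local] = ("inconclusive: sender is guessing local parts"
                              if dictionary else "suspect source: " + issued[local])
    return {"guessed": guessed, "dictionary_attack": dictionary, "aliases": aliases}

def make(to, flag="Yes"):
    """Build a constructed sample message carrying only the headers used here."""
    return f"Envelope-to: {to}\nX-BV-Spam-Flag: {flag}\nSubject: constructed\n\nbody\n"

# Constructed samples: spam to a single issued alias, and a spray of guessed names.
TARGETED = [make("pug@example.test"), make("pug@example.test"),
            make("isp@example.test", flag="No")]
GUESSING = [make(f"{n}@example.test") for n in ("admin", "info", "sales", "pug")]

if __name__ == "__main__":
    print(assess(TARGETED, ISSUED, "example.test"))
    print(assess(GUESSING, ISSUED, "example.test"))
```

A "suspect source" result names the only place the address was handed out; it does not say which system at that source, or which recipient of mail carrying the address, exposed it.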


Title: Re: Email address for this forum has been compromised
Post by: Foresee on March 23, 2017, 08:49:14 pm

Quote
is anyone else seeing shiny new e-mail abuse ?


You are not alone mikeb.

I created an alias PN address purely for PUG in 2008. It has never been used to send, and has received nothing. Its format makes it virtually unguessable.

Since last Thursday 16th until today I've had six emails: three pharmacy spam, two 'Fedex' phishing, and one which seemed to have no purpose at all.


Title: Re: Email address for this forum has been compromised
Post by: NB on April 02, 2017, 11:59:15 pm
I've left this a while partly to see if anything came in to me and partly because I don't check in on the forums here as often as I used to so only noticed this a couple of weeks ago.  I've had no spam to my usergroup specific e-mail address recently, but did get one a year ago.  I don't suppose either of you clicked the report a post button in the past did you?

If you report a post an e-mail goes out to the team and it contains a reply e-mail address for the person reporting the post.  So if any of the e-mail accounts belonging to those people who get notified was compromised then e-mail addresses could be harvested from them.  That could be either their pc or their e-mail provider that was compromised.