next »

[sheila]

The most annoying thing is that my personal domain will now be affected forever now.

Ian

My domain name has been getting undeliverable replies for years, with random character from addresses.  I have always assumed the spammers got the domain name from nominet.  What is to stop anyone checking to see if a domain is available, then using it as a from address?  Sorry if this is a dumb question, but I'm thinking of getting a new domain name, but if spammers can find the new one, there's not much point.

[sgte]

Just a point to note that I can't seem to change my default mailbox; when plusnet recently changed the mail setup my original mailbox (that was blacholed - due to spam)was reinstated and my postmaster (then the default) was Aliased. Now I cannot change. Anyway I am going to let the 35,111 spam messages in grow!!

[Matt_2k34]

Anyway I am going to let the 35,111 spam messages in grow!!

Great plan  Cause PN "more" work which im sure they dont want to be doing.

there are already concerns if they platform can take it- i am not as reliant on my email as other people who use the products are, However in ur terms and conditions i am SURE somewhere that it states you have to check / remove mail ?? (please verify )

PN dont have the storage to take in the huge increase they will see, imagine if everyone had 35,111 mails in their inbox, at 1-5kb each... its going to either 1) if running a DB type system, slow the platform down Bigtime, or 2) if running a file system type email server, is going to kill the amount of storage they have.

Please dont complain about something then be unwilling to do your fair share 

[NB]

Or your spam mail will use up all your mail storage quota and it'll stop accepting any more e-mails for you, including the legit ones you actually want.

[Matt_2k34]

Or your spam mail will use up all your mail storage quota and it'll stop accepting any more e-mails for you, including the legit ones you actually want.

Fair point NB, didnt know a quota was in place but i do now !

[petervaughan]

1) there is no defined quota for email except if there is a lot of unread emails (i.e. over 25->50MB) PN may have a word.
2) I doubt the spam folder will be included in any quota being used as it is automatically purged after 30 days, and considering in was PN that implemented it, no user should be adversely affected by its use.

[jelv1]

I asked Liam about spare capacity on the Mailstore the other day just because of this concern to which he replied "Terabytes".

[Matt_2k34]

sounds big. still not convinced though.. 

[petervaughan]

PN increased their mailstore by about 2x in January 2007 to about 2.2TB of which about 1.5TB was in use at the time of the upgrade), to cater for the increase in emails and spam that was expected this year so they do have plenty of space in reserve. This can also be increased as necessary. They would also have checked there was more than enough currently to cater for the introduction of the spam folder. Also remember they are blocking spam entering the mail servers now as well which will also reduce the space requirements needed.

[mikeb]

sounds big. still not convinced though.. 

That's no problemo, I have way more than a few URLs you might be interested in if size really does matter to you or if you're worried about performance not to mention some on how to magically convert your FD into an HD if that helps at all

OK, so it's around 2 weeks since the first dodgy mail was received on my compromised addresses and time for a lil analysis methinks.  I have spam detection/filtering turned off (apart from the ClamSpam silent delete_on_receipt that I can't do anything about and don't even know what it does or how aggressive it is) and I have received/retained all dodgy mail to my main PN A/C default/contact addresses. I also have one mailbox on my main A/C and an old F9 account affected but have simply had a quicky look then deleted the dodgy mail to these.

(1) All compromised addresses have received roughly the same number of messages although not exactly the same messages or even messages sent at the same kinda time. They did, however, tend to come in small batches over the space of an hour or so with long(ish) gaps in between batches. Every individual address/mbox has received around 50 messages each so far.

(2) All messages were sent directly to PN and solely to the compromised addresses.  No messages were received on any other individual addresses or mboxes and prior to 13th May, no spam was ever received period. No bounced messages have been received either.

(3) Barring one single malformed (and possibly corrupted within PN) message received at one address, all messages were one of two forms: a certain amount of text and a URL or a certain amount of text and an attached gif image containing a URL.  In all cases, the URL was of the form http://something_fairly_random_looking.tld rather than a 'really obvious' commercial type site and although I haven't checked every single one, they tend to resolve to a relatively small number of IPs with several of them having a whole bunch of IPs. A short list of the more recent ones follows:

193.93.239.159
85.100.149.110
86.6.162.184
85.232.206.174
217.15.157.134
203.223.150.35
91.186.4.89
68.20.34.222
81.28.12.160
213.37.211.163
88.17.34.208
69.208.177.218
68.44.215.111
80.108.172.219
61.124.208.181
212.55.101.40
81.25.42.76
121.28.24.62 (*)

(*) a *very* popular IP !  well deserving of getting something rather unpleasant sent up the copper 

My conclusion so far is that "it's spam Jim, but not as we know it" in other words it's not really spam as such at all and the 'fun' hasn't even started yet ! I would suggest that all these messages are coming from the same peeps who acquired the list and are most likely attempts to infect individual machines with malware by visiting the various sites rather than actually attempting to sell something. I've wussed out of visiting too many of them to find out but those I have sort of looked at are the same site at a different IP and very, very slow.  Whether that's because of excessive traffic or because they're mainly 'private' machines with a slow U/L speed I'm not sure and haven't bothered to check.

I would also suggest that this is more 'the calm before the storm' and is a relatively minor PITA compared to what's likely to happen in the future. It's only if/when the compromised addresses are passed on bigtime that the spam deluge will begin in earnest and ultimately variations of the compromised addresses getting used as spoofed source address as well as actual destination of the spam. Isn't this all fun.fun.fun

I'm not sure why quite a few users seem to be reported significantly more messages received tho. Maybe it's just because they had more addresses compromised and therefore they are receiving proportionately more ... or maybe it's just because they're the 'lucky' ones or those who have been identified as more in need of the jolly fine 'services' being offered  Obviously, if you're using your own server then there's bound to be lots more. But all I can say is that each and every one of my individual compromised addresses or mailboxes on each account has received approximately the same relatively small number of messages altho YMMV and all that.

I'm also not sure why some users are reporting bounces. Not seen one so far.  Should I be feeling all neglected and left out  I think not because that most certainly will be where I draw the line under the situation I've been dumped in and decide exactly what I'm going to do for the future.

[RonSlicker]

121.28.24.62 (*)

(*) a *very* popular IP !  well deserving of getting something rather unpleasant sent up the copper 

Doesn't appear in any blacklists on http://www.robtex.com/ or http://www.uceprotect.net/en/index.php?m=1&s=0.