Author Topic: Spam being received on Private e-mail addy  (Read 162524 times)
mikeb

Posts: 657


« Reply #30 on: May 14, 2007, 04:01:11 am »

That's definitely exactly the same as the one I got - well at least the attached .gif image is - the rest, as you say, is obviously a fairly random lump of text with a random subject: field, random file name (I guess, seeing that mine seems to be based on the from address) and a bogus from: field. Does the sending IP match on other spams? Mine apparently came from 124.80.85.115 but as it was delivered direct to PN that could quite easily be bogus as well I suppose. That IP appears to be listed as an open relay (spamcop) although it isn't responding at the mo.

Although I use the particular address all over the place and have done for years, the only PN related things I can think of that I've used it on are the portal forums and here, plus I tend to also use it for ticket e-mail advice. As I said earlier, I don't use webmail and my Fax2email is always sent to something_else@my_account.plus.com. I only received the one spam to this one specific PN address; none of the others I regularly use or any mailboxes received anything. Unfortunately, I had already de-spammed my F9 account before I noticed it so I don't know whether any turned up on there.
« Last Edit: May 14, 2007, 04:25:43 am by mikeb »

--
WARNING: The e-mail address on my profile is not my usual address, all messages sent via this site have been redirected elsewhere for test purposes. This could result in messages not being received in a timely manner or potentially not being received at all.
dusty_bin

Posts: 84

« Reply #31 on: May 14, 2007, 10:09:40 am »

I haven't checked my main account properly, but from my PAYG dial-up account each mailbox has received the spam, but not the redirects to a mailbox.
One of the mailboxes: pop3@myusername.plus.com, is not used for sending or receiving email directly, just for collecting all the email from the redirected addresses - and this mailbox also received spam directly addressed to it.
Ultra

Posts: 777

WWW
« Reply #32 on: May 14, 2007, 10:12:44 am »

@Graham - re the "ED pills" - in the mail I had today, it was a graphic image. 

@mikeb - the four I have seen were each from different IP addresses.

Received: from dyn-91-163-131-134.ppp.tiscali.fr ([91.163.131.134]) by
 pih-sunmxcore16.plus.net with smtp (PlusNet MXCore v2.00) id
 1HnHrP-0002eJ-2O for username@username.plus.com; Sun, 13 May 2007
 17:27:55 +0000
Message-Id: <001101c79594$e5f49ba0$001af094@famille>
From: Damon Hancock <qoutsharp@anyarizonahomes.com>
To: username@username.plus.com
Subject: shipping rates qualitative Damon
Date: Sun, 13 May 2007 19:28:34 +0200

In my case it is a 'catch all' mail address.  This PN ('Essential') account was created on 2005-05-28 and used while I was connected on another ISP.  It has mail checked at regular intervals (*) from a commercial mail service (10 GB storage, plus 1 GB FTP space) which pulls in mail from a number of different accounts for me.

On checking much later I did find three more messages (in the spam folder, because the Spamhaus blacklist included the sender IP addresses for those three, just not this one, of the ones sent to 2 PN accounts I check).  In all cases I have seen, the "Subject" line ends with the first name of the "Sender".

I have rarely used webmail for any PN account, and don't believe either account name has ever been given on Usenet.


Of course, any person can connect to the PN Forum (guest/guest) and find postings which would show many still-valid user account names, though I don't know if guest/guest would easily allow large scale extraction.  I assume it might, if one put together a script to go from some fairly high member number and work backwards to find early account holders.

However this does seem quite strange insofar as the dates mentioned on TBB were also May 2005 - it might just be that an ex-customer with time on their hands used their own profile as a starting point and worked up and down from it...  Well, just checked and you can get the login prompt then onto the PN Forum and with a bit of scripting (perhaps even using good old Firefox) it may be possible to capture (from viewing a profile) (+) (a) username and (b) mail address.  If none is shown  username@username.plus.com  is an easy default target.

Now, increment or decrement the number in that profile and you get to view details of hundreds and thousands of users.  Pick some specific starting point and you will find users who first used the forum at a specific point in time (not necessarily when they opened their PN account of course).  I'm no PHP/etc scripting genius but anyone who ever had a ZX81 or Spectrum can make a loop to add a number, and with 'web scrape' tools available to capture web content, it may be possible to gather large quantities of data.

Shame, but guest/guest seems to be a security hole just waiting to be exploited.  Some other ISPs I used 10 years ago each had a "user directory" which listed account users alphabetically (pointing to user web pages, as a "feature") but you can see it is a goldmine for spammers to have account names on a plate.  OK, the PN Forum isn't exactly laid out alphabetically and needs some work, (also it is perhaps possible to spot a sequential search if one needed to) but shows there's a 'free' way to get lots of details without necessarily needing anyone "on the inside" to copy user info, or a set of data on an old drive to get into the wrong hands.

(*) anything from minutes to hours - don't remember off-hand - I think most of the accounts (a tiny portion are on PN) are on the 10 minute setting.

(+) member of PN staff chosen at random, from list of recent posts on the PN Forum.  Just Liam's luck his post was spotted.  Happy to alter link if anyone wishes to volunteer to have their details highlighted.  Not sure if there's a 'random user' option, and hope that Liam doesn't mind too much.  If there's an example profile that PN suggest, then feel free to alter this post, someone, or I will do so later...
« Last Edit: May 14, 2007, 10:37:43 am by Ultra »
Ultra

Posts: 777

WWW
« Reply #33 on: May 14, 2007, 10:17:58 am »

@Pod I can see where you're coming from, but if someone has made claims anywhere on the internet about having a mole, or having obtained the mail addresses (from some leaked list) a while back, then one cannot ignore that they (by proclaiming to anyone who sees it) could later use the materials they have (or potential access to a disaffected [ex-?] employee) to do something malicious.

It's definitely not in one's interest to brag about having information (such as a load of e-mail addresses) and expect *not* to be viewed with some suspicion later on.  I don't have any links to specific posts, nor do I routinely feel the need to archive gossip or (possibly idle) boasts, but am sure some others have seen such comments posted freely elsewhere, or can correct my mistaken memory if I have misunderstood/ misremembered/ misquoted what was posted months or more back in time.
ianwild

Posts: 3979


Not to be confused with Mike, Wildmind.

WWW
« Reply #34 on: May 14, 2007, 10:51:32 am »

Guys - I'm not a forum mod, but can I ask that you please drop this particular line of discussion in this forum with immediate effect please.

Ian

Regards,

Ian Wild
PlusNet Support
Chemical Brother

Posts: 134


« Reply #35 on: May 14, 2007, 10:56:50 am »

Gentlemen,

This thread is starting to get a little out of hand now, and we do not want or need a flame war here.

Yes, granted there have been allegations of someone having a list of email addresses, and naturally the fingers of blame are being pointed in a certain direction, however, it is not our place to do this, and it is down to those armed with the facts to prove without reasonable doubt who the offender is.

Edited; This thread now appears to be unlocked as offending posts have been removed.
« Last Edit: May 14, 2007, 11:06:38 am by Chemical Brother »
ianwild

Posts: 3979


Not to be confused with Mike, Wildmind.

WWW
« Reply #36 on: May 14, 2007, 11:02:08 am »

In fact - I have made the decision to remove 3 posts from this thread. Such accusations are not acceptable and although I'm not a mod I really hope people can understand why I've done this.

I will be discussing this with the forum mods and if they decide to re-instate the posts then that is down to them. Furthermore, if anyone wishes to know the exact reasons why I have taken the decision please do PM me.

In the meantime, I'd like to crack back on with dealing with the problem here, so if someone has more information please do reopen the thread.

Cheers,

Ian

Regards,

Ian Wild
PlusNet Support
James

Posts: 1010


3567190798

« Reply #37 on: May 14, 2007, 11:06:43 am »

Unlockinated as requested.

Let's keep to the matter in hand, and leave wild accusations off these boards - pointing fingers without evidence won't help us get the best from the resource we have here.

(And that's not a request for evidence either)

Nuff said.

Best Wishes - James

Tell me and I'll forget; show me and I may remember; involve me and I'll understand. - Chinese Proverb
bpullen
Plusnet Staff

Posts: 1980


WWW
« Reply #38 on: May 14, 2007, 11:20:25 am »

Quote
I've just come here because of the same problem to see if anything was being reported. For example I've received spam on an email address which was created specifically for testing email and is known only to me and Bob Pullen. It hasn't been outside of Plusnet. I've also received some to prefixes which have not been used for at least a year.

Hi John,

Can you drop me a PM reminding me what the address was (I think I know but want to be sure). Did it arrive in the catch-all or to a specific mailbox?

Rgds,

Graham W

Posts: 73


WWW
« Reply #39 on: May 14, 2007, 11:43:32 am »

Quote
@Graham - re the "ED pills" - in the mail I had today, it was a graphic image.


@Ultra: Thanks for that. As a matter of my own security I don't open such items where they contain HTML elements since that is a known path to validate the recipient's address.

I inspect the contents through OE's Properties->Message source method since that is not active and allows me to see the headers and plain text contents. Thus the sender is not aware that his message is being read. Trouble is I can't see the graphics which is why I asked.
godsell4

Posts: 397

« Reply #40 on: May 14, 2007, 11:46:40 am »


I am getting these too now, and they are known by spamcop. Headers as shown:

Quote
Envelope-to: user@username.plus.com
Delivery-date: Sun, 13 May 2007 17:39:02 +0000
Received: from [81.181.192.251] (helo=lonestarhandyman.com)
 by pih-sunmxcore09.plus.net with smtp (PlusNet MXCore v2.00) id 1HnI1m-0005yu-VH
 for laj@godsell4.plus.com; Sun, 13 May 2007 17:39:01 +0000
Message-ID: <001101c7954a$6ed28f40$00c59794@home6lhmbd1eri>
From: Shanna Fish <ngexercitorial@lonestarhandyman.com>
To: user@username.plus.com
Subject: [-SPAM-] order good source Shanna
Date: Sun, 13 May 2007 10:35:32 -0700
MIME-Version: 1.0
Content-Type: multipart/related;
 type="multipart/alternative";
 boundary="----=_NextPart_000_000E_01C7954A.6ED28F40"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.2969
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1158
x-open-relay: 81.181.192.251 is in a black list at bl.spamcop.net
X-PN-VirusFiltered: by PlusNet MXCore (v4.00)
X-ClamSpam: Found

I can not add to the conspiracy theory!

SW.

BBYW1/10GB
godsell4

Posts: 397

« Reply #41 on: May 14, 2007, 11:55:09 am »

Quote
I can not add to the conspiracy theory!

Yes I can. :( Just sent PM to ianwild.

SW.

BBYW1/10GB
LC100

Posts: 283

« Reply #42 on: May 14, 2007, 01:01:41 pm »

Hi

I also received these spams to username@username.plus.com, I've never ever used this format as an email address and these were delivered directly to my own SMTP server.

My IP address doesn't resolve to my user name and hasn't for years so it hasn't been picked up that way.



godsell4

Posts: 397

« Reply #43 on: May 14, 2007, 01:11:00 pm »


I have also got this message to my yahoo.com e-mail address I used to register my PN account and to which my billing messages go to. Of course I get lots of SPAM to that account too.

I also have a corporate e-mail address, I usually get the same type of SPAM to *all* my accounts ... I am not getting this "ED pills" e-mail to my corporate e-mail.

SW.

BBYW1/10GB
XPC exiled in NZ

Posts: 1382

« Reply #44 on: May 14, 2007, 02:32:44 pm »

Ok, I too have got these spams to several interesting addresses.

One in particular, which is very worrying, is sent to an address only ever used internally by my old router's email alert facility (that router died last summer)! Eg it has never been posted anywhere on the internet ever or even used in communications with F9.

It has a redirect set up on my F9 account for this address. The only ever emails sent to this address are sent directly from my router to the F9 redirect, where it then resolves to my main email address mailbox on my main account.

There are only two places that this address could have been discovered (it certainly couldn't have been guessed!). One is from my house (very unlikely as I run a tight ship here, and others are reporting the same thing), or from some sort of grab of addresses. This could have been within PN towers as others have stated, or from the internet between PN and myself. The only place it will appear in PN towers is in the redirects list.

I can confirm (as above) that it has happened on my main F9 account (not sure if other F9 users had reported the breach, or only PN accounts), but also my PN backup account too. My PN backup account (free dialup), which is never normally used for anything, received spam to username@username.plus.com.
I don't get any emails to that account at all (spam or otherwise) normally other than internal PN account generated advert emails etc. Again, this is most likely to have been an internal breach.

I have received some of these same spam emails to my yahoo address too (never EVER had any spam here either before, as it is a non-guessable name, and non published), which follow the same pattern (first name of from address at the end of the subject line). Trying to work out if I have a link between these accounts from PN, or if it is just a weird coincidence.

I hope some of these details help to build a pattern. If anyone wants headers of any of these, then PM me.

Mike
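
Added example, not part of any post in this thread: the pattern noted in replies #32 and #44 (the Subject ends with the first name shown in From) can be checked mechanically against the headers quoted in replies #32 and #40, alongside the connecting IP from the Received line. The `control` sample and all function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header sets trimmed from replies #32 and #40 above, plus one constructed control.
SAMPLES = {
    "reply32": """Received: from dyn-91-163-131-134.ppp.tiscali.fr ([91.163.131.134]) by
 pih-sunmxcore16.plus.net with smtp (PlusNet MXCore v2.00) id
 1HnHrP-0002eJ-2O for username@username.plus.com; Sun, 13 May 2007
 17:27:55 +0000
From: Damon Hancock <qoutsharp@anyarizonahomes.com>
Subject: shipping rates qualitative Damon
""",
    "reply40": """Received: from [81.181.192.251] (helo=lonestarhandyman.com)
 by pih-sunmxcore09.plus.net with smtp (PlusNet MXCore v2.00) id 1HnI1m-0005yu-VH
 for laj@godsell4.plus.com; Sun, 13 May 2007 17:39:01 +0000
From: Shanna Fish <ngexercitorial@lonestarhandyman.com>
Subject: [-SPAM-] order good source Shanna
""",
    "control": """Received: from mail.example.org ([192.0.2.10]) by mx.example.net
 with esmtp; Mon, 14 May 2007 09:00:00 +0000
From: Alice Example <alice@example.org>
Subject: Invoice for April
""",
}

def relay_ip(msg):
    """Connecting IP logged by the receiving MX in the topmost Received header."""
    hops = msg.get_all("Received") or []
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hops[0]) if hops else None
    return m.group(1) if m else None

def subject_ends_with_sender_first_name(msg):
    """True when the last Subject word equals the From display name's first word."""
    name, _addr = parseaddr(msg.get("From", ""))
    subject = re.sub(r"^\[-SPAM-\]\s*", "", msg.get("Subject", ""))  # drop filter tag
    first, words = name.split()[:1], subject.split()
    return bool(first and words) and words[-1].lower() == first[0].lower()

def triage(samples):
    """Map each sample label to (relay IP, campaign-pattern match)."""
    result = {}
    for label, raw in samples.items():
        msg = message_from_string(raw)
        result[label] = (relay_ip(msg), subject_ends_with_sender_first_name(msg))
    return result

if __name__ == "__main__":
    print(triage(SAMPLES))
```

The hostname or helo string beside the bracketed IP is supplied by the sender and is not verified; only the IP recorded by the receiving server is reliable for blacklist lookups.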
