Author Topic: Spam being received on Private e-mail addy
jelv1

Posts: 2130

« Reply #240 on: May 18, 2007, 07:47:47 am »

That's my guess. angry

So any confirmation e-mails you received when joining things like these forums which included usernames & passwords could have been harvested.  It would be just as easy to scan for the words username or password in an e-mail stored on the server as to scan for mail addresses within those e-mails.

Personally I've assumed all correspondence sent by e-mail has been read and made changes accordingly.  But I await Plusnet's response to that particular question with anticipation.

Somewhere in one of the 4 parts of the long threads on the Plusnet portal forums I've seen a post from one of the comms team (I think it was Mand) confirming that this has not happened. It was a webmail server that was compromised, the mail storage servers were not compromised.

jelv
jelv1

Posts: 2130

« Reply #241 on: May 18, 2007, 08:05:18 am »

How many times do we read on here and elsewhere that PN relay servers have been blacklisted by someone somewhere and as a consequence virtually all e-mail from PN to a specific ISP or domain is being dumped?

The thing to remember is there are many different types of blacklist.

Some contain proven spammers, for example things like open relays which have actually sent spam to a honeypot run by one of the listing organisations. I.e. 110% certain that they are a source of spam and nothing real comes from them. This you might call the black blacklists. Plusnet does not accept emails from these and has not for many, many months (years?).

At the other end of the scale some blacklists contain lists of servers which have been reported as being a source of spam (often not confirmed). These blacklists should not be used as a hard list but should be used as part of a scoring system (indeed some of the organisations recommend this is how they are used). You could call these grey blacklists. These are the lists that Plusnet's relay servers often pop up in. Unfortunately some people's mail systems treat these lists as black blacklists and reject the mail out of hand. Plusnet use these as part of the scoring system which results in our mail being tagged.

AIUI, the change Plusnet have made is to treat more of the blacklists at the blacker end of the scale as outright rejections because monitoring has proven that no genuine mail has come from servers on this list.

jelv
godsell4

Posts: 397

« Reply #242 on: May 18, 2007, 08:11:36 am »

This you might call the black blacklists. Plusnet does not accept emails from these and has not for many, many months (years?).


The use of the 'black blacklists' is OK by me, and a vast majority of the SPAM does come via open relays so has this change to mxcore only increased the use of the RBLs? Does ClamSpam do more than using RBL information?

SW.

BBYW1/10GB
jelv1

Posts: 2130

« Reply #243 on: May 18, 2007, 08:23:01 am »

Another batch of spam overnight - seems it may still be coming in - and it is now apparent that yesterday's changes have not stopped them.

Sitting in the honeypot mailbox I've created with aliases for all the different long since dead addresses that are now being spammed are four spam emails from the same IP. What I can't tell is how many other Plusnet users have received spam from the same IP.

Tam's honeypot/blacklist suggestion would have blocked all of these after the first one sent to a monitored address.

Think about it. A big list of Plusnet addresses has been obtained, this has been added to a list of emails to be spammed. The list will be cut into chunks and given to many different botnets to spew out. Unless the spammer has sorted/randomised the list, one botnet PC will probably get a chunk of Plusnet addresses. The honeypots may not catch all the botnet PCs, but every one detected could mean hundreds if not thousands of Plusnet addresses protected from that spam.

This is working exactly like some of the blacklist organisations with the beauty that it is targeted on botnet PCs that are spamming addresses in the stolen list. If anyone submits an email address for inclusion in the honeypot list, Plusnet could verify that it was in the stolen list before adding it.

jelv
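An added illustration (not from the thread, and not Plusnet's actual mxcore logic) of the two ideas in jelv's posts above: "black" lists reject outright while "grey" lists only add to a score, and a hit on a honeypot address blocks that sender for every other recipient. The zone names, weights, threshold, addresses and listings are all constructed assumptions, and the DNS lookup is replaced by an in-memory set so the example runs offline.

```python
import ipaddress

# Hypothetical zones and constructed listings; a real filter would resolve these names over DNS.
BLACK_ZONES = {"black.dnsbl.example"}        # confirmed sources: reject outright
GREY_ZONES = {"grey.dnsbl.example": 3.0}     # unconfirmed reports: only add to the score
TAG_THRESHOLD = 5.0                          # assumed score at which mail is tagged
LISTINGS = {                                 # constructed sample data
    "10.2.0.192.black.dnsbl.example",
    "20.2.0.192.grey.dnsbl.example",
    "21.2.0.192.grey.dnsbl.example",
}
HONEYPOTS = {"dead-alias@example.net"}       # long-dead addresses that should get no mail


def dnsbl_name(ip: str, zone: str) -> str:
    """DNSBL query name: IPv4 octets reversed, followed by the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


class Filter:
    def __init__(self):
        self.local_block = set()             # sender IPs caught by the honeypots

    def decide(self, ip: str, rcpt: str, content_score: float = 0.0) -> str:
        if rcpt.lower() in HONEYPOTS:
            self.local_block.add(ip)         # learn the sender, never deliver
            return "reject"
        if ip in self.local_block:
            return "reject"
        if any(dnsbl_name(ip, z) in LISTINGS for z in BLACK_ZONES):
            return "reject"
        score = content_score + sum(
            w for z, w in GREY_ZONES.items() if dnsbl_name(ip, z) in LISTINGS)
        return "tag" if score >= TAG_THRESHOLD else "deliver"


def demo():
    f = Filter()
    return [
        f.decide("192.0.2.10", "user@example.net"),        # on a black list
        f.decide("192.0.2.20", "user@example.net"),        # grey only: 3.0 < 5.0
        f.decide("192.0.2.21", "user@example.net", 2.5),   # grey + content: 5.5
        f.decide("192.0.2.30", "user@example.net"),        # unlisted, not yet seen
        f.decide("192.0.2.30", "dead-alias@example.net"),  # hits a honeypot address
        f.decide("192.0.2.30", "user@example.net"),        # now blocked locally
    ]
```

The fourth and sixth calls are the same sender and recipient; only the honeypot hit in between changes the outcome, which is the protection described for the other addresses in the same chunk.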
godsell4

Posts: 397

« Reply #244 on: May 18, 2007, 09:06:38 am »


I only got 2 into an address that is long since defunct, and are known as coming through an open relay. The email header contained x-open-relay: 58.142.232.81 is in a black list at bl.spamcop.net

SW.

BBYW1/10GB
lmartin

Posts: 1404


Comms Team

« Reply #245 on: May 18, 2007, 09:26:10 am »

If the system is put into place that [-SPAM-] can go to a folder or specific mailbox, there is no need for this extra step with mxcore now deleting messages silently.

That was the plan.  Having said that, feedback so far has actually been very positive.  I expect we will revisit this next week and make a decision then.

Liam Martin
PlusNet Comms Team
godsell4

Posts: 397

« Reply #246 on: May 18, 2007, 10:38:41 am »

... feedback so far has actually been very positive.  I expect we will revisit this next week and make a decision then.

Well yes, people are always going to be thankful for something that 'means I have to download fewer messages tagged with [-SPAM-]'; however, are those people aware 'the mxcore could be rejecting/deleting a message they really wanted'? I'd say not many people are too aware of the possible implications.

If tagged spam can go to a different folder/mailbox while keeping the mxcore, clamspam and despam usage the same, that would be best.

SW.

BBYW1/10GB
Daved

Posts: 71

« Reply #247 on: May 18, 2007, 12:22:56 pm »

To quote Jelv
Somewhere in one of the 4 parts of the long threads on the Plusnet portal forums I've seen a post from one of the comms team (I think it was Mand) confirming that this has not happened. It was a webmail server that was compromised, the mail storage servers were not compromised.

-----
You may also have noticed that the questions I asked for clarification:-

You are 100% sure, that those that were not logged into webmail at the time of the breach do not need to change passwords outside of Plusnet's services?
 
 Also you are 100% sure there is no possibility of access to any other information such as account details such as address and telephone numbers?
 
 You are 100% sure that no credit card details were available to the hackers?
 
 Yes would be an appropriate answer to all three questions.
 Can we have those assurances stated this simply?

They have finally realised that as I left plusnet some months ago and am only on the free dialup account they can deny me access to the forum. The assurances above will therefore not be answered except in the roundabout way of 'probably' and we are 'confident'.

The number of spam emails has decreased to two today on my personal domain address (not hosted with plusnet) so don't count your chickens as this must be a slowing down on the spammers part and not on the security measures put in place by plusnet.

One of the many reasons I left plusnet was the going astray of emails sent to me, rated as black listed. I can't see why anyone could be heralding losing more genuine emails which could be vital to a business by going down this route again.

dillons on Plusnet forum
mikeb

Posts: 657


« Reply #248 on: May 18, 2007, 01:25:40 pm »

If the system is put into place that [-SPAM-] can go to a folder or specific mailbox, there is no need for this extra step with mxcore now deleting messages silently.

That was the plan.  Having said that, feedback so far has actually been very positive.  I expect we will revisit this next week and make a decision then.

Yeah, well no surprises there esp as they don't necessarily know or understand what might be going on and PN aren't really saying either !  All they are seeing is little or none of the explicit spam (which is a good thing) but are blissfully unaware that there might be implications of other mail going missing either now or at some point in the future.

What I simply don't want to end up with here is PN tweaking the system to reject more and more spam so that on the surface it looks as though there really isn't any significant problem following the breach - but with a side effect of "a very small number of customers might possibly get a very small amount of genuine mail rejected" to quote the sort of wording one could reasonably expect to see in a PN service.status announcement ! Whilst PN might well consider that to be an acceptable situation I don't.  I do appreciate efforts being made to reduce the impact of spam in general but not if it errs on the side of over enthusiastic or erroneous deletion.

What often seems to happen with other ISPs who appear to be doing this kind of detection (simply to protect their servers by reducing volume rather than anything else) is that genuine mail IS deleted or bounced and other related problems DO occur.  For instance, a colleague is subscribed to various yahoo and similar groups and receives individual e-mails from these.  Every time some @rse spams the group(s) with iffy looking or sounding messages, the ISP bounces them as 'content rejected' or suchlike which results in yahoo stopping all further messages being sent to that address until it is reactivated.  Anyone here who uses yahoo groups no doubt knows that they are a bit quick in blocking addresses but very slow in letting you know that they have.  The result is that one or more times a week, one or more addresses are blocked by yahoo due to a single bounce, lots of genuine messages are lost and it's a right old PITA all round.  Yes I appreciate that PN appear to be silently deleting rather than bouncing so this kind of thing may not be a problem but I still want to understand fully what risk there is of any genuine mail getting silently deleted. Similarly, consider again the hotmail (and others) problem with the Booking Confirmations from a Ticket Agency that I mentioned earlier. The decision to silently delete all those 1000's of e-mails was apparently the result of a scoring-type system deciding that the messages were most likely spam rather than being some of the 150K genuine and desperately wanted messages that were sent out in a very short space of time.  The users of the services who rejected these messages were completely unaware that their service provider could and indeed was deciding which mails they could read and which they could not.  The deletion was automatic on receipt and occurred regardless of specific users' account settings to use a 'junk' folder or similar.

So, am I going to get more official detailed info as asked for (particularly on this ClamSpam thing) or should I just stop asking because PN are going to completely ignore the requests ?

Unfortunately some people's mail systems treat these lists as black blacklists and reject the mail out of hand. Plusnet use these as part of the scoring system which results in our mail being tagged.

AIUI, the change Plusnet have made is to treat more of the blacklists at the blacker end of the scale as outright rejections because monitoring has proven that no genuine mail has come from servers on this list.

Understand all that fully and it all sounds very good of course BUT (and there's always a 'but' isn't there) How do I know that PN isn't one of those mail systems that could screw up when making the decision to delete ? How do I know that monitoring has in fact 'proven' that no genuine mail has ever been deleted ? I mean, in all fairness rather than intended to be insulting, PN doesn't have a particularly good track record in testing and monitoring anything does it. The only thing likely to flag a problem is customers complaining and in perhaps the majority of cases they wouldn't even be aware that genuine mail had been deleted. Also, I still get the impression that we are talking about 'silent deletion' on receipt here and not simply 'tagging' iffy stuff.  Tagging, whilst being a bit of a PITA to have to manually check 'junk' folders when you haven't ever needed to before is not so bad but it's the possibility of silent deletion or worse still silent bouncing that concerns me in all this.  It's all too easy for any ISP to dismiss any claims of stuff going missing as "just one of those things that happens sometimes and nothing directly to do with us" so even if you do know that something has got deleted by mistake, no one is ever likely to listen or do anything about it.
« Last Edit: May 18, 2007, 02:04:25 pm by mikeb »

--
WARNING: The e-mail address on my profile is not my usual address, all messages sent via this site have been redirected elsewhere for test purposes. This could result in messages not being received in a timely manner or potentially not being received at all.
kitz

Posts: 4323

« Reply #249 on: May 18, 2007, 01:36:31 pm »

>> The list will be cut in to chunks and given to many different botnets to spew out.

This does appear to be what is happening and I mentioned this in another thread yesterday.

Sunday the spam started on username@username.
Tues it started on a mailbox I deleted last year.
Yesterday it started on a name@domain name which previously had no spam, but had an association with PN.
Today, I've now started receiving it on pug@

Dont forget the Geeks!
kitz 2005
OldDave

Posts: 17

« Reply #250 on: May 19, 2007, 09:43:20 am »

I keep getting spam offering Photoshop CS for $89 all referring to a site soft-ag.com.

Why aren't Plusnet blocking this??? 

XPC exiled in NZ

Posts: 1382

« Reply #251 on: May 19, 2007, 12:47:03 pm »

Dave,

Are you getting any of these emails through a free dialup account; or do you have Spam turned off on your paid account?

The reason I ask is that I am getting those same emails, but on my old free account they are untagged (as free dialup doesn't include spam protection - although they are going to add it next week! Hurray!), whereas on my broadband account, the mails are ALL (so far) correctly tagged by PlusNet as Spam.

If you are getting any through the cracks, then send them to "spam@despamchecker.plus.com", where they will be added to the scoring database, to increase the chances of them being caught next time. There is talk of some accounts that are ONLY receiving this spam being given over to collecting and automatically adding to PlusNet's database of spam detection, but as far as I know this is a work in progress.

Mike
kitz

Posts: 4323

« Reply #252 on: May 19, 2007, 01:29:39 pm »

Got a pile of them overnight too - all mine are tagged ok.

Dont forget the Geeks!
kitz 2005
jelv1

Posts: 2130

« Reply #253 on: May 21, 2007, 09:09:26 am »

If they implemented Tam's honeypot/blacklist suggestion the majority of these messages wouldn't be tagged, they'd be binned.

jelv
Matt_2k34

Posts: 387

« Reply #254 on: May 21, 2007, 07:44:25 pm »

yeah try and keep it to tagging, so you don't lose anything you want to keep smiley

oh and i have been getting a bucketload of spam per day to the address with the catchall for MONTHS and PN blamed me for it, the last few days this has died down to nothing. which is good i guess *touch wood* it stays like it eh ?  tongue

-----------
=)