User comments on ISPs
  >> PlusNet plc


Standard User deleted
(deleted) Fri 29-Aug-14 00:23:28

What does this email mean?

Dear Ms XXXXXXX,

Account username: abcdefghijk

Our Support Team have opened Ticket 9nnnnnn to track an issue on your account. Please see the comments shown below for more information.

==============
Dear Ms XXXXXXX,

During Monitoring of our platform we noticed a number of unsolicited emails are being sent from a remote IP address using your account login credentials.

These were identified as unsolicited by our spam filtering software and flagged to our attention, we then sanity checked the source IP address, Subject Line, From and To addresses and based on the content, we believe it's quite possible your login credentials have been compromised.

The most probable reason is an insecure or weak password, possibly plain text which could have been obtained by a local virus / keylogger or brute forced using normal dictionary words.

Due to the resources required to handle such high quantities of email, there is the potential for this situation to negatively affect other users of our email platform and the reputation of our mail servers.

We have therefore taken the temporary measure of blocking your access to the email servers. This means that you will be unable to send or receive emails.

Before considering reinstating access to our servers you will need to take preventative measures to stop this from re-occurring, we suggest an audit of all passwords and sensitive information that may have been accessible from keyloggers etc and perform a full security audit & Virus/malware scan of any PCs connected to your network.

Once you have taken action, please contact us to arrange for a new strong (cryptic) password to be applied to your account or mailbox , please use upper / lower case characters and numbers or special characters mixed.

Alternatively if you are confident you have secured all your local network / computers, you can re-enable the service by updating your password with a more secure cryptic password via your customer portal. Please note once you make these changes you will need to update any mail software which uses the password you're changing to reflect the new password. If the password you are changing is your default password for your account and you use our broadband service, you may need to also update your router password to reflect the changes made.


--Internal--
Webmail component disabled where applicable.

Cryptic passwords only please,
If it's a sub mailbox then the password(s) have already been updated, please advise full security audit. If the customer is using broadband and it's the account default password that's been compromised, please update the router password and mail client after confirming full security audit has been completed.

If the customer had a cryptic password previously, this would suggest local keylogger/ viral activity

Regards,

Stephen Dean
Standard User professor973
(experienced) Fri 29-Aug-14 01:03:38

Re: What does this email mean?
[re: deleted]
 
It is plain enough what it is saying. That said, it could be a phishing email itself. Simple enough job to find out. Just try logging into your email, if you can get in, ignore it.

Zen Business Talk - Freeola Family Broadband.
http://speedtest.net/result/2690543838.png
Standard User deleted
(deleted) Fri 29-Aug-14 01:09:40

Re: What does this email mean?
[re: professor973]

Standard User deleted
(deleted) Fri 29-Aug-14 01:10:18

Re: What does this email mean?
[re: deleted]
 
Standard User professor973
(experienced) Fri 29-Aug-14 01:28:55

Re: What does this email mean?
[re: deleted]
 
As it's not yours, you don't know.

Zen Business Talk - Freeola Family Broadband.
http://speedtest.net/result/2690543838.png
Standard User awontroba
(newbie) Fri 29-Aug-14 01:32:00

Re: What does this email mean?
[re: deleted]
 
Assuming it is genuine (check the ticket system or ask them), PlusNet:
  • Think that somebody, somewhere, has got hold of your PlusNet mail account details and are using these to access PlusNet's mail system and spam the world.
  • Have blocked your, and the spammer's, access to mail.
  • Think that your password was weak and easily cracked by trying many times, e.g. Mary1 or, far worse, that malware on your system is logging interesting stuff you type (passwords, credit card numbers) or scanning your system for such and sending it to the spammer / credit card abuse merchants.
  • Scan your systems for malware and clean any problems found.
  • Suggest that you review and prepare to change all your passwords on your systems and remote systems you access via them. The new passwords should be a mixture of upper and lower case letters, numbers and special characters. Additionally I suggest that you should not use any words found in a dictionary. You may choose to use a password generator (e.g. apg, see examples below, or a Windows equivalent)
  • Change your mail password or ask PlusNet to do it for you so that your mail flows again.
  • Get on with the chore of changing all your passwords on remote systems.

apg examples
Do not use any of these as passwords, as they are now public.

pronounceable (sort of) passwords
[aw1@swelter ~]$ apg -M SNCL
6twiv{Si
goj6Odd}
MyWil4Od:
,OnEggAv4
Joaw6oj\
Eb9Ownaj(

random passwords
[aw1@swelter ~]$ apg -a 1 -M SNCL
T1VET(vT
R.{2ib(Y:8
^I'?^t2gGx
=>2OiqKTol
z#WJ^8V!A
pVMk8?)[4:

--
Adrian
Standard User deleted
(deleted) Fri 29-Aug-14 01:44:40

Re: What does this email mean?
[re: professor973]
 
Standard User deleted
(deleted) Fri 29-Aug-14 03:57:52

Re: What does this email mean?
[re: deleted]
 
It's genuine.
It seems that PlusNet decided to suspend her email (former MadAsAFish) account with no warning except the email above sent to a non PlusNet email service.
The unintended consequence was that her internet access was cut off. Or is that really just coincidence?
No internet - no way to read the email.
When service did not resume within a couple of days, she rang support.
Router blamed - £40 demanded for a new one.
Rang customer services and persuaded to take out new 12 month contract.

I'll get access to her router in the morning. And the PC. But my guess is that there is nothing wrong with the router, it's the account that's suspended.

Likewise I'll check her PC. Interesting that the email mentions a remote IP, so the spam emails are originating from elsewhere. We'll see.
Standard User RobertoS
(elder) Fri 29-Aug-14 09:26:51

Re: What does this email mean?
[re: awontroba]
 
People often take a list like that of things to do as not necessarily to be followed in the sequence given, so long as they do them.

Importantly there, there is no point in changing any passwords until sure there isn't a key logger running.

My broadband basic info/help site - www.robertos.me.uk | Domains,site and mail hosting - Tsohost.
Connection - Plusnet UnLim Fibre (FTTC). Sync ~ 56.6/14.1Mbps @ 600m. - BQM

"Where talent is a dwarf, self-esteem is a giant." - Jean-Antoine Petit-Senn.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Allergy information: This post was manufactured in an environment where nuts are present. It may include traces of understatement, litotes and humour.
Standard User deleted
(deleted) Fri 29-Aug-14 14:52:53

Re: What does this email mean?
[re: deleted]
 
Standard User deleted
(deleted) Fri 29-Aug-14 15:49:44

Re: What does this email mean?
[re: deleted]
 
Unless they changed the main password which would stop authentication
Standard User RobertoS
(elder) Fri 29-Aug-14 16:17:55

Re: What does this email mean?
[re: deleted]
 
Which they might do if they suspected unauthorised access to the account (Member Centre).

My broadband basic info/help site - www.robertos.me.uk | Domains,site and mail hosting - Tsohost.
Connection - Plusnet UnLim Fibre (FTTC). Sync ~ 56.6/14.1Mbps @ 600m. - BQM

"Where talent is a dwarf, self-esteem is a giant." - Jean-Antoine Petit-Senn.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Allergy information: This post was manufactured in an environment where nuts are present. It may include traces of understatement, litotes and humour.
Standard User deleted
(deleted) Fri 29-Aug-14 16:30:56

Re: What does this email mean?
[re: deleted]
 
Standard User deleted
(deleted) Sat 30-Aug-14 02:47:04

Re: What does this email mean?
[re: RobertoS]
 
The computer is clean. It is not the source of the spam email, if indeed there really are any.

Upon further investigation it seems that internet access was working except for madasafish webmail, which makes sense. She had several calls with support to get access restored. The password on the account was changed and internet access was lost. She was advised to update the router password, which she did, but still no access. Reset etc made no difference. Support's answer to this is that the router is faulty - pay £40 and we will send you a new one.

Neither the original (previously working) or the new password work with webmail. The webmail password reset procedure does not work. In the 'Account Details' section on the website it says "Email: Not active". So email is not working because it has been deactivated and who knows what the password might be now.

The 'Account Details' section also says that the 'Broadband Username:' is mf******[email protected]. The router itself has ??***plusdsl.net. In any event, surely the Plusnet branded Thomson technicolor TG582n should auto configure the line / login? If not which login ID should be used?

All help appreciated. Thanks,

Edited by deleted (Sat 30-Aug-14 02:49:28)

Standard User Apprentice
(knowledge is power) Sat 30-Aug-14 11:00:11

Re: What does this email mean?
[re: deleted]
 
Who is the ISP? Is it Madasafish or Plusnet?

The login in my Netgear router for PN BB is ********@plusdsl.net +PN password

When maaf was my ISP the login for the router was *********@go-broadband.com + maaf password

plusnet user
Standard User professor973
(experienced) Sat 30-Aug-14 11:06:22

Re: What does this email mean?
[re: Apprentice]
 
Sounds the usual Plusnet email layout birds-nest. Always was strange.

Zen Business Talk - Freeola Family Broadband.
http://speedtest.net/result/2690543838.png
Standard User deleted
(deleted) Sat 30-Aug-14 13:14:41

Re: What does this email mean?
[re: professor973]
 
In reply to a post by professor973:
    Sounds the usual Plusnet email layout birds-nest. Always was strange.

Rats nest even!

In reply to a post by Apprentice:
    Who is the ISP? Is it Madasafish or Plusnet?

Started life as MAAF. Became PlusNet maybe 2 years ago. That said the bills say MAAF. So maybe it's still MAAF, but surely they are now one and the same. The difference is just branding and cost?

The router cannot authenticate, so the credentials are wrong somewhere. And this only happened when the account password was updated by a much more complicated password with the aid of support.

Surely the PlusNet auto configure should have input the correct credentials.

Anyway I was just reporting what the router had configured versus what the account status on the website says. I can't try again till tonight or maybe the morning. I want to reset the router and let it auto configure. That's how the router got set up when it was originally supplied about two years ago. Any reason why that won't work?

It was entirely out of order for support to suggest that the router is kaput. And the customer still has no access to the MAAF email account. Sending a new router isn't going to fix that.
Standard User deleted
(deleted) Mon 01-Sep-14 09:46:44

Re: What does this email mean?
[re: deleted]
 
Hi Enceladus,

I'm sorry to hear of the issues with the MAAF email and the broadband connection.

Can you PM me the username and I'll be happy to take a look at this?

Regards,
Standard User deleted
(deleted) Mon 01-Sep-14 10:54:49

Re: What does this email mean?
[re: deleted]
 
Update:
As I suspected router auto configuration does not work with (migrated) MAAF accounts. The router connects just fine once the mf******[email protected] ID and the updated password is manually input. I also notice that a similar scenario occurred just over a year ago. The bottom line is that there was nothing wrong with her router and support were totally out of order to try to sell her one for £40. Customer Services have sent her one, on some sort of deferred payment, but it is simply not required.

As stated earlier the PC proved to be clean as a whistle. And in particular there is/was no keylogger. So if the email password was compromised then I can only conclude it was discovered by brute force. (That said I haven't seen a shred of evidence to suggest that the email account was actually ever compromised.)

And webmail remains disabled despite the fact that she has complied with the request to update with "a new strong (cryptic) password". So the original issue is still not fixed.
Standard User ian72
(eat-sleep-adslguide) Mon 01-Sep-14 11:23:04

Re: What does this email mean?
[re: deleted]
 
Trouble is that to spoof someone's address you don't need to hack their email at all. Most mail clients will allow you to set a different "from" address incredibly easily. And if that is what they have done then changing passwords makes no difference whatsoever.
Standard User XRaySpeX
(eat-sleep-adslguide) Mon 01-Sep-14 14:32:36

Re: What does this email mean?
[re: ian72]
 
Exactly! That's how it's usually done. So I wonder how it is possible that PN noticed this:

In reply to a post by Enceladus:
    During Monitoring of our platform we noticed a number of unsolicited emails are being sent from a remote IP address using your account login credentials.

The spoofed emails in the way you say would never go thro' PN's platform.

Unless PN are saying that the spoofer, from the remote IP address, is using the PN SMTP with the OP's creds. That would be a compromisation of OP's a/c.

Are users on another ISP allowed to use PN's port 25 SMTP? If not, that would indicate spoofer is a PN user. Or does PN have a non-port 25 authenticated SMTP? That might be what PN is getting at.

1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 20 Meg WBC
Standard User ian72
(eat-sleep-adslguide) Mon 01-Sep-14 15:09:30

Re: What does this email mean?
[re: XRaySpeX]
 
Ah, yes. Forgot that part of the post - that's what happens when I don't reread a thread. That does suggest that the account itself was compromised.
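
The distinction drawn in the last few posts, as an added example that is not part of the thread and not PlusNet's own tooling: a forged "From" address never authenticates to the provider's SMTP service, whereas abuse of stolen credentials shows up as authenticated submissions from addresses outside the customer's own network. The log lines are constructed in Postfix smtpd style, and the `example.net` accounts, the `HOME_NETWORKS` mapping and the threshold are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in Postfix smtpd style; IPs are documentation ranges.
SAMPLE_LOG = """\
Aug 28 21:58:02 mx postfix/smtpd[411]: A1: client=home[192.0.2.10], sasl_method=LOGIN, sasl_username=alice@example.net
Aug 28 22:01:10 mx postfix/smtpd[411]: A2: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=alice@example.net
Aug 28 22:01:11 mx postfix/smtpd[411]: A3: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=alice@example.net
Aug 28 22:01:12 mx postfix/smtpd[412]: A4: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=alice@example.net
Aug 28 22:01:13 mx postfix/smtpd[412]: A5: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=alice@example.net
Aug 28 22:05:40 mx postfix/smtpd[413]: A6: client=unknown[203.0.113.9], sasl_method=PLAIN, sasl_username=bob@example.net
Aug 28 22:06:00 mx postfix/smtpd[414]: A7: client=unknown[203.0.113.50]
"""

# Assumed mapping of each account to the network(s) its owner normally uses.
HOME_NETWORKS = {
    "alice@example.net": ["192.0.2.0/24"],
    "bob@example.net": ["192.0.2.0/24"],
}

AUTH_RE = re.compile(
    r"client=\S*\[(?P<ip>[0-9a-fA-F.:]+)\], sasl_method=\S+, sasl_username=(?P<user>\S+)"
)

def suspicious_accounts(log_text, home_networks, min_remote_msgs=3):
    """Return {account: sorted remote IPs} for accounts with at least
    min_remote_msgs authenticated submissions from outside their home networks."""
    remote = defaultdict(list)
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            # No sasl_username: the session did not authenticate, so whatever
            # From address it carries says nothing about any account's password.
            continue
        user, ip = m["user"], ip_address(m["ip"])
        nets = [ip_network(n) for n in home_networks.get(user, [])]
        if not any(ip in net for net in nets):
            remote[user].append(str(ip))
    return {u: sorted(set(ips)) for u, ips in remote.items()
            if len(ips) >= min_remote_msgs}

if __name__ == "__main__":
    for account, ips in suspicious_accounts(SAMPLE_LOG, HOME_NETWORKS).items():
        print(account, "authenticated from remote addresses:", ", ".join(ips))
```

A hit here is evidence that the credentials themselves are in someone else's hands, which is the case where a password change helps; the unauthenticated line is ignored because forged headers alone do not involve the account.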