|
|
Hello,
I'm not with PlusNet (used to be but not since Mr Potesta's time, infamous outburst).
I've since put quite a few people on plusnet and had set up email accounts (purely for this and each unique). Now I am receiving copious quantities of SPAM from these addresses. No one knows these except PlusNet. Have plusnet sold user info or have they been compromised? What can be done to sort this? I really need some decent response here; I'll not be putting anyone else in PN direction unless this is sorted.
Thanks for any help
|
|
|
You're not alone. See the thread Plusnet Spam in this forum.
|
|
|
I've since put quite a few people on plusnet and had set up email accounts (purely for this and each unique). Now I am receiving copious quantities of SPAM from these addresses. No one knows these except PlusNet.
I presume you mean to these addresses. As MCM said, you are not alone and there is a long thread going in the Community Forum, linked to from the other TBB post. Needless to say there is a lot of ranting and irrelevant stuff on it and, from the responses from Plusnet so far, it is looking increasingly unlikely that they will get to the bottom of it. However, any leak should only be of addresses already supplied to Plusnet; if there were still a "hole" through which future addresses could be leaked, that would be very serious. In my case, the quantity of spam has been fairly limited and manageable (and I can shut down the email addresses in any case if I want to) and all of it has been from the same source (but from various different domains), Gamer SEO, in New Jersey.
Kevin
plusnet Unlimited Fibre - sync approx 60000/20000 at 450m - BQM
Using OpenDNS
Domains and web hosting with TSOHOST
Edited by kasg (Thu 04-Dec-14 10:11:53)
|
|
|
I had the spam for about a week but haven't had any for at least a week now. Odd for it to stop like that.
|
|
|
Same here, almost, got them for a week, then nothing for about two weeks, then one odd one.
Kevin
|
|
|
I had the spam for about a week but haven't had any for at least a week now.
Did the spam say something like 'test message'? I had similar sent to my banking email addys. Guess they are testing in preparation for phishing.
1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 20 Meg WBC
|
|
|
Did the spam say something like 'test message'? I had similar sent to my banking email addys. Guess they are testing in preparation for phishing.
No, those are totally different SPAM messages that were doing the rounds a few weeks back, nothing to do with the Plusnet leak.
Kevin
|
|
|
I'm sure I registered and posted here donkey's years ago but couldn't seem to find or work out what it was so gave up and am now the proud owner of a shiny new one !
@kasg
It's a somewhat different story to your minimal nuisance factor from a single source here I'm afraid. A relatively small (only at the moment of course) but regular stream arriving on an almost daily basis as they clearly attempt to assess the 'quality' of the database they've acquired by one way or another from PN.
A quicky looky see at the stats for November shows the following servers being used and as of December there's an additional bunch of IPs and dodgy domain registrations being used needless to say. Classic spammer tactics and all that, not going to go away anytime soon and can only get worse over time ... unless by some miracle those responsible get caught and shut down before passing on the database they've acquired. Not likely to happen in reality so in short, after suffering all the consequences of the last PN data breach over the past 7+ years, I now have to look forward to several more years of major abuse coming to a network near me solely due to PN screwing up yet again. Suffice it to say I'm a million miles away from being a happy bunny and all that :angry:
IP Address       Reverse DNS LookUp             First Used On
----------       ------------------             -------------
138.128.1.75     mx1.liveuknews.co.uk           14th November
138.128.1.76     liveuknews.co.uk               18th November
74.221.215.108   ??????                         18th November
138.128.146.25   newstorun.com                  19th November
138.128.1.70     mx2.ukbrandnews.co.uk          19th November
23.229.2.10      onepoundnews.co.uk             21st November
138.128.1.74     mx2.liveuknews.co.uk           22nd November
23.229.2.14      rockmsockmnews.com             25th November
23.229.2.13      bigtimenewstime.com            26th November
23.229.2.11      originalknowledgedropper.com   29th November

NetRange: 138.128.0.0 - 138.128.127.255
CIDR: 138.128.0.0/17
NetName: B2NETSOLUTIONS
NetHandle: NET-138-128-0-0-1
Parent: NET138 (NET-138-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: B2 Net Solutions Inc. (BNS-34)
OrgName: B2 Net Solutions Inc.
OrgId: BNS-34
Address: 350 Main Street
City: Buffalo
StateProv: NY
PostalCode: 14202
Country: US

NetRange: 74.221.208.0 - 74.221.223.255
CIDR: 74.221.208.0/20
NetName: DMEHOSTING
NetHandle: NET-74-221-208-0-1
Parent: NET74 (NET-74-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS19194, AS30058, AS3356
Organization: DME Hosting LLC (DHL-28)
OrgName: DME Hosting LLC
OrgId: DHL-28
Address: DME Hosting LLC
Address: P.O. Box 6727
Address: Chandler, AZ 85246
City: Chandler
StateProv: AZ
PostalCode: 85246
Country: US

NetRange: 23.229.0.0 - 23.229.127.255
CIDR: 23.229.0.0/17
NetName: B2NETSOLUTIONS
NetHandle: NET-23-229-0-0-1
Parent: NET23 (NET-23-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS55286
Organization: B2 Net Solutions Inc. (BNS-34)
OrgName: B2 Net Solutions Inc.
OrgId: BNS-34
Address: 350 Main Street
City: Buffalo
StateProv: NY
PostalCode: 14202
Country: US
Edited by ambrougham (Fri 05-Dec-14 03:06:12)
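Added example, not part of the original post: a containment check of the ten listed sender IPs against the three CIDR blocks in the quoted whois records, using only values from the post. The function names `attribute` and `per_org` are hypothetical; the check shows which senders the quoted records actually cover and which one they do not.

```python
import ipaddress

# Constructed from the table in the post: sender IP and the date first seen.
SENDERS = [
    ("138.128.1.75", "14th November"),
    ("138.128.1.76", "18th November"),
    ("74.221.215.108", "18th November"),
    ("138.128.146.25", "19th November"),
    ("138.128.1.70", "19th November"),
    ("23.229.2.10", "21st November"),
    ("138.128.1.74", "22nd November"),
    ("23.229.2.14", "25th November"),
    ("23.229.2.13", "26th November"),
    ("23.229.2.11", "29th November"),
]

# CIDR and OrgName pairs copied from the three whois records in the post.
NETBLOCKS = [
    ("138.128.0.0/17", "B2 Net Solutions Inc."),
    ("74.221.208.0/20", "DME Hosting LLC"),
    ("23.229.0.0/17", "B2 Net Solutions Inc."),
]

def attribute(senders, netblocks):
    """Return {cidr or 'unattributed': [(ip, first_seen), ...]}."""
    nets = [ipaddress.ip_network(cidr) for cidr, _org in netblocks]
    hits = {}
    for ip_text, first_seen in senders:
        ip = ipaddress.ip_address(ip_text)
        # First containing block wins; the three blocks do not overlap.
        block = next((str(n) for n in nets if ip in n), "unattributed")
        hits.setdefault(block, []).append((ip_text, first_seen))
    return hits

def per_org(hits, netblocks):
    """Roll the per-block hits up to a sender count per organisation."""
    org_of = dict(netblocks)
    counts = {}
    for block, rows in hits.items():
        org = org_of.get(block, "unattributed")
        counts[org] = counts.get(org, 0) + len(rows)
    return counts

if __name__ == "__main__":
    hits = attribute(SENDERS, NETBLOCKS)
    for block, rows in hits.items():
        print(block, [ip for ip, _seen in rows])
    print(per_org(hits, NETBLOCKS))
```

Eight of the ten senders fall inside the two B2 Net Solutions blocks and one inside the DME Hosting block; 138.128.146.25 lies outside 138.128.0.0/17, so none of the three quoted records accounts for it.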
|
|
|
This is the latest one I've received
"30 second application to reclaim your mis-sold PPI - News"
from
"The Claims Guys" < [email protected]>
|
|
|
And uknews4u.co.uk is also registered to Gamer SEO in New Jersey. Maybe someone needs to alert Nominet, perhaps they might have some grounds for blocking these people from registering loads of .uk domain names.
Kevin
|
|
|
Erhm, news just in: Apart from some (in)famous saying ... involving horses, stable doors and the implied need for ensuring said doors are always kept securely closed ... that immediately springs to mind, the reality is no one actually cares ! Not that there's anything much of significant benefit that can ever be done after the event in any case of course.
The book entitled "Abuse reports that not only got a surprise response but were actually dealt with satisfactorily and in a timely manner" might have a stupidly long title but it's a *very* slim book
Edited by ambrougham (Fri 05-Dec-14 16:36:14)
|
|
|
And today
"Save up to 75% on Term Life Insurance!"
from
"1 Click life cover" < [email protected]> again
|
|
|
Three more yesterday, two to MAAF address and one to Plusnet address, all three from our "friends" in New Jersey. They seem to come in waves.
Kevin
|
|
|
enom have taken domains down that have been spamming me in the past. http://www.enom.com/help/abusepolicy.aspx
Fortunately I'm not receiving this spam but that means I can't report it.
|
|
|
On the subject of spam I have seen lately that the daily archive I receive from TBB of this forum is being marked as spam by PN spam filtering:
From - Sun Dec 7 08:26:13 2014
X-Account-Key: account2
X-UIDL: UID3448-1354415677
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-path: <[email protected]>
Envelope-to: ********************
Delivery-date: Sun, 07 Dec 2014 04:00:17 +0000
Received: from [212.159.9.108] (helo=avasin06.plus.net)
by inmx18.plus.net with esmtp (PlusNet MXCore v2.00) id 1XxT17-0000dO-Bs
for **********************; Sun, 07 Dec 2014 04:00:17 +0000
Received: from forums.thinkbroadband.com ([80.249.99.126])
by avasin06.plus.net with Plusnet Cloudmark Gateway
id QU0F1p0012jd2Xk01U0Hc5; Sun, 07 Dec 2014 04:00:17 +0000
X-BV-Spam-Flag: Yes
X-IPAS: Level1
X-CM-Score: 100.00
X-CNFS-Analysis: v=2.1 cv=CskxcxID c=1 sm=1 tr=0 p=kKBspZn8AAAA:8
a=VJZ0osYEP1XnyGb118CJIQ==:117 a=VJZ0osYEP1XnyGb118CJIQ==:17 a=N3r_kG5WAAAA:8
a=0Bzu9jTXAAAA:8 a=jPJDawAOAc8A:10 a=cQpbHXsq0P4A:10 a=IkcTkHD0fZMA:10
a=V6u8MI9HLkQA:10 a=A92cGCtB03wA:10 a=8eBxuBjjAAAA:8 a=fT603s4aAAAA:8
a=-J5X6f-VI9n8anj7NRAA:9 a=gr2WIAH1ojpKKubq:21 a=96KzL2GI1kb2Azlg:21
a=QEXdDO2ut3YA:10 a=QqwN5xhc_0QA:10 a=Llc_S52AEjQA:10 a=ETL-AuEiIIQA:10
Received: from root by forums.thinkbroadband.com with local (Exim 4.69)
id 1XxT15-00080x-7d
for *************************; Sun, 07 Dec 2014 04:00:15 +0000
To: **************************
From: [email protected]
Reply-to: [email protected]
Sender: [email protected]
X-Mailer: thinkbroadband.com Forums
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Message-Id: <[email protected]>
Date: Sun, 07 Dec 2014 04:00:15 +0000
X-pn-pstn: Spam 1
X-PN-Virus-Filtered: by PlusNet MXCore (v5.00)
X-PN-Spam-Filtered: by PlusNet MXCore (v5.00)
Subject: [-SPAM-] =?UTF-8?B?dGhpbmticm9hZGJhbmQuY29tIC0gRGFpbHkgYXJjaGl2ZSBvZiBQbHVzTmV0IHBsYw==?=
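Added example, not part of the original post: a small triage helper that reads headers like the ones quoted above, lists the receiving hosts in delivery order, collects the values the filters stamped on the message, and decodes the RFC 2047 subject. The sample is constructed from a subset of the quoted headers with the redacted addresses left out; `triage` and `VERDICT_HEADERS` are hypothetical names.

```python
import re
from email import message_from_string, policy

# Constructed sample: a subset of the headers quoted in the post above, with
# the redacted recipient and sender addresses left out.
RAW = """\
Received: from [212.159.9.108] (helo=avasin06.plus.net)
 by inmx18.plus.net with esmtp (PlusNet MXCore v2.00) id 1XxT17-0000dO-Bs;
 Sun, 07 Dec 2014 04:00:17 +0000
Received: from forums.thinkbroadband.com ([80.249.99.126])
 by avasin06.plus.net with Plusnet Cloudmark Gateway
 id QU0F1p0012jd2Xk01U0Hc5; Sun, 07 Dec 2014 04:00:17 +0000
X-BV-Spam-Flag: Yes
X-IPAS: Level1
X-CM-Score: 100.00
X-pn-pstn: Spam 1
X-PN-Spam-Filtered: by PlusNet MXCore (v5.00)
Subject: [-SPAM-] =?UTF-8?B?dGhpbmticm9hZGJhbmQuY29tIC0gRGFpbHkgYXJjaGl2ZSBvZiBQbHVzTmV0IHBsYw==?=

"""

# Header names taken from the post; what each filter means by them is not
# documented on the page, so the values are reported rather than interpreted.
VERDICT_HEADERS = ("X-BV-Spam-Flag", "X-IPAS", "X-CM-Score", "X-pn-pstn")

def triage(raw):
    """Summarise who handled the message and what the filters stamped on it."""
    msg = message_from_string(raw, policy=policy.default)
    # Received headers are prepended, so reverse them for delivery order.
    hops = []
    for received in reversed(msg.get_all("Received", [])):
        match = re.search(r"\bby\s+(\S+)", str(received))
        if match:
            hops.append(match.group(1))
    subject = str(msg["Subject"])  # policy.default decodes the RFC 2047 word
    return {
        "hops": hops,
        "verdicts": {h: str(msg[h]) for h in VERDICT_HEADERS if msg[h] is not None},
        "subject": subject,
        "tagged": subject.startswith("[-SPAM-]"),
    }

if __name__ == "__main__":
    for key, value in triage(RAW).items():
        print(f"{key}: {value}")
```

The decoded subject is the forum's daily digest title, which is the detail a false-positive report to the mail provider needs alongside the verdict values.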
|
|
|
The Register has picked it up - Link
It doesn't look like there is any spam to the unique email address I have given Plusnet - I have only been with them for 11 months so maybe only partial hit or old hack/data
Ken
Nostalgia is memory with the pain removed
|
|
|
On the subject of spam I have seen lately that the daily archive I receive from TBB of this forum is being marked as spam by PN spam filtering:
That's par for the course. I've not used PN's latest spam filter offering but I do know without any doubt whatsoever that every previous offering has been a complete nightmare for false positives and other major side-effects. Vast amounts of totally genuine mail unreasonably detected as spam if not just silently deleted on receipt. Forum digests, forum post notifications, newsletters, e-commerce stuff, mail from overseas organisations ... no end of genuine problems. I have never been able to use filtering unless I really wanted to lose lots of genuine and often very important mail into the bargain. The only way of ensuring I get all my genuine mail has always been to not let PN do anything other than deliver everything to me so I can attempt to deal with the complete mess they've created.
Whilst spam filtering is notoriously difficult, it has to be said from my experience that historically PN have made a pretty poor job of it. For instance, when PN's in-house forum messages were routinely deleted as spam and "not spam" reports sent to PN in order to 'train' the system were also deleted as spam you just know you're not onto a winner. However in the above case with TBB forum digests recently being tagged, you can probably blame me (and others) for posting domain and IP info etc. relating to known spam sources in this thread I suspect which perhaps only goes to prove that the latest PN offering is just as bad as all previous attempts ! Nothing even remotely spammy about the digests in reality regardless of specific content so genuine mail is simply being tagged or deleted for no good reason whatsoever.
The only way of not receiving spam is to not have your e-mail addresses compromised in the first place. A situation I managed to enjoy for more than 10 years until PN first managed to provide a 3rd party with a customer e-mail database. Something they appear to have done on at least 3 occasions now. Just how many security breaches does a so-called professional IT company need to be in some way responsible for before some sort of external action gets taken and/or heads roll ? A somewhat insincere 'sorry' and providing a poor filtering system which at best only limits the problems PN experience in house just doesn't cut it.
With this particular data loss problem, all that appears to have happened to date is PN have ensured that there's no obvious smoking gun for any 3rd party investigation to find. Without such irrefutable evidence they can simply deny everything and walk away without so much as an insincere apology despite the mass of 'evidence' provided by customers various. It would appear that this is exactly what PN have chosen to do. It stinks, bigtime.
Edited by ambrougham (Sun 07-Dec-14 12:12:08)
|
|
|
|
|