Standard User RobertoS (elder) Fri 11-Dec-20 17:26:09
Re: Plusnet data leak? [re: ian72]

In reply to a post by ian72:
Are you sure it came from a PlusNet server rather than from a spoofed address? I get lots of emails from my email addresses but they do not come from my email server. If it didn't come from a PlusNet server and you have ever used that email address before then it is likely the "leak" was from somewhere else - ie one of the services that had your email address. You can put the email address in https://haveibeenpwned.com/ and see if it has been added to any leaked email address lists.
I had forgotten about the pwned lookup site.

I'd also for some reason not thought of checking the mail header before my OP. That contains a structure I haven't seen before:
envelope-from <studentbuildsmail-my relevant email address@mail.taylorcvance.com>

The email was received by my host's server "Received: from mail.taylorcvance.com", so that above must be a spoofing structure.

The "Return path" contains exactly the same structure.

The pwned site says:
Oh no — pwned!
Pwned in 1 data breach and found no pastes (subscribe to search sensitive breaches)
...

Onliner Spambot (spam list): In August 2017, a spambot by the name of Onliner Spambot was identified by security researcher Benkow moʞuƎq. The malicious software contained a server-based component located on an IP address in the Netherlands which exposed a large number of files containing personal information. In total, there were 711 million unique email addresses, many of which were also accompanied by corresponding passwords. A full write-up on what data was found is in the blog post titled Inside the Massive 711 Million Record Onliner Spambot Dump.
I shan't bother going any deeper :)

__________________________________________________________
Sovereignty Means Sovereignty

My broadband basic info/help site - www.robertos.me.uk. Domains, sites and mail hosting - Tsohost & Ionos.
Connections: OnePlus 8 Pro max 165Mbps down, 24Mbps up on Three, and B311 4G, tbb tests normally 35-45Mbps down, 65Mbps off-peak, 9-24 up.
========================
Experience shows us that love does not consist in gazing at each other but in looking together in the same direction.
Antoine de Saint-Exupéry.
Standard User RobertoS (elder) Fri 11-Dec-20 17:29:07
Re: Plusnet data leak? [re: RobertoS]

Thanks to all who contributed.

It'll be interesting to see if any others from the same spammer (a rather irrelevant website, by the way), or other "Plusnet-secret" email addresses, are reported here later.

Administrator MrSaffron (staff) Sat 12-Dec-20 10:35:27
Re: Plusnet data leak? [re: RobertoS]

My known addresses have been seeing apartment spam for various places for some time.

Standard User scuda (newbie) Sat 12-Dec-20 11:31:58
Re: Plusnet data leak? [re: MrSaffron]

I have been getting spam type emails via Plusnet for some time now.
This website https://www.ncsc.gov.uk/information/report-suspiciou... is the part of GCHQ that looks into suspect emails. I use it to report all spams I get.

Hope this helps

Scuda
Standard User RobertoS (elder) Sat 12-Dec-20 11:43:41
Re: Plusnet data leak? [re: MrSaffron]

So have mine. The point is, the address involved was not "known" except by Plusnet.

There is also the oddity that the website of the spammer was nothing to do with apartments.

Standard User ian72 (eat-sleep-adslguide) Mon 14-Dec-20 14:58:37
Re: Plusnet data leak? [re: RobertoS]

I'm guessing someone has hacked that email server and is using it to send spam emails. I doubt the owners of the domain have any idea it is happening. Makes it very easy for spammers to just move around sending servers that are compromised to keep the spam flowing.
Standard User RobertoS (elder) Mon 14-Dec-20 16:56:06
Re: Plusnet data leak? [re: ian72]

Which server? Which domain?

How does your explanation explain the presence in the header of my unpublished email address in the strange construction, in that the only two domains in the email are mine and the purported sender, and the purported sender could not have any legitimate reason for knowing mine?

Even if the purported sender has been hacked, the email has still come to an address held only on a supposedly secure Plusnet database.

Standard User ian72 (eat-sleep-adslguide) Mon 14-Dec-20 17:22:13
Re: Plusnet data leak? [re: RobertoS]

The from address is just a constructed address - they quite possibly include part of your email address to try and fool some simple filters.

If the trace in the headers comes from the domain shown as the sender, as it appears, then it means it has come from their mail server - that means they've either been hacked or they are sending out spam themselves. The "hacker" would be using a spam address list (quite possibly from the breach you found listed on haveibeenpwned) and using the hacked mailserver to send them.

The breach you found is not a breach of PlusNet but of other services on the Internet - don't know much about the breach itself but somehow addresses were harvested and then were released in a breach. It is possible that the addresses were collected using hacked email relay servers at some point in the past and had nothing at all to do with PlusNet being hacked. If you get some malware onto an email relay server (or lots of them) then you could intercept email addresses that are going through that relay server.

Do you have the full header details from the email - it should have all of the routing information including the original source IP which would confirm if it definitely originated from the email servers it purports to be from - if so then they are hacked, if not then it just happens someone is spoofing their domain name to send the email.
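One way to do the check ian72 describes, as an added example that is not code from any poster in this thread: parse every Received header oldest-first, take the hop that handed the message to your own MX, and compare that host with the domain claimed in From. It also flags the construction RobertoS quoted, where the recipient's own address is embedded in the local part of the envelope sender (a common bounce-tracking technique; it tells you who built that address, not where the address list came from). The raw message, hostnames, IP addresses and the recipient address below are all constructed for illustration.

```python
"""Check where a message actually entered the mail path versus where it claims
to come from.

Added example, not code from the thread or from any poster. The raw message,
hostnames, IP addresses and the recipient address below are all constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample. The envelope sender embeds the recipient's address in its
# local part (a bounce-tracking construction like the one quoted in the
# thread). Every host, IP and address here is a placeholder.
RAW_MESSAGE = """\
Return-Path: <bulk-victim=example.net@mail.sender.example>
Received: from mail.sender.example (mail.sender.example [203.0.113.5])
    by mx.example.net (Postfix) with ESMTPS id 4C0FF
    for <victim@example.net>; Fri, 11 Dec 2020 16:02:11 +0000
Received: from [198.51.100.77] (unknown [198.51.100.77])
    by mail.sender.example (Postfix) with ESMTPA id 9A1B2
    for <victim@example.net>; Fri, 11 Dec 2020 16:02:09 +0000
From: "Lettings" <noreply@sender.example>
To: victim@example.net
Subject: Apartments near you
Content-Type: text/plain

Hello
"""

# "from <helo> (<rdns> [<ip>]) ... by <host>"; the parenthesised part is what
# the receiving server recorded, the HELO name is whatever the client claimed.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[]*)\s*\[(?P<ip>[^\]]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)",
    re.DOTALL,
)


def received_hops(raw):
    """Parse all Received headers and return them oldest-first."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append({k: (v or "") for k, v in m.groupdict().items()})
    # Each relay prepends its own header, so the last one is the first hop.
    hops.reverse()
    return hops


def in_domain(host, domain):
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def assess(raw):
    """Compare the claimed From domain with the host that handed the message
    to our own MX, and flag an envelope sender that carries the recipient."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    envelope = parseaddr(msg.get("Return-Path", ""))[1]
    env_local = envelope.rpartition("@")[0]
    recipient = parseaddr(msg.get("To", ""))[1]
    hops = received_hops(raw)
    origin = hops[0] if hops else {}
    handoff = hops[-1] if hops else {}  # the hop recorded by our own server

    # A bounce-tracking sender often rewrites "user@dom" as "user=dom".
    recipient_tagged = (recipient in env_local
                        or recipient.replace("@", "=") in env_local)
    handoff_matches = in_domain(handoff.get("rdns", ""), from_domain)

    if handoff_matches:
        verdict = ("delivered by a server in the claimed domain: that host "
                   "is sending it, whether compromised or on purpose")
    else:
        verdict = "claimed domain never handled it: From/envelope are spoofed"

    return {
        "from_domain": from_domain,
        "envelope_sender": envelope,
        "recipient_in_envelope": recipient_tagged,
        "origin_ip": origin.get("ip", ""),
        "origin_rdns": origin.get("rdns", ""),
        "handoff_host": handoff.get("rdns", ""),
        "handoff_matches_from": handoff_matches,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in assess(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

Only the topmost Received header, the one written by your own MX, is trustworthy: everything below it arrived inside the message from the sending side and can be forged, so the "origin" hop is evidence, not proof. Read the Authentication-Results header your provider adds (SPF, DKIM, DMARC results) alongside this before deciding whether the claimed domain really sent the mail.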
Standard User RobertoS (elder) Mon 14-Dec-20 19:19:24
Re: Plusnet data leak? [re: ian72]

I can PM you the whole email source if you wish. Removing anything resembling my Plusnet-secret email address is too complex as it occurs in both normal and unusual formats. I don't know enough to know whether it is safe published on this site, even with the obvious actual address removed.

I'd rather not continue in public at that level of detail.

Standard User jaba (member) Mon 14-Dec-20 20:56:41
Re: Plusnet data leak? [re: RobertoS]

In reply to a post by RobertoS:
Thanks Jenny. Exactly as you say, except it was a bit more complex than "company name". That would be a fairly simple one for a scammer or whatever to experiment with.

I'll do some checks later.

I have sneaking feeling/memory that there was a publicised Plusnet leak a few years ago.

It isn't an address that I ever emailed or replied to either. The sign-up/login type.


There was a major email hacking incident quite a few years ago before Plusnet became a BT sub genre. I forget the details now but it was bad, so bad that Plusnet offered me a free .co.uk domain for life presumably to use as a fresh email address. I accepted it but never used it. Plusnet however did renew it for years even when I had left Plusnet.

It ran out eventually and I was left to renew it last year myself. I didn't bother though.
Coincidentally I joined Ionos for emailing recently and they offered me a free domain so I have got it back again. The same domain free from two registrars might be a record of some sort.