Standard User RobertoS
(elder) Thu 10-Dec-20 21:01:27
Plusnet data leak?
 
I have just received an email advertising:- Heavily discounted, fully tenanted Doncaster city centre apartments from 90,000 pounds

It has come from an email address on one of my domains, with the part before the @ uniquely issued to and used on my Plusnet account for sending emails to me.

I migrated from Plusnet to AAISP several years ago.

__________________________________________________________
Sovereignty Means Sovereignty

My broadband basic info/help site - www.robertos.me.uk. Domains, sites and mail hosting - Tsohost & Ionos.
Connections: OnePlus 8 Pro max 165Mbps down, 24Mbps up on Three, and B311 4G, tbb tests normally 35-45Mbps down, 65Mbps off-peak, 9-24 up.
========================
Experience shows us that love does not consist in gazing at each other but in looking together in the same direction.
Antoine de Saint-Exupéry.
Standard User ian72
(eat-sleep-adslguide) Fri 11-Dec-20 11:03:44
Re: Plusnet data leak?
[re: RobertoS]
 
Are you sure it came from a PlusNet server rather than from a spoofed address? I get lots of emails from my email addresses but they do not come from my email server. If it didn't come from a PlusNet server and you have ever used that email address before then it is likely the "leak" was from somewhere else - ie one of the services that had your email address. You can put the email address in https://haveibeenpwned.com/ and see if it has been added to any leaked email address lists.
Standard User gary333
(experienced) Fri 11-Dec-20 12:00:23
Re: Plusnet data leak?
[re: RobertoS]
 
In reply to a post by RobertoS:
I have just received an email advertising:- Heavily discounted, fully tenanted Doncaster city centre apartments from 90,000 pounds

It has come from an email address on one of my domains, with the part before the @ uniquely issued to and used on my Plusnet account for sending emails to me.

I migrated from Plusnet to AAISP several years ago.


All I can say is don't buy, there are no nice apartments in Doncaster for that price :)


Standard User JennyCide
(newbie) Fri 11-Dec-20 12:02:58
Re: Plusnet data leak?
[re: ian72]
 
I don't think he's saying that the email was sent by plusnet but that it was sent to a unique email address which should only be known and used by plusnet. I do the same thing - I use the format [email protected] for every company I deal with and have had the same thing happen multiple times. Often it's a rogue employee (often in call centres) selling contact details but occasionally it will be a hack and leak/dump of data.
I've found responses hard to get from most companies - I wish I could name and shame as some companies were superb in engaging and others were utterly abysmal and in denial (one international company were fined for a massive data leak in 2017 but I'd had issues with them over a decade beforehand and they were not interested in any proof or any help I offered whereas another UK pc supplier held daily calls with me for a fortnight even after I'd given them all I could, they still wanted to update me, getting me to liaise with the Incident Response team they brought in and I couldn't fault their investigation or response)

Do try to see if you can track the sender (use something like https://whatismyipaddress.com/trace-email) but it'll probably just be a gmail account. Any info you can gather will help

It is worth alerting the cybersecurity team in Plusnet but also the DPO (snail mail only ironically);
FAO: The Data Protection Officer
Plusnet Plc
The Balance
2 Pinfold Street
Sheffield
S1 2GU

If you can't get any link to the security team from their website or forums then look on LinkedIn - I usually find that if I politely approach people that way and ask to be directed to the right person to discuss a potential breach I get a reasonable response.
ISP Representative uno
(isp) Fri 11-Dec-20 12:12:58
Re: Plusnet data leak?
[re: RobertoS]
 
Also factor in that this may not have been Plusnet at all. It could have also been any service in between, i.e. your email provider.

They will have logs of who you send mail to and receive mail from and a leak could have been from there also.

Matt

uno Communications
t: 0333 773 7700
uno Speedtest
The above post has been made by an ISP REPRESENTATIVE (although not necessarily the ISP being discussed in the post).
Standard User ian72
(eat-sleep-adslguide) Fri 11-Dec-20 12:15:50
Re: Plusnet data leak?
[re: JennyCide]
 
I don't think he's saying that the email was sent by plusnet but that it was sent to a unique email address which should only be known and used by plusnet.
OK, re-reading it I think you are right.

However, putting the address on haveibeenpwned would show if it has been part of a known data leak and what that leak was.
Standard User RobertoS
(elder) Fri 11-Dec-20 15:21:19
Re: Plusnet data leak?
[re: JennyCide]
 
Thanks Jenny. Exactly as you say, except it was a bit more complex than "company name". That would be a fairly simple one for a scammer or whatever to experiment with.

I'll do some checks later.

I have a sneaking feeling/memory that there was a publicised Plusnet leak a few years ago.

It isn't an address that I ever emailed or replied to either. The sign-up/login type.

Standard User RobertoS
(elder) Fri 11-Dec-20 15:26:34
Re: Plusnet data leak?
[re: uno]
 
That's a good point Matt, but I think unlikely in this case. Otherwise I would expect similar to have happened on several domains through the same mail host, over several decades.

Standard User E300
(member) Fri 11-Dec-20 15:41:50
Re: Plusnet data leak?
[re: uno]
 
I do the same thing, use a unique bit before the @ as I have my own domain for email. I've had numerous leaks as well, a couple of times it has been companies long since closed, then all of a sudden emails start coming in to the email address. I assume in these cases some hardware has been found and spun up and data has then been extracted.

I've tried contacting companies and letting them know and I've never been able to get any of them to take any interest and it's usually denials so now just don't bother.

It's become much less of a problem in recent years though for me, I can't remember the last time an email address that was unique to me has started getting spammed so companies seem to be taking it more seriously.

The Adobe hack in 2013 I still get emails to this day, I never see them in my inbox though as the email address is blacklisted, but just see them now and again if I'm checking in the trash for something. Once hacked those emails seem to keep on coming.
Standard User ian72
(eat-sleep-adslguide) Fri 11-Dec-20 16:58:54
Re: Plusnet data leak?
[re: E300]
 
I have had LinkedIn leak an email address I used as part of their big data loss.

Also, Curse (gaming add-ons), Gotowebinar, IWOOT and William Hill have all had unique addresses that are now used for spam. I don't know if it was because they had a data breach or another means but it seems to happen a lot. Only LinkedIn and William Hill show up on haveibeenpwned as being spotted in dark web lists so not sure why the others get spam.
Standard User RobertoS
(elder) Fri 11-Dec-20 17:26:09
Re: Plusnet data leak?
[re: ian72]
 
In reply to a post by ian72:
Are you sure it came from a PlusNet server rather than from a spoofed address? I get lots of emails from my email addresses but they do not come from my email server. If it didn't come from a PlusNet server and you have ever used that email address before then it is likely the "leak" was from somewhere else - ie one of the services that had your email address. You can put the email address in https://haveibeenpwned.com/ and see if it has been added to any leaked email address lists.
I had forgotten about the pwned lookup site.

I'd also for some reason not thought of checking the mail header before my OP. That contains a structure I haven't seen before:
envelope-from <studentbuildsmail-my relevant email address@mail.taylorcvance.com>

The email was received by my host's server "Received: from mail.taylorcvance.com", so that above must be a spoofing structure.

The "Return path" contains exactly the same structure.

The pwned site says:
Oh no — pwned!
Pwned in 1 data breach and found no pastes (subscribe to search sensitive breaches)
...

Onliner Spambot (spam list): In August 2017, a spambot by the name of Onliner Spambot was identified by security researcher Benkow moʞuƎq. The malicious software contained a server-based component located on an IP address in the Netherlands which exposed a large number of files containing personal information. In total, there were 711 million unique email addresses, many of which were also accompanied by corresponding passwords. A full write-up on what data was found is in the blog post titled Inside the Massive 711 Million Record Onliner Spambot Dump.
I shan't bother going any deeper :).

Standard User RobertoS
(elder) Fri 11-Dec-20 17:29:07
Re: Plusnet data leak?
[re: RobertoS]
 
Thanks to all who contributed.

It'll be interesting to see if any others from the same spammer, (a rather irrelevant website by the way), or other "Plusnet-secret" email addresses are reported here later.

Administrator MrSaffron
(staff) Sat 12-Dec-20 10:35:27
Re: Plusnet data leak?
[re: RobertoS]
 
My known addresses have been seeing apartment spam for various places for some time

The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
Standard User scuda
(newbie) Sat 12-Dec-20 11:31:58
Re: Plusnet data leak?
[re: MrSaffron]
 
I have been getting spam type emails via Plusnet for some time now.
This website https://www.ncsc.gov.uk/information/report-suspiciou... is the part of GCHQ that looks into suspect emails. I use it to report all spams I get.

Hope this helps

Scuda
Standard User RobertoS
(elder) Sat 12-Dec-20 11:43:41
Re: Plusnet data leak?
[re: MrSaffron]
 
So have mine. The point is, the address involved was not "known" except by Plusnet.

There is also the oddity that the website of the spammer was nothing to do with apartments.

Standard User ian72
(eat-sleep-adslguide) Mon 14-Dec-20 14:58:37
Re: Plusnet data leak?
[re: RobertoS]
 
I'm guessing someone has hacked that email server and is using it to send spam emails. I doubt the owners of the domain have any idea it is happening. Makes it very easy for spammers to just move around sending servers that are compromised to keep the spam flowing.
Standard User RobertoS
(elder) Mon 14-Dec-20 16:56:06
Re: Plusnet data leak?
[re: ian72]
 
Which server? Which domain?

How does your explanation explain the presence in the header of my unpublished email address in the strange construction, in that the only two domains in the email are mine and the purported sender, and the purported sender could not have any legitimate reason for knowing mine?

Even if the purported sender has been hacked, the email has still come to an address held only on a supposedly secure Plusnet database.

Standard User ian72
(eat-sleep-adslguide) Mon 14-Dec-20 17:22:13
Re: Plusnet data leak?
[re: RobertoS]
 
The from address is just a constructed address - they quite possibly include part of your email address to try and fool some simple filters.

If the trace in the headers comes from the domain shown as the sender as appears then it means it has come from their mail server - that means they've either been hacked or they are sending out spam themselves. The "hacker" would be using a spam address list (quite possibly from the breach you found listed on haveibeenpwned) and using the hacked mailserver to send them.

The breach you found is not a breach of PlusNet but of other services on the Internet - don't know much about the breach itself but somehow addresses were harvested and then were released in a breach. It is possible that the addresses were collected using hacked email relay servers at some point in the past and had nothing at all to do with PlusNet being hacked. If you get some malware onto an email relay server (or lots of them) then you could intercept email addresses that are going through that relay server.

Do you have the full header details from the email - it should have all of the routing information including the original source IP which would confirm if it definitely originated from the email servers it purports to be from - if so then they are hacked, if not then it just happens someone is spoofing their domain name to send the email.
Standard User RobertoS
(elder) Mon 14-Dec-20 19:19:24
Re: Plusnet data leak?
[re: ian72]
 
I can PM you the whole email source if you wish. Removing anything resembling my Plusnet-secret email address is too complex as it occurs in both normal and unusual formats. I don't know enough to know whether it is safe published on this site, even with the obvious actual address removed.

I'd rather not continue in public at that level of detail.

Standard User jaba
(member) Mon 14-Dec-20 20:56:41
Re: Plusnet data leak?
[re: RobertoS]
 
In reply to a post by RobertoS:
Thanks Jenny. Exactly as you say, except it was a bit more complex than "company name". That would be a fairly simple one for a scammer or whatever to experiment with.

I'll do some checks later.

I have a sneaking feeling/memory that there was a publicised Plusnet leak a few years ago.

It isn't an address that I ever emailed or replied to either. The sign-up/login type.


There was a major email hacking incident quite a few years ago before Plusnet became a BT sub genre. I forget the details now but it was bad, so bad that Plusnet offered me a free .co.uk domain for life presumably to use as a fresh email address. I accepted it but never used it. Plusnet however did renew it for years even when I had left Plusnet.

It ran out eventually and I was left to renew it last year myself. I didn't bother though.
Coincidentally I joined Ionos for emailing recently and they offered me a free domain so I have got it back again. The same domain free from two registrars might be a record of some sort.
Standard User jabuzzard
(experienced) Mon 14-Dec-20 23:14:21
Re: Plusnet data leak?
[re: RobertoS]
 
You do know that they sometimes dictionary spam the domain? So if your "supersecret" bit of [email protected] is in their dictionary of things to try then you are jiggered and they don't need to have ever seen it for you to get the email.
Standard User RobertoS
(elder) Mon 14-Dec-20 23:23:37
Re: Plusnet data leak?
[re: jabuzzard]
 
So far as I know it isn't in any dictionary. I'm not stupid.

Standard User RobertoS
(elder) Mon 14-Dec-20 23:42:24
Re: Plusnet data leak?
[re: RobertoS]
 
Unless anyone has experienced the same for "Plusnet-secret" email addresses, (as I said earlier it only came into existence as a unique login email address), please can people stop giving reasons why I could be wrong. The main reason for my OP was to see if it was something affecting multiple Plusnet login addresses.

I don't want to be impolite by not replying to suggestions, but in itself I'm not worried by it.

Doing a search on my emails I have found another couple in 2019 that had been moved direct to Junk by Thunderbird on receipt, so I didn't even know they had occurred. The reason I saw this one was I have a new laptop and a new installation of TB, which of course hasn't self-trained from my own Junking :).

There are many reasons why I could be wrong! That is why I also posted earlier that I had stopped, given the age of that detection.

If ian72 would like to see the whole source, as a matter of analysis by him and education for me as a result, that would interest me :). Beyond that, it doesn't bother me.


Edited by RobertoS (Mon 14-Dec-20 23:45:16)

Standard User ian72
(eat-sleep-adslguide) Tue 15-Dec-20 13:32:30
Re: Plusnet data leak?
[re: RobertoS]
 
Feel free to PM it to me if you want me to have a look - not guaranteeing any startling insight but I might be able to make some sense of it and give an idea of where it originated.
Standard User ian72
(eat-sleep-adslguide) Tue 15-Dec-20 13:34:04
Re: Plusnet data leak?
[re: jabuzzard]
 
If they were doing that there would be loads of emails received in this case - I believe Bob uses the same technique as I do by redirecting anything@domain to the actual email account. If using a dictionary spam everything would ultimately be received so the chance of accidentally coming across a single address that was used with a service is low - especially as Bob says it isn't a dictionary word.
Standard User RobertoS
(elder) Tue 15-Dec-20 16:40:43
Re: Plusnet data leak?
[re: ian72]
 
In reply to a post by ian72:
If they were doing that there would be loads of emails received in this case - I believe Bob uses the same technique as I do by redirecting anything@domain to the actual email account. If using a dictionary spam everything would ultimately be received so the chance of accidentally coming across a single address that was used with a service is low - especially as Bob says it isn't a dictionary word.
Correct.

Standard User Andrue
(eat-sleep-adslguide) Tue 15-Dec-20 20:29:54
Re: Plusnet data leak?
[re: RobertoS]
 
In reply to a post by RobertoS:
Unless anyone has experienced the same for "Plusnet-secret" email addresses, (as I said earlier it only came into existence as a unique login email address)
I also use a DEA system and there's nothing showing in my mail server's rules log that might be the old address I used.

---
Andrue Cope
Brackley, UK
Standard User Andrue
(eat-sleep-adslguide) Tue 15-Dec-20 20:44:05
Re: Plusnet data leak? *DELETED*
[re: ian72]
 
Post deleted by Andrue

Edited by Andrue (Tue 15-Dec-20 20:46:55)

Standard User Andrue
(eat-sleep-adslguide) Tue 15-Dec-20 20:56:13
Re: Plusnet data leak?
[re: ian72]
 
I use the same system (its official name is 'DEA' - Disposable Email Address) and how the address got out isn't the issue. As long as it's not something really simple like '[email protected]' which might conceivably be guessed or generated via a dictionary you can be sure that something nefarious is going on and it started with PN.

Yes a mail relay (should such things still exist) and snooping routers (paging the CIA?) could grab addresses but neither of those is very likely. Most SMTP exchanges are sender server connection direct to recipient server and I don't think the CIA and their ilk are likely to be the culprit here :)

If I tell PN to communicate with me as '[email protected]' that address is highly unlikely to be guessed or generated via a dictionary. So if spam starts appearing with that address anywhere in it then PN are to blame.

It's true that from: can be faked but that only means that most people can't be sure who the email was actually addressed to. It still remains true that a DEA address is a secret shared by only two people. I run my own mail server so I filter on RCPT TO: so I actually do know the address the email was sent to. And (should I care to look) the IP address of the sending mail server :)

---
Andrue Cope
Brackley, UK

Edited by Andrue (Tue 15-Dec-20 20:59:27)
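
Added example (not code from any poster in this thread): a Python sketch of the header checks discussed above, trusting only the Received line stamped by your own server, reading the envelope recipient from it, and looking that disposable address up in a register of who it was issued to. It also flags a Return-Path that embeds the recipient, a pattern bulk mailers use for bounce tracking (VERP). The message, domains, IPs, register entries and the Postfix-style Received layout are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed register: DEA local-part -> the single party it was issued to.
DEA_REGISTER = {
    "pn-7f3k9q": "ISP account login",
    "shop-x2m8": "online shop",
}
MY_DOMAIN = "example.org"      # hypothetical catch-all domain
MY_MX = "mx.myhost.example"    # hypothetical name of the receiving server

# Constructed sample. The lower Received line was supplied by the sender
# and may be entirely false; From: is likewise free text.
SAMPLE = """\
Return-Path: <bounce-pn-7f3k9q=example.org@mail.bulk-sender.example>
Received: from mail.bulk-sender.example (mail.bulk-sender.example [192.0.2.25])
\tby mx.myhost.example with ESMTP id ABC123
\tfor <pn-7f3k9q@example.org>; Thu, 10 Dec 2020 20:58:11 +0000
Received: from smtp.trusted-isp.example (smtp.trusted-isp.example [198.51.100.7])
\tby mail.bulk-sender.example with SMTP; Thu, 10 Dec 2020 20:58:09 +0000
From: "Property Deals" <offers@trusted-isp.example>
To: undisclosed-recipients:;
Subject: Discounted apartments

body
"""

# Assumes the common "from HELO (rdns [ip]) by HOST ... for <rcpt>" layout.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]*)\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)
FOR_RE = re.compile(r"\bfor\s+<([^>]+)>")


def parse_hops(msg):
    """Return Received headers newest-first as dicts (None where unparsable)."""
    hops = []
    for raw in msg.get_all("Received", []):
        flat = " ".join(raw.split())          # undo header folding
        hop = HOP_RE.search(flat)
        rcpt = FOR_RE.search(flat)
        hops.append({
            "helo": hop.group("helo") if hop else None,
            "ip": hop.group("ip") if hop else None,
            "by": hop.group("by") if hop else None,
            "for": rcpt.group(1).lower() if rcpt else None,
        })
    return hops


def analyse(raw, register=DEA_REGISTER, my_mx=MY_MX, my_domain=MY_DOMAIN):
    """Separate what our own server recorded from what the sender claimed."""
    msg = message_from_string(raw)
    hops = parse_hops(msg)

    # Only lines written by our own server count as evidence. Stop at the
    # first line written by anyone else: it and everything below are claims.
    trusted = []
    for hop in hops:
        if hop["by"] != my_mx:
            break
        trusted.append(hop)
    boundary = trusted[-1] if trusted else None

    rcpt = next((h["for"] for h in trusted if h["for"]), None)
    local, _, domain = (rcpt or "").partition("@")
    return_path = parseaddr(msg.get("Return-Path", ""))[1].lower()
    from_addr = parseaddr(msg.get("From", ""))[1].lower()

    return {
        "envelope_rcpt": rcpt,
        "issued_to": register.get(local) if domain == my_domain else None,
        "connecting_ip": boundary["ip"] if boundary else None,
        "connecting_host": boundary["helo"] if boundary else None,
        "unverified_hops": len(hops) - len(trusted),
        "return_path_domain": return_path.rpartition("@")[2],
        "from_domain": from_addr.rpartition("@")[2],
        "rcpt_embedded_in_return_path": bool(local) and local in return_path,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key:30} {value}")
```

A hit in `issued_to` says which party the address was given to, not how it escaped from them; `connecting_ip` is the only address in the message that the sender could not choose.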

Standard User Andrue
(eat-sleep-adslguide) Tue 15-Dec-20 21:04:34
Re: Plusnet data leak?
[re: JennyCide]
 
Exactly Jenny. If we're relying on the from: field reported by a mail client then we don't reliably know the actual address used to send the email. However the mere fact that someone other than PN and RobertoS knows that email to be valid is highly suspicious and whatever happened almost certainly started with PN or their servers.

- assuming it's a slightly obfuscated address.

---
Andrue Cope
Brackley, UK
Standard User pyarwood
(newbie) Thu 17-Dec-20 15:45:32
Re: Plusnet data leak?
[re: RobertoS]
 
This is a classic email spoof attempt.

Look in the headers to see the full details.
Standard User pyarwood
(newbie) Thu 17-Dec-20 15:48:45
Re: Plusnet data leak?
[re: Andrue]
 
ANY email address on the internet is easy to get.
They probably accessed a database of a company the user used,

but this is exactly the reason SPF and DMARC were created.
Standard User broadband66
(knowledge is power) Thu 17-Dec-20 16:45:24
Re: Plusnet data leak?
[re: pyarwood]
 
If you read the OP that is what is being said. The address was only used to communicate with one company and one only.

Was Eclipse Home Option 1, VM 2Mb & O2 Standard
Utility Warehouse (up to 16mbps) via Talk Talk, upgraded to fibre 40/10
Standard User RobertoS
(elder) Thu 17-Dec-20 17:09:06
Re: Plusnet data leak?
[re: broadband66]
 
And only from that company. Never used by me to send an email to anyone.

Edit: I see the poster registered here purely to make those two posts. That's odd in itself, seeing as everything they posted has been thoroughly covered in the thread.


Edited by RobertoS (Thu 17-Dec-20 17:11:18)

Standard User iannewson
(newbie) Thu 17-Dec-20 19:11:32
Re: Plusnet data leak?
[re: RobertoS]
 
I receive spam emails to an old [email protected] email address (but nothing to the [email protected] address). According to Have I Been Pwned it was in the "Onliner spambot" breach list https://haveibeenpwned.com/PwnedWebsites#OnlinerSpambot . Having seen how insecure certain forum software has been in the past I wouldn't be surprised if that's what route it came from (but I'm surmising).
Standard User ambrougham
(newbie) Thu 17-Dec-20 22:25:54
Re: Plusnet data leak?
[re: RobertoS]
 
I've seen similar content spam messages to some of my PN compromised addresses on and off for ages now. Most prevalent in 2019 and earlier it has to be said though.

The primary data breach was in May 2007 with the webmail platform being hacked. Long out-of-date OS/software with known vulnerabilities resulting in a database containing virtually all PN customers' e-mail addresses being acquired. Even if, like me, you didn't actually use webmail you were still screwed because PN had pre-loaded the webmail system with all customers' account and contact e-mail addresses etc. just in case they wanted to use the webmail system. Also, any e-mail address that had been 'seen' in any customer's webmail account was compromised. If, for instance, you had sent an e-mail from, say, gmail to a PN customer who used the webmail system then your gmail address was almost certainly compromised.

A secondary data breach occurred in November 2014 although I think from memory that PN denied everything so it's unclear exactly what happened. However, there was absolutely no shortage of evidence from a good many reliable PN customers that various e-mail addresses allegedly known only to PN had been compromised. A shiny new and to all intents and purposes unused PN account that I'd set up 'just in case' following the 2007 breach suddenly started receiving spam and occasionally still does. The e-mail addresses being abused were only known to PN and PUG plus possibly also to one other PN customer who generally used PN webmail all the time. IMHO there was definitely a smoking gun in Plusnet Towers.

I also have a certain amount of evidence suggesting several other possible data leaks but nowhere near sufficient to be in any way sure that it was actually down to PN. I believe that there were also some data breach(es) during 2017/18/19 mostly relating to the billing system although I didn't appear to be affected.

I'm still monitoring the use/abuse of my compromised PN addresses and accounts ... really must get a life! However, I don't see any recent evidence of further PN breaches but I can say that the level of spam to all compromised addresses has been on the increase again after a fairly lengthy lull. From past experience this is typical in the run up to Christmas and other public holidays in general although it does seem worse than usual.

I've also had something very odd going on with one address and Amazon recently. A specific PN address used only to open an Amazon A/C and place one single order. The Amazon A/C was then closed shortly afterwards with all personal data allegedly being permanently deleted. However, it now receives regular phishing attempts that are mostly, but not exclusively, Amazon related. The address was known only to PN & Amazon and it was only in use and/or visible to anyone in any way for literally just a couple of weeks during October 2020.

Click Here to see ye olde weekly F9/PN Spam Volume Chart. More spam than you can possibly shake a stick at :P
Thank you Plusnet, grrrrrrrrrr ...

Edited by ambrougham (Thu 17-Dec-20 22:30:22)

Standard User user7423
(committed) Fri 18-Dec-20 07:08:26
Re: Plusnet data leak?
[re: RobertoS]
 
I receive email spam about Doncaster and Liverpool city centre apartments daily. I am not with Plusnet, nor do I have any Plusnet email addresses.
Standard User clyde123
(member) Fri 18-Dec-20 09:48:02
Re: Plusnet data leak?
[re: user7423]
 
Yes, the same. Multiple spam daily except weekends for those properties.
Comes in to various email accounts I've used over the years. None Plusnet.
Those ones come in to email addresses that have been business related.
The headers change every day. They use different From addresses every day. They use a system with different sending domains every day. It's probably a big operation.

I fully understand the point the OP is making. The email address that it's being sent to (him) - that was obviously leaked from PN.
But once an address is on a spam list, it never dies.

A bit like my landline - for days now, I'm getting up to about 10 or 12 phone calls a day from "an automated message from Amazon". They start about 09.01 in the morning and generally never last beyond 2pm or so.
Standard User user7423
(committed) Fri 18-Dec-20 11:57:06
Re: Plusnet data leak?
[re: clyde123]

Same here, all to my business email accounts, except one, that I only use for social media. Mailwasher catches them, so I haven't looked closely at headers, but the sender email does change daily.
Standard User RobertoS
(elder) Fri 18-Dec-20 13:51:12
Re: Plusnet data leak?
[re: user7423]

Thanks to all that have contributed since my previous post, especially the plusnet.f9 ones.

Like you all, I get loads of similar ones about apartments and such, but to random addresses on my domains. Most being automatically routed to spam/junk.

It was the specific address that bothered me, and that does seem to have come as a result of the single hacked/copied database that got out a few years ago.

Just as a side question, are anyone's all from steve@random domain? Mine are. Given they are all on the same topic, apartments, it wouldn't be surprising.

:) 🎶
Administrator MrSaffron
(staff) Fri 18-Dec-20 14:09:29
Re: Plusnet data leak?
[re: RobertoS]

Yes to the Steve part

The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
Standard User ian72
(eat-sleep-adslguide) Fri 18-Dec-20 14:45:05
Re: Plusnet data leak?
[re: MrSaffron]

Yep, Steve has sent me 4 in the last hour - 3 for Doncaster and 1 for Edinburgh.
Standard User clyde123
(member) Fri 18-Dec-20 15:40:54
Re: Plusnet data leak?
[re: RobertoS]

Sadly I feel very lonely - I've got none from Steve !!!

I've only got two today - one Doncaster & one Edinburgh - but neither mention Steve.

I've actually been able to reduce this particular spam flow. PM me.
Standard User Andrue
(eat-sleep-adslguide) Fri 18-Dec-20 16:17:24
Re: Plusnet data leak?
[re: ambrougham]

In reply to a post by ambrougham:
Click Here to see ye olde weekly F9/PN Spam Volume Chart. More spam than you can possibly shake a stick at :P
Thank you Plusnet, grrrrrrrrrr ...
Haha, I don't monitor mine as such but from time to time when browsing the server logs I see a few I recognise. There's one in particular that I blacklisted over fifteen years ago that still makes a frequent appearance. I suppose that's going to be my lasting contribution to the internet.

The reason I mostly only shop from the big boys now is because most of the independents managed to leak my email address eventually. Sad.

---
Andrue Cope
Brackley, UK
Standard User Andrue
(eat-sleep-adslguide) Fri 18-Dec-20 16:19:18
Re: Plusnet data leak?
[re: clyde123]

In reply to a post by clyde123:
A bit like my landline - for days now, I'm getting up to about 10 or 12 phone calls a day from "an automated message from Amazon". They start about 09.01 in the morning and generally never last beyond 2pm or so.
Get a TrueCall unit. You'll still be called but the machine will deal with them without you ever noticing. I occasionally see its 'in use' light light up but after a few seconds it goes dark again and the caller goes off to bother someone else :)

---
Andrue Cope
Brackley, UK
Standard User Andrue
(eat-sleep-adslguide) Fri 18-Dec-20 16:23:23
Re: Plusnet data leak?
[re: RobertoS]

What makes me laugh are bouts of actual hack attempts on my server. Every now and again it will come under attack from someone actually trying to log on via IMAP or the website using a dictionary attack. And when I say 'dictionary attack' I've seen user names like:
dfgfdg
rfyrty56674763t
jhguyk
fghshstye46
4hdhj
tgdjd...

And one time the quite hilarious
GGGGGGGGGGGG
HHHHHHHHHHHHH
IIIIIIIIIII...

I suppose they have to start somewhere. But my server is set up with an escalating naughty step and after three failed attempts the IP address is blocked for three months. A drop in the ocean and it doesn't do it for IPv6 but hopefully it deters a few of them.

---
Andrue Cope
Brackley, UK
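
The lockout scheme described in the post above (three failed logins, then a long block), sketched as an added example; it is not the poster's server configuration. The doubling escalation, the 10-minute counting window, 90 days for "three months" and the per-/64 handling of IPv6 (which the post says its server does not do) are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

MAX_FAILURES = 3                 # from the post: three failed attempts
BASE_BAN = timedelta(days=90)    # "three months", taken as 90 days (assumption)
WINDOW = timedelta(minutes=10)   # assumption: only failures this close together count

def ban_key(addr):
    """Unit that gets blocked: one IPv4 address, or the whole /64 for IPv6."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        if ip.ipv4_mapped:                       # ::ffff:a.b.c.d is really IPv4
            return str(ip.ipv4_mapped)
        # A single host can rotate freely inside its /64, so block the prefix.
        return str(ipaddress.ip_network(f"{ip}/64", strict=False))
    return str(ip)

class Lockout:
    def __init__(self):
        self.failures = {}   # key -> timestamps of recent failed logins
        self.bans = {}       # key -> (ban expiry, number of bans so far)

    def is_blocked(self, addr, now):
        entry = self.bans.get(ban_key(addr))
        return entry is not None and now < entry[0]

    def record_failure(self, addr, now):
        """Count a failed login; return True if it triggered a ban."""
        key = ban_key(addr)
        recent = [t for t in self.failures.get(key, []) if now - t <= WINDOW]
        recent.append(now)
        self.failures[key] = recent
        if len(recent) < MAX_FAILURES:
            return False
        strikes = self.bans.get(key, (None, 0))[1] + 1
        # Escalation (assumption): each repeat offence doubles the ban length.
        self.bans[key] = (now + BASE_BAN * 2 ** (strikes - 1), strikes)
        self.failures[key] = []
        return True

# Constructed sample: failed IMAP logins from documentation address ranges.
T0 = datetime(2020, 12, 18, 16, 0, 0)
SAMPLE = [("192.0.2.10", 0), ("2001:db8:1:2::a", 5), ("2001:db8:1:2::b", 10),
          ("192.0.2.10", 15), ("2001:db8:1:2::c", 20), ("198.51.100.7", 25)]

def replay(events, start=T0):
    """Feed (address, seconds offset) failures in; return tracker and banned keys."""
    lk = Lockout()
    for addr, offset in events:
        lk.record_failure(addr, start + timedelta(seconds=offset))
    return lk, sorted(k for k, (exp, _) in lk.bans.items() if exp > start)
```

In the sample, the three IPv6 failures come from three different addresses in one /64 and still add up to a ban, while the IPv4 address with two failures stays unblocked.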
Standard User user7423
(committed) Fri 18-Dec-20 20:23:14
Re: Plusnet data leak?
[re: RobertoS]

In reply to a post by RobertoS:
Just as a side question, are anyone's all from steve@random domain? Mine are. Given they are all on the same topic, apartments, it wouldn't be surprising.

:) 🎶


Just checked mine in Mailwasher recycle bin, the Doncaster ones start with [email protected] different domains, [email protected] different domains [email protected] different domains [email protected] different domains and [email protected] different domains
Standard User RobertoS
(elder) Fri 18-Dec-20 23:31:50
Re: Plusnet data leak?
[re: user7423]

Not the domain :). We know those are all over the place. I mean before the @. All mine are from "steve", whatever the domain, and others have seen the same.

Standard User user7423
(committed) Sat 19-Dec-20 08:40:13
Re: Plusnet data leak?
[re: RobertoS]

No Steve's, all started with the town before the @