email from idnet

Started by jane, Nov 20, 2010, 17:18:39


jane

Sorry if this sounds paranoid but I have just received an email purportedly from idnet requiring me to enter my username and password. The spelling mistakes in it make me suspicious. Has anyone else got one of these?
Jane

pctech

Chances are it's not from them, indeed I'd 100% say it's not from them.

Glenn

If it is asking for account details, then I would say it's a scam.
Glenn
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

.Griff.

What's the original header of the email?

zappaDPJ

It certainly sounds like a scam to me, I can't see any reason at all why IDNet would ask for that information as they already have it. If there's a URL contained within the email, I'd strongly advise you NOT to click it.
zap
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

jane

Thanks, as I suspected then. Here's what it says (my details deleted of course)

Return-Path: <helpdesk@idnet.com>
Delivered-To:
Received: from mailfilter1.idnet.net (mailfilter1.idnet.net [212.69.36.213])
   by mail.idnet.com (Postfix) with ESMTP id 1CA283A471F
   for <***>; Sat, 20 Nov 2010 16:31:09 +0000 (GMT)
Received: from localhost (unknown [127.0.0.1])
   by mailfilter1.idnet.net (Postfix) with ESMTP id 3EDEE981CA
   for <***>; Sat, 20 Nov 2010 16:30:12 +0000 (UTC)
X-Virus-Scanned: amavisd-new at idnet.com
X-Spam-Flag: NO
X-Spam-Score: 2.795
X-Spam-Level: **
X-Spam-Status: No, score=2.795 tagged_above=0 required=6 tests=[BAYES_00=-1.9,
   FREEMAIL_FORGED_REPLYTO=2.095, FREEMAIL_REPLYTO_END_DIGIT=1.151,
   RCVD_IN_BRBL_LASTEXT=1.449] autolearn=unavailable
Received: from mailfilter1.idnet.net ([127.0.0.1])
   by localhost (mailfilter1.idnet.net [127.0.0.1]) (amavisd-new, port 10040)
   with LMTP id Z2mlhnVRn712 for <removed - Rik>;
   Sat, 20 Nov 2010 16:30:12 +0000 (GMT)
Received: from mx1.idnet.net (mx1.idnet.net [212.69.36.17])
   by mailfilter1.idnet.net (Postfix) with ESMTP id 1A27C97A5E
   for <****>; Sat, 20 Nov 2010 16:30:12 +0000 (GMT)
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
Received: from btsskynet.net (mail.btsskynet.net [74.5.204.249])
   by mx1.idnet.net (Postfix) with SMTP id 4734053B98
   for <>; Sat, 20 Nov 2010 16:31:07 +0000 (GMT)
Received: (qmail 12791 invoked by uid 453); 20 Nov 2010 16:24:17 -0000
X-Virus-Checked: Checked by ClamAV on btsskynet.net
Received: from localhost (HELO localhost) (127.0.0.1)
   by btsskynet.net (qpsmtpd/0.40) with ESMTP; Sat, 20 Nov 2010 10:24:17 -0600
Received: from 41.138.184.9 ([41.138.184.9]) by mail.btsskynet.net (Horde
Framework) with HTTP; Sat, 20 Nov 2010 10:24:15 -0600
Message-ID: <20101120102415.69964p987v6mprms@mail.btsskynet.net>
Date: Sat, 20 Nov 2010 10:24:15 -0600
From: "Idnet.com Support Team" <helpdesk@idnet.com>
Reply-to: verification.teams77@hotmail.com
To: undisclosed-recipients:;
Subject: Account  Upgrade
MIME-Version: 1.0
Content-Type: text/plain;
charset=ISO-8859-1;
DelSp="Yes";
format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
User-Agent: Internet Messaging Program (IMP) H3 (4.3.5)



Dear Idnet.com Subscriber,

We are currently carrying-out a  maintenance
process to your Idnet.com account, to complete
this, you must reply to this mail immediately,
and enter your User Name here (,,,,,,,,) And
Password here (.......)  if you are the
rightful owner of this account.

This process we help us to fight against
spam mails.Failure to summit your password,
will render your email address in-active
from our database.

NOTE: If your have done this before, you may ignore
this mail. You will be send a password reset
messenge in next seven (7) working days after
undergoing this process for security reasons.

Thank you for using Idnet.com!
THE Idnet.com  TEAM




Jane

Personal details removed - Rik

Rik

Scam, an IDNet email wouldn't have a hotmail address in it, Jane.
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

jane

Thanks a lot. Be interesting to see if anyone else gets one.

Cheers

Jane

Rik

I've alerted support - thanks for letting us know.  :thumb:
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Baz

oppsss


yes my daughter has one.

Apologies to Rik about the PM for this, I should read the forum first.  :)

the Hotmail addy is a giveaway.

Rik

Plus IDNet don't use the idnet.com form of address, nor do they send to undisclosed recipients, all email would be one to one.
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.
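The header-level giveaways named in the posts above (a Reply-To on a different, free-mail domain and an undisclosed-recipients To line) can be checked mechanically, along with the point where the message first reached the ISP's own servers. This is an added example, not part of any post in the thread; the function names and the `FREEMAIL` list are assumptions, and the sample is abridged from the header posted earlier.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Abridged from the header posted earlier in this thread (recipient already removed there).
SAMPLE = """\
Received: from mx1.idnet.net (mx1.idnet.net [212.69.36.17])
   by mailfilter1.idnet.net (Postfix) with ESMTP id 1A27C97A5E
   for <removed>; Sat, 20 Nov 2010 16:30:12 +0000 (GMT)
Received: from btsskynet.net (mail.btsskynet.net [74.5.204.249])
   by mx1.idnet.net (Postfix) with SMTP id 4734053B98
   for <removed>; Sat, 20 Nov 2010 16:31:07 +0000 (GMT)
Received: from 41.138.184.9 ([41.138.184.9]) by mail.btsskynet.net (Horde
 Framework) with HTTP; Sat, 20 Nov 2010 10:24:15 -0600
From: "Idnet.com Support Team" <helpdesk@idnet.com>
Reply-to: verification.teams77@hotmail.com
To: undisclosed-recipients:;
Subject: Account  Upgrade

Dear Idnet.com Subscriber, ...
"""

FREEMAIL = {"hotmail.com", "gmail.com", "yahoo.com"}  # illustrative, not exhaustive
HOP = re.compile(r"from\s+(\S+).*?\[([\d.]+)\].*?\bby\s+(\S+)", re.S)


def _domain(header_value):
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _inside(host, own):
    host = host.lower()
    return host == own or host.endswith("." + own)


def triage(raw):
    """Return the header-level indicators pointed out in the thread."""
    msg = message_from_string(raw)
    from_dom, reply_dom = _domain(msg["From"]), _domain(msg["Reply-To"])
    found = []
    if reply_dom and reply_dom != from_dom:
        found.append("reply-to-domain-mismatch")
    if reply_dom in FREEMAIL and from_dom not in FREEMAIL:
        found.append("freemail-reply-to")
    if "undisclosed-recipients" in (msg["To"] or "").lower():
        found.append("undisclosed-recipients")
    return found


def boundary_hop(raw, own_domain):
    """First external host that handed the message to our own servers."""
    msg = message_from_string(raw)
    for value in msg.get_all("Received", []):  # newest hop first
        m = HOP.search(value)
        if not m:
            continue
        from_host, ip, by_host = m.groups()
        if ip.startswith("127.") or _inside(from_host, own_domain):
            continue  # loopback or internal relay, keep walking down
        if _inside(by_host, own_domain):
            return from_host, ip  # hops below this one can be forged
    return None
```

Calling `boundary_hop(SAMPLE, "idnet.net")` stops at the hand-off to mx1.idnet.net; Received lines beneath that hop were written by machines the recipient's ISP does not control.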


jrboden

Hi all just had this mail via my idnet email account  :slap:

Hi just had this email!!! perhaps warn your other customers about this!!!

"--------------------------------------------------
From: "Idnet.com Support Team" <helpdesk@idnet.com>
Sent: Saturday, November 20, 2010 4:24 PM
To: "undisclosed-recipients:"
Subject: Account  Upgrade

>
>
> Dear Idnet.com Subscriber,
>
> We are currently carrying-out a  maintenance
> process to your Idnet.com account, to complete
> this, you must reply to this mail immediately,
> and enter your User Name here (,,,,,,,,) And
> Password here (.......)  if you are the
> rightful owner of this account.
>
> This process we help us to fight against
> spam mails.Failure to summit your password,
> will render your email address in-active
> from our database.
>
> NOTE: If your have done this before, you may ignore
> this mail. You will be send a password reset
> messenge in next seven (7) working days after
> undergoing this process for security reasons.
>
> Thank you for using Idnet.com!
> THE Idnet.com  TEAM
>
>
>
>
>
>
>
> -----
> No virus found in this message.
> Checked by AVG - www.avg.com
> Version: 10.0.1153 / Virus Database: 424/3267 - Release Date: 11/19/10
>

The sender was verification.teams77@hotmail.com<verification.teams77@hotmail.com>;


I work in "IT" so seen it all before but some may fall for it - IDNET not sure if I was the only target so please warn your customers!!!

Rik

Thanks, merged with existing thread. :thumb:
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Technical Ben

Wow. How do they know you're with... oh wait. IDNet customers have "@idnet" addresses. Naturally. So it's a fishing expedition. Thanks for the heads up.
I used to have a signature, then it all changed to chip and pin.

Simon_idnet

Quote from: Technical Ben on Nov 20, 2010, 20:00:56
Wow. How do they know you're with... oh wait. IDNet customers have "@idnet" addresses. Naturally. So it's a fishing expedition. Thanks for the heads up.

It's known as "Spear Phishing"

Rik

Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Simon

Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

Rik

It's great having two Simons. ;)
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Glenn

Glenn
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Rik

You've got me hooked, go on. :)
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Simon

You mean, you don't get the point?
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

Rik

No, it must be the 'net. ;)
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Baz

Update on this. Seems my daughter has had another email about it calling it 'Final Notification'

Dear Idnet.com Subscriber,

We are currently carrying-out a  maintenance process to your Idnet.com
account, to complete this, you must reply to this mail immediately, and
enter your User Name here (,,,,,,,,) And Password here (.......)  if you
are the rightful owner of this account.

This process we help us to fight against spam mails.Failure to summit your
password,will render your email address in-active from our database.

NOTE: If your have done this before, you may ignore this mail. You will be
send a password reset messenge in next seven (7)working days after
undergoing this process for security reasons.

Thank you for using Idnet.com!
THE Idnet.com TEAM



Rik

Fairly standard 'push', Baz. Let's just hope no-one takes it as genuine.
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Baz

Yeah, hope not. It's surprising just how many fall for this type of scam though, isn't it.  :(

Rik

Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Technical Ben

Could IDNet ban the sender from their servers? if not for incoming, at least outgoing mail? If they use more than one address this is difficult I guess. But it must break T&C somewhere so a block is justified.
I used to have a signature, then it all changed to chip and pin.

pctech

ISP mentioned in the headers, btskynet.net is apparently in Kansas.


Rik

Quote from: Technical Ben on Nov 21, 2010, 14:38:05
Could IDNet ban the sender from their servers? if not for incoming, at least outgoing mail? If they use more than one address this is difficult I guess. But it must break T&C somewhere so a block is justified.

I don't think it touches IDNet's servers until delivery, Ben. Blocking the sending host may be too much of a broad brush.
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

pctech

btshynet would have to apply a filter to their mailservers to drop any mail that did not have btskynet.net as the from address.


armadillo

I also think that a lot of this kind of mail goes out from compromised zombie machines. That would definitely make blocking a sender too broad brush.

Rik

Good point, Dill. My worry is that if IDNet customers respond, IDNet will find itself blacklisted.
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

cecilsboy

I had one of these to an IDNET email address I seldom use. It set me wondering how the spammers got hold of that address. Could they have breached IDNET's security to gain access to IDNET's clients' emails?

Peter

Rik

I'd guess that the breach, if there is one, happened elsewhere, eg a compromised machine or website. I have about 10 idnet addresses, my primary one receives well over 100 messages/day and I have not had the scam email.
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Simon

I also have several IDNet email addresses, none of which have been 'hit'.
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

jane

Just out of interest, compare my 'final notification' to my previous one

Return-Path: <helpdesk@idnet.com>
Delivered-To:
Received: from mailfilter1.idnet.net (mailfilter1.idnet.net [212.69.36.213])
   by mail.idnet.com (Postfix) with ESMTP id F14834A4222;
   Sun, 21 Nov 2010 17:31:19 +0000 (GMT)
Received: from localhost (unknown [127.0.0.1])
   by mailfilter1.idnet.net (Postfix) with ESMTP id 19DB79820F;
   Sun, 21 Nov 2010 17:30:23 +0000 (UTC)
X-Virus-Scanned: amavisd-new at idnet.com
X-Spam-Flag: NO
X-Spam-Score: 1.346
X-Spam-Level: *
X-Spam-Status: No, score=1.346 tagged_above=0 required=6 tests=[BAYES_00=-1.9,
   FREEMAIL_FORGED_REPLYTO=2.095, FREEMAIL_REPLYTO_END_DIGIT=1.151]
   autolearn=no
Received: from mailfilter1.idnet.net ([127.0.0.1])
   by localhost (mailfilter1.idnet.net [127.0.0.1]) (amavisd-new, port 10040)
   with LMTP id i0JMHBckqAxN; Sun, 21 Nov 2010 17:30:19 +0000 (GMT)
Received: from mx1.idnet.net (mx1.idnet.net [212.69.36.17])
   by mailfilter1.idnet.net (Postfix) with ESMTP id 28DA19828D;
   Sun, 21 Nov 2010 17:30:19 +0000 (GMT)
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
Received: from mail.cds1.net (xena.cds1.net [216.174.197.150])
   by mx1.idnet.net (Postfix) with ESMTP id 87F4953B1F;
   Sun, 21 Nov 2010 17:31:15 +0000 (GMT)
Received: from secure.cds1.net (mercury [172.16.10.1])
   by mail.cds1.net (Postfix) with ESMTP id C3A81E010153;
   Sun, 21 Nov 2010 03:34:56 -0800 (PST)
Received: from 41.138.171.141
        (SquirrelMail authenticated user tedwilliams)
        by secure.cds1.net with HTTP;
        Sun, 21 Nov 2010 03:34:56 -0800 (PST)
Message-ID: <4900.41.138.171.141.1290339296.squirrel@secure.cds1.net>
Date: Sun, 21 Nov 2010 03:34:56 -0800 (PST)
Subject: Final Notification
From: "Idnet.com  Support  Team" <helpdesk@idnet.com>
Reply-To: verification.teams77@hotmail.com
User-Agent: SquirrelMail/1.4.11
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
To: undisclosed-recipients:;

Jane

Technical Ben

Also, to those worrying about their email address getting out. Never reply to these emails, as that is how they get your address. Also chain mail/messages are culprits for snagging people's emails.
Although, this could just be a random name generator and @IDNET.com put at the end. A lot of spammers get through, just by randomly typing names out.
I used to have a signature, then it all changed to chip and pin.

Noelle

I received it too on one of my 5 email addresses.

armadillo

I have 20 idnet.com addresses and not been hit on any of them. I agree with Rik that a big source of email addresses will be a compromised machine that holds your email address in stored emails or the address book.

I never get spam or phishing on any of my email addresses. At least not for long and I have never had any on an idnet address. I do not use any filtering of any kind, either on the ISP's server or on my PC and I never have in over ten years.

The reason I use so many email addresses is that each one is for a particular group of contacts, e.g. I have one for banks, one for on-line shopping etc. If I get a single spam message or two, I just delete and ignore. If I get three, I expect it to escalate. When it reaches 10 spams on the same email address, I delete the email address. Usually, nobody needs informing as often the contacts are not ones I need to receive further unsolicited mails from.

Another big cause of escalating spam is clicking an "unsubscribe" link in a spam email. It does not unsubscribe you. It just increases the spam value of your email address by confirming that your email address is used.

Also, do not display images in emails by default. Specifically display images only when you trust the source of the email. Spam emails often contain one or two pixel square transparent gif images whose sole purpose is to confirm to the spammer that your address has accessed his spam. (Those transparent images have unique URLs and they use standard hitcount software, available on all web hosts, to count whether or not each image has been accessed). The small transparent images can be included in emails that appear to be text only.

They use these tricks to trap even those who do not actively do anything to deserve it!

Once an email address has been confirmed as active, it becomes much more marketable on emailing lists. There are websites where it is possible to purchase lists of email addresses which have previously responded to spam. Often, they use stolen credit card details to make the purchases. And they can buy lists of stolen credit cards too.

Hey, there are some nice people out there.  :evil:
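The tracking images described in the post above can be spotted before a message is rendered. The following is an added example, not part of the post: it lists remote images in an HTML body that are 1x1 or hidden, which is the pattern described. The sample HTML, hostnames and function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body: one embedded logo, one ordinary banner, three beacons.
SAMPLE_HTML = """
<p>Plain-looking message text.</p>
<img src="cid:logo@example" width="120" height="40">
<img src="http://tracker.example/o.gif?id=7f3a9c" width="1" height="1">
<img src="https://cdn.example/banner.png" width="600" height="80">
<img src="http://tracker.example/p.gif?u=7f3a9c" style="width:1px;height:1px">
<img src="http://tracker.example/q.gif?u=7f3a9c" style="display: none">
"""


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))


def _dim(attrs, name):
    """Pixel size from the width/height attribute or inline style, else None."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", attrs.get(name) or "")
    if not m:
        m = re.search(rf"(?<![-\w]){name}\s*:\s*(\d+)px", attrs.get("style") or "")
    return int(m.group(1)) if m else None


def find_beacons(html):
    """Return the src of remote images that are 1x1 or hidden."""
    parser = _ImgCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.images:
        src = attrs.get("src") or ""
        if urlsplit(src).scheme not in ("http", "https"):
            continue  # cid:/data: images travel with the mail, no remote fetch
        w, h = _dim(attrs, "width"), _dim(attrs, "height")
        style = (attrs.get("style") or "").replace(" ", "").lower()
        tiny = w is not None and h is not None and w <= 1 and h <= 1
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden:
            hits.append(src)
    return hits
```

A mail client or gateway that blocks remote images by default defeats all three beacons in the sample, whatever their size.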

Simon

Good advice, Dill.  :thumb:
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

cecilsboy

I posted yesterday commenting that I had been hit on an email address that was infrequently used and asking whether the spammers could have access to IDNET's list of email addresses. The replies suggest that this is improbable and my email address may have been obtained elsewhere. However, my spammed email address was set up for a specific purpose, it has never sent emails and has only ever received 5 emails, one from IDNET, one from me (testing), and three from a single known correspondent. If the latter was the ultimate source for this email, I find it impossible to accept that his address book should also contain umpteen other IDNET.com addresses i.e. those who have also been spammed recently. If lists exist which contain multiple email addresses I find it unlikely that a spammer has filtered out selected IDNET.com addresses in order to send this recent spam.

How do IDNET protect their email addresses and what guarantees are there that a disgruntled ex employee has not sold on email addresses?

Sorry to be so persistent but a similar scenario happened with a previous ISP.

Peter




Rik

No-one here can give you the guarantees you seek, Peter, you'll need to seek them directly from IDNet. What I can say, however, is that from thousands of customers, we've only seen a handful of reports. Had the database been compromised, I'd expect to see many more. The message headers we've seen have been to undisclosed recipients, so we don't know who else was addressed, and there are no recently left employees, disgruntled or otherwise. The last person to leave did so two years ago.
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

cecilsboy

Thanks Rik for your assurances.

I'll close that email account anyhow.

Peter

Baz

I don't know enough about how these attacks happen but at my last ISP as I neared the end of my time with them I started to receive a lot of spam, from nothing to loads and was told by them, I think this has been mentioned in this thread too, that it may have just been my address format which was just my name 'Baz' with the first letter of my surname, then the '@oldisp.wotever' and it could have been random going through names adding letters and getting lucky.

My daughter has a similar format now with her address so it could be that. Would be interesting to know if the others that have been hit have a similar format.

Rik

Dictionary attacks, where you take a surname, say Smith, and then try different initials are the most common form of attack, Baz. They can be turned around to work on first names though.
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

armadillo

Quote from: cecilsboy on Nov 22, 2010, 16:48:31
However, my spammed email address was set up for a specific purpose, it has never sent emails and has only ever received 5 emails, one from IDNET, one from me (testing), and three from a single known correspondent. If the latter was the ultimate source for this email, I find it impossible to accept that his address book should also contain umpteen other IDNET.com addresses i.e. those who have also been spammed recently. If lists exist which contain multiple email addresses I find it unlikely that a spammer has filtered out selected IDNET.com addresses in order to send this recent spam.

As Rik says, dictionary spam is very common, i.e. they just use a bot to generate email addresses of the form {random character string}surname@isp.com

But if your three-mail correspondent was the source, there is no reason why he should have had any idnet address on his system apart from yours. The only idnet address gleaned from his system was your address. The other idnet addresses were gleaned from other sources.

The spammer did not filter out idnet addresses to receive the spam.

They use a program which starts with the text of the spam message with a gap to insert the isp name. The program then goes through the list of target email addresses (merged from one or more sources) and sorts them by isp. Then it inserts the appropriate isp name in the gaps. Then it uses a compromised zombie machine to email out the full set of completed emails to all the isps. The emails are loaded onto the zombie by interacting with a trojan which the spammer's software polls for over the internet. They can poll thousands of machines per second. A suitable trojan is often included in a spam email too.

Believe me, these guys are clever and mean and they make big profits. They will not learn anything from what I have written here!

Rik

Great explanation, Dill. I would add one point in support of what you say. The email purported to come from the IDNet.com team. IDNet have never used that term, to my mind, it was clearly extracted from an email addy.
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

armadillo

Thanks Rik. Yes, the spammers probably have "{ISP} team" in the pro-forma email input to the program.  The program just replaces {ISP} with the name of the isp, hence Idnet.com team. That whole email is consistent with a simple automated program.

Rik

Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

armadillo

I love where it has "messenge" instead of message.

Rik

Exactly. :)

Mind you, Miriam's spelling...  :whistle:
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

armadillo

I am usually not suspicious of spelling mistakes that are commonly made by native English speakers. But the ones made in the spam mails suggest that the programmer comes from Kazakhstan or some such place.

Rik

I'd got it down as Russian. ;)
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

armadillo

Yep. I'd go along with that.