email from idnet

jane · Nov 20, 2010, 17:18:39

Sorry if this sounds paranoid but I have just received an email purportedly from idnet requiring me to enter my username and password. The spelling mistakes in it make me suspicious. Has anyone else got one of these?
Jane

pctech · Nov 20, 2010, 17:22:58

Chances are its not from them, indeed I'd 100% say its not from them.

Glenn · Nov 20, 2010, 17:24:50

If it is asking for account details, then I would say it's a scam.

.Griff. · Nov 20, 2010, 17:29:09

What's the original header of the email?

zappaDPJ · Nov 20, 2010, 17:29:36

It certainly sounds like a scam to me, I can't see any reason at all why IDNet would ask for that information as they already have it. If there's a URL contained within the email, I'd strongly advise you NOT to click it.

jane · Nov 20, 2010, 17:33:47

Thanks, as I suspected then. Here's what it says (my deatils deleted of course)

Return-Path: <helpdesk@idnet.com>
Delivered-To:Received: from mailfilter1.idnet.net (mailfilter1.idnet.net [212.69.36.213])
   by mail.idnet.com (Postfix) with ESMTP id 1CA283A471F
   for <***>; Sat, 20 Nov 2010 16:31:09 +0000 (GMT)
Received: from localhost (unknown [127.0.0.1])
   by mailfilter1.idnet.net (Postfix) with ESMTP id 3EDEE981CA
   for <***>; Sat, 20 Nov 2010 16:30:12 +0000 (UTC)
X-Virus-Scanned: amavisd-new at idnet.com
X-Spam-Flag: NO
X-Spam-Score: 2.795
X-Spam-Level: **
X-Spam-Status: No, score=2.795 tagged_above=0 required=6 tests=[BAYES_00=-1.9,
   FREEMAIL_FORGED_REPLYTO=2.095, FREEMAIL_REPLYTO_END_DIGIT=1.151,
   RCVD_IN_BRBL_LASTEXT=1.449] autolearn=unavailable
Received: from mailfilter1.idnet.net ([127.0.0.1])
   by localhost (mailfilter1.idnet.net [127.0.0.1]) (amavisd-new, port 10040)
   with LMTP id Z2mlhnVRn712 for <removed - Rik>;
   Sat, 20 Nov 2010 16:30:12 +0000 (GMT)
Received: from mx1.idnet.net (mx1.idnet.net [212.69.36.17])
   by mailfilter1.idnet.net (Postfix) with ESMTP id 1A27C97A5E
   for <****>; Sat, 20 Nov 2010 16:30:12 +0000 (GMT)
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
Received: from btsskynet.net (mail.btsskynet.net [74.5.204.249])
   by mx1.idnet.net (Postfix) with SMTP id 4734053B98
   for <>; Sat, 20 Nov 2010 16:31:07 +0000 (GMT)
Received: (qmail 12791 invoked by uid 453); 20 Nov 2010 16:24:17 -0000
X-Virus-Checked: Checked by ClamAV on btsskynet.net
Received: from localhost (HELO localhost) (127.0.0.1)
by btsskynet.net (qpsmtpd/0.40) with ESMTP; Sat, 20 Nov 2010 10:24:17 -0600
Received: from 41.138.184.9 ([41.138.184.9]) by mail.btsskynet.net (Horde
Framework) with HTTP; Sat, 20 Nov 2010 10:24:15 -0600
Message-ID: <20101120102415.69964p987v6mprms@mail.btsskynet.net>
Date: Sat, 20 Nov 2010 10:24:15 -0600
From: "Idnet.com Support Team" <helpdesk@idnet.com>
Reply-to: verification.teams77@hotmail.com
To: undisclosed-recipients:;
Subject: Account Upgrade
MIME-Version: 1.0
Content-Type: text/plain;
charset=ISO-8859-1;
DelSp="Yes";
format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
User-Agent: Internet Messaging Program (IMP) H3 (4.3.5)

Dear Idnet.com Subscriber,

We are currently carrying-out a maintenance
process to your Idnet.com account, to complete
this, you must reply to this mail immediately,
and enter your User Name here (,,,,,,,,) And
Password here (.......) if you are the
rightful owner of this account.

This process we help us to fight against
spam mails.Failure to summit your password,
will render your email address in-active
from our database.

NOTE: If your have done this before, you may ignore
this mail. You will be send a password reset
messenge in next seven (7) working days after
undergoing this process for security reasons.

Thank you for using Idnet.com!
THE Idnet.com TEAM

Jane

Personal details removed - Rik

Rik · Nov 20, 2010, 17:35:34

Scam, an IDNet email wouldn't have a hotmail address in it, Jane.

jane · Nov 20, 2010, 17:37:00

Thank a lot. Be interesting to see if anyone else gets one.

Cheers

Jane

Rik · Nov 20, 2010, 17:39:59

I've alerted support - thanks for letting us know.

Baz · Nov 20, 2010, 17:45:19

oppsss

yes my daughter has one.

Apologies to Rik about the PM for this,I should read the forum first.

the Hotmail addy is a giveaway.

Rik · Nov 20, 2010, 17:46:32

Plus IDNet don't use the idnet.com form of address, nor do they send to undisclosed recipients, all email would be one to one.

DorsetBoy · Nov 20, 2010, 17:58:20

The last 3 entries on this search page are rather interesting

http://www.google.co.uk/search?client=opera&rls=en&q=verification.teams77@hotmail.com&sourceid=opera&ie=utf-8&oe=utf-8

jrboden · Nov 20, 2010, 17:59:16

Hi all just had this mail via my idnet email account

Hi just had this email!!! perhaps warn your other customers about this!!!

"--------------------------------------------------
From: "Idnet.com Support Team" <helpdesk@idnet.com>
Sent: Saturday, November 20, 2010 4:24 PM
To: "undisclosed-recipients:"
Subject: Account Upgrade

>
>
> Dear Idnet.com Subscriber,
>
> We are currently carrying-out a maintenance
> process to your Idnet.com account, to complete
> this, you must reply to this mail immediately,
> and enter your User Name here (,,,,,,,,) And
> Password here (.......) if you are the
> rightful owner of this account.
>
> This process we help us to fight against
> spam mails.Failure to summit your password,
> will render your email address in-active
> from our database.
>
> NOTE: If your have done this before, you may ignore
> this mail. You will be send a password reset
> messenge in next seven (7) working days after
> undergoing this process for security reasons.
>
> Thank you for using Idnet.com!
> THE Idnet.com TEAM
>
>
>
>
>
>
>
> -----
> No virus found in this message.
> Checked by AVG - www.avg.com
> Version: 10.0.1153 / Virus Database: 424/3267 - Release Date: 11/19/10
>

The sender was verification.teams77@hotmail.com<verification.teams77@hotmail.com>;

I work in "IT" so seen it all before but some may fall for it - IDNET not sure if I was the only target so pleasd warn your customers!!!

Rik · Nov 20, 2010, 18:00:13

Thanks, merged with existing thread.

Technical Ben · Nov 20, 2010, 20:00:56

Wow. How do they know your with... oh wait. IDNet customers have "@idnet" addresses. Naturally. So it's a fishing expedition. Thanks for the heads up.

Simon_idnet · Nov 21, 2010, 07:25:51

Quote from: Technical Ben on Nov 20, 2010, 20:00:56
Wow. How do they know your with... oh wait. IDNet customers have "@idnet" addresses. Naturally. So it's a fishing expedition. Thanks for the heads up.

It's known as "Spear Phishing"

Rik · Nov 21, 2010, 11:32:50

Why Spear, Simon?

Simon · Nov 21, 2010, 11:36:13

http://www.microsoft.com/protect/fraud/phishing/symptoms.aspx

Rik · Nov 21, 2010, 11:36:57

It's great having two Simons.

Glenn · Nov 21, 2010, 11:37:58

Quote from: Rik on Nov 21, 2010, 11:32:50
Why Spear, Simon?

More precise than trawling?

Rik · Nov 21, 2010, 11:43:50

You've got me hooked, go on.

Simon · Nov 21, 2010, 11:49:43

You mean, you don't get the point?

Rik · Nov 21, 2010, 11:55:04

No, it must be the 'net.

Baz · Nov 21, 2010, 13:19:07

update on this.seems my daughter has had another email about it calling it ' Final Notification '

Dear Idnet.com Subscriber,

We are currently carrying-out a maintenance process to your Idnet.com
account, to complete this, you must reply to this mail immediately, and
enter your User Name here (,,,,,,,,) And Password here (.......) if you
are the rightful owner of this account.

This process we help us to fight against spam mails.Failure to summit your
password,will render your email address in-active from our database.

NOTE: If your have done this before, you may ignore this mail. You will be
send a password reset messenge in next seven (7)working days after
undergoing this process for security reasons.

Thank you for using Idnet.com!
THE Idnet.com TEAM

Rik · Nov 21, 2010, 13:25:01

Fairly standard 'push', Baz. Let's just hope no-one takes it as genuine.

Baz · Nov 21, 2010, 13:26:04

yeah hope not.its surprising just how many fall for this type of scam though isnt it.

Rik · Nov 21, 2010, 13:37:31

Too many, Baz.

Technical Ben · Nov 21, 2010, 14:38:05

Could IDNet ban the sender from their servers? if not for incoming, at least outgoing mail? If they use more than one address this is difficult I guess. But it must break T&C somewhere so a block is justified.

pctech · Nov 21, 2010, 15:07:39

ISP mentioned in the headers, btskynet.net is apparently in Kansas.

Rik · Nov 21, 2010, 15:35:12

Quote from: Technical Ben on Nov 21, 2010, 14:38:05
Could IDNet ban the sender from their servers? if not for incoming, at least outgoing mail? If they use more than one address this is difficult I guess. But it must break T&C somewhere so a block is justified.

I don't think it touches IDNet's servers until delivery, Ben. Blocking the sending host may be too much of a broad brush.

pctech · Nov 21, 2010, 16:28:50

btshynet would have to apply a filter to their mailservers to drop any mail that did not have btskynet.net as the from address.

armadillo · Nov 21, 2010, 17:08:07

I also think that a lot of this kind of mail goes out from compromised zombie machines. That would definitely make blocking a sender too broad brush.

Rik · Nov 21, 2010, 17:09:33

Good point, Dill. My worry is that if IDNet customers respond, IDNet will find itself blacklisted.

cecilsboy · Nov 21, 2010, 18:12:52

I had one of these to an IDNET email address I seldom use. It set me wondering how the spammers got hold of that address. Could they have breached IDNET's security to gain access to IDNET's client's emails?

Peter

Rik · Nov 21, 2010, 18:15:35

I'd guess that the breach, if there is one, happened elsewhere, eg a compromised machine or website. I have about 10 idnet addresses, my primary one receives well over 100 messages/day and I have not had the scam email.

Simon · Nov 21, 2010, 18:27:40

I also have several IDNet email addresses, none of which have been 'hit'.

jane · Nov 21, 2010, 20:38:05

Just out of interest, compare my 'final notifaction' to my previous one

Return-Path: <helpdesk@idnet.com>
Delivered-To:
Received: from mailfilter1.idnet.net (mailfilter1.idnet.net [212.69.36.213])
   by mail.idnet.com (Postfix) with ESMTP id F14834A4222;
   Sun, 21 Nov 2010 17:31:19 +0000 (GMT)
Received: from localhost (unknown [127.0.0.1])
   by mailfilter1.idnet.net (Postfix) with ESMTP id 19DB79820F;
   Sun, 21 Nov 2010 17:30:23 +0000 (UTC)
X-Virus-Scanned: amavisd-new at idnet.com
X-Spam-Flag: NO
X-Spam-Score: 1.346
X-Spam-Level: *
X-Spam-Status: No, score=1.346 tagged_above=0 required=6 tests=[BAYES_00=-1.9,
   FREEMAIL_FORGED_REPLYTO=2.095, FREEMAIL_REPLYTO_END_DIGIT=1.151]
   autolearn=no
Received: from mailfilter1.idnet.net ([127.0.0.1])
   by localhost (mailfilter1.idnet.net [127.0.0.1]) (amavisd-new, port 10040)
   with LMTP id i0JMHBckqAxN; Sun, 21 Nov 2010 17:30:19 +0000 (GMT)
Received: from mx1.idnet.net (mx1.idnet.net [212.69.36.17])
   by mailfilter1.idnet.net (Postfix) with ESMTP id 28DA19828D;
   Sun, 21 Nov 2010 17:30:19 +0000 (GMT)
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
Received: from mail.cds1.net (xena.cds1.net [216.174.197.150])
   by mx1.idnet.net (Postfix) with ESMTP id 87F4953B1F;
   Sun, 21 Nov 2010 17:31:15 +0000 (GMT)
Received: from secure.cds1.net (mercury [172.16.10.1])
   by mail.cds1.net (Postfix) with ESMTP id C3A81E010153;
   Sun, 21 Nov 2010 03:34:56 -0800 (PST)
Received: from 41.138.171.141
(SquirrelMail authenticated user tedwilliams)
by secure.cds1.net with HTTP;
Sun, 21 Nov 2010 03:34:56 -0800 (PST)
Message-ID: <4900.41.138.171.141.1290339296.squirrel@secure.cds1.net>
Date: Sun, 21 Nov 2010 03:34:56 -0800 (PST)
Subject: Final Notification
From: "Idnet.com Support Team" <helpdesk@idnet.com>
Reply-To: verification.teams77@hotmail.com
User-Agent: SquirrelMail/1.4.11
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
To: undisclosed-recipients:;

Jane

Technical Ben · Nov 21, 2010, 20:49:22

Also, to those worrying about their email address getting out. Never reply to these emails, as that is how they get your address. Also chain mail/messages are culprits for snagging peoples emails.
Although, this could just be a random name generator and @IDNET.com put at the end. A lot of spammers get through, just by randomly typing names out.

Noelle · Nov 21, 2010, 21:23:34

I received it too on one of my 5 email addresses.

armadillo · Nov 21, 2010, 21:54:48

I have 20 idnet.com addresses and not been hit on any of them. I agree with Rik that a big source of email addresses will be a compromised machine that holds your email address in stored emails or the address book.

I never get spam or phishing on any of my email addresses. At least not for long and I have never had any on an idnet address. I do not use any filtering of any kind, either on the ISP's server or on my PC and I never have in over ten years.

The reason I use so many email addresses is that each one is for a particular group of contacts, e.g. I have one for banks, one for on-line shopping etc. If I get a single spam message or two, I just delete and ignore. If I get three, I expect it to escalate. When it reaches 10 spams on the same email address, I delete the email address. Usually, nobody needs informing as often the contacts are not ones I need to receive further unsolicited mails from.

Another big cause of escalating spam is clicking an "unsubscribe" link in a spam email. It does not unsubscribe you. It just increases the spam value of your email address by confirming that your email address is used.

Also, do not display images in emails by default. Specifically display images only when you trust the source of the email. Spam emails often contain one or two pixel square transparent gif images whose sole purpose is to confirm to the spammer that your address has accessed his spam. (Those transparent images have unique URLs and they use standard hitcount software, available on all web hosts, to count whether or not each image has been accessed). The small transparent images can be included in emails that appear to be text only.

They use these tricks to trap even those who do not actively do anything to deserve it!

Once an email address has been confirmed as active, it becomes much more marketable on emailing lists. There are websites where it is possible to purchase lists of email addresses which have previously responded to spam. Often, they use stolen credit card details to make the purchases. And they can buy lists of stolen credit cards too.

Hey, there are some nice people out there.

Simon · Nov 21, 2010, 21:57:57

Good advice, Dill.

cecilsboy · Nov 22, 2010, 16:48:31

I posted yesterday commenting that I had been hit on an email address that was infrequently used and asking whether the spammers could have access to IDNET's list of email addresses. The replies suggest that this is improbable and my email address may have been obtained elsewhere. However, my spammed email address was set up for a specific purpose, it has never sent emails and has only ever received 5 emails, one from IDNET, one from me (testing), and three from a single known correspondent. If the latter was the ultimate source for this email, I find it impossible to accept that his address book should also contain umpteen other IDNET.com addresses i.e. those who have also been spammed recently. If lists exist which contains multiple email addresses I find it unlikely that a spammer has filtered out selected IDNET.com addresses in order to send this recent spam.

How do IDNET protect their email addresses and what guarantees are there that a disgruntled ex employee has not sold on email addresses?

Sorry to be so persistent but a similar scenario happened with a previous ISP.

Peter

Rik · Nov 22, 2010, 17:15:47

No-one here can give you the guarantees you seek, Peter, you'll need to seek them directly from IDNet. What I can say, however, is that from thousands of customers, we've only seen a handful of reports. Had the database been compromised, I'd expect to see many more. The message headers we've seen have been to undisclosed recipients, so we don't know who else was addressed, and there are no recently left employees, disgruntled or otherwise. The last person to leave did so two years ago.

cecilsboy · Nov 22, 2010, 18:25:37

Thanks Rik for your assurances.

I'll close that email account anyhow.

Peter

Baz · Nov 22, 2010, 19:20:31

I dont know enough about how these attacks happen but at my last ISP as I neared the end of my time with them I started to receive a lot of spam,from nothing to loads and was told by them, I think this has been mentioned in this thread too, that it may have just been my address format which was just my name 'Baz' with the first letter of my surname, then the '@oldisp.wotever' and it could have been random going through names adding letters and getting lucky.

My daughter has a similar format now with her address so it could be that.Would be interesting to know if the others that have been hit have a similar format.

Rik · Nov 22, 2010, 19:23:28

Dictionary attacks, where you take a surname, say Smith, and then try different initials are the most common form of attack, Baz. They can be turned around to work on first names though.

armadillo · Nov 22, 2010, 23:46:16

Quote from: cecilsboy on Nov 22, 2010, 16:48:31
However, my spammed email address was set up for a specific purpose, it has never sent emails and has only ever received 5 emails, one from IDNET, one from me (testing), and three from a single known correspondent. If the latter was the ultimate source for this email, I find it impossible to accept that his address book should also contain umpteen other IDNET.com addresses i.e. those who have also been spammed recently. If lists exist which contains multiple email addresses I find it unlikely that a spammer has filtered out selected IDNET.com addresses in order to send this recent spam.

As Rik says, dictionary spam is very common, i.e. they just use a bot to generate email addresses of the form {random character string}surname@isp.com

But if your three-mail correspondent was the source, there is no reason why he should have had any idnet address on his system apart from yours. The only idnet address gleaned from his system was your address. The other idnet addresses were gleaned from other sources.

The spammer did not filter out idnet addresses to receive the spam.

They use a program which starts with the text of the spam message with a gap to insert the isp name. The program then goes through the list of target email addresses (merged from one or more sources) and sorts them by isp. Then it inserts the appropriate isp name in the gaps. Then it uses a compromised zombie machine to email out the full set of completed emails to all the isps. The emails are loaded onto the zombie by interacting with a trojan which the spammer's software polls for over the internet. They can poll thousands of machines per second. A suitable trojan is often included in a spam email too.

Believe me, these guys are clever and mean and they make big profits. They will not learn anything from what I have written here!

Rik · Nov 23, 2010, 10:11:22

Great explanation, Dill. I would add one point in support of what you say. The email purported to come from the IDNet.com team. IDNet have never used that term, to my mind, is was clearly extracted from an email addy.

armadillo · Nov 23, 2010, 11:58:39

Thanks Rik. Yes, the spammers probably have "{ISP} team" in the pro-forma email input to the program. The program just replaces {ISP} with the name of the isp, hence Idnet.com team. That whole email is consistent with a simple automated program.

Rik · Nov 23, 2010, 12:04:15

Which can't spell.

armadillo · Nov 23, 2010, 12:12:46

I love where it has "messenge" instead of message.

Rik · Nov 23, 2010, 12:14:55

Exactly.

Mind you, Miriam's spelling...

armadillo · Nov 23, 2010, 12:18:40

I am usually not suspicious of spelling mistakes that are commonly made by native English speakers. But the ones made in the spam mails suggest that the programmer comes from Khazakstan or some such place.

Rik · Nov 23, 2010, 12:19:21

I'd got it down as Russian.

armadillo · Nov 23, 2010, 12:23:46

Yep. I'd go along with that.