email from idnet

[Baz]

yeah  hope not.its surprising just how many fall for this type of scam though isnt it. 

[Rik]

Too many, Baz.

[Technical Ben]

Could IDNet ban the sender from their servers? if not for incoming, at least outgoing mail? If they use more than one address this is difficult I guess. But it must break T&C somewhere so a block is justified.

[pctech]

ISP mentioned in the headers, btskynet.net is apparently in Kansas.

[Rik]

Could IDNet ban the sender from their servers? if not for incoming, at least outgoing mail? If they use more than one address this is difficult I guess. But it must break T&C somewhere so a block is justified.

I don't think it touches IDNet's servers until delivery, Ben. Blocking the sending host may be too much of a broad brush.

[pctech]

btshynet would have to apply a filter to their mailservers to drop any mail that did not have btskynet.net as the from address.

[armadillo]

I also think that a lot of this kind of mail goes out from compromised zombie machines. That would definitely make blocking a sender too broad brush.

[Rik]

Good point, Dill. My worry is that if IDNet customers respond, IDNet will find itself blacklisted.

[cecilsboy]

I had one of these to an IDNET email address I seldom use. It set me wondering how the spammers got hold of that address. Could they have breached IDNET's security to gain access to IDNET's client's emails?

Peter

[Rik]

I'd guess that the breach, if there is one, happened elsewhere, eg a compromised machine or website. I have about 10 idnet addresses, my primary one receives well over 100 messages/day and I have not had the scam email.

[Simon]

I also have several IDNet email addresses, none of which have been 'hit'.

[jane]

Just out of interest, compare my 'final notifaction' to my previous one

Return-Path: <helpdesk@idnet.com>
Delivered-To:
Received: from mailfilter1.idnet.net (mailfilter1.idnet.net [212.69.36.213])
   by mail.idnet.com (Postfix) with ESMTP id F14834A4222;
   Sun, 21 Nov 2010 17:31:19 +0000 (GMT)
Received: from localhost (unknown [127.0.0.1])
   by mailfilter1.idnet.net (Postfix) with ESMTP id 19DB79820F;
   Sun, 21 Nov 2010 17:30:23 +0000 (UTC)
X-Virus-Scanned: amavisd-new at idnet.com
X-Spam-Flag: NO
X-Spam-Score: 1.346
X-Spam-Level: *
X-Spam-Status: No, score=1.346 tagged_above=0 required=6 tests=[BAYES_00=-1.9,
   FREEMAIL_FORGED_REPLYTO=2.095, FREEMAIL_REPLYTO_END_DIGIT=1.151]
   autolearn=no
Received: from mailfilter1.idnet.net ([127.0.0.1])
   by localhost (mailfilter1.idnet.net [127.0.0.1]) (amavisd-new, port 10040)
   with LMTP id i0JMHBckqAxN; Sun, 21 Nov 2010 17:30:19 +0000 (GMT)
Received: from mx1.idnet.net (mx1.idnet.net [212.69.36.17])
   by mailfilter1.idnet.net (Postfix) with ESMTP id 28DA19828D;
   Sun, 21 Nov 2010 17:30:19 +0000 (GMT)
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
Received: from mail.cds1.net (xena.cds1.net [216.174.197.150])
   by mx1.idnet.net (Postfix) with ESMTP id 87F4953B1F;
   Sun, 21 Nov 2010 17:31:15 +0000 (GMT)
Received: from secure.cds1.net (mercury [172.16.10.1])
   by mail.cds1.net (Postfix) with ESMTP id C3A81E010153;
   Sun, 21 Nov 2010 03:34:56 -0800 (PST)
Received: from 41.138.171.141
        (SquirrelMail authenticated user tedwilliams)
        by secure.cds1.net with HTTP;
        Sun, 21 Nov 2010 03:34:56 -0800 (PST)
Message-ID: <4900.41.138.171.141.1290339296.squirrel@secure.cds1.net>
Date: Sun, 21 Nov 2010 03:34:56 -0800 (PST)
Subject: Final Notification
From: "Idnet.com  Support  Team" <helpdesk@idnet.com>
Reply-To: verification.teams77@hotmail.com
User-Agent: SquirrelMail/1.4.11
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
To: undisclosed-recipients:;

Jane

[Technical Ben]

Also, to those worrying about their email address getting out. Never reply to these emails, as that is how they get your address. Also chain mail/messages are culprits for snagging peoples emails.
Although, this could just be a random name generator and @IDNET.com put at the end. A lot of spammers get through, just by randomly typing names out.

[Noelle]

I received it too on one of my 5 email addresses.

[armadillo]

I have 20 idnet.com addresses and not been hit on any of them. I agree with Rik that a big source of email addresses will be a compromised machine that holds your email address in stored emails or the address book.

I never get spam or phishing on any of my email addresses. At least not for long and I have never had any on an idnet address. I do not use any filtering of any kind, either on the ISP's server or on my PC and I never have in over ten years.

The reason I use so many email addresses is that each one is for a particular group of contacts, e.g. I have one for banks, one for on-line shopping etc. If I get a single spam message or two, I just delete and ignore. If I get three, I expect it to escalate. When it reaches 10 spams on the same email address, I delete the email address. Usually, nobody needs informing as often the contacts are not ones I need to receive further unsolicited mails from.

Another big cause of escalating spam is clicking an "unsubscribe" link in a spam email. It does not unsubscribe you. It just increases the spam value of your email address by confirming that your email address is used.

Also, do not display images in emails by default. Specifically display images only when you trust the source of the email. Spam emails often contain one or two pixel square transparent gif images whose sole purpose is to confirm to the spammer that your address has accessed his spam. (Those transparent images have unique URLs and they use standard hitcount software, available on all web hosts, to count whether or not each image has been accessed). The small transparent images can be included in emails that appear to be text only.

They use these tricks to trap even those who do not actively do anything to deserve it!

Once an email address has been confirmed as active, it becomes much more marketable on emailing lists. There are websites where it is possible to purchase lists of email addresses which have previously responded to spam. Often, they use stolen credit card details to make the purchases. And they can buy lists of stolen credit cards too.

Hey, there are some nice people out there. 

[Simon]

Good advice, Dill. 

[cecilsboy]

I posted yesterday commenting that I had been hit on an email address that was infrequently used and asking whether the spammers could have access to IDNET's list of email addresses. The replies suggest that this is improbable and my email address may have been obtained elsewhere. However, my spammed email address was set up for a specific purpose, it has never sent emails and has only ever received 5 emails, one from IDNET, one from me (testing), and three from a single known correspondent. If the latter was the ultimate source for this email, I find it impossible to accept that his address book should also contain umpteen other IDNET.com addresses i.e. those who have also been spammed recently. If lists exist which contains multiple email addresses I find it unlikely that a spammer has filtered out selected IDNET.com addresses in order to send this recent spam.

How do IDNET protect their email addresses and what guarantees are there that a disgruntled ex employee has not sold on email addresses?

Sorry to be so persistent but a similar scenario happened with a previous ISP.

Peter

[Rik]

No-one here can give you the guarantees you seek, Peter, you'll need to seek them directly from IDNet. What I can say, however, is that from thousands of customers, we've only seen a handful of reports. Had the database been compromised, I'd expect to see many more. The message headers we've seen have been to undisclosed recipients, so we don't know who else was addressed, and there are no recently left employees, disgruntled or otherwise. The last person to leave did so two years ago.

[cecilsboy]

Thanks Rik for your assurances.

I'll close that email account anyhow.

Peter

[Baz]

I dont know enough about how these attacks happen but at my last ISP as I neared the end of my time with them I started to receive a lot of spam,from nothing to loads and was told by them, I think this has been mentioned in this thread too, that it may have just been my address format which was just my name 'Baz' with the first letter of my surname, then the '@oldisp.wotever' and it could have been random going through names adding letters and getting lucky.

My daughter has a similar format now with her address so it could be that.Would be interesting to know if the others that have been hit have a similar format.

[Rik]

Dictionary attacks, where you take a surname, say Smith, and then try different initials are the most common form of attack, Baz. They can be turned around to work on first names though.

[armadillo]

However, my spammed email address was set up for a specific purpose, it has never sent emails and has only ever received 5 emails, one from IDNET, one from me (testing), and three from a single known correspondent. If the latter was the ultimate source for this email, I find it impossible to accept that his address book should also contain umpteen other IDNET.com addresses i.e. those who have also been spammed recently. If lists exist which contains multiple email addresses I find it unlikely that a spammer has filtered out selected IDNET.com addresses in order to send this recent spam.

As Rik says, dictionary spam is very common, i.e. they just use a bot to generate email addresses of the form {random character string}surname@isp.com

But if your three-mail correspondent was the source, there is no reason why he should have had any idnet address on his system apart from yours. The only idnet address gleaned from his system was your address. The other idnet addresses were gleaned from other sources.

The spammer did not filter out idnet addresses to receive the spam.

They use a program which starts with the text of the spam message with a gap to insert the isp name. The program then goes through the list of target email addresses (merged from one or more sources) and sorts them by isp. Then it inserts the appropriate isp name in the gaps. Then it uses a compromised zombie machine to email out the full set of completed emails to all the isps. The emails are loaded onto the zombie by interacting with a trojan which the spammer's software polls for over the internet. They can poll thousands of machines per second. A suitable trojan is often included in a spam email too.

Believe me, these guys are clever and mean and they make big profits. They will not learn anything from what I have written here!

[Rik]

Great explanation, Dill. I would add one point in support of what you say. The email purported to come from the IDNet.com team. IDNet have never used that term, to my mind, is was clearly extracted from an email addy.

[armadillo]

Thanks Rik. Yes, the spammers probably have "{ISP} team" in the pro-forma email input to the program.  The program just replaces {ISP} with the name of the isp, hence Idnet.com team. That whole email is consistent with a simple automated program.

[Rik]

Which can't spell.