Sorry if this sounds paranoid but I have just received an email purportedly from idnet requiring me to enter my username and password. The spelling mistakes in it make me suspicious. Has anyone else got one of these?
Jane
Chances are its not from them, indeed I'd 100% say its not from them.
If it is asking for account details, then I would say it's a scam.
What's the original header of the email?
It certainly sounds like a scam to me, I can't see any reason at all why IDNet would ask for that information as they already have it. If there's a URL contained within the email, I'd strongly advise you NOT to click it.
Thanks, as I suspected then. Here's what it says (my details deleted of course)
Return-Path: <helpdesk@idnet.com>
Delivered-To:
Received: from mailfilter1.idnet.net (mailfilter1.idnet.net [212.69.36.213])
by mail.idnet.com (Postfix) with ESMTP id 1CA283A471F
for <***>; Sat, 20 Nov 2010 16:31:09 +0000 (GMT)
Received: from localhost (unknown [127.0.0.1])
by mailfilter1.idnet.net (Postfix) with ESMTP id 3EDEE981CA
for <***>; Sat, 20 Nov 2010 16:30:12 +0000 (UTC)
X-Virus-Scanned: amavisd-new at idnet.com
X-Spam-Flag: NO
X-Spam-Score: 2.795
X-Spam-Level: **
X-Spam-Status: No, score=2.795 tagged_above=0 required=6 tests=[BAYES_00=-1.9,
FREEMAIL_FORGED_REPLYTO=2.095, FREEMAIL_REPLYTO_END_DIGIT=1.151,
RCVD_IN_BRBL_LASTEXT=1.449] autolearn=unavailable
Received: from mailfilter1.idnet.net ([127.0.0.1])
by localhost (mailfilter1.idnet.net [127.0.0.1]) (amavisd-new, port 10040)
with LMTP id Z2mlhnVRn712 for <removed - Rik>;
Sat, 20 Nov 2010 16:30:12 +0000 (GMT)
Received: from mx1.idnet.net (mx1.idnet.net [212.69.36.17])
by mailfilter1.idnet.net (Postfix) with ESMTP id 1A27C97A5E
for <****>; Sat, 20 Nov 2010 16:30:12 +0000 (GMT)
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
Received: from btsskynet.net (mail.btsskynet.net [74.5.204.249])
by mx1.idnet.net (Postfix) with SMTP id 4734053B98
for <>; Sat, 20 Nov 2010 16:31:07 +0000 (GMT)
Received: (qmail 12791 invoked by uid 453); 20 Nov 2010 16:24:17 -0000
X-Virus-Checked: Checked by ClamAV on btsskynet.net
Received: from localhost (HELO localhost) (127.0.0.1)
by btsskynet.net (qpsmtpd/0.40) with ESMTP; Sat, 20 Nov 2010 10:24:17 -0600
Received: from 41.138.184.9 ([41.138.184.9]) by mail.btsskynet.net (Horde
Framework) with HTTP; Sat, 20 Nov 2010 10:24:15 -0600
Message-ID: <20101120102415.69964p987v6mprms@mail.btsskynet.net>
Date: Sat, 20 Nov 2010 10:24:15 -0600
From: "Idnet.com Support Team" <helpdesk@idnet.com>
Reply-to: verification.teams77@hotmail.com
To: undisclosed-recipients:;
Subject: Account Upgrade
MIME-Version: 1.0
Content-Type: text/plain;
charset=ISO-8859-1;
DelSp="Yes";
format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
User-Agent: Internet Messaging Program (IMP) H3 (4.3.5)
Dear Idnet.com Subscriber,
We are currently carrying-out a maintenance
process to your Idnet.com account, to complete
this, you must reply to this mail immediately,
and enter your User Name here (,,,,,,,,) And
Password here (.......) if you are the
rightful owner of this account.
This process we help us to fight against
spam mails.Failure to summit your password,
will render your email address in-active
from our database.
NOTE: If your have done this before, you may ignore
this mail. You will be send a password reset
messenge in next seven (7) working days after
undergoing this process for security reasons.
Thank you for using Idnet.com!
THE Idnet.com TEAM
Jane
Personal details removed - Rik
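The headers quoted above carry the tell-tale signs the thread goes on to list: a From address on the ISP's domain but a Reply-To on Hotmail, delivery to undisclosed recipients, an injection hop from a host that is not the ISP's, and a body asking for a password. The following is an added example, not code from the forum or from IDNet, that parses a constructed message modelled on those headers and reports each indicator; the `own_domains` list and the freemail set are assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the thread
# (recipient address and some hops shortened; not a verbatim copy).
SAMPLE = """\
Return-Path: <helpdesk@idnet.com>
Received: from mx1.idnet.net (mx1.idnet.net [212.69.36.17])
\tby mailfilter1.idnet.net (Postfix) with ESMTP id 1A27C97A5E
\tfor <user@idnet.com>; Sat, 20 Nov 2010 16:30:12 +0000 (GMT)
Received: from btsskynet.net (mail.btsskynet.net [74.5.204.249])
\tby mx1.idnet.net (Postfix) with SMTP id 4734053B98
\tfor <user@idnet.com>; Sat, 20 Nov 2010 16:31:07 +0000 (GMT)
From: "Idnet.com Support Team" <helpdesk@idnet.com>
Reply-to: verification.teams77@hotmail.com
To: undisclosed-recipients:;
Subject: Account Upgrade

Dear Idnet.com Subscriber, you must reply to this mail immediately,
and enter your User Name here (,,,,,,,,) And Password here (.......)
"""

# Assumed list of webmail providers a real ISP helpdesk would not reply via.
FREEMAIL = {"hotmail.com", "gmail.com", "yahoo.com", "live.com"}
# "password ... here" / "user name ... here" within a short distance.
PASSWORD_ASK = re.compile(r"\b(password|user ?name)\b.{0,40}\bhere\b", re.I)

def domain_of(addr):
    """Lower-cased domain part of an address header value ('' if none)."""
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()

def last_external_hop(msg, own_domains):
    """Walk the Received chain newest-to-oldest and return the first
    'from' host that is not one of our own mail servers."""
    for rcvd in msg.get_all("Received", []):
        m = re.match(r"from\s+(\S+)", str(rcvd))
        if m and not any(m.group(1).endswith(d) for d in own_domains):
            return m.group(1)
    return None

def phishing_indicators(raw, own_domains=("idnet.net", "idnet.com")):
    """Return a list of human-readable indicators found in a raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        hits.append(f"reply-to domain {reply_dom} != from domain {from_dom}")
    if reply_dom in FREEMAIL:
        hits.append(f"reply-to on freemail provider {reply_dom}")
    if "undisclosed-recipients" in str(msg.get("To", "")).lower():
        hits.append("sent to undisclosed recipients")
    hop = last_external_hop(msg, own_domains)
    if hop and from_dom in own_domains and not hop.endswith(from_dom):
        hits.append(f"claims {from_dom} but injected via {hop}")
    if PASSWORD_ASK.search(msg.get_content()):
        hits.append("body asks for username/password")
    return hits
```

Any one indicator alone is weak (plenty of legitimate list mail goes to undisclosed recipients); it is the combination, especially a freemail Reply-To under an ISP-branded From, that SpamAssassin's FREEMAIL_FORGED_REPLYTO rule in the quoted headers is scoring.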
Scam, an IDNet email wouldn't have a hotmail address in it, Jane.
Thanks a lot. Be interesting to see if anyone else gets one.
Cheers
Jane
I've alerted support - thanks for letting us know. :thumb:
oppsss
yes my daughter has one.
Apologies to Rik about the PM for this, I should read the forum first. :)
the Hotmail addy is a giveaway.
Plus IDNet don't use the idnet.com form of address, nor do they send to undisclosed recipients, all email would be one to one.
The last 3 entries on this search page are rather interesting
http://www.google.co.uk/search?client=opera&rls=en&q=verification.teams77@hotmail.com&sourceid=opera&ie=utf-8&oe=utf-8
Hi all just had this mail via my idnet email account :slap:
Hi just had this email!!! perhaps warn your other customers about this!!!
"--------------------------------------------------
From: "Idnet.com Support Team" <helpdesk@idnet.com>
Sent: Saturday, November 20, 2010 4:24 PM
To: "undisclosed-recipients:"
Subject: Account Upgrade
>
>
> Dear Idnet.com Subscriber,
>
> We are currently carrying-out a maintenance
> process to your Idnet.com account, to complete
> this, you must reply to this mail immediately,
> and enter your User Name here (,,,,,,,,) And
> Password here (.......) if you are the
> rightful owner of this account.
>
> This process we help us to fight against
> spam mails.Failure to summit your password,
> will render your email address in-active
> from our database.
>
> NOTE: If your have done this before, you may ignore
> this mail. You will be send a password reset
> messenge in next seven (7) working days after
> undergoing this process for security reasons.
>
> Thank you for using Idnet.com!
> THE Idnet.com TEAM
>
> -----
> No virus found in this message.
> Checked by AVG - www.avg.com
> Version: 10.0.1153 / Virus Database: 424/3267 - Release Date: 11/19/10
>
The sender was verification.teams77@hotmail.com<verification.teams77@hotmail.com>;
I work in "IT" so I've seen it all before, but some may fall for it - IDNET, not sure if I was the only target, so please warn your customers!!!
Thanks, merged with existing thread. :thumb:
Wow. How do they know you're with... oh wait. IDNet customers have "@idnet" addresses. Naturally. So it's a fishing expedition. Thanks for the heads up.
Quote from: Technical Ben on Nov 20, 2010, 20:00:56
Wow. How do they know you're with... oh wait. IDNet customers have "@idnet" addresses. Naturally. So it's a fishing expedition. Thanks for the heads up.
It's known as "Spear Phishing"
Why Spear, Simon?
http://www.microsoft.com/protect/fraud/phishing/symptoms.aspx
It's great having two Simons. ;)
Quote from: Rik on Nov 21, 2010, 11:32:50
Why Spear, Simon?
More precise than trawling?
You've got me hooked, go on. :)
You mean, you don't get the point?
No, it must be the 'net. ;)
Update on this. Seems my daughter has had another email about it calling it 'Final Notification'
Dear Idnet.com Subscriber,
We are currently carrying-out a maintenance process to your Idnet.com
account, to complete this, you must reply to this mail immediately, and
enter your User Name here (,,,,,,,,) And Password here (.......) if you
are the rightful owner of this account.
This process we help us to fight against spam mails.Failure to summit your
password,will render your email address in-active from our database.
NOTE: If your have done this before, you may ignore this mail. You will be
send a password reset messenge in next seven (7)working days after
undergoing this process for security reasons.
Thank you for using Idnet.com!
THE Idnet.com TEAM
Fairly standard 'push', Baz. Let's just hope no-one takes it as genuine.
Yeah, hope not. It's surprising just how many fall for this type of scam though, isn't it. :(
Too many, Baz. :(
Could IDNet ban the sender from their servers? if not for incoming, at least outgoing mail? If they use more than one address this is difficult I guess. But it must break T&C somewhere so a block is justified.
ISP mentioned in the headers, btskynet.net is apparently in Kansas.
Quote from: Technical Ben on Nov 21, 2010, 14:38:05
Could IDNet ban the sender from their servers? if not for incoming, at least outgoing mail? If they use more than one address this is difficult I guess. But it must break T&C somewhere so a block is justified.
I don't think it touches IDNet's servers until delivery, Ben. Blocking the sending host may be too much of a broad brush.
btshynet would have to apply a filter to their mailservers to drop any mail that did not have btskynet.net as the from address.
I also think that a lot of this kind of mail goes out from compromised zombie machines. That would definitely make blocking a sender too broad brush.
Good point, Dill. My worry is that if IDNet customers respond, IDNet will find itself blacklisted.
I had one of these to an IDNET email address I seldom use. It set me wondering how the spammers got hold of that address. Could they have breached IDNET's security to gain access to IDNET's client's emails?
Peter
I'd guess that the breach, if there is one, happened elsewhere, eg a compromised machine or website. I have about 10 idnet addresses, my primary one receives well over 100 messages/day and I have not had the scam email.
I also have several IDNet email addresses, none of which have been 'hit'.
Just out of interest, compare my 'final notification' to my previous one
Return-Path: <helpdesk@idnet.com>
Delivered-To:
Received: from mailfilter1.idnet.net (mailfilter1.idnet.net [212.69.36.213])
by mail.idnet.com (Postfix) with ESMTP id F14834A4222;
Sun, 21 Nov 2010 17:31:19 +0000 (GMT)
Received: from localhost (unknown [127.0.0.1])
by mailfilter1.idnet.net (Postfix) with ESMTP id 19DB79820F;
Sun, 21 Nov 2010 17:30:23 +0000 (UTC)
X-Virus-Scanned: amavisd-new at idnet.com
X-Spam-Flag: NO
X-Spam-Score: 1.346
X-Spam-Level: *
X-Spam-Status: No, score=1.346 tagged_above=0 required=6 tests=[BAYES_00=-1.9,
FREEMAIL_FORGED_REPLYTO=2.095, FREEMAIL_REPLYTO_END_DIGIT=1.151]
autolearn=no
Received: from mailfilter1.idnet.net ([127.0.0.1])
by localhost (mailfilter1.idnet.net [127.0.0.1]) (amavisd-new, port 10040)
with LMTP id i0JMHBckqAxN; Sun, 21 Nov 2010 17:30:19 +0000 (GMT)
Received: from mx1.idnet.net (mx1.idnet.net [212.69.36.17])
by mailfilter1.idnet.net (Postfix) with ESMTP id 28DA19828D;
Sun, 21 Nov 2010 17:30:19 +0000 (GMT)
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
Received: from mail.cds1.net (xena.cds1.net [216.174.197.150])
by mx1.idnet.net (Postfix) with ESMTP id 87F4953B1F;
Sun, 21 Nov 2010 17:31:15 +0000 (GMT)
Received: from secure.cds1.net (mercury [172.16.10.1])
by mail.cds1.net (Postfix) with ESMTP id C3A81E010153;
Sun, 21 Nov 2010 03:34:56 -0800 (PST)
Received: from 41.138.171.141
(SquirrelMail authenticated user tedwilliams)
by secure.cds1.net with HTTP;
Sun, 21 Nov 2010 03:34:56 -0800 (PST)
Message-ID: <4900.41.138.171.141.1290339296.squirrel@secure.cds1.net>
Date: Sun, 21 Nov 2010 03:34:56 -0800 (PST)
Subject: Final Notification
From: "Idnet.com Support Team" <helpdesk@idnet.com>
Reply-To: verification.teams77@hotmail.com
User-Agent: SquirrelMail/1.4.11
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
To: undisclosed-recipients:;
Jane
Also, to those worrying about their email address getting out. Never reply to these emails, as that is how they get your address. Also chain mail/messages are culprits for snagging peoples emails.
Although, this could just be a random name generator and @IDNET.com put at the end. A lot of spammers get through, just by randomly typing names out.
I received it too on one of my 5 email addresses.
I have 20 idnet.com addresses and not been hit on any of them. I agree with Rik that a big source of email addresses will be a compromised machine that holds your email address in stored emails or the address book.
I never get spam or phishing on any of my email addresses. At least not for long and I have never had any on an idnet address. I do not use any filtering of any kind, either on the ISP's server or on my PC and I never have in over ten years.
The reason I use so many email addresses is that each one is for a particular group of contacts, e.g. I have one for banks, one for on-line shopping etc. If I get a single spam message or two, I just delete and ignore. If I get three, I expect it to escalate. When it reaches 10 spams on the same email address, I delete the email address. Usually, nobody needs informing as often the contacts are not ones I need to receive further unsolicited mails from.
Another big cause of escalating spam is clicking an "unsubscribe" link in a spam email. It does not unsubscribe you. It just increases the spam value of your email address by confirming that your email address is used.
Also, do not display images in emails by default. Specifically display images only when you trust the source of the email. Spam emails often contain one or two pixel square transparent gif images whose sole purpose is to confirm to the spammer that your address has accessed his spam. (Those transparent images have unique URLs and they use standard hitcount software, available on all web hosts, to count whether or not each image has been accessed). The small transparent images can be included in emails that appear to be text only.
They use these tricks to trap even those who do not actively do anything to deserve it!
Once an email address has been confirmed as active, it becomes much more marketable on emailing lists. There are websites where it is possible to purchase lists of email addresses which have previously responded to spam. Often, they use stolen credit card details to make the purchases. And they can buy lists of stolen credit cards too.
Hey, there are some nice people out there. :evil:
Good advice, Dill. :thumb:
I posted yesterday commenting that I had been hit on an email address that was infrequently used and asking whether the spammers could have access to IDNET's list of email addresses. The replies suggest that this is improbable and my email address may have been obtained elsewhere. However, my spammed email address was set up for a specific purpose, it has never sent emails and has only ever received 5 emails, one from IDNET, one from me (testing), and three from a single known correspondent. If the latter was the ultimate source for this email, I find it impossible to accept that his address book should also contain umpteen other IDNET.com addresses, i.e. those who have also been spammed recently. If lists exist which contain multiple email addresses, I find it unlikely that a spammer has filtered out selected IDNET.com addresses in order to send this recent spam.
How do IDNET protect their email addresses and what guarantees are there that a disgruntled ex employee has not sold on email addresses?
Sorry to be so persistent but a similar scenario happened with a previous ISP.
Peter
No-one here can give you the guarantees you seek, Peter, you'll need to seek them directly from IDNet. What I can say, however, is that from thousands of customers, we've only seen a handful of reports. Had the database been compromised, I'd expect to see many more. The message headers we've seen have been to undisclosed recipients, so we don't know who else was addressed, and there are no recently left employees, disgruntled or otherwise. The last person to leave did so two years ago.
Thanks Rik for your assurances.
I'll close that email account anyhow.
Peter
I don't know enough about how these attacks happen, but at my last ISP, as I neared the end of my time with them, I started to receive a lot of spam, from nothing to loads, and was told by them (I think this has been mentioned in this thread too) that it may have just been my address format, which was just my name 'Baz' with the first letter of my surname, then the '@oldisp.wotever', and it could have been random going through names adding letters and getting lucky.
My daughter has a similar format now with her address, so it could be that. Would be interesting to know if the others that have been hit have a similar format.
Dictionary attacks, where you take a surname, say Smith, and then try different initials are the most common form of attack, Baz. They can be turned around to work on first names though.
Quote from: cecilsboy on Nov 22, 2010, 16:48:31
However, my spammed email address was set up for a specific purpose, it has never sent emails and has only ever received 5 emails, one from IDNET, one from me (testing), and three from a single known correspondent. If the latter was the ultimate source for this email, I find it impossible to accept that his address book should also contain umpteen other IDNET.com addresses, i.e. those who have also been spammed recently. If lists exist which contain multiple email addresses, I find it unlikely that a spammer has filtered out selected IDNET.com addresses in order to send this recent spam.
As Rik says, dictionary spam is very common, i.e. they just use a bot to generate email addresses of the form {random character string}surname@isp.com
But if your three-mail correspondent was the source, there is no reason why he should have had any idnet address on his system apart from yours. The only idnet address gleaned from his system was your address. The other idnet addresses were gleaned from other sources.
The spammer did not filter out idnet addresses to receive the spam.
They use a program which starts with the text of the spam message with a gap to insert the isp name. The program then goes through the list of target email addresses (merged from one or more sources) and sorts them by isp. Then it inserts the appropriate isp name in the gaps. Then it uses a compromised zombie machine to email out the full set of completed emails to all the isps. The emails are loaded onto the zombie by interacting with a trojan which the spammer's software polls for over the internet. They can poll thousands of machines per second. A suitable trojan is often included in a spam email too.
Believe me, these guys are clever and mean and they make big profits. They will not learn anything from what I have written here!
Great explanation, Dill. I would add one point in support of what you say. The email purported to come from the IDNet.com team. IDNet have never used that term; to my mind, it was clearly extracted from an email addy.
Thanks Rik. Yes, the spammers probably have "{ISP} team" in the pro-forma email input to the program. The program just replaces {ISP} with the name of the isp, hence Idnet.com team. That whole email is consistent with a simple automated program.
Which can't spell. ;)
I love where it has "messenge" instead of message.
Exactly. :)
Mind you, Miriam's spelling... :whistle:
I am usually not suspicious of spelling mistakes that are commonly made by native English speakers. But the ones made in the spam mails suggest that the programmer comes from Kazakhstan or some such place.
I'd got it down as Russian. ;)
Yep. I'd go along with that.