Thursday, October 1, 2015

Email Domains with Cases of Spam Sent as Spoofed Emails to Lists of Addresses Stolen from Accounts

Updated: Saturday, October 24, to include recognition of TalkTalk hack.
Updated: Sunday, October 25, to include guess of countries for each domain.
Updated: Sunday, May 1, to include more domain listings, many submitted by readers.
Updated: Sunday, May 29, to include additional domains.


The email spoofing described in the article linked below,

Email sent under my name not from me with a subject such as "Fw: important" or "Fw: read this" or "Fw: new message"

uses targeted lists of addresses for spam distribution. Users of many different kinds of email addresses in many countries have reported this problem.

If you have been affected by this problem, and the domain part of your email address (the part after the @) is not shown below, then please consider submitting it for inclusion in the list by entering a comment below. I will update this list until the point where managing it becomes too time-consuming because of the very large number of entries.

If the domain part of your email address is a custom one provided by a hosting company, then please also specify which company provides the hosting.

Based on a sample of more than 850 addresses known to be experiencing this problem, I have compiled a list of the 15 email domains with the most cases. Table 1 below lists these domains in order of decreasing number of cases.


Table 1. Fifteen domains with the most cases

yahoo.com (known to have had a data breach)
gmx.de
ntlworld.com
free.fr
talktalk.net (known to have had a data breach)
web.de
comcast.net (known to have had a data breach)
orange.fr
tiscali.co.uk (known to have had a data breach)
tiscali.it
virgin.net
blueyonder.co.uk
virgilio.it
charter.net
mail.com


Table 2. French Internet Providers Known to Have Cases

Name | Domains | Examples
Groupe Iliad, Free | @free.fr, @numericable.fr | Example with headers
Orange | @orange.fr, @wanadoo.fr | Example with headers; Second example with headers
Société Française du Radiotéléphone - SFR | @cegetel.net, @club-internet.fr, @sfr.fr |


Table 3. German and Austrian Internet Providers Known to Have Cases

Name | Domains | Examples
(not listed) | @arcor.de | Case with partial headers
A1 Telekom Austria | @aon.at | Blog example; Facebook example
Deutsche Telekom | @t-online.de | Example with headers; Discussion of cases, August 2015
freenet | @freenet.de | Facebook example; Case report with bounceback message
united internet, 1&1 Mail & Media | @gmx.at, @gmx.de, @web.de | Example with headers; Second example with headers; Third example with headers


Table 4. British Internet Providers Known to Have Cases

Name | Domains | Examples
TalkTalk | @lineone.net, @talktalk.net, @tinyworld.co.uk, @tiscali.co.uk | Example with headers; Mailing list example
Liberty Global, Virgin Media | @blueyonder.co.uk, @ntlworld.co.uk, @virgin.com, @virginmedia.com | Partial list of reported cases; Example with headers; Second example with headers


Table 5. Belgian Internet Providers Known to Have Cases

Name | Domains | Examples
Liberty Global, Telenet | @telenet.be | Discussion of cases since September 2015
Proximus | @skynet.be | Example with headers


Table 6. Dutch Internet Providers Known to Have Cases

Name | Domains | Examples
Liberty Global, Ziggo | @home.nl, @ziggo.nl | Discussion of four cases
(not listed) | @dds.nl |


Table 7. Danish Internet Providers Known to Have Cases

Name | Domains | Examples
one.com | Domains hosted by one.com |


Table 8. Swiss Internet Providers Known to Have Cases

Name | Domains | Examples
Swisscom | @bluemail.ch, @bluewin.ch | Case with partial headers; Facebook example


Table 9. North American Universities and Colleges Known to Have Cases

Name | Domain | Examples
Arkansas Northeastern College | @smail.anc.edu |
Brown University | @alumni.brown.edu | Example; Second Example
California State University, Dominguez Hills | @toromail.csudh.edu |
Carnegie Mellon University, School of Computer Science | @cs.cmu.edu |
Clemson University | @g.clemson.edu |
College of Lake County, Illinois | @stu.clcillinois.edu |
Fairleigh Dickinson University | @student.fdu.edu |
Georgetown University | @georgetown.edu |
Harrisburg Area Community College | @hawkmail.hacc.edu | Example with partial headers
Kansas State University | @ksu.edu | Example; Second Example
Miami Dade College | @mymdc.net | Discussion of case
Seminole State College of Florida | @live.seminolestate.edu |
State University of New York at Oswego | @oswego.edu | Mailing list example
University of Alabama | @crimson.ua.edu | Blog example
Virginia Community Colleges | @email.vccs.edu |
Valparaiso University | @valpo.edu |
West Virginia University | @mix.wvu.edu |
Wilfrid Laurier University | @mylaurier.ca |
Willamette University | @willamette.edu | Explanation from IT Office
York College | @york.edu |


Table 10. Canadian Internet Providers Known to Have Cases

Name | Domains | Examples
Bell Canada | @islandtelecom.com, @nbnet.nb.ca, @nb.sympatico.ca, @northwestel.net, @pei.sympatico.ca |
eastlink | @eastlink.ca | Mailing list example
Rogers Communications | @rogers.com | Example with headers; Mailing list example; Another mailing list example
Shaw Communications | @shaw.ca | Blog example; Mailing list example
TELUS Corporation | @telus.net | Mailing list example
Vidéotron | @videotron.ca |
Xplornet | @xplornet.ca, @xplornet.com |


Table 11. Italian Internet Providers Known to Have Cases

Name | Domains | Examples
Italiaonline | @libero.it, @virgilio.it | Mailing list example
Tiscali Italia | @tiscali.it |


Table 12. Japanese Internet Providers Known to Have Cases

Name | Domains | Examples
SoftBank | @i.softbank.jp | Blog example
Yahoo! Japan Corporation | @yahoo.co.jp, @ybb.ne.jp |


Table 13. Yahoo Domains Known to Have Cases

Country | Domains
Australia | @yahoo.com.au
Brazil | @yahoo.com.br
France | @yahoo.fr
Germany | @yahoo.de
Singapore | @yahoo.com.sg
United States | @rocketmail.com, @yahoo.com
Vietnam | @yahoo.com.vn


Table 14. Domains in the United States Known to Have Cases

Name | Domains | Examples
1&1 Mail & Media | @email.com, @myself.com, @post.com, @priest.com, @usa.com, @witty.com, @writeme.com | Example with headers
AT&T | @att.net | Mailing list example
Buckeye Cablevision | @bex.net, @buckeye-express.com |
Charter Communications | @charter.net, @suddenlink.net | Example with headers
Comcast | @comcast.net | Example with partial headers; Mailing list example; Article about Comcast Address Lists
Earthlink | @earthlink.net |
ViaSat Communications, Wildblue | @wildblue.net |
Windstream Communications | @windstream.net |


Table 15. Polish Domains Known to Have Cases

Name | Domains | Examples
AZ | @wp.pl |
Grupa Interia | @interia.pl, @poczta.fm | Facebook example
Grupa Onet | @onet.pl, @op.pl, @vp.pl |


Table 16. Australian Domains Known to Have Cases

Name | Domains | Examples
Aussie Broadband | @westvic.com.au | Mailing list example
iinet | @netspace.net.au | Mailing list example; Another mailing list example
Westnet Pty Ltd | @westnet.com.au | Known data breach, http://www.smh.com.au/digital-life/consumer-security/more-than-30000-iinet-customer-passwords-hacked-20150609-ghjmo2.html

41 comments:

  1. Also bluewin.ch is used for sending E-Mails with "WORLDST-UQ3K9Q0" in the header.

  2. Thank you very much for the new email address type. I've added it to the list.

  3. @dds.nl
    In my case it started on 22 September 2015.

    Martin

  4. @freenet.de

    Thank you for collecting the data. Before I found your blog, I was pretty unsure whether my PC and smartphone were infected or not, because none of the many scanners had found anything.

    Spam waves have been arriving every ~3 days since 22nd Sept. I have both in my header, WORLDST-UQ3K9Q0 and WIN-NPPN1JPV75J.

    Marcel

    1. In my humble opinion every one of these spam mails has a repetition cycle of 7 days, so if you receive both of them it seems like "spam waves arriving every ~3 days".

    2. You can see examples of the intervals between spam waves in the cases reported here:

      https://docs.google.com/spreadsheets/d/1zcVGW18r9CyUAeEOmGRGWnvUPnZuqmYSUkg1f8Q6GuM/pubhtml

  5. Thank you very much for the additional email types. I have added them to the list.

    1. I don't know if this is in any way helpful, but... I think my IMAP account got hit & run and that has caused the spam waves. The source emails for the sent addresses are all from my IMAP folders; I archive most of my correspondence to local Outlook folders regularly, and some random emails get forgotten. Some addresses I have used only once, some being as old as 2008, ranging to summer 2015. Many of those addresses are not in my address book at all. No significant malware or viruses have been found on my computers or Samsung phone.

    2. Indeed, many people report the use of addresses which are several years old, some of which may no longer exist. It may be useful to determine the newest address and look for even newer addresses which have not been used. By this method, you may be able to determine a range of dates when the addresses were collected. To do this thoroughly, you may need to write to the recipients of the messages so that they can send back examples with the list of addresses so that you can piece together a full list of recipients. The recipient lists are always alphabetized by display name and a typical message contains quite a few email addresses.

  6. The domain @vanderstaak.net is used to send these spam messages. It started on September 22nd. In each message the domain is spoofed by WORLDST-UQ3K9Q0 or WIN-NPPN1JPV75J.

    Frank

  7. Thank you, Frank. I've added your domain. September 22nd was a common date for this problem to start for many people.

  8. I had an @aon.at email address a long time ago which is now doing this. I have spam emails from the aon.at address that go back to at least September 29 that have WIN-NPPN1JPV75J in the header.

    1. I don't know of any examples of WIN-NPPN1JPV75J before 29 September or examples of WORLDST-UQ3K9Q0 after 29 September.

  9. I encountered this problem 4 months ago.

    Two weeks ago it was WORLDST-UQ3K9Q0
    This morning WIN-NPPN1JPV75J

    @changnoy.nl

    This morning I had a new series after I changed my TXT file, which was the solution my provider told me to do.
    Last time the emails were sent from the US.
    This morning they were sent from New Zealand.

    I have contacted the provider and I have no idea what to do next.

    Any suggestions?

    1. Were these emails a problem four months ago? It seems more likely that you might have meant four weeks ago, since this particular kind of email spoofing seems to have first become common in August.

      Yes, certainly change the password to your email account to a good long complicated password which does not contain any words in any language, forwards or backwards.

      If your email provider offers two-factor authentication like Google does, then turn two-factor authentication on.

      If you used the password to your email on any other account at any time, then also change the password there and make the passwords different from your new email password.

      If you are synchronizing your email contents to any other application, turn the synchronization off. For example, LinkedIn has a feature to synchronize email to your LinkedIn account.

      We know that this problem can continue for any given person for more than a month with periodic rounds of email sent at irregular intervals. If that would be a problem, then consider obtaining a new email address and letting your correspondents know that you have a new address. For example, I have not seen any examples yet of this problem from a Google Gmail account.

  10. This is the third time in about a month that this has happened to me. Just got a bunch of NDRs overnight, all with the source of WIN-NPPN1JPV75J. I too changed my password, told the rest of my organization to change their passwords, scanned my PC, thought about taking my new smartphone back, set up extra SPF records, etc. I'm glad this is a spoof and not a hack; just wish there was something someone could do about it.

    @orion-net.com

    1. The emails which are sent are certainly spoofed. The from address is added incorrectly, so that the emails appear to be from you even though the email account used to send the messages belongs to someone else. On the other hand, since the list of email recipients appears to come from the contents of the email account of the person affected, this problem is not benign and indicates that a personal group of email addresses has been shared and stored.

  11. From these headers, I'm under the impression that spammers are using compromised workstations around the globe to send the spam. You'll notice that some of these were sent using authenticated creds.

    Received: from node-4t1.pool-125-27.dynamic.totbb.net ([125.27.24.85] helo=WIN-NPPN1JPV75J) by srv2.letzgohost.be with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.85)

    Received: from WIN-NPPN1JPV75J ([90.154.215.201]) by mrelayeu.kundenserver.de (mreue001) with ESMTPSA (Nemesis) id 0LgQz7-1aTmPv192T-00o0Ng; Tue, 29 Sep 2015 04:25:20 +0200

    Received: from WIN-NPPN1JPV75J (unknown [203.145.165.99]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: jun-k-ameagari@ozzio.jp) by access03.SiriusCloud.jp (Postfix) with ESMTPSA id 8EB94300DD5E6; Sun, 11 Oct 2015 11:43:41 +0900 (JST)

    Received: from WIN-NPPN1JPV75J (212.33.107.200) by mr005msr.fastwebnet.it (8.5.140.03) (authenticated as castello.andrea@fastwebnet.it) id 5523019B0A0EC472; Tue, 29 Sep 2015 04:20:53 +0200

    Received: from WORLDST-UQ3K9Q0 (unknown [78.187.158.120]) by admin.balto.dk (Postfix) with ESMTPSA id BD4272A68094; Thu, 17 Sep 2015 06:10:47 +0200 (CEST)

    Received: from WORLDST-UQ3K9Q0 (103.252.41.128) by jenni2.inet.fi (8.5.142.08) (authenticated as ada.yli-houhala@puunkaatopalvelu.fi) id 55EEB20400134D15; Fri, 11 Sep 2015 05:39:21 +0300

    Received: from [2.51.71.85] (port=55215 helo=WORLDST-UQ3K9Q0) by server.tatamotors.es with esmtpsa (UNKNOWN:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.80)

    Received: from 193.187.0.110.ap.yournet.ne.jp ([110.0.187.193]:55996 helo=WORLDST-UQ3K9Q0) by dell83.tebilisim.com with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.85)

    Received: from [112.203.179.45] (port=52639 helo=WORLDST-UQ3K9Q0) by cpanel.24registry.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.85)

    1. Yes, your analysis is correct. Those sending the messages have access to a large number of email account user names and passwords. The links inside the spam messages also indicate the knowledge of a large number of web sites which have been compromised and used for redirects since the links included in the message are highly variable.

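As an added example (not code from the post or from any commenter), the following Python script does the kind of Received-header reading the comment above describes, for a batch of bounced messages: it parses lines in the styles quoted there (Exim "helo=", Postfix "(Authenticated sender: ...)", "(authenticated as ...)" and the qmail-style "(HELO name)"), pulls out the HELO name the client announced, the connecting IP, and the account the relay logged as authenticated, and flags the two HELO strings reported in the thread (WORLDST-UQ3K9Q0 and WIN-NPPN1JPV75J) as well as the four-letter .com HELO pattern described later in the comments. The sample headers, relay names (relay-a.example.com and so on), accounts and IPs are constructed for the example and are not from any real message.

```python
"""Triage of Received headers from bounced spoofed spam.

Added example, not code from the blog post or its commenters.  Parses
Received lines in the styles quoted in the thread, extracts the HELO name,
the connecting IP and any authenticated sender the relay logged, and flags
the HELO strings the thread reports.  All sample headers, relay names,
accounts and IPs below are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# HELO strings reported throughout the thread (September to November 2015).
KNOWN_HELO = {"WORLDST-UQ3K9Q0", "WIN-NPPN1JPV75J"}
# Later pattern described in the thread: a bare four-letter .com name as HELO.
FOUR_LETTER_COM = re.compile(r"^[a-z]{4}\.com$", re.IGNORECASE)

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
FROM_BY = re.compile(r"^\s*Received:\s*from\s+(.*?)\s+by\s+(\S+)", re.IGNORECASE | re.DOTALL)
HELO_KV = re.compile(r"\bhelo[=\s]\s*([^\s()\[\]]+)", re.IGNORECASE)  # helo=NAME or (HELO NAME)
BRACKET_IP = re.compile(r"\[(" + IPV4 + r")\]")  # [a.b.c.d] as logged by the relay
BARE_IP = re.compile(r"\b(" + IPV4 + r")\b")
AUTH_SENDER = [
    re.compile(r"Authenticated sender:\s*([^\s()]+)", re.IGNORECASE),  # Postfix
    re.compile(r"authenticated as\s+([^\s()]+)", re.IGNORECASE),       # "(authenticated as user@dom)"
    re.compile(r"\(([^\s()]+@[^\s()@]+)@" + IPV4 + r"\)"),             # qmail-style (user@dom@ip)
]
AUTH_PROTO = re.compile(r"\bwith\s+esmtps?a\b", re.IGNORECASE)  # trailing A means SMTP AUTH was used


@dataclass
class ReceivedInfo:
    relay: str                   # server that accepted the message ("by ...")
    helo: Optional[str]          # name the client announced
    client_ip: Optional[str]     # connecting address as the relay logged it
    auth_sender: Optional[str]   # account used to authenticate, when the relay logged it
    authenticated: bool          # submission used SMTP AUTH
    reasons: List[str]           # why this hop matches the pattern discussed in the thread


def parse_received(header: str) -> Optional[ReceivedInfo]:
    """Parse one Received header (folded lines allowed); None if not in from/by form."""
    text = " ".join(header.split())  # unfold continuation lines
    m = FROM_BY.match(text)
    if not m:
        return None
    from_clause, relay = m.group(1), m.group(2)

    kv = HELO_KV.search(from_clause)
    tokens = from_clause.split()
    if kv:
        helo = kv.group(1)
    elif tokens and not tokens[0].startswith("[") and tokens[0].lower() != "unknown":
        helo = tokens[0]  # Postfix and similar log the HELO name first
    else:
        helo = None

    ip_match = BRACKET_IP.search(from_clause) or BARE_IP.search(from_clause)
    client_ip = ip_match.group(1) if ip_match else None

    auth_sender = None
    for pattern in AUTH_SENDER:
        found = pattern.search(text)
        if found:
            auth_sender = found.group(1)
            break
    authenticated = auth_sender is not None or AUTH_PROTO.search(text) is not None

    reasons = []
    if helo in KNOWN_HELO:
        reasons.append(f"HELO {helo} matches a string reported in the thread")
    elif helo and FOUR_LETTER_COM.match(helo):
        reasons.append(f"HELO {helo} matches the later four-letter .com pattern")
    if reasons and authenticated:
        reasons.append(f"submitted with SMTP AUTH through {relay}: the credentials belong to an account there, not to the From: address")
    return ReceivedInfo(relay, helo, client_ip, auth_sender, authenticated, reasons)


def triage(headers: List[str]) -> List[ReceivedInfo]:
    """Return only the hops that match the pattern, for a quick summary of a batch of bounces."""
    parsed = (parse_received(h) for h in headers)
    return [info for info in parsed if info is not None and info.reasons]


# Constructed samples in the styles quoted in the thread; not taken from real messages.
SAMPLE_HEADERS = [
    "Received: from host-1.dyn.example.net ([192.0.2.10] helo=WIN-NPPN1JPV75J)\n"
    "\tby relay-a.example.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.85)",
    "Received: from WIN-NPPN1JPV75J (unknown [198.51.100.7])\n"
    "\t(Authenticated sender: user1@example.org)\n"
    "\tby relay-b.example.jp (Postfix) with ESMTPSA id 0123456789AB",
    "Received: from WORLDST-UQ3K9Q0 (203.0.113.5) by relay-c.example.fi (8.5.142.08)\n"
    "\t(authenticated as user2@example.fi) id 0123456789ABCDEF",
    "Received: from unknown (HELO WIN-NPPN1JPV75J) (user3@example.net@192.0.2.77)\n"
    "\tby relay-d.example.com with (DHE-RSA-AES256-GCM-SHA384 encrypted) SMTP",
    "Received: from bzsm.com (unknown [203.0.113.41])\n"
    "\tby relay-e.example.hr (Postfix) with ESMTPSA id 0123456789AC",
    "Received: from mx1.example.org (mx1.example.org [198.51.100.20])\n"  # ordinary server-to-server hop
    "\tby inbound.example.com (Postfix) with ESMTPS id 0123456789AD",
]

if __name__ == "__main__":
    for info in triage(SAMPLE_HEADERS):
        print(f"{info.relay}: helo={info.helo} ip={info.client_ip} auth={info.auth_sender}")
        for reason in info.reasons:
            print("   -", reason)
```

Run it directly to print a summary of the constructed samples; in practice the headers come from the bounced copies that correspondents forward back. As comment 26 below notes, the line to examine is the bottom-most Received header, which records the hop where the spammer's client met the first relay; the headers above it were added by servers further along the path. The last of the samples is an ordinary server-to-server hop and is left unflagged, so the filter can be checked against normal traffic as well.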
  12. I saw the problem on the domain @eykel.nl

  13. @msmithfamily.com has the problem. It started 09/07. WIN-NPPN1JPV75J

  14. Hello.

    Is anybody still affected by the sending of spam mails? My last wave was on the 16th of Oct. Before there was a wave every 3-4 days.
    Even though nobody has a clue about the cause of the attack, it is at least pleasant that it stopped...

    greetings

    Marcel

    1. More than eight months on, there are many hundreds of people whose addresses are still being periodically attached to outgoing spam.

  15. Hi Marcel,

    My last wave was also sent on October 16th. It's been quiet for 12 days now. I hope it stopped forever.

    Frank

    1. Another wave on 28 October at 7.37 pm. Damn.....

      Greetings, Frank

    2. I am still clean... *fingerscrossed*

      Marcel

    3. I'm sorry to report that I have not yet become aware of a case for which this problem has stopped. You should work under the assumption that it will not and that spam messages will be sent to your correspondents several times a month at irregular intervals. Therefore, you may want to establish a new email address, one with a good strong password and two-factor authentication turned on in the account, and let your correspondents know that all emails from your old address are fraudulent.

  16. Thanks for the answer. Yes, as you said, I cheered too early. This morning a new wave arrived. I will search for a new e-mail provider with two-factor authentication. I also have a Google mail account, but personally I don't like to use it so much...

    Marcel

  17. ^ Two-step doesn't resolve it. We've switched servers and enabled DKIM and SPF records, which stopped the spam for about a month. Now they are sending back out.

  18. Received: from unknown (HELO WIN-NPPN1JPV75J) (rreyes@wtxs.net@109.121.60.254)
    by mailhub0.ispdone.com with (DHE-RSA-AES256-GCM-SHA384 encrypted) SMTP
    (236ab43a-8585-11e5-9462-001a4bbf2de8); Sat, 07 Nov 2015 13:24:28 -0600

    Affected Domain: foxwerk.de
    Mail-Hoster: STRATO.DE

  19. These spoofed emails have been sent from perhaps 10 of us in the same office for some time now. They are not really coming from 10 of us, but the display names are from a number of different people, including one that has not been active for 2+ years. It does seem like they got an address book; it must have been limited though. While I do receive them, so far my name has not been used as a 'sender'. Not everyone the sender (the name under the display name) would have in their address book is receiving the spam. Are they just selecting a few to send to out of many? Did they hack a device that only had a few of the addresses rather than our usual (shared) main contact list, i.e. a phone that was used occasionally after hours for work email as opposed to the email client at the office?

    It was quiet, but I received a new batch 'from them' today.

  20. Have been getting my email spoofed for months now. About 5 attacks so far. People I know are getting pissed, but not much I can do about it save for telling them to block me, and making a new email. Spoken to my provider - they have no suggestions but to say "it will stop eventually". Not so convinced.

    @telus.net - Alberta, Canada. Provider: Telus.

    WIN-NPPN1JPV75J

  21. One of our family email accounts has been having this problem since October-ish. A new batch was sent just this morning. We've tightened up our SPF record and that's helped manage some of the noise for the recipients.

    With regards to how the spammer got these addresses, we're very puzzled. It isn't a standard address book hack as many/most of the addresses aren't in the address book. It seems to be a harvest of the mail file as it includes email addresses for mailing lists and others which the user never sent any email to. I checked the IPs of everyone who accessed the user's account and they're completely ours. The user's system is protected by a current firewall/anti-virus package.

    A possible weak link is the user's iPhone. It seems to me this started happening around the time that Apple identified a compromised version of Xcode was in the wild. Coincidence?

    1. Indeed, it is definitely not a standard address book hack. Addresses will have been harvested that are years old, that may no longer function, to which you have never sent email, and that belong to automated systems.

      On the iPhone, does the user read mail with web mail (rather than an email app), and if so, on the web browser, might it be the case that cookies are turned off?

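Comments 10, 17 and 21 mention setting up or tightening SPF and adding DKIM, and the reply to comment 10 explains why the From address is a forgery: the message is submitted through someone else's authenticated account, so the connecting IP belongs to that other provider, not to the domain shown in From. The following Python, an added example rather than code from the post or from any commenter, evaluates an SPF record offline against such a connecting IP to show what a receiving server that checks SPF would see. The records live in a constructed dictionary standing in for DNS TXT lookups; the domain names (victim.example and so on) and the IPs are documentation placeholders; only the ip4, ip6, include and all mechanisms are modelled; and the simplified DMARC check assumes strict alignment, no DKIM, and a policy passed in as a parameter instead of read from a _dmarc record.

```python
"""Offline SPF and simplified DMARC evaluation for a spoofed message.

Added example, not code from the blog post.  Real evaluation looks up TXT
records in DNS; here a constructed dictionary stands in for DNS so the
script runs offline.  Domain names are placeholders and the IPs come from
the documentation ranges.
"""
import ipaddress
from typing import Dict

# Constructed TXT records standing in for DNS.  victim.example is the domain
# being spoofed: it lists its own outbound range plus an include for a hosted
# mail provider, and ends with a hard fail.
ZONE: Dict[str, str] = {
    "victim.example": "v=spf1 ip4:198.51.100.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:203.0.113.10 ip4:203.0.113.11 ~all",
    "loose.example": "v=spf1 ip4:198.51.100.0/24 ~all",  # soft fail only
    "open.example": "v=spf1 +all",                       # anything passes
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # offline stand-in for the RFC 7208 limit on DNS-querying terms


def check_spf(domain: str, client_ip: str, zone: Dict[str, str] = ZONE, depth: int = 0) -> str:
    """Return the SPF result for mail from client_ip claiming the given domain.

    Models the ip4, ip6, include and all mechanisms with their qualifiers.
    Mechanisms that need further DNS (a, mx, ptr, exists) yield permerror
    here, and modifiers such as redirect= or exp= are skipped.
    """
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = zone.get(domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        if "=" in term:
            continue  # modifier, not a mechanism
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == network.version and ip in network
        elif name == "include":
            # include matches only when the included domain's record passes
            matched = check_spf(arg, client_ip, zone, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted with no match


def dmarc_verdict(from_domain: str, mail_from_domain: str, client_ip: str,
                  policy: str = "reject", zone: Dict[str, str] = ZONE) -> str:
    """Simplified DMARC: SPF only, strict alignment, no DKIM.

    The SPF result counts for DMARC only when the domain it was evaluated
    for (the envelope MAIL FROM) is the same as the domain in the From:
    header the recipient sees.  `policy` is an assumption standing in for
    the p= tag of the domain's _dmarc TXT record.
    """
    spf = check_spf(mail_from_domain, client_ip, zone)
    aligned = mail_from_domain.lower() == from_domain.lower()
    if spf == "pass" and aligned:
        return "pass"
    return policy


if __name__ == "__main__":
    # The spoofed message: From: someone@victim.example, submitted through a
    # compromised account at another provider whose relay sits at 192.0.2.10.
    spoofed_ip = "192.0.2.10"
    print("SPF, victim.example from", spoofed_ip, "->", check_spf("victim.example", spoofed_ip))
    print("SPF, loose.example from", spoofed_ip, "->", check_spf("loose.example", spoofed_ip))
    print("SPF, victim.example from its own relay ->", check_spf("victim.example", "198.51.100.25"))
    # Envelope sender is the compromised account's domain, header From is the victim:
    print("DMARC ->", dmarc_verdict("victim.example", "open.example", spoofed_ip))
```

The records make the point the commenters found in practice: a "-all" record turns the spoofed submission into an SPF fail at receivers that check it, "~all" only softfails, and neither changes anything at receivers that do not evaluate SPF. SPF is also evaluated against the envelope sender, which the spammer controls; when that is the compromised account's own domain, SPF passes, and only the DMARC alignment check against the From: domain the recipient actually sees catches the mismatch.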
  22. whale-rock.com hosted by 1and1.com

  23. @index.hu has it too. It started around last October (2015).

  24. Thank you, Wrock, and I also read Evil Security's posts. This has been bordering on a total nightmare for me since August. I'm at least able to explain to people why I'm seemingly "spam bombing" the world when it happens. This one also posts to forums and subscribed Facebook groups of affected email address owners, but in my case, only if my machine is on. (I have only experienced this going on with Facebook. I noticed forums and user groups having this unknown spam posting by Googling "Fw: New Message" "Spam".)

  25. As I type this, I'm watching the bounce backs from the current wave climb over 1000 on my phone. Since Evil Security identified the offender, what can be done to go after the guy?

    1. Ask your correspondents who are receiving the spam to report it to the Federal Trade Commission as described here: https://www.consumer.ftc.gov/articles/0038-spam#report
      The Federal Trade Commission has recently settled a lawsuit against one group which was sending this kind of spam and is returning millions of dollars to people who visited the web sites in the spam links and were scammed: https://www.ftc.gov/news-events/press-releases/2016/02/court-settlement-bars-weight-loss-pill-merchants-deceptive

  26. We have what seems like the same problem, but the bottom-most "received" line doesn't indicate WORLDST-UQ3K9Q0 or WIN-NPPN1JPV75J, rather:
    Received: from bzsm.com (unknown [189.127.226.41])
    by mail.btnet.hr (Postfix) with ESMTPSA id B6665442FD8;
    Wed, 27 Apr 2016 00:29:15 +0200 (CEST)
    Could this be the same thing, perhaps done by a different person/machine/whatever?

    1. Yes, definitely. The pattern where the HELO string WORLDST-UQ3K9Q0 was in the headers persisted through late September 2015, followed by WIN-NPPN1JPV75J for a number of weeks in October 2015 and early November. More recently, the headers look like the example you give, with a four-letter .com domain name. Your example is bzsm.com. If you look up bzsm.com on the ICANN domain-name registration web site at

      https://whois.icann.org

      you'll find that the domain is registered to "Xiamen PrivacyProtection Service Co. Ltd." In general, legitimate domains don't need any "privacy protection" since they are not up to things and don't mind people knowing their email address and telephone number!

      What is your email provider, if you don't mind sharing that information?


Comments are welcome in all languages.