Updated: Sunday, October 25, to include guess of countries for each domain.
Updated: Sunday, May 1, to include more domain listings, many submitted by readers.
Updated: Sunday, May 29 to include additional domains.
The email spoofing described in the article linked below (Email sent under my name not from me with a subject such as "Fw: important" or "Fw: read this" or "Fw: new message") uses targeted lists of addresses for spam distribution. Users of many different kinds of email addresses in many countries have reported this problem.
If you have been affected by this problem, and the last part of your email address is not shown below, then please consider submitting it for inclusion into the list by entering a comment below. I will update this list until a point where managing the list becomes too time consuming because there are a very large number of entries.
If the last part of your email address is a custom one, for hosting, then please also specify which company provides the hosting.
Based on a sample of more than 850 addresses known to be experiencing this problem, I have compiled a list of the 15 email address types with the most cases. Table 1 below lists the domains in order of decreasing number of cases.
Table 1. Fifteen domains with the most cases
Domain | Note |
yahoo.com | Known to have had a data breach |
gmx.de | |
ntlworld.com | |
free.fr | |
talktalk.net | Known to have had a data breach |
web.de | |
comcast.net | Known to have had a data breach |
orange.fr | |
tiscali.co.uk | Known to have had a data breach |
tiscali.it | |
virgin.net | |
blueyonder.co.uk | |
virgilio.it | |
charter.net | |
mail.com | |
Table 2. French Internet Providers Known to Have Cases
Name | Domain | Examples |
Groupe Iliad, Free | @free.fr | Example with headers |
| @numericable.fr | |
Orange | @orange.fr @wanadoo.fr | Example with headers Second example with headers |
Société Française du Radiotéléphone - SFR | @cegetel.net @club-internet.fr @sfr.fr | |
Table 3. German and Austrian Internet Providers Known to Have Cases
Name | Domain | Examples |
| @arcor.de | Case with partial headers |
A1 Telekom Austria | @aon.at | Blog example Facebook example |
Deutsche Telekom | @t-online.de | Example with headers Discussion of cases, August 2015 |
freenet | @freenet.de | Facebook example Case report with bounceback message |
united internet, 1&1 Mail & Media | @gmx.at @gmx.de @web.de | Example with headers Second example with headers Third example with headers |
Table 4. British Internet Providers Known to Have Cases
Name | Domains | Examples |
TalkTalk | @lineone.net @talktalk.net @tinyworld.co.uk @tiscali.co.uk | Example with headers Mailing list example |
Liberty Global, Virgin Media | @blueyonder.co.uk @ntlworld.co.uk @virgin.com @virginmedia.com | Partial list of reported cases Example with headers Second example with headers |
Table 5. Belgian Internet Providers Known to Have Cases
Name | Domains | Examples |
Liberty Global, Telenet | @telenet.be | Discussion of cases since September 2015 |
Proximus | @skynet.be | Example with headers |
Table 6. Dutch Internet Providers Known to Have Cases
Name | Domains | Examples |
Liberty Global, Ziggo | @home.nl @ziggo.nl | Discussion of four cases |
| @dds.nl | |
Table 7. Danish Internet Providers Known to Have Cases
Name | Domains | Examples |
one.com | Domains hosted by one.com | |
Table 8. Swiss Internet Providers Known to Have Cases
Name | Domains | Examples |
Swisscom | @bluemail.ch @bluewin.ch | Case with partial headers Facebook example |
Table 9. North American Universities and Colleges Known to Have Cases
Name | Domain | Examples |
Arkansas Northeastern College | @smail.anc.edu | |
Brown University | @alumni.brown.edu | Example Second Example |
California State University, Dominguez Hills | @toromail.csudh.edu | |
Carnegie Mellon University, School of Computer Science | @cs.cmu.edu | |
Clemson University | @g.clemson.edu | |
College of Lake County, Illinois | @stu.clcillinois.edu | |
Fairleigh Dickinson University | @student.fdu.edu | |
Georgetown University | @georgetown.edu | |
Harrisburg Area Community College | @hawkmail.hacc.edu | Example with partial headers |
Kansas State University | @ksu.edu | Example Second Example |
Miami Dade College | @mymdc.net | Discussion of case |
Seminole State College of Florida | @live.seminolestate.edu | |
State University of New York at Oswego | @oswego.edu | Mailing list example |
University of Alabama | @crimson.ua.edu | Blog example |
Virginia Community Colleges | @email.vccs.edu | |
Valparaiso University | @valpo.edu | |
West Virginia University | @mix.wvu.edu | |
Wilfrid Laurier University | @mylaurier.ca | |
Willamette University | @willamette.edu | Explanation from IT Office |
York College | @york.edu | |
Table 10. Canadian Internet Providers Known to Have Cases
Name | Domain | Examples |
Bell Canada | @islandtelecom.com @nbnet.nb.ca @nb.sympatico.ca @northwestel.net @pei.sympatico.ca | |
eastlink | @eastlink.ca | Mailing list example |
Rogers Communications | @rogers.com | Example with headers Mailing list example Another mailing list example |
Shaw Communications | @shaw.ca | Blog example Mailing list example |
TELUS Corporation | @telus.net | Mailing list example |
Vidéotron | @videotron.ca | |
Xplornet | @xplornet.ca @xplornet.com | |
Table 11. Italian Internet Providers Known to Have Cases
Name | Domain | Examples |
Italiaonline | @libero.it @virgilio.it | Mailing list example |
Tiscali Italia | @tiscali.it | |
Table 12. Japanese Internet Providers Known to Have Cases
Name | Domain | Examples |
SoftBank | @i.softbank.jp | Blog example |
Yahoo! Japan Corporation | @yahoo.co.jp @ybb.ne.jp | |
Table 13. Yahoo Domains Known to Have Cases
Country | Domain |
Australia | @yahoo.com.au |
Brazil | @yahoo.com.br |
France | @yahoo.fr |
Germany | @yahoo.de |
Singapore | @yahoo.com.sg |
United States | @rocketmail.com @yahoo.com |
Vietnam | @yahoo.com.vn |
Table 14. Domains in the United States Known to Have Cases
Name | Domain | Examples |
1&1 Mail & Media | @email.com @myself.com @post.com @priest.com @usa.com @witty.com @writeme.com | Example with headers |
AT&T | @att.net | Mailing list example |
Buckeye Cablevision | @bex.net @buckeye-express.com | |
Charter Communications | @charter.net @suddenlink.net | Example with headers |
Comcast | @comcast.net | Example with partial headers Mailing list example Article about Comcast Address Lists |
Earthlink | @earthlink.net | |
ViaSat Communications, Wildblue | @wildblue.net | |
Windstream Communications | @windstream.net | |
Table 15. Polish Domains Known to Have Cases
Name | Domain | Examples |
AZ | @wp.pl | |
Grupa Interia | @interia.pl @poczta.fm | Facebook example |
Grupa Onet | @onet.pl @op.pl @vp.pl | |
Table 16. Australian Domains Known to Have Cases
Name | Domain | Examples |
Aussie Broadband | @westvic.com.au | Mailing list example |
iinet | @netspace.net.au | Mailing list example Another mailing list example |
Westnet Pty Ltd | @westnet.com.au | Known data breach, http://www.smh.com.au/digital-life/consumer-security/more-than-30000-iinet-customer-passwords-hacked-20150609-ghjmo2.html |
Also bluewin.ch is used for sending emails with "WORLDST-UQ3K9Q0" in the header.
Thank you very much for the new email address type. I've added it to the list.
@dds.nl
In my case it started on 22 September 2015
Martin
@freenet.de
Thank you for collecting the data. Before I found your blog, I was pretty unsure whether my PC and smartphone were infected or not, because none of the many scanners found anything.
Spam waves have been arriving every ~3 days since 22nd Sept. I have both in my headers, WORLDST-UQ3K9Q0 and WIN-NPPN1JPV75J.
Marcel
In my humble opinion, each of these spam mails has a repetition cycle of 7 days, so if you receive both of them it seems like "spam waves arriving every ~3 days".
You can see examples of the intervals between spam waves in the cases reported here:
https://docs.google.com/spreadsheets/d/1zcVGW18r9CyUAeEOmGRGWnvUPnZuqmYSUkg1f8Q6GuM/pubhtml
Thank you very much for the additional email types. I have added them to the list.
I don't know if this is in any way helpful, but... I think my IMAP account got hit & run and that has caused the spam waves. The source emails for the sent-to addresses are all from my IMAP folders; I archive most of my correspondence to local Outlook folders regularly, and some random emails get forgotten. Some addresses I have used only once, some being as old as 2008, ranging to summer 2015. Many of those addresses are not in my address book at all. No significant malware or viruses have been found on my computers or Samsung phone.
Indeed, many people report the use of addresses which are several years old, some of which may no longer exist. It may be useful to determine the newest address and look for even newer addresses which have not been used. By this method, you may be able to determine a range of dates when the addresses were collected. To do this thoroughly, you may need to write to the recipients of the messages so that they can send back examples with the list of addresses so that you can piece together a full list of recipients. The recipient lists are always alphabetized by display name and a typical message contains quite a few email addresses.
The domain @vanderstaak.net is used to send these spam messages. It started on September 22nd. In each message the domain is spoofed by WORLDST-UQ3K9Q0 or WIN-NPPN1JPV75J.
Frank
Thank you, Frank. I've added your domain. September 22nd was a common date for this problem to start for many people.
I had an @aon.at email a long time ago which is now doing this. I have spam emails from the aon.at address that go back to at least September 29 that have WIN-NPPN1JPV75J in the header.
I don't know of any examples of WIN-NPPN1JPV75J before 29 September or examples of WORLDST-UQ3K9Q0 after 29 September.
I encountered this problem 4 months ago.
Two weeks ago it was WORLDST-UQ3K9Q0
This morning WIN-NPPN1JPV75J
@changnoy.nl
This morning I had a new series after I changed my TXT file which was the solution my provider told me to do.
Last time the emails were sent from the US.
This morning they were sent from New Zealand.
I have contacted the provider and I have no idea what to do next.
Any suggestions?
Were these emails a problem four months ago? It seems more likely that you might have meant four weeks ago, since this particular kind of email spoofing seems to have first become common in August.
Yes, certainly change the password to your email account to a good long complicated password which does not contain any words in any language, forwards or backwards.
If your email provider offers two-factor authentication, like Google does, then turn two-factor authentication on.
If you used the password to your email on any other account at any time, then also change the password there and make the passwords different from your new email password.
If you are synchronizing your email contents to any other application, turn the synchronization off. For example, LinkedIn has a feature to synchronize email to your LinkedIn account.
We know that this problem can continue for any given person for more than a month with periodic rounds of email sent at irregular intervals. If that would be a problem, then consider obtaining a new email address and letting your correspondents know that you have a new address. For example, I have not seen any examples yet of this problem from a Google Gmail account.
This is the third time in about a month that this has happened to me. Just got a bunch of NDRs overnight, all with the source of WIN-NPPN1JPV75J. I too changed my password, told the rest of my organization to change their passwords, scanned my PC, thought about taking my new smartphone back, set up extra SPF records, etc. I'm glad this is a spoof and not a hack; just wish there was something someone could do about it.
@orion-net.com
The emails which are sent are certainly spoofed. The from address is added incorrectly, so that the emails appear to be from you even though the email account used to send the messages belongs to someone else. On the other hand, since the list of email recipients appears to come from the contents of the email account of the person affected, this problem is not benign and indicates that a personal group of email addresses has been shared and stored.
From these headers, I'm under the impression that spammers are using compromised workstations around the globe to send the spam. You'll notice that some of these were sent using authenticated creds.
Received: from node-4t1.pool-125-27.dynamic.totbb.net ([125.27.24.85] helo=WIN-NPPN1JPV75J) by srv2.letzgohost.be with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.85)
Received: from WIN-NPPN1JPV75J ([90.154.215.201]) by mrelayeu.kundenserver.de (mreue001) with ESMTPSA (Nemesis) id 0LgQz7-1aTmPv192T-00o0Ng; Tue, 29 Sep 2015 04:25:20 +0200
Received: from WIN-NPPN1JPV75J (unknown [203.145.165.99]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: jun-k-ameagari@ozzio.jp) by access03.SiriusCloud.jp (Postfix) with ESMTPSA id 8EB94300DD5E6; Sun, 11 Oct 2015 11:43:41 +0900 (JST)
Received: from WIN-NPPN1JPV75J (212.33.107.200) by mr005msr.fastwebnet.it (8.5.140.03) (authenticated as castello.andrea@fastwebnet.it) id 5523019B0A0EC472; Tue, 29 Sep 2015 04:20:53 +0200
Received: from WORLDST-UQ3K9Q0 (unknown [78.187.158.120]) by admin.balto.dk (Postfix) with ESMTPSA id BD4272A68094; Thu, 17 Sep 2015 06:10:47 +0200 (CEST)
Received: from WORLDST-UQ3K9Q0 (103.252.41.128) by jenni2.inet.fi (8.5.142.08) (authenticated as ada.yli-houhala@puunkaatopalvelu.fi) id 55EEB20400134D15; Fri, 11 Sep 2015 05:39:21 +0300
Received: from [2.51.71.85] (port=55215 helo=WORLDST-UQ3K9Q0) by server.tatamotors.es with esmtpsa (UNKNOWN:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.80)
Received: from 193.187.0.110.ap.yournet.ne.jp ([110.0.187.193]:55996 helo=WORLDST-UQ3K9Q0) by dell83.tebilisim.com with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.85)
Received: from [112.203.179.45] (port=52639 helo=WORLDST-UQ3K9Q0) by cpanel.24registry.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.85)
Yes, your analysis is correct. Those sending the messages have access to a large number of email account user names and passwords. The links inside the spam messages also indicate the knowledge of a large number of web sites which have been compromised and used for redirects since the links included in the message are highly variable.
I saw the problem on the domain @eykel.nl
@msmithfamily.com has the problem. It started 09/07. WIN-NPPN1JPV75J
Hello.
Is anybody still affected by the sending of spam mails? My last wave was on the 16th of Oct. Before that there was a wave every 3-4 days.
Even though nobody has a clue about the cause of the attack, it is at least pleasant that it stopped...
greetings
Marcel
More than eight months on, there are many hundreds of people whose addresses are still being periodically attached to outgoing spam.
Hi Marcel,
My last wave was also sent on October 16th. It's been quiet for 12 days now. I hope it stopped forever.
Frank
Another wave on 28 October, 7.37 pm. Damn.....
Greetings, Frank
I am still clean... *fingerscrossed*
Marcel
I'm sorry to report that I have not yet become aware of a case for which this problem has stopped. You should work under the assumption that it will not and that spam messages will be sent to your correspondents several times a month at irregular intervals. Therefore, you may want to establish a new email address, one with a good strong password and two-factor authentication turned on in the account, and let your correspondents know that all emails from your old address are fraudulent.
Thanks for the answer. Yes, as you said, I cheered too early. Today in the morning a new wave arrived. I will search for a new email provider with two-factor authentication. I also have a Google mail account but personally I don't like to use it so much...
Marcel
^ Two-step doesn't resolve it. We've switched servers, enabled DKIM and SPF records which stopped the spam for about a month. Now they are sending back out.
Received: from unknown (HELO WIN-NPPN1JPV75J) (rreyes@wtxs.net@109.121.60.254)
  by mailhub0.ispdone.com with (DHE-RSA-AES256-GCM-SHA384 encrypted) SMTP
  (236ab43a-8585-11e5-9462-001a4bbf2de8); Sat, 07 Nov 2015 13:24:28 -0600
Affected Domain: foxwerk.de
Mail-Hoster: STRATO.DE
These spoofed emails have been sent from perhaps 10 of us in the same office for some time now. Not really coming from 10 of us, but with the display name of a number of different people, including one who has not been active for 2+ years. It does seem like they got an address book. It must have been limited, though. While I do receive them, so far my name has not been used as a 'sender'. Not everyone the sender (the name under the display name) would have in their address book is receiving the spam. Are they just selecting a few to send to out of many? Did they hack a device that only had a few of the addresses rather than our usual (shared) main contact list? I.e. a phone that was used occasionally after hours for work email as opposed to the email client at the office.
It was quiet, but I received a new batch 'from them' today
Have been getting my email spoofed for months now. About 5 attacks so far. People I know are getting pissed, but not much I can do about it save for telling them to block me, and making a new email. Spoken to my provider - they have no suggestions but to say "it will stop eventually". Not so convinced.
@telus.net - Alberta, Canada. Provider: Telus.
WIN-NPPN1JPV75J
One of our family email accounts is having this problem since October-ish. A new batch was sent just this morning. We've tightened up our SPF record and that's helped manage some of the noise for the recipients.
With regards to how the spammer got these addresses, we're very puzzled. It isn't a standard address book hack, as many/most of the addresses aren't in the address book. It seems to be a harvest of the mail file, as it includes email addresses for mailing lists and others which the user never sent any email to. I checked the IPs of everyone who accessed the user's account and they're completely ours. The user's system is protected by a current firewall/anti-virus package.
A possible weak link is the user's iPhone. It seems to me this started happening around the time that Apple identified a compromised version of Xcode was in the wild. Coincidence?
Indeed, it is definitely not a standard address book hack. Addresses will have been harvested that are years old, that may no longer function, to which you have never sent email, and that belong to automated systems.
On the iPhone, does the user read mail with web mail (rather than an email app), and if so, in the web browser, might it be the case that cookies are turned off?
whale-rock.com hosted by 1and1.com
@index.hu has it too. It started around last October (2015).
Thank you, Wrock, and I also read Evil Security's posts. This has been bordering on total nightmare for me since August. I'm at least able to explain to people why I'm seemingly "spam bombing" the world when it happens. This one also posts to forums and subscribed Facebook groups of affected email address owners, but in my case, only if my machine is on. (I have only experienced this going on with Facebook. I noticed forums and user groups having this unknown spam posting by Googling "Fw: New Message" "Spam".)
As I type this, I'm watching the bounce backs from the current wave climb over 1000 on my phone. Since Evil Security identified the offender, what can be done to go after the guy?
Ask your correspondents who are receiving the spam to report it to the Federal Trade Commission as described here: https://www.consumer.ftc.gov/articles/0038-spam#report
The Federal Trade Commission has recently settled a lawsuit against one group which was sending this kind of spam and is returning millions of dollars to people who visited the web sites in the spam links and were scammed: https://www.ftc.gov/news-events/press-releases/2016/02/court-settlement-bars-weight-loss-pill-merchants-deceptive
We have what seems like the same problem, but the bottom-most "received" line doesn't indicate WORLDST-UQ3K9Q0 or WIN-NPPN1JPV75J, rather:
Received: from bzsm.com (unknown [189.127.226.41])
  by mail.btnet.hr (Postfix) with ESMTPSA id B6665442FD8;
  Wed, 27 Apr 2016 00:29:15 +0200 (CEST)
Could this be the same thing, perhaps done by a different person/machine/whatever?
Yes, definitely. The pattern where the HELO string WORLDST-UQ3K9Q0 was in the headers persisted through late September 2015, followed by WIN-NPPN1JPV75J for a number of weeks in October 2015 and early November. More recently, the headers look like the example you give with a four-letter .com domain name. Your example is bzsm.com. If you look up bzsm.com on the ICANN domain-name registration web site at
https://whois.icann.org
you'll find that the domain is registered to "Xiamen PrivacyProtection Service Co. Ltd." In general, legitimate domains don't need any "privacy protection" since they are not up to things and don't mind people knowing their email address and telephone number!
What is your email provider, if you don't mind sharing that information?
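The header analysis in the comments above (the Exim "helo=", Postfix "Authenticated sender", Sendmail-style "authenticated as" and qmail "(HELO name)" shapes, and the later four-letter .com variant such as bzsm.com) can be automated. The following is an added example, not code from the post or its commenters: it parses one Received line into HELO name, client IP and SMTP AUTH evidence, picks the bottom-most Received header as the injection point, and flags the HELO patterns reported on this page. Sample headers are constructed with RFC 5737 addresses and example.* hosts; only the HELO strings and bzsm.com come from the page.

```python
# Added example (not from the post or its commenters). Constructed samples use RFC 5737
# addresses and example.* hosts; only the HELO strings and bzsm.com come from this page.
import re
from dataclasses import dataclass, field
from typing import List, Optional

KNOWN_HELO = {"WORLDST-UQ3K9Q0", "WIN-NPPN1JPV75J"}     # 2015 waves, per the comments
FOUR_LETTER_COM = re.compile(r"^[a-z]{4}\.com$", re.I)  # 2016 variant, e.g. bzsm.com
_HELO_KW = re.compile(r"\bhelo[= ]([^\s)]+)", re.I)     # Exim "helo=X", qmail "(HELO X)"
_FROM_TOKEN = re.compile(r"^(?:Received:\s*)?from\s+(\S+)", re.I)
_BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_BARE_IP = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
_AUTH_USER = re.compile(r"authenticated (?:as|sender):?\s*([^\s)]+)", re.I)   # Sendmail/Postfix
_QMAIL_AUTH = re.compile(r"\(([^\s()@]+@[^\s()@]+)@\d{1,3}(?:\.\d{1,3}){3}\)")  # "(user@dom@ip)"

@dataclass
class Hop:
    helo: Optional[str]
    ip: Optional[str]
    authenticated: bool              # ESMTPSA or an explicit authenticated-user marker
    auth_user: Optional[str]
    reasons: List[str] = field(default_factory=list)

def parse_received(line: str) -> Hop:
    """Pull HELO name, client IP and SMTP AUTH evidence out of one Received header."""
    line = " ".join(line.split())    # unfold continuation lines
    m = _HELO_KW.search(line)
    helo = m.group(1) if m else None
    if helo is None:                 # otherwise the token after "from" is what the client said
        m = _FROM_TOKEN.match(line)
        tok = m.group(1) if m else None
        if tok and not tok.startswith("[") and tok.lower() != "unknown":
            helo = tok
    m = _BRACKET_IP.search(line) or _BARE_IP.search(line)
    ip = m.group(1) if m else None
    m = _AUTH_USER.search(line) or _QMAIL_AUTH.search(line)
    auth_user = m.group(1) if m else None
    authenticated = auth_user is not None or bool(re.search(r"\besmtpsa\b", line, re.I))
    hop = Hop(helo, ip, authenticated, auth_user)
    if helo in KNOWN_HELO:
        hop.reasons.append("HELO matches a campaign workstation name")
    elif helo and FOUR_LETTER_COM.match(helo):
        hop.reasons.append("HELO is a four-letter .com name (2016 variant)")
    if hop.reasons and authenticated:
        hop.reasons.append("submitted with SMTP AUTH: the relay account is likely compromised")
    return hop

def originating_hop(received_headers: List[str]) -> Hop:
    """Each MTA prepends its own Received line, so the last one is the injection point."""
    return parse_received(received_headers[-1])

# Constructed: a clean relay hop on top of a Postfix submission hop like those quoted above.
SAMPLE_HEADERS = [
    "Received: from mail.example.org (mail.example.org [198.51.100.7]) by mx.example.net (Postfix) "
    "with ESMTPS id 1A2B3C; Tue, 29 Sep 2015 04:30:00 +0200",
    "Received: from WIN-NPPN1JPV75J (unknown [203.0.113.45]) (Authenticated sender: user@example.org) "
    "by mail.example.org (Postfix) with ESMTPSA id 9F8E7D; Tue, 29 Sep 2015 04:25:20 +0200",
]
EXIM_SAMPLE = ("Received: from [192.0.2.10] (port=55215 helo=WORLDST-UQ3K9Q0) by srv.example.net "
               "with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.85)")
QMAIL_SAMPLE = ("Received: from unknown (HELO WIN-NPPN1JPV75J) (alice@example.net@198.51.100.23) "
                "by mailhub.example.com with (DHE-RSA-AES256-GCM-SHA384 encrypted) SMTP")
VARIANT_SAMPLE = ("Received: from bzsm.com (unknown [203.0.113.77]) by mail.example.hr (Postfix) "
                  "with ESMTPSA id B6665; Wed, 27 Apr 2016 00:29:15 +0200 (CEST)")
```

Running `originating_hop` over the Received lines of a bounced copy tells the affected user which relay account the spammer authenticated to, which is the mail provider's abuse contact to notify rather than their own.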