E-Mail from MXroute - E-Mail Accounts compromised?

Hello dear folks,

today at 3 am I got an email from MXroute stating that they had received a report from Spamhaus that my email accounts (master@*** and noreply@***) had been compromised and that I should change the passwords of my email accounts immediately, which I then did. Did this also happen to others?

Please find attached the email from Spamhaus, which was linked in MXroute's ticket:

Good morning/afternoon

Recently, multiple botnets involved with ransomware were taken
down[1]. Spamhaus is working with various law enforcement agencies
to help remediate compromised accounts[2]. We are contacting you
because we believe that some of the compromised accounts are
attached to email or Active Directory accounts on
quickpacket.com's network - so urgent action is requested.

What action do you need to take?

- The only action requested is to change the passwords for all
the affected accounts.
- This is urgent - please do this as quickly as possible. These
breached accounts may have been shared with other criminals for use with
different active botnets for malicious purposes. These accounts have all
been abused by the botnet operators in the timeframe of February until
end of March 2024.


How has this data been compiled?

- The law enforcement agencies have made available the compromised
account/addresses to Spamhaus.
- Using this data, we have obtained the primary MX record for the
compromised account's domain and the network responsible for the MX's
IP. In case of ADFS accounts we used the IP associated with the ADFS
login URL. We hope this network can directly or indirectly assist in
these remediation efforts.


Thank you for your time and willingness to help!


[1] https://www.europol.europa.eu/media-press/newsroom/news/largest-ever-operation-against-botnets-hits-dropper-malware-ecosystem
[2] https://www.spamhaus.org/resource-hub/malware/operation-endgame-botnets-disrupted-after-international-action/

--
Marvin Adams
The Spamhaus Project
https://www.spamhaus.org

Comments

  • tentor (Member, Host Rep), edited June 2024

    Sounds like you have an infected device under your control as well (because botnet operators somehow got credentials to your email). Please check that as well https://www.fbi.gov/investigate/cyber/how-to-identify-and-remove-vpn-applications-that-contain-911-s5-backdoors

  • @tentor said:
    Sounds like you have an infected device under your control as well (because botnet operators somehow got credentials to your email). Please check that as well https://www.fbi.gov/investigate/cyber/how-to-identify-and-remove-vpn-applications-that-contain-911-s5-backdoors

    Nah, I highly doubt that one of my devices is infected; I already checked them and they are well secured. It sounds more like a password database leak or something like that.

  • tentor (Member, Host Rep)

    @kamikatzelp said: It sounds more like a password database leak or something like this

    My concern is where the data was gathered from. If that were MXRoute themselves, this forum would already be loud about it. So I can conclude the situation is specific to you.

  • I did not receive this mail.

  • kamikatzelp (Member), edited June 2024

    @tentor said:

    @kamikatzelp said: It sounds more like a password database leak or something like this

    My concern is where the data was gathered from. If that were MXRoute themselves, this forum would already be loud about it. So I can conclude the situation is specific to you.

    Hmm, very weird. As I said, everything is secured, no device infected.
    Also they didn't give me any further details on this, so I can't do much about it "^^.

  • kamikatzelp (Member), edited June 2024

    Also the thing is, I didn't even create email accounts for master@*** and noreply@***.
    And they are also not listed in the directadmin panel!

  • @JerryHou said:
    I did not receive this mail.

    Do you have a webhosting service from MXroute too?

  • Also, the content of MXroute's ticket:

    The mentioned email account has been compromised. Please note that the security of your email password is your responsibility, and we thank you for taking it seriously. Due to the potential damage of such an event, we do require that you respond to us and detail your plans for resolving this. Until you have done so, you will be unable to unsuspend the email account or change its password. You can find more information about this event below. It is in a question/answer form as this email is based on a template for quick deployment.

    None of my email accounts are suspended, so I think this was sent by error and they contacted the wrong person, not the one whose email accounts were compromised 👍.

  • ahnlak (Member)

    @kamikatzelp said:
    Also, the content of MXroute's ticket:

    The mentioned email account has been compromised. Please note that the security of your email password is your responsibility, and we thank you for taking it seriously. Due to the potential damage of such an event, we do require that you respond to us and detail your plans for resolving this. Until you have done so, you will be unable to unsuspend the email account or change its password. You can find more information about this event below. It is in a question/answer form as this email is based on a template for quick deployment.

    None of my email accounts are suspended, so I think this was sent by error and they contacted the wrong person, not the one whose email accounts were compromised 👍.

    Are you sure this actually came from MXroute, and it's not some sort of weird phishing thing?

  • kamikatzelp (Member), edited June 2024

    @ahnlak said:

    @kamikatzelp said:
    Also, the content of MXroute's ticket:

    The mentioned email account has been compromised. Please note that the security of your email password is your responsibility, and we thank you for taking it seriously. Due to the potential damage of such an event, we do require that you respond to us and detail your plans for resolving this. Until you have done so, you will be unable to unsuspend the email account or change its password. You can find more information about this event below. It is in a question/answer form as this email is based on a template for quick deployment.

    None of my email accounts are suspended, so I think this was sent by error and they contacted the wrong person, not the one whose email accounts were compromised 👍.

    Are you sure this actually came from MXroute, and it's not some sort of weird phishing thing?

    They created a ticket for this in their billing panel.

  • @jar is not yet tagged

  • Hmm, don't know what I'm supposed to do now, everything still works perfectly. So I would consider the case as closed.

  • /close

  • quags (Member, Host Rep)

    This data is probably from https://www.spamhaus.org/endgame/

  • @quags said:
    This data is probably from https://www.spamhaus.org/endgame/

    Seems to be, yes. But I still don't know how the accounts got compromised (if they even got compromised, or whether it's just a mistake and they mean another domain).

  • jar (Patron Provider, Top Host, Veteran), edited June 2024

    Multiple people receive this kind of ticket every day. It rarely comes from external reports like this one. One of our unique features is that we find out when your email accounts have been compromised when other providers have no clue. Tons of email accounts are compromised across a huge number of ESPs and no one knows about it, because unless or until it's used to send spam they don't even know what to look for.

    Through audits of logs from the SMTP server, taken from events where customer accounts were involuntarily used to send spam, we have identified a huge number of indicators. Almost all of those indicators are of the 0% false positive variety.

    Many of your neighbors here have been compromised through credential stuffing, viruses, and phishing forms (fake cPanel email quota emails, etc). Even a few of the hosts here have had their WHMCS emails compromised, but we halted it immediately through human monitored automation.

    This is one of my favorite features and I wish we got more credit for going above and beyond to look out for customer's security where no one else is. But rarely does anyone want to talk about being on the other side of it for obvious reasons. So thank you for posting this where I could take a moment to be a little less humble because sometimes I do want my daily work to be known so others can know that someone has their back.

    As for this case yes it was Spamhaus working with law enforcement who sent it through abuse contact channels to our upstream provider. The top line of the pastebin link I gave had the first few characters of the password so if that was accurate you know they were working on good info. Otherwise I can't vouch for it but given their source I would say if there was a mistake it was that the email account in question existed on another system and that system might be the one containing the compromised account. It would be true to say that if the email domain existed on two ESPs (maybe even shared hosting services?) and SH chose us based on MX records, it could be that we were the incorrect choice. I mean, I like to think I would have caught it before they did. Regardless, I think it was right to action it with the same half-automation that I use for every other case.

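The Spamhaus e-mail quoted at the top describes how notices were routed (primary MX of the compromised account's domain, then the network behind that MX's IP), and jar's reply above explains how that can land at the wrong ESP when a domain's mailboxes live elsewhere. The following is an added example, not code from the thread, Spamhaus or MXroute; it reproduces that routing over constructed DNS and network tables and adds the receiving-side check the OP effectively did by hand (are the notified addresses mailboxes we actually host?). All domains, hosts, IPs and contacts are made up.

```python
"""Added example: route breach notices by primary MX, then triage on the
receiving side. DNS and WHOIS lookups are replaced by constructed tables."""
from collections import defaultdict
import ipaddress

# Constructed MX lookups: domain -> list of (preference, host).
MX_RECORDS = {
    "example.org": [(20, "mx2.esp-a.example"), (10, "mx1.esp-a.example")],
    "example.net": [(10, "mail.esp-b.example")],
}
# Constructed A lookups: MX host -> IP.
A_RECORDS = {
    "mx1.esp-a.example": "203.0.113.10",
    "mx2.esp-a.example": "203.0.113.11",
    "mail.esp-b.example": "198.51.100.5",
}
# Constructed stand-in for a WHOIS/RIR lookup: prefix -> abuse contact.
NETWORKS = {
    "203.0.113.0/24": "abuse@esp-a.example",
    "198.51.100.0/24": "abuse@esp-b.example",
}

def primary_mx(domain):
    """Lowest preference value wins; ties broken by host name for determinism."""
    records = MX_RECORDS.get(domain)
    if not records:
        return None
    return min(records, key=lambda r: (r[0], r[1]))[1]

def network_contact(ip):
    """Most specific prefix containing the address decides the abuse contact."""
    addr = ipaddress.ip_address(ip)
    matches = [(net, c) for net, c in NETWORKS.items()
               if addr in ipaddress.ip_network(net)]
    if not matches:
        return None
    return max(matches, key=lambda m: ipaddress.ip_network(m[0]).prefixlen)[1]

def route_notices(compromised_addresses):
    """Group compromised addresses by the abuse contact of their primary MX.
    Note the routing only sees the MX: if the domain's mailboxes actually live
    on another provider (or the address never existed), the notice still goes
    to whoever runs the MX, which is the misrouting jar describes."""
    out = defaultdict(list)
    for address in compromised_addresses:
        domain = address.rsplit("@", 1)[-1].lower()
        host = primary_mx(domain)
        ip = A_RECORDS.get(host) if host else None
        contact = (network_contact(ip) if ip else None) or "unresolved"
        out[contact].append(address)
    return dict(out)

def triage_notice(addresses, known_mailboxes):
    """Receiving-side check: split notified addresses into mailboxes that exist
    here (act: reset, review logs) and unknown ones (likely another system)."""
    known = {m.lower() for m in known_mailboxes}
    existing = [a for a in addresses if a.lower() in known]
    unknown = [a for a in addresses if a.lower() not in known]
    return existing, unknown
```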
  • This is not related to MXroute, actually.

    It's just a big leak, and Spamhaus contacted any provider who has an email account hosted on that list.

    I got the report from different providers, different DCs, related to different mail accounts.

  • It seems like Spamhaus reported a leak somewhere, not MXRoute related, but your email was compromised somewhere on a different service.

  • kamikatzelp (Member), edited June 2024

    @jar said:
    Multiple people receive this kind of ticket every day. It rarely comes from external reports like this one. One of our unique features is that we find out when your email accounts have been compromised when other providers have no clue. Tons of email accounts are compromised across a huge number of ESPs and no one knows about it, because unless or until it's used to send spam they don't even know what to look for.

    Through audits of logs from the SMTP server, taken from events where customer accounts were involuntarily used to send spam, we have identified a huge number of indicators. Almost all of those indicators are of the 0% false positive variety.

    Many of your neighbors here have been compromised through credential stuffing, viruses, and phishing forms (fake cPanel email quota emails, etc). Even a few of the hosts here have had their WHMCS emails compromised, but we halted it immediately through human monitored automation.

    This is one of my favorite features and I wish we got more credit for going above and beyond to look out for customer's security where no one else is. But rarely does anyone want to talk about being on the other side of it for obvious reasons. So thank you for posting this where I could take a moment to be a little less humble because sometimes I do want my daily work to be known so others can know that someone has their back.

    Oh, this is really cool that you check this in more detail than other providers; I didn't know that you put so much effort into it and I very much appreciate your further work on this. I was just so confused because I read it this morning and it seemed like there was something wrong, because both of the email accounts mentioned in the report don't even exist, so I asked for more info about this.
    Of course I take such messages very seriously, but in this case I didn't know exactly what to do because the messages referred to e-mail addresses I didn't recognize.

    As for this case yes it was Spamhaus working with law enforcement who sent it through abuse contact channels to our upstream provider. The top line of the pastebin link I gave had the first few characters of the password so if that was accurate you know they were working on good info. Otherwise I can't vouch for it but given their source I would say if there was a mistake it was that the email account in question existed on another system and that system might be the one containing the compromised account. It would be true to say that if the email domain existed on two ESPs (maybe even shared hosting services?) and SH chose us based on MX records, it could be that we were the incorrect choice. I mean, I like to think I would have caught it before they did. Regardless, I think it was right to action it with the same half-automation that I use for every other case.

    I also checked the top line in both the pastebin links you mentioned in your post, but none of the passwords I use for the email accounts contain these characters.
    But again, I very much appreciate your work on this and I'm happy to be an MXroute customer.
    I was just confused because of the things I mentioned here "^^.
  • @listerine90 said:
    It seems like Spamhaus reported a leak somewhere, not MXRoute related, but your email was compromised somewhere on a different service.

    But then it was a service I don't even know exists "^^

  • @kamikatzelp said:

    @listerine90 said:
    It seems like Spamhaus reported a leak somewhere, not MXRoute related, but your email was compromised somewhere on a different service.

    But then it was a service I don't even know exists "^^

    Based on my own experience, spammers can get their hands on email addresses by various means for spam purposes; it could be from other services, a database breach or peer to peer. Not sure how specifically, but they somehow get it.

    I even found my own email to be somehow breached from an unknown site I have not even signed up for nor heard of.

    I also checked the top line in both the pastebin links you mentioned in your post, but none of the passwords I use for the email accounts contain these characters.
    But again, I very much appreciate your work on this and I'm happy to be an MXroute customer.
    I was just confused because of the things I mentioned here "^^.

    I would still change passwords, just in case.

  • @listerine90 said:

    @kamikatzelp said:

    @listerine90 said:
    It seems like Spamhaus reported a leak somewhere, not MXRoute related, but your email was compromised somewhere on a different service.

    But then it was a service I don't even know exists "^^

    Based on my own experience, spammers can get their hands on email addresses by various means for spam purposes; it could be from other services, a database breach or peer to peer. Not sure how specifically, but they somehow get it.

    But I don't really know what exactly they got access to, because the report from Spamhaus mentioned the email accounts master@*** and noreply@***, which clearly don't exist (at least as far as I know and can see so far "^^).

    I even found my own email to be somehow breached from an unknown site I have not even signed up for nor heard of.

    I also checked the top line in both the pastebin links you mentioned in your post, but none of the passwords I use for the email accounts contain these characters.
    But again, I very much appreciate your work on this and I'm happy to be an MXroute customer.
    I was just confused because of the things I mentioned here "^^.

    I would still change passwords, just in case.

    Yeah, already changed passwords for everything, also for the DA account itself (just to be sure). 👍

  • jar (Patron Provider, Top Host, Veteran)

    @kamikatzelp said:

    @listerine90 said:

    @kamikatzelp said:

    @listerine90 said:
    It seems like Spamhaus reported a leak somewhere, not MXRoute related, but your email was compromised somewhere on a different service.

    But then it was a service I don't even know exists "^^

    Based on my own experience, spammers can get their hands on email addresses by various means for spam purposes; it could be from other services, a database breach or peer to peer. Not sure how specifically, but they somehow get it.

    But I don't really know what exactly they got access to, because the report from Spamhaus mentioned the email accounts master@*** and noreply@***, which clearly don't exist (at least as far as I know and can see so far "^^).

    I even found my own email to be somehow breached from an unknown site I have not even signed up for nor heard of.

    I also checked the top line in both the pastebin links you mentioned in your post, but none of the passwords I use for the email accounts contain these characters.
    But again, I very much appreciate your work on this and I'm happy to be an MXroute customer.
    I was just confused because of the things I mentioned here "^^.

    I would still change passwords, just in case.

    Yeah, already changed passwords for everything, also for the DA account itself (just to be sure). 👍

    Could be true that someone just spoofed your domain in whatever the activity was, I'd guess. Probably less common but plausible.
