E-Mail from MXroute - E-Mail Accounts compromised?
Hello dear folks,
Today at 3 am I got an email from MXroute stating that they got a report from Spamhaus that my email accounts (master@*** and noreply@***) got compromised and that I should change the passwords of my email accounts immediately. Which I then did, but did this also happen to others?
Please find attached the email from Spamhaus, which was linked in MXroute's ticket:
Good morning/afternoon
Recently, multiple botnets involved with ransomware were taken
down[1]. Spamhaus is working with various law enforcement agencies
to help remediate compromised accounts[2]. We are contacting you
because we believe that some of the compromised accounts are
attached to email or Active Directory accounts on
quickpacket.com's network - so urgent action is requested.
What action do you need to take?
- The only action requested is to change the passwords for all
the affected accounts.
- This is urgent - please do this as quickly as possible. These
breached accounts may have been shared with other criminals for use with
different active botnets for malicious purposes. These accounts have all
been abused by the botnet operators in the timeframe of February until
end of March 2024.
How has this data been compiled?
- The law enforcement agencies have made available the compromised
account/addresses to Spamhaus.
- Using this data, we have obtained the primary MX record for the
compromised account's domain and the network responsible for the MX's
IP. In case of ADFS accounts we used the IP associated with the ADFS
login URL. We hope this network can directly or indirectly assist in
these remediation efforts.
Thank you for your time and willingness to help!
[1] https://www.europol.europa.eu/media-press/newsroom/news/largest-ever-operation-against-botnets-hits-dropper-malware-ecosystem
[2] https://www.spamhaus.org/resource-hub/malware/operation-endgame-botnets-disrupted-after-international-action/
--
Marvin Adams
The Spamhaus Project
https://www.spamhaus.org

Comments
Sounds like you have an infected device under your control as well (because botnet operators somehow got credentials to your email). Please check that as well https://www.fbi.gov/investigate/cyber/how-to-identify-and-remove-vpn-applications-that-contain-911-s5-backdoors
Nah, I highly doubt that one of my devices is infected; I already checked them and they are well secured. It sounds more like a password database leak or something like that.
My concern is where the data was gathered from. If that were MXroute themselves, this forum would already be loud about it. So I can conclude the situation is specific to you.
I did not receive this mail.
Hmm, very weird. As I said, everything is secured, no device infected.
Also they didn't give me any further details on this, so I can't do much about it "^^.
Also the thing is, I didn't even create email accounts for master@*** and noreply@***.
And they are also not listed in the DirectAdmin panel!
Do you have a webhosting service from MXroute too?
Also, the content of MXroute's ticket:
None of my email accounts are suspended, so I think this was sent by error and they contacted the wrong person whose email accounts were compromised.
Are you sure this actually came from MXroute, and it's not some sort of weird phishing thing?
They created a ticket for this in their billing panel.
@jar is not yet tagged
Hmm, don't know what I'm supposed to do now, everything still works perfectly. So I would consider the case as closed.
/close
This data is probably from https://www.spamhaus.org/endgame/
Seems to be, yes. But I still don't know how the accounts got compromised (if they got even compromised, or it's just a mistake and they mean another domain).
Multiple people receive this kind of ticket every day. It rarely comes from external reports like this one. One of our unique features is that we find out when your email accounts have been compromised when other providers have no clue. Tons of email accounts are compromised across a huge number of ESPs and no one knows about it, because unless or until it's used to send spam they don't even know what to look for.
Through audits of logs from the SMTP server, taken from events where customer accounts were involuntarily used to send spam, we have identified a huge number of indicators. Almost all of those indicators are of the 0% false positive variety.
Many of your neighbors here have been compromised through credential stuffing, viruses, and phishing forms (fake cPanel email quota emails, etc). Even a few of the hosts here have had their WHMCS emails compromised, but we halted it immediately through human monitored automation.
This is one of my favorite features and I wish we got more credit for going above and beyond to look out for customers' security where no one else is. But rarely does anyone want to talk about being on the other side of it, for obvious reasons. So thank you for posting this where I could take a moment to be a little less humble, because sometimes I do want my daily work to be known so others can know that someone has their back.
As for this case yes it was Spamhaus working with law enforcement who sent it through abuse contact channels to our upstream provider. The top line of the pastebin link I gave had the first few characters of the password so if that was accurate you know they were working on good info. Otherwise I can't vouch for it but given their source I would say if there was a mistake it was that the email account in question existed on another system and that system might be the one containing the compromised account. It would be true to say that if the email domain existed on two ESPs (maybe even shared hosting services?) and SH chose us based on MX records, it could be that we were the incorrect choice. I mean, I like to think I would have caught it before they did. Regardless, I think it was right to action it with the same half-automation that I use for every other case.
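The post above describes auditing SMTP server logs for indicators that an account is being driven by someone other than its owner. The following is an added example written for this thread, not MXroute's tooling or its actual indicators (which the post does not disclose): it parses a constructed, simplified login/submission log and flags accounts that trip two assumed heuristics, many distinct source IPs authenticating within a short window, and single submissions to an unusually large recipient list. The log format, the account names and the thresholds are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log, modelled loosely on Postfix/Dovecot SASL and
# submission events. Invented for this example; not a real provider's format.
# Lines are deliberately not in chronological order to show the sort step.
SAMPLE_LOG = """\
2024-03-02T08:01:10Z login user=alice@example.net ip=203.0.113.10
2024-03-02T08:03:44Z login user=alice@example.net ip=203.0.113.10
2024-03-02T08:04:00Z submit user=alice@example.net ip=203.0.113.10 rcpts=2
2024-03-02T13:40:02Z login user=alice@example.net ip=198.51.100.20
2024-03-02T09:12:01Z login user=noreply@example.net ip=198.51.100.7
2024-03-02T09:12:05Z login user=noreply@example.net ip=198.51.100.99
2024-03-02T09:12:09Z login user=noreply@example.net ip=192.0.2.33
2024-03-02T09:12:14Z login user=noreply@example.net ip=192.0.2.120
2024-03-02T09:12:20Z login user=noreply@example.net ip=203.0.113.200
2024-03-02T09:12:25Z submit user=noreply@example.net ip=203.0.113.200 rcpts=45
2024-03-02T09:12:31Z submit user=noreply@example.net ip=192.0.2.33 rcpts=50
2024-03-02T09:12:40Z login user=master@example.net ip=192.0.2.33
2024-03-02T09:12:41Z login user=master@example.net ip=203.0.113.200
2024-03-02T09:12:42Z login user=master@example.net ip=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>login|submit) user=(?P<user>\S+) ip=(?P<ip>\S+)"
    r"(?: rcpts=(?P<rcpts>\d+))?$"
)


def parse_log(text):
    """Return chronologically sorted (ts, event, user, ip, rcpts) tuples.

    Lines that do not match the assumed format are skipped rather than
    raising, since real logs carry plenty of unrelated events.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rcpts = int(m["rcpts"]) if m["rcpts"] else 0
        events.append((ts, m["event"], m["user"], m["ip"], rcpts))
    events.sort()
    return events


def audit(text, window_seconds=600, max_ips=3, max_rcpts=40):
    """Return {account: [reasons]} for accounts that trip an indicator.

    Both indicators are this example's own assumptions, chosen to mirror what
    credential stuffing and a spam run typically look like in SMTP logs:
      * more than max_ips distinct source IPs authenticating to one account
        inside any window_seconds span (a human rarely hops networks that fast);
      * a single submission addressed to more than max_rcpts recipients.
    """
    by_user = defaultdict(list)
    for ev in parse_log(text):
        by_user[ev[2]].append(ev)

    findings = defaultdict(list)
    for user, evs in by_user.items():
        logins = [(ts, ip) for ts, event, _, ip, _ in evs if event == "login"]
        # Sliding window: for each login, count distinct IPs seen in the
        # preceding window_seconds (events are already sorted by time).
        for ts_i, _ in logins:
            ips = {ip for ts, ip in logins
                   if 0 <= (ts_i - ts).total_seconds() <= window_seconds}
            if len(ips) > max_ips:
                findings[user].append(
                    f"{len(ips)} source IPs within {window_seconds}s ending {ts_i.isoformat()}")
                break  # one hit per account is enough for this indicator
        for ts, event, _, ip, rcpts in evs:
            if event == "submit" and rcpts > max_rcpts:
                findings[user].append(
                    f"{rcpts} recipients in one submission from {ip} at {ts.isoformat()}")
    return dict(findings)


if __name__ == "__main__":
    for account, reasons in audit(SAMPLE_LOG).items():
        print(account)
        for reason in reasons:
            print("  -", reason)
```

On the constructed log, noreply@example.net is flagged for both indicators while alice@example.net (two IPs hours apart, small recipient lists) and master@example.net (three IPs, at the threshold but not over it) are not. Thresholds like these are where false positives live; a mobile user on a roaming connection can legitimately show a handful of IPs, so a production version would pair the IP count with ASN or geolocation changes rather than raw address counts.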
This is not related to MXroute actually.
It's just a big leak, and Spamhaus contacted every provider who has an email account hosted on that list.
I got the report from different providers, different DCs, related to different mail accounts.
It seems like Spamhaus reported a leak somewhere, not MXroute related, but your email was compromised somewhere on a different service.
Oh, this is really cool that you check this in more detail than other providers; I didn't know that you put so much effort into it and I very much appreciate your further work on this. I was just so confused because I read it this morning and it seemed like there was something wrong, because both of the email accounts which were mentioned in the report don't even exist, so I asked for more info about this.
Of course I take such messages very seriously, but in this case I didn't know exactly what to do because the messages referred to e-mail addresses I didn't recognize.
I also checked the top line in both the pastebin links you mentioned in your post, but no passwords I use for the emails accounts contain these characters.
But again, I very much appreciate your work on this and I'm happy to be an MXroute customer.
I was just confused because of the things I mentioned here "^^.
But then it was a service I don't even know exists "^^
Based on my own experience, spammers can get their hands on email addresses by various means for spam purposes; it could be from other services, a database breach or peer to peer. Not sure how specifically, but they somehow get them.
I even found my own email to be somehow breached from an unknown site I have not even signed up for nor heard of.
I would still change passwords, just in case.
But I don't really know what exactly they got access to, because the report from Spamhaus mentioned the email accounts master@*** and noreply@***, which clearly don't exist (at least that's what I know and can see so far "^^).
Yeah, already changed passwords for everything, also for the DA account itself (just to be sure).
Could be true that someone just spoofed your domain in whatever the activity was, I'd guess. Probably less common but plausible.