ATTENTION: Security breach

Lanni

New Member
Hi,

just wanted to inform you that I got SPAM mail on my dedicated zoneeit.com-email address (which was known only to you (and me, naturally)).
So either your company or a disloyal/criminal (ex-)employee sold the address, or, if you were serious, your security was compromised because someone stole this address from your server(s).
You might want to take action to secure your servers or look (out) for your staff's doings.
Please do not forget to change the address on your records.

HTH, Lanni


FAQ:
Q: How can you know 'we' sold (lost) your address?
A: The address was created just/only for you and only known to me and you. A random part of the address makes it impossible to guess that address from any other I built up with the same semantics.
Q: Are you absolutely sure that you have not used this e-mail anywhere else?
A: I am absolutely sure that I have never used this address in any relation other than contact with your company (and its payment provider(s)). I do maintain a separate address for every company I am in regular contact with. All others get non-persistent generic addresses.
Q: Has your computer ever been infected by mail viruses (maybe that can explain the e-mail "leak")?
A: I do maintain well over 500 of such aliases and I only got SPAM on 'yours'. The probability is pretty high that it didn't happen on my side, wouldn't you agree?
 

Lanni

New Member
I'm sorry but that's not the case here.
You stated here: "so it was configured to relay out via mail.easyzone.ca (64.68.198.156). This is what they used it to send the phish."

The two mails I received* so far
a) were received today,
b) were not spear-phishing but infected Word docs (VBA virus), and
c) came from 116.110.76.253 (Vietnam) and 59.98.61.96 (India).

If you're interested I can forward these mails to you.


Best regards, Lanni

*"The attached document is a transaction payment confirmation from Spilo Worldwide in the amount of $6,498,84. Your transaction reference number is 12345678".
"Please review the attached copy of your Electronic document., A paper copy of this document is being mailed, but this email is being sent, in addition for your convenience., Thank you for your business, Wahl Canada Inc."
 

Lanni

New Member
BTW: I had a look in my mail server's log files and you're completely wrong.
a) I have been receiving mails like the ones you described since 20150218! First entry I found:
T 20150218 092102 54d92222 EHLO mail.easyzone.ca
T 20150218 092102 54d92222 MAIL FROM:<zebounce@iem.zoneedit.com> SIZE=15562
T 20150218 092103 54d92222 RCPT TO:<non-zoneedit(!)-recipient@domain.com>
E 20150218 092103 54d92222 RCPT from 64.68.198.156 - user <non-zoneedit(!)-recipient@domain.com> not known.

I couldn't alert you back then as those mails were addressed to other (already burnt) canary addresses and so only appear in the log file (see above).
So this issue has been happening for at least 8 months! Pretty weak, don't you think?!
Besides, you appear to have operated an open relay, as "non-zoneedit(!)-recipient@domain.com" (and other such addresses) could not possibly have been in any of your databases.
b) the IP addresses differed over time, but all (before today) were in 64.68.0.0/16
c) as stated in post #3, today other sending IPs were used, so it's a completely different issue you should seriously investigate!
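The per-company canary aliases described in the first post and the log check in the post above combine naturally into one small tool: mint an alias with a random part per recipient, then scan the mail server log for sessions that address any alias of that shape (registered or already burnt), and report which company's alias leaked, from which peer IP, and whether that IP falls in the suspect range. The following is an added example written for this thread, not code from Lanni or from the forum; the registry, the `example.net`/`example.org`/`example.com` hosts and the second and third log sessions are constructed, while the line format, the first session's lines and the IP addresses are taken from the thread.

```python
import ipaddress
import re
import secrets
from collections import defaultdict

# Hypothetical canary registry (constructed for this example): alias -> company
# the alias was disclosed to. Aliases that were deleted ("burnt") are no longer
# listed, but they are still recognisable by their shape.
CANARIES = {
    "zoneedit-3f9a1c02@example.net": "zoneedit",
    "bank-7b21e0d4@example.net": "bank",
}
CANARY_SHAPE = re.compile(r"^(?P<tag>[a-z0-9]+)-[0-9a-f]{8}@example\.net$")


def make_canary(tag, domain="example.net"):
    """Mint a per-recipient alias: a readable tag plus 32 random bits, so knowing
    one alias gives no way to derive the alias built for another tag."""
    return f"{tag.lower()}-{secrets.token_hex(4)}@{domain}"


# Line shape follows the log excerpt in the thread: "<T|E> <date> <time> <session> <message>".
LINE_RE = re.compile(r"^(?P<kind>[TE]) (?P<date>\d{8}) (?P<time>\d{6}) (?P<sid>[0-9a-f]{8}) (?P<msg>.*)$")
EHLO_RE = re.compile(r"^EHLO (?P<host>\S+)")
RCPT_RE = re.compile(r"RCPT TO:<(?P<addr>[^>]+)>")
REJECT_RE = re.compile(r"RCPT from (?P<ip>[\d.]+) - user <(?P<addr>[^>]+)> not known")


def parse_sessions(lines):
    """Group log lines by SMTP session id and pull out HELO name, peer IP and recipients."""
    sessions = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        s = sessions.setdefault(m["sid"], {"date": m["date"], "helo": None, "src_ip": None,
                                           "rcpts": set(), "rejected": set()})
        msg = m["msg"]
        e = EHLO_RE.match(msg)
        if e:
            s["helo"] = e["host"]
        r = RCPT_RE.search(msg)
        if r:
            s["rcpts"].add(r["addr"].lower())
        x = REJECT_RE.search(msg)
        if x:
            # In this log format the peer IP only appears on the rejection line.
            s["src_ip"] = x["ip"]
            s["rejected"].add(x["addr"].lower())
    return sessions


def canary_hits(lines, suspect_net="64.68.0.0/16"):
    """Every recipient that looks like a canary alias, with its tag, whether it is still
    registered, the peer IP (when the log recorded one) and whether that IP is in suspect_net."""
    net = ipaddress.ip_network(suspect_net)
    hits = []
    for sid, s in parse_sessions(lines).items():
        for addr in sorted(s["rcpts"] | s["rejected"]):
            shape = CANARY_SHAPE.match(addr)
            if not shape:
                continue
            ip = s["src_ip"]
            hits.append({
                "session": sid, "date": s["date"], "helo": s["helo"], "src_ip": ip,
                "rcpt": addr, "tag": shape["tag"],
                "registered": addr in CANARIES,
                "rejected": addr in s["rejected"],
                "in_suspect_net": ip is not None and ipaddress.ip_address(ip) in net,
            })
    return hits


def leaked_by_tag(hits):
    """Which canary tags have leaked, and from which peer IPs mail for them arrived."""
    out = defaultdict(set)
    for h in hits:
        if h["src_ip"]:
            out[h["tag"]].add(h["src_ip"])
    return dict(out)


# Constructed sample log: session 1 mirrors the thread's excerpt (one burnt and one
# registered canary), session 2 is a later sender outside 64.68.0.0/16, session 3 is noise.
SAMPLE_LOG = """\
T 20150218 092102 54d92222 EHLO mail.easyzone.ca
T 20150218 092102 54d92222 MAIL FROM:<zebounce@iem.zoneedit.com> SIZE=15562
T 20150218 092103 54d92222 RCPT TO:<zoneedit-3f9a1c02@example.net>
T 20150218 092103 54d92222 RCPT TO:<oldshop-11aa22bb@example.net>
E 20150218 092103 54d92222 RCPT from 64.68.198.156 - user <oldshop-11aa22bb@example.net> not known.
T 20151020 141500 5626a0f1 EHLO mx.example.org
T 20151020 141500 5626a0f1 MAIL FROM:<billing@example.org> SIZE=48211
T 20151020 141501 5626a0f1 RCPT TO:<oldshop-11aa22bb@example.net>
E 20151020 141501 5626a0f1 RCPT from 116.110.76.253 - user <oldshop-11aa22bb@example.net> not known.
T 20151020 150000 5626b777 EHLO mail.example.com
T 20151020 150000 5626b777 RCPT TO:<alice@example.net>
"""

if __name__ == "__main__":
    hits = canary_hits(SAMPLE_LOG.splitlines())
    for h in hits:
        print(h["date"], h["src_ip"], h["rcpt"],
              "registered" if h["registered"] else "burnt",
              "suspect-net" if h["in_suspect_net"] else "")
    print(leaked_by_tag(hits))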
 