Over the last two weeks I have received two different letters in the post stating that my online security is at risk and to please take action. The ref from the most recent letter is VMIS42-F004809737.
The letter, as I'm sure you are aware, states that my mail account may have been used to send spam emails and advised me to change my password as well as take action to ensure that my account has not been compromised.
I have taken this action, having now changed my password twice in the last two weeks, as well as confirmed that no unauthorised emails are appearing in my sent item list on web mail.
Despite this action, I was informed this evening that spam email was received by a colleague with a from address of my Virgin Media email address. This is obviously embarrassing as it raises questions about my online security and something I would like to resolve.
My conclusion is that my email address is being spoofed. I can see from the forum that this is something that appears to be a widespread problem. Like many of the others who are suffering from this problem I would like to know what actions can be taken to solve this problem for my email address.
The research I have done suggests that there is no way that I can possibly prevent this from happening from my side since my account has not actually been compromised and I am somewhat helpless to prevent this occurring in the future.
However, I would like to know what actions Virgin Media can take as the email provider to remediate this problem? A third letter suggesting I change my password again would be unhelpful.
Now it's started you'll probably get more letters, more texts from Virgin telling you your account has been blocked.
They don't seem to do anything about it. I have an old email address of my son that is causing the problem; it is not linked to my account and is no longer accessible by anyone except Virgin, yet still my account gets blocked on a regular basis.
It may not be a big thing to Virgin but I'm considering a change if it continues.
Good luck and if you manage to get it sorted please post here so others know what to do.
1) Friends and colleagues report receiving short chatty emails containing a single link and an entreaty to click on the link. These spam messages have your from address attached and are signed with your name, even though you did not send them.
2) You have received messages letting you know that emails could not be delivered, emails which you did not send.
Do you have, or could you obtain, a copy of the email which your colleague received? It is worth looking at the subject line and text of the spam email to determine if your case resembles several hundred other cases of spoofing which have been chronic at Virgin Media since August 2015, especially because the cases are not just spoofing. The accounts have been compromised as well. If you have one of these cases, we have a great deal of advice for you.
Virgin Media could limit the damage done by spoofing by applying a DMARC p=reject policy to their email domains as AOL and Yahoo! both did in 2014 in response to widespread cases of spoofing. I see no signs that Virgin Media is likely to do so.
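What a published DMARC policy changes for a receiver handling a spoofed message, as an added example that is not part of the original post and does not reflect any provider's actual DNS records. The records and the `example.com` / `example.net` domains are constructed, and relaxed alignment is simplified to a parent/child domain check (real receivers compare organizational domains using the Public Suffix List).

```python
# Added illustration; the records and domains below are constructed samples.
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
REJECT = "v=DMARC1; p=reject; adkim=s; aspf=s"


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict; None if it is not DMARC."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match with the From: domain.
    Relaxed ('r') is approximated as same or parent/child domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    if a == f:
        return True
    return mode == "r" and (a.endswith("." + f) or f.endswith("." + a))


def disposition(record, from_domain, spf_pass_domain=None, dkim_pass_domain=None):
    """Return 'pass', or the action the From: domain's owner requests
    (none / quarantine / reject) when neither SPF nor DKIM is aligned."""
    tags = parse_dmarc(record)
    if tags is None:
        return "no-policy"
    spf_ok = spf_pass_domain is not None and aligned(
        spf_pass_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass_domain is not None and aligned(
        dkim_pass_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"].lower()


if __name__ == "__main__":
    # Spoofed mail: SPF passes, but only for the unrelated envelope domain.
    for name, rec in (("p=none", MONITOR), ("p=reject", REJECT)):
        print(name, "->", disposition(rec, "example.com",
                                      spf_pass_domain="bulk.example.net"))
```

With `p=none` the spoofed message is only reported on; with `p=reject` the receiver is asked to refuse it, while mail carrying an aligned SPF or DKIM pass is unaffected.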
I understand this is not the short-term answer you are looking for, but consider now, whilst you have an issue, changing email providers away from one linked to any service provider. Yahoo, Live, Gmail and many others don't have these ongoing issues, and when they do they get resolved much faster. When you leave Virgin, you lose the email account. Now is always the best time to prep up.
You could then let all your contacts know the new email address, put an out of office reply on Virgin's email giving your new email address.
It's less pain than long term Virgin issues and losing your email address with little or no warning at the time you leave!
Can you offer any advice how to proceed here as I am still having issues?
I was informed tonight that a few of my friends received spam emails today looking like they came from my virginmedia.com email address.
Your friends need to check the source code for the emails. It will have Received headers in it, which will prove whether the mail has been sent through Virgin's or through other servers.
I haven't seen the content of the emails as they were quickly deleted but was informed that they did contain a single link.
In terms of message undeliverable emails, I haven't been receiving a lot of these but did receive four in quick succession on the 03/11 with timestamp 00:00:00 but none since that time.
Did the Undeliverables come from email@example.com? If so then the mails were sent via Virgin Media's servers.
One thing you need to understand is that Virgin's SMTP servers, in fact the majority of SMTP servers the world over, DO NOT copy mail to the sent mail folder. Where people use IMAP/SMTP together, the IMAP client syncs the Sent Mail folders with those online, but those using POP3/SMTP regularly find that their sent mails don't appear in webmail because POP3 only downloads mail.
So just because a mail doesn't appear in your Sent Objects folder in webmail, it doesn't prove that your account has not been compromised.
If I had your email address and password, I could quite happily authenticate on Virgin's servers using your details and send a mail, and you would never know, unless that mail bounced. This is not guesswork, this is fact.
When you receive a letter it is because Virgin have identified spam that has been sent via their outgoing relays at Knowsley. Typically from a non Virgin IP address.
Because it is a non Virgin IP the senders MUST authenticate BEFORE they are actually allowed to send mail, in the case of smtp.virginmedia.com, they have to authenticate at all times anyway.
I've checked with the Forum Team before now, in fact I sent a mail designed to try to fool them. I sent it from my virginmedia.com address, but used my blueyonder.co.uk address and password to authenticate the send.
Virgin was able to see:
1. The address I used to Authenticate - Can't be spoofed
2. The address I used as the sender's address - Can be spoofed
3. The recipient's address. - Can't be spoofed
4. My IP address - Can't be spoofed
And more besides.
Before Wrock claims the IP address can be spoofed, when you're sending an email you can't spoof the sending IP address as there is an extended conversation between client and server.
I'll ask @Jen_A or @Nicola_C if they can take a look at what's going on here and to confirm the address used to authenticate the send.
I'll also ask them to check if @smurf5599's account is properly closed. If not they can get the email team to do this. This will stop them being able to use the address in question to authenticate a send.
Only use Helpful answer if your problem's been solved.
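The Received-header check suggested in the reply above, as an added example that is not part of the original post. The message, host names and IP addresses are constructed placeholders, and the pattern assumes Postfix-style `from helo (rdns [ip]) by host` lines; other mail servers format the header differently.

```python
import re
from email import message_from_string

# Constructed sample: the From: line claims a provider address, but the
# recipient's own server recorded an unrelated host handing the message over.
SPOOFED = """\
Received: from bulk.sender.example.net (bulk.sender.example.net [198.51.100.23])
\tby mx1.recipient.example with ESMTP id abc123; Thu, 3 Nov 2016 12:01:07 +0000
Received: from smtp.provider.example (smtp.provider.example [192.0.2.10])
\tby bulk.sender.example.net with SMTP; Thu, 3 Nov 2016 12:01:01 +0000
From: Alice <alice@provider.example>
To: bob@recipient.example
Subject: hi

http://link.example/
"""

# Groups: reverse-DNS name and IP seen by the receiving server, then that server.
HOP = re.compile(r"from\s+\S+\s+\((\S+)\s+\[([^\]]+)\]\)\s+by\s+(\S+)")


def under(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def handoff(raw, recipient_domain):
    """Return (host, ip) from the newest Received header stamped by the
    recipient's own servers. Headers below that one were supplied by the
    sending side and cannot be trusted, so they are ignored."""
    msg = message_from_string(raw)
    for value in msg.get_all("Received", []):   # newest header first
        m = HOP.search(value)
        if m and under(m.group(3), recipient_domain):
            return m.group(1), m.group(2)
    return None


def sent_via_provider(raw, recipient_domain, provider_domain):
    """Did the provider's servers deliver this message to the recipient?"""
    hop = handoff(raw, recipient_domain)
    return hop is not None and under(hop[0], provider_domain)


if __name__ == "__main__":
    print(handoff(SPOOFED, "recipient.example"))
    print(sent_via_provider(SPOOFED, "recipient.example", "provider.example"))
```

The second Received line in the sample names the provider but sits below the recipient's own stamp, so it does not count as evidence that the provider relayed the message.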
Thanks for providing detailed information about your issue as it's made my job much easier. I've checked the SMTP logs against the date referenced in the letter sent from the Security team. Interestingly VM320 (too many authentication attempts per hour) and VM321 (too many invalid authentication attempts per hour) resulted from failed authentication attempts from numerous IPs. There were no successful attempts thus your account was uncompromised and no spam was sent.
This obviously begs the question - why were you sent a standard Offnet BAU Spam evidence letter? I am querying this with the Email Security team and I'll get back to you as soon as I have an answer.
@Jen_A Thanks a lot for starting to look into this. I appreciate your help.
The only thing that springs to mind regarding too many authentication attempts is that when I changed my password following receipt of the original letter I did have some trouble following that. I successfully changed the password and was able to authenticate successfully but then it appeared the account was locked again. I then changed the password a second time and was able to log in once more.
Just to point out as well that since then there still appears to be spam emails from my virginmedia account as noted in my previous post. I have changed my password several times at this point. I also changed my security question last night in case that helps. I was able to confirm from a friend that he received a spam email from my address around midday yesterday but the email was deleted so I am unable to get header details.
In terms of the delivery failed notifications I haven't received any since 03/11 which came from firstname.lastname@example.org.
Ahh yes I forgot to mention the spoofed mail. But that is or should be totally unrelated to the Spam Evidence letter as spoofed spam is unauthenticated and so shouldn't be confused with offnet authenticated spam alerts.
Checking the logs for 03-11-2016 I see only one failed authentication attempt (VM300) from an IP based in Russia. So your NDRs on that date would be related to spoofed spam.