Message 1 of 18

Message delivery failure email contains my new password in plain text!

Hi - looking for some education here,

Had loads of problems recently relating to my ntlworld (now Virgin-owned) email address, with several accounts using the ntlworld address as a username or contact email having been hacked, and I've had to regain control of them with varying degrees of difficulty. I swear someone reads my Virgin mail after I've reset the Virgin Media password, because some accounts have been hacked multiple times.

Today I've received a "message delivery failure" email (one of many) from Virgin's mailer daemon suggesting I have malware - here is the text (redacted in some areas).

NOTE: I'd changed my email password 40 minutes before I got this email and my new password was displayed in the message in plain text!? How does that happen? Should it be happening? I can't see why there would be any need to send the user's password with this type of message anyway?

Start email

Subject: Message Delivery Failure

This is an automatically generated Delivery Status Notification.

Delivery to the following recipients failed permanently:

   * mr.asdoo@yahoo.com

Reason: This is the mail system at host know-smtprelay-11-imp.

I am sorry to have to inform you that your message, "smtp.ntlworld.com:465(SSL) xxxxxx.xxx@ntlworld.com XXXXXXXX [my new password!]", could not be delivered to mr.asdoo@yahoo.com.

Messages from your IP have been determined to be suspicious as a device on your current network may have malware. Please refer to the Spamhaus listing below for further information:

https://www.spamhaus.org/query/ip/105.104.254.154

Please be aware that if you are not sending mail from your own broadband connection that the listing may have been caused by a previous user. The remote server returned the below error when attempting delivery:

end email

I'm using Malwarebytes Premium on my PC, tablet and mobile phone. On my PC I'm also using Windows Security. I use my own router on my home network, this is a new Synology model with its own security software monitoring network traffic. The Synology software has picked up some traffic that it's blocked (for phishing), as has Malwarebytes, but otherwise everything is saying my system is clean as far as trojans / viruses / spyware etc. are concerned.

I understand the emails supposedly coming from me are probably spoofed from somewhere else, but I'm really surprised that the mailer daemon is sending out users' passwords in plain text? Thinking about it, I'd assumed this message came from within Virgin's infrastructure, but the message states "This is the mail system at host know-smtprelay-11-imp" - is that Virgin's?

Thanks for reading,

Stuart

Message 2 of 18 (marked Helpful Answer)

Re: Message delivery failure email contains my new password in plain text!

First thing I note is the mail is indeed being sent via Virgin Media's SMTP relays.

Next thing to note is the sending email address:

105.104.254.154

Are you in Algeria at the moment?  Because that is where the failed email was apparently sent from?

Note: The failed mail is normally attached to the NDR - have you checked it?

Tim

Edit: Malwarebytes on its own merely checks for spyware, have you run a full virus scan as well?

As a Very Insightful Person, I'm here to share my knowledge. I don't work for Virgin Media.

Click to learn more about VIP

Use Kudos to say thanks

Mark as Helpful Answer if I've helped

Message 3 of 18

Re: Message delivery failure email contains my new password in plain text!

Hi ravenstar68, thanks for taking a look at my query.

I'm somewhere hotter than Algeria...Essex!

So, if it's sent from Algeria someone there is somehow spoofing my email address? I obviously don't see any of the outgoing messages in my outbox.

I've not checked the attachment as I wasn't sure how safe that would be to do!

I've downloaded Bitdefender A/V (free edition for the moment) and I've run a full scan on my PC. I've also run Bitdefender scans on my Android phone and tablet as both have access to my virgin (ntlworld) email account. All 3 came up clean. As far as my PC goes, Bitdefender, Malwarebytes and Windows Security all seem to play together nicely. Same with Bitdefender and Malwarebytes on the Android devices.

Cheers,

Stuart

PS: Just thought of this, do you mean the original email was sent from Algeria or the actual message delivery failure email?

Message 4 of 18

Re: Message delivery failure email contains my new password in plain text!

The original email was sent from an Algerian IP address, using Virginmedia's SMTP server.

Message 5 of 18

Re: Message delivery failure email contains my new password in plain text!

@StuartR1953 

To answer your questions, given the information you've provided I would say that the mail was sent from your account. However, as stated, you can check the attached email by downloading it and opening it up in Notepad or any other text editor.

An email is simply a text file, which an email program interprets to give you the output. So opening the file in Notepad has no risk and still lets you read the headers.

If you look in the headers of the attached mail you should see the following lines

X-Originating-IP: [86.153.xxx.xxx]
X-Authenticated-User: username@blueyonder.co.uk

The bottom line tells you what email address was used to authenticate the email send.  This cannot be spoofed.

Tim

Message 6 of 18

Re: Message delivery failure email contains my new password in plain text!

2nd attempt, internet connection had failed when I pressed send 😕

Hi Tim, thanks for persevering with this thread

I downloaded the 3 attachments on the original email, opened them in Notepad and then pasted the contents below. I replaced my email name with xxxxxxxxxx and my password with PPPPPPPP.

I found the two lines you said to look for:

X-Originating-IP: [105.104.254.154]
X-Authenticated-User: xxxxxxxxxxx@ntlworld.com (my address)

I couldn't find any reference to my IP address anywhere (assumed to be 86.xxx.xxx.xxx as my IP would normally start with 86)

I've now run the full (paid) version of bitdefender but nothing found, so if the mails are being routed via my PC then bitdefender, malwarebytes and Windows Security can't spot the culprit!

Cheers

Stuart

attachment 1

Received: from ADMIN ([105.104.254.154])
by cmsmtp with ESMTPA
id psrGhxZkqXaJRpsrHh6lmo; Tue, 23 Jul 2019 12:21:27 +0100
X-Originating-IP: [105.104.254.154]
X-Authenticated-User: xxxxxxxxxxx@ntlworld.com
X-Spam: 0
X-Authority: v=2.3 cv=IZIzplia c=1 sm=1 tr=0 a=Gl8dBerBVP0jn6XhC6A/GQ==:117
a=Gl8dBerBVP0jn6XhC6A/GQ==:17 a=NLZqzBF-AAAA:8 a=HpEJnUlJZJkA:10
a=DBwwDor5xuMA:10 a=5w3qjT_Z7h0A:10 a=x7bEGLp0ZPQA:10 a=InCYFxAF7NMA:10
a=oSF4ZGATLIEK6H44rIAA:9 a=wW_WBVUImv98JQXhvVPZ:22 a=p-dnK0njbqwfn1k4-x12:22
a=w-psBPLDDiCXbaeKGOsM:22
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ntlworld.com;
s=meg.feb2017; t=1563880887;
bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
h=From:To:Reply-To:Subject;
b=oxkKGmtbaKl2HYLovzmdNgzgaNvPRrNh92jfwutH5ke1pQRT35fqnlCmxjcyxJDcN
foDkMkl4jWFD3rAq1mNW89dcyQYvjn93JMEleEnPf7WFNL5zmHX6v4HcQrqBAQG7lc
l66QAso4MybDgCq9YoTEwLBWeqKaCMOU4fVowWML4wNYDyuflskuK5j1wSMd5408n0
XM8ofYaIjyrwk8fj4oKJdaWNvB1W1mQDUyWWSFEYgumQwNlGW/XfTUgifwMvWUBE/k
b7KgY29UOH8eXBlLVcLauRtxsysTbTzfOzP94nfTsfErwhdqSL4DxDHYmhUFe7pA4z
vgIb0lVDMWlJQ==
From: <xxxxxxxxxxx@ntlworld.com>
To: mr.asdoo@yahoo.com
Reply-To: mr.asdoo@yahoo.com
Subject: smtp.ntlworld.com:465(SSL) xxxxxxxxxx@ntlworld.com PPPPPPPP
Content-Transfer-encoding: 8bit
Return-Path: xxxxxxxxxx@ntlworld.com
X-Priority: 1
X-MSmail-Priority: High
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
HEllo
X-CMAE-Envelope: MS4wfFT3KQ81xuf2kJuDVsnBYcLKffAOqO6As491476/4BHAGiyZfBkLGLTK3PRnocCC3EzVm/R8/o3dBj86VhLmgMbc5ZFPFMPZhgnsNPu5Ja72t1hHBTYJ
5GqXvmme5sfXNYo/sKagFYrYGN/FdQdnX+bVe8HzvjEpWwSPfus6n88s


attachment 2

Reporting-MTA: dns; know-smtprelay-11-imp [62.252.172.22]
Received-From-MTA: dns; ADMIN [105.104.254.154]
Arrival-Date: Tue, 23 Jul 2019 12:21:27 +0100


Final-recipient: rfc822; mr.asdoo@yahoo.com
Diagnostic-Code: smtp; 554 Message not allowed - [299]

Last-attempt-Date: Tue, 23 Jul 2019 12:21:29 +0100


attachment 3


Received: from ADMIN ([105.104.254.154])
by cmsmtp with ESMTPA
id psrGhxZkqXaJRpsrHh6lmo; Tue, 23 Jul 2019 12:21:27 +0100
X-Originating-IP: [105.104.254.154]
X-Authenticated-User: xxxxxxxxxx@ntlworld.com
X-Spam: 0
X-Authority: v=2.3 cv=IZIzplia c=1 sm=1 tr=0 a=Gl8dBerBVP0jn6XhC6A/GQ==:117
a=Gl8dBerBVP0jn6XhC6A/GQ==:17 a=NLZqzBF-AAAA:8 a=HpEJnUlJZJkA:10
a=DBwwDor5xuMA:10 a=5w3qjT_Z7h0A:10 a=x7bEGLp0ZPQA:10 a=InCYFxAF7NMA:10
a=oSF4ZGATLIEK6H44rIAA:9 a=wW_WBVUImv98JQXhvVPZ:22 a=p-dnK0njbqwfn1k4-x12:22
a=w-psBPLDDiCXbaeKGOsM:22
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ntlworld.com;
s=meg.feb2017; t=1563880887;
bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
h=From:To:Reply-To:Subject;
b=oxkKGmtbaKl2HYLovzmdNgzgaNvPRrNh92jfwutH5ke1pQRT35fqnlCmxjcyxJDcN
foDkMkl4jWFD3rAq1mNW89dcyQYvjn93JMEleEnPf7WFNL5zmHX6v4HcQrqBAQG7lc
l66QAso4MybDgCq9YoTEwLBWeqKaCMOU4fVowWML4wNYDyuflskuK5j1wSMd5408n0
XM8ofYaIjyrwk8fj4oKJdaWNvB1W1mQDUyWWSFEYgumQwNlGW/XfTUgifwMvWUBE/k
b7KgY29UOH8eXBlLVcLauRtxsysTbTzfOzP94nfTsfErwhdqSL4DxDHYmhUFe7pA4z
vgIb0lVDMWlJQ==
From: <xxxxxxxxxx@ntlworld.com>
To: mr.asdoo@yahoo.com
Reply-To: mr.asdoo@yahoo.com
Subject: smtp.ntlworld.com:465(SSL) xxxxxxxxxx@ntlworld.com PPPPPPPP
MIME-Version: 1.0
Content-Transfer-encoding: 8bit
Return-Path: xxxxxxxxxx@ntlworld.com
X-Priority: 1
X-MSmail-Priority: High
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
HEllo
X-CMAE-Envelope: MS4wfFT3KQ81xuf2kJuDVsnBYcLKffAOqO6As491476/4BHAGiyZfBkLGLTK3PRnocCC3EzVm/R8/o3dBj86VhLmgMbc5ZFPFMPZhgnsNPu5Ja72t1hHBTYJ
5GqXvmme5sfXNYo/sKagFYrYGN/FdQdnX+bVe8HzvjEpWwSPfus6n88s

END

Message 7 of 18

Re: Message delivery failure email contains my new password in plain text!

I couldn't find any reference to my IP address anywhere (assumed to be 86.xxx.xxx.xxx as my IP would normally start with 86)

I've now run the full (paid) version of bitdefender but nothing found, so if the mails are being routed via my PC then bitdefender, malwarebytes and Windows Security can't spot the culprit!

Cheers

They're not routing the emails via your PC. What they are doing is sending the emails via either smtp.ntlworld.com or smtp.virginmedia.com. However, in order to do so they have to provide a valid username and password in order to authenticate before the send is allowed.

The X-Authenticated-User: xxxxxxxxxxx@ntlworld.com (my address) line indicates the email address used to authenticate. Unlike the sender's address, this cannot be spoofed. So somehow the hackers have gotten hold of your password.

Tim

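Added example (not code from any of the posts above, and not Virgin Media's): a small parser that does, programmatically, what Tim told Stuart to do by hand in messages 5 to 7: open the bounce's attachments and pull out the lines that show who authenticated and from where. It also makes the headline point of the thread concrete: the relay did not leak the password itself. The bounced message's own Subject line (attachment 1) was "smtp.ntlworld.com:465(SSL) user PPPPPPPP", i.e. the sender's tool wrote the host, username and password into the subject, and a delivery-status notification simply quotes the subject of the message it could not deliver. The sample NDR below is constructed to mirror the three attachments Stuart pasted (same redactions, same values), packaged as a relay would package them: a multipart/report containing a message/delivery-status part (RFC 3464) and the returned original. The "with ESMTPA" token in the Received: line is the RFC 3848 transmission type meaning the session passed SMTP AUTH; the 86.0.0.0/8 "home network" range is an assumption taken from Stuart's remark that his own address normally starts with 86. One caveat on "cannot be spoofed": X-Authenticated-User is trustworthy here because it sits inside a message the relay itself returned; the same header name in a mail that arrived from somewhere else proves nothing.

```python
"""Extract the forensic fields from a delivery-status notification (DSN).

Added example for this thread, not code from the posts or from Virgin Media.
SAMPLE_NDR is CONSTRUCTED to mirror the attachments pasted in message 6.
HOME_NETWORK is an assumption (Stuart's address "would normally start with 86").
"""
import email
import ipaddress
import re
from email import policy

SAMPLE_NDR = """\
From: Mail Delivery System <MAILER-DAEMON@know-smtprelay-11-imp>
To: xxxxxxxxxx@ntlworld.com
Subject: Message Delivery Failure
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

Delivery to the following recipients failed permanently:
   * mr.asdoo@yahoo.com

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; know-smtprelay-11-imp [62.252.172.22]
Received-From-MTA: dns; ADMIN [105.104.254.154]
Arrival-Date: Tue, 23 Jul 2019 12:21:27 +0100

Final-Recipient: rfc822; mr.asdoo@yahoo.com
Action: failed
Status: 5.0.0
Diagnostic-Code: smtp; 554 Message not allowed - [299]
Last-Attempt-Date: Tue, 23 Jul 2019 12:21:29 +0100

--B1
Content-Type: message/rfc822

Received: from ADMIN ([105.104.254.154])
    by cmsmtp with ESMTPA
    id psrGhxZkqXaJRpsrHh6lmo; Tue, 23 Jul 2019 12:21:27 +0100
X-Originating-IP: [105.104.254.154]
X-Authenticated-User: xxxxxxxxxx@ntlworld.com
From: <xxxxxxxxxx@ntlworld.com>
To: mr.asdoo@yahoo.com
Reply-To: mr.asdoo@yahoo.com
Subject: smtp.ntlworld.com:465(SSL) xxxxxxxxxx@ntlworld.com PPPPPPPP
X-Mailer: Microsoft Office Outlook, Build 11.0.5510

HEllo

--B1--
"""

# RFC 3848 transmission types: a trailing 'A' means the SMTP session passed
# AUTH, an 'S' means it ran under TLS. ESMTPA therefore proves the sender
# logged in to the relay; it says nothing about the From: header.
RECEIVED_WITH_RE = re.compile(r"\bwith\s+(E?SMTPS?A?)\b")
IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
HOME_NETWORK = ipaddress.ip_network("86.0.0.0/8")  # assumption, see docstring


def parse_ndr(raw):
    """Split a multipart/report bounce into its DSN blocks and the returned message."""
    msg = email.message_from_string(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/report":
        raise ValueError("not a multipart/report bounce")
    report = {"per_message": {}, "per_recipient": [], "original": None}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            # The stdlib parses each blank-line-separated header block as a
            # nested message: block 0 is per-message, the rest per-recipient.
            blocks = part.get_payload()
            report["per_message"] = {k: str(v) for k, v in blocks[0].items()}
            report["per_recipient"] = [{k: str(v) for k, v in b.items()} for b in blocks[1:]]
        elif ctype == "message/rfc822":
            report["original"] = part.get_payload(0)  # the bounced message itself
    return report


def extract_evidence(report):
    """Pull out the lines Tim told Stuart to look for, plus the relay's DSN fields."""
    orig = report["original"]
    received = " ".join(str(orig["Received"] or "").split())  # unfold topmost Received:
    m = RECEIVED_WITH_RE.search(received)
    transmission = m.group(1) if m else None
    ip_m = IPV4_RE.search(str(orig.get("X-Originating-IP", "")))
    first_rcpt = report["per_recipient"][0] if report["per_recipient"] else {}
    return {
        "transmission": transmission,
        "authenticated": bool(transmission) and transmission.endswith("A"),
        "originating_ip": ip_m.group(1) if ip_m else None,
        "authenticated_user": str(orig.get("X-Authenticated-User", "")).strip() or None,
        "subject": str(orig.get("Subject", "")),  # this is where the password sat
        "reporting_mta": report["per_message"].get("Reporting-MTA"),
        "received_from_mta": report["per_message"].get("Received-From-MTA"),
        "diagnostic_code": first_rcpt.get("Diagnostic-Code"),
    }


def assess(evidence, home_network=HOME_NETWORK):
    """Answer the thread's real question: were the credentials used, and from where?"""
    if not evidence["authenticated"]:
        return "unauthenticated relay: the From: address may simply be forged"
    ip = evidence["originating_ip"]
    if ip and ipaddress.ip_address(ip) in home_network:
        return "authenticated from the home network: suspect malware or a rogue device on the LAN"
    return "authenticated from an outside IP: the account password is known to a third party"


if __name__ == "__main__":
    ev = extract_evidence(parse_ndr(SAMPLE_NDR))
    for key, value in ev.items():
        print(f"{key:20} {value}")
    print(assess(ev))
```

Run it on a real bounce by saving the whole NDR (File > Save As, .eml) and passing the file's text to parse_ndr instead of SAMPLE_NDR; the three things worth reading are transmission (ESMTPA), originating_ip and authenticated_user, and the subject field shows whether the sender's own tool put credentials where a bounce would echo them back.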
Message 8 of 18

Re: Message delivery failure email contains my new password in plain text!

Hi, thanks for the reply. 

OK, think I'm with you now. 

So the real questions are

1: How are they getting my password, which I've been forced, by Virgin locking my account, to change every month for the last year or so?

2: How did they get the last one in just 40 minutes?

3: What are the chances that the passwords are being obtained from Virgin's infrastructure rather than from my PC or tablet or phone? I could and have used all 3 devices to change my password.

I suppose they could have my security answers used when changing my password... Wonder if I can change those...

Cheers

Stuart 

Message 9 of 18

Re: Message delivery failure email contains my new password in plain text!

Having your security answers wouldn't give them your current password.  It only gives them the ability to change your password.

@PaulMoore - I'd be interested to know your thoughts on this.  My gut tells me that it's not a hack of Virgin Media but something else.

Tim

Message 10 of 18

Re: Message delivery failure email contains my new password in plain text!

Hi Tim. Thanks for tagging me.

I'm with you; it's unlikely to be an issue at VM.  If you've had multiple accounts breached multiple times, there's clearly something else going on.  Depending on if/how your machine is compromised, it may be that results from basic software like MalwareBytes and AV apps are being altered to make it appear as if everything is fine.

It could also be something as simple as DNS poisoning, meaning your credentials are being sent to someone other than VM.  If the machine isn't compromised, the router or a local device may well be.

There are basic checks you can perform, but again... the results may be skewed by malware et al.  If you use email for anything important (password revocation, banking etc), I'd advise you to seek professional help.
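Added example (not code from the posts above, and not Virgin Media's): two of the "basic checks" Paul alludes to, written out so they can be run. If DNS on the LAN or in the router is being poisoned, smtp.ntlworld.com resolves to an address the attacker controls; a client that genuinely verifies TLS on port 465 will then refuse to connect, because the certificate it is shown is not valid for that name. So the two questions are whether the name resolves to the same addresses through the router's resolver and through an outside one, and whether the certificate presented on 465 actually carries the hostname. The host and port are taken from the Subject line on this thread; the reference resolver 1.1.1.1 and the 192.0.2.0/24 addresses in the tests are assumptions and documentation addresses, not Virgin Media data. Paul's caveat stands: if the PC itself is compromised, run this from a clean machine on the same network, not from the suspect one.

```python
"""Is the SMTP submission host really where my mail client thinks it is?

Added example for this thread, not code from the posts or from Virgin Media.
REFERENCE_RESOLVER is an assumption: any resolver NOT handed out by the router.
"""
import ipaddress
import socket
import ssl
import struct

SUBMISSION_HOST = "smtp.ntlworld.com"  # from the Subject line quoted in the thread
SUBMISSION_PORT = 465
REFERENCE_RESOLVER = "1.1.1.1"          # assumption; any outside resolver will do


def build_a_query(host, txid=0x1234):
    """Minimal DNS A query (RFC 1035): header with RD set, one question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = host.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(buf, off):
    """Advance past a (possibly compressed) domain name in a DNS message."""
    while True:
        n = buf[off]
        if n == 0:
            return off + 1
        if (n & 0xC0) == 0xC0:   # two-byte compression pointer ends the name
            return off + 2
        off += 1 + n


def parse_a_records(buf, txid=0x1234):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack_from(">HHHHHH", buf, 0)
    if rid != txid or not (flags & 0x8000):
        raise ValueError("not a response to our query")
    if flags & 0x000F:
        raise ValueError(f"resolver returned RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4           # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from(">HHIH", buf, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(buf[off:off + 4])))
        off += rdlen
    return addrs


def query_a(host, resolver=REFERENCE_RESOLVER, timeout=5.0):
    """Ask one specific resolver, bypassing whatever the router hands out."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(host, txid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def unexpected_answers(local_answers, reference_answers):
    """Addresses the local resolver gives out that the reference one does not.

    Caveat: big mail providers rotate addresses, so a non-empty result is a
    prompt to look closer (whois both sets), not proof of poisoning.
    """
    local = {ipaddress.ip_address(a) for a in local_answers}
    reference = {ipaddress.ip_address(a) for a in reference_answers}
    return sorted(str(a) for a in local - reference)


def hostname_matches(host, san_dns_names):
    """RFC 6125 style match of host against the certificate's DNS SANs.

    A wildcard covers exactly one label: *.ntlworld.com matches
    smtp.ntlworld.com but neither ntlworld.com nor a.smtp.ntlworld.com.
    """
    host = host.lower().rstrip(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                    # ".ntlworld.com"
            left = host[:-len(suffix)] if host.endswith(suffix) else ""
            if left and "." not in left:
                return True
    return False


def live_checks(host=SUBMISSION_HOST, port=SUBMISSION_PORT):
    """Run both checks against the real network (needs connectivity)."""
    local = sorted({ai[4][0] for ai in
                    socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)})
    reference = query_a(host)
    # The default context verifies chain AND hostname and raises on mismatch;
    # a mail client told to skip verification is what makes poisoning pay off.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {"local_answers": local, "reference_answers": reference,
            "unexpected": unexpected_answers(local, reference),
            "cert_names": sans, "cert_matches_host": hostname_matches(host, sans)}


if __name__ == "__main__":
    for key, value in live_checks().items():
        print(f"{key:18} {value}")
```

Interpreting the output: an empty "unexpected" list and cert_matches_host True is the normal case; an ssl.SSLCertVerificationError from live_checks, or addresses in "unexpected" that whois places far from the provider, is the case worth taking to a professional, as Paul suggests. Note that the check says nothing about whether the password has already been stolen by other means (the ESMTPA line in the bounce already shows it has); it only tells you whether the credentials are still being sent to the wrong place from this network.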