Corey_C
Forum Team
Message 11 of 32

Re: virignmediabusiness

Cheers for updating us, ALF28,

If you do get any more emails from other domains, please do forward them to us at phishing@virginmedia.com. As stated on our previous post, you will get a rejected response if it is from an email or domain already reported. As an added measure, once you have reported the email address to us, please filter, block or blacklist these emails. For more information on how to do this, please follow this link.

Thanks,

Corey C

ALF28
Message 12 of 32

Re: virignmediabusiness

Thanks for the advice. I am using blacklisting; however, the virginmedia business spam gets through by changing the first part of the address.

Three in a row from TSB bank, last one today 18.02 saying my TSB account is suspended. The fake Virgin emails often have a reference eml which may be a method of distributing emails in a certain format. As far as I am aware I have no connection with TSB bank.

I understand the virginmediabusiness is controlled from the Philippines call centres.

No one else has replied to say they get virginmedia business spam so I may be unique?

In light of recent data incident Virgin should find out how and why the endless stream of spam is let through Virgin servers. Someone is accessing the system for spam distribution on a massive scale. I get approx 3000 spams per year; as you advise I fully use filters and blacklisting to best effect.

Some emails have scripts so I am careful not to handle them. Also I note some emails can actually morph and display differently each time viewed or even change momentarily as you view them, with sender address suddenly changing from one name to another as you view the email. Happened today, perhaps a trick to bypass spam filter/blacklist.

ALF28
Message 13 of 32

Re: virignmediabusiness

Possible explanation for emails that can change content:

Using the ROPEMAKER exploit a malicious actor can change the displayed content in an email at will. For example, a malicious actor could swap a benign URL with a malicious one in an email already delivered to your inbox, turn simple text into a malicious URL, or edit any text in the body of an email whenever they want. All of this can be done without direct access to the inbox.

This is a trick that could allow an attacker to turn a seemingly benign email into a malicious one after it has already been delivered to your email inbox.

Dubbed Ropemaker (stands for Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky)

A successful exploitation of the Ropemaker attack could allow an attacker to remotely modify the content of an email sent by the attacker itself, for example swapping a URL with the malicious one.

This can be done even after the email has already been delivered to the recipient and made it through all the necessary spam and security filters, without requiring direct access to the recipient's computer or email application, exposing email client users to malicious attacks.

I have also had in recent spam emails what appears to be emoji in the text version emails which are in colour, such as a "red heart"; this is different to the use of symbols often found also.

The people responsible for spam are very capable and experts at email code etc, they are professionals. This shows that a determined hacker/spammer can fool most people with what looks like a genuine email, so good protection is required. Got to go now as my computer has a strange browser extension to investigate found by the firewall which could be a fake. The latest emails appear to be from Netflix, not sure if genuine.

Sololobo
Message 14 of 32

Re: virignmediabusiness

https://www.theregister.co.uk/2017/08/23/ropemaker_exploit/

https://www.virusbulletin.com/blog/2017/08/ropemaker-email-exploit-limited-practical-use/

A typical email is 'scanned' twice on the recipient's side: first at delivery time by an email security product, which looks for various kinds of spammy and/or malicious behaviour, and then again by the human user when they open the email and they make a decision as to whether or not to trust its content.

Spam filters scanning emails don't load any external sources and only look at the raw content, thus ignoring the visual appearance of the email; from their point of view there is no difference between hidden and visible links.

As for the human user, the appearance of the email only matters when it is opened; whatever the email looked like when it was delivered doesn't make a difference to them.

That doesn't mean that there won't be (limited) cases in which it does matter that an email's appearance changes as it sits in someone's mailbox, and Mimecast's paper serves as an important warning that this is indeed possible. This is one of many reasons why having mail clients load content from external sources is a bad idea, and this option should be turned off for all but a limited set of trusted senders. Thankfully, having the option turned off is the default for most mail clients; indeed, I had to explicitly enable downloading of remote content for my test email before the ROPEMAKER exploit worked in Thunderbird.

https://www.bleepingcomputer.com/news/security/ropemaker-lets-attackers-change-your-emails-after-del...

ROPEMAKER is more hype than danger

While the attack looks scary, in reality, users have very little to fear. This is because most email clients are in the habit of stripping out header tags for emails in HTML format, including any tags calling for remote CSS files.

This practice of header stripping is why most tutorials for writing HTML emails encourage web developers to use only inline CSS and avoid embedded or remote CSS.

Mimecast, who tested ROPEMAKER against various email clients, says that browser-based email interfaces are not affected by the ROPEMAKER attack. Not surprisingly, these interfaces are known to strip header tags as a precautionary measure not to interfere with the page's normal headers.

Furthermore, as one Reddit user points out, "this attack as described would be extremely easy to filter," as sysadmins could just block the loading of remote CSS resources when requested by email clients.

All in all, ROPEMAKER is a clever attack technique but is not that useful in real-world scenarios.

 




It's What I Do.
I Drink and I
Remember Things.

Only mark a post as helpful if your issue has been resolved.
MissPasko
Message 15 of 32

Re: virignmediabusiness

Hi ALF28

If these spam emails are arriving in your inbox (VM is not blocking them or placing them in your spam folder), then you could also take the step of reporting using spamcop.net. These emails are using SOMEONE's server and spamcop relays the information to the relevant parties, which gets the spammers shut out from sending more spam. Obviously they move on to exploit other servers, but it is one more tiny step in stopping them before the spam goes out. And it encourages those server owners to be more vigilant with security.

I believe information is also passed to spam filter information providers so that it eventually feeds back to block spam.

But if you are getting so much spam, you are on some lists and you can do nothing to get off them. Get a new email address and migrate all your important connections to that address. Choose one that is non-ISP linked, has better security, better support and better spam filtering. Gradually stop using the VM address and forget how much spam it is getting.

goslow
Message 16 of 32

Re: virignmediabusiness

For the info of the OP, I have had two of these emails to an old ntlworld.com email address starting from mid February.

Both were from the same "named person's" account at virginmediabusiness.co.uk and both contained .htm attachments. Both the attachment file names claimed to be to do with financial services (TSB Online and MBNA). Both emails showed passes for SPF checks and weren't marked as spam.

I forwarded both to phishing@virginmedia.com and received no bounce-back replies so presumably they went through to be recorded in some way.

Lee_R
Forum Team
Message 17 of 32

Re: virignmediabusiness

Thanks goslow for your fantastic support in this matter and I also thank @ALF28 for bringing this to our attention.

Regards


Lee_R

Lee_R
Forum Team
Message 18 of 32

Re: virignmediabusiness

Hi ALF28

I would ask you to follow the advice given by @goslow

Regards


Lee_R

ALF28
Message 19 of 32

Re: virignmediabusiness

Update: I followed the advice, thanks, to forward the spam emails connected with Virgin Media to phishing@virginmedia.com; however, 8 sent failed delivery due to spam content and five were delivered with auto reply, so unsure which ones got through. BUT NONE OF THE VIRGINMEDIABUSINESS EMAILS GOT THROUGH INDICATING SPAM CONTENT, so unfortunately by Virgin Media blocking these it means they cannot be investigated. I use web mail; the only other way to try would be to use a third party client to avoid blocking, but it is a lot of trouble as I ditched Thunderbird as it would not work properly with folders and wrong time stamps all the time. I have seen other posts about the blocking of spam emails sent to phishing; perhaps Virgin are protecting themselves from spam, but what is the point of the phishing@virginmedia.com service if one cannot send spam email to it, it defeats the object !!?? catch22

Should I alter settings so emails are not marked as spam in spam setting and allow to inbox?

Should I remove blacklist as this may be forcing emails to be tagged spam and just use filters?

Or is the spam content part of the email so settings will not affect being able to forward to Virgin?

Please give me best setting to enable emails to be forwarded to phishing.

Perhaps you can give me an answer regarding the problems of reporting spam to Virgin. One suggestion was to report to spamcop.

I looked into that in the past and they require full HTML content, which I consider too dangerous to handle with cutting and pasting etc.

Also if an email is reported as spam the company involved can take legal action if they get blacklisted, so it is a minefield if you read the terms from spamcop.

If nothing else the exercise has proved the virginmediabusiness.co.uk emails contain spam and probably fake.

I will continue to try to forward them regardless, but hope for feedback.

However I do agree with the comment saying just ditch the old Virgin email and use one not connected to ISP; already done that and good advice, thanks.

My main reason for the post was that this spam appeared to be from Virgin Media itself or someone spoofing, so thought they needed to know about it.

Very interesting that another person got similar emails in February and sent to phishing, but did they get them? Perhaps not as they are still coming.

Some are tagged spam and some are not. Will close now, enough time spent on this, difficult to resolve.

ALF28
Message 20 of 32
Re: virignmediabusiness

One got through TSB (came through delayed), so at least they have one to investigate from virginmediabusiness.co.uk.

So it may have been worth the effort after all. I doubt they will reply though from past experience.
