Hello, I believe that this was a targeted malicious attack on my mailbox via an old email service, which I had stopped using in 2015. There are no MX records pointing at it, although the POP and SMTP servers are still active. I believe that the attacker must also have had prior knowledge of my old email infrastructure.
Not sure how this email got onto the list or if everyone on the list got it. The list told me it was blocked and offered me the opportunity to cancel, which I did. I have heard there were four emails, so maybe only one got blocked (due to size). The recipient addresses were addresses on emails which were held on the old mail service. The old mail service I had was with Network Solutions, the emails entered Network Solutions via somewhere on Digital Ocean …

> X-TCPREMOTEIP: 178.62.102.221
> X-Authenticated-UID: [email protected]
> Received: from unknown (HELO localhost) ([email protected]@178.62.102.221)

Network Solutions email service uses authenticated POP and SMTP and I believe there are no white lists configured, so it would appear that the attacker had prior knowledge of my password. So the attacker got access to my emails, and then used SMTP to send using my mailbox. I have asked Network Solutions for the SMTP logs and they told me that I have to get a court order from a US court to access my logs. That sounded to me like a fob off; those logs are mine. Network Solutions are owned by web.com and I found their subject matter enquiry form, let's see if that works. It is unlikely I can track down the attacker from a single source IP address. The next steps are to report to the Police. If anyone wants to weigh in on this, positive or negative, I would be happy to hear from you, better out than in. Particularly if you concur or not with my assessment that this was targeted, it is a lot of hoops to jump.

Thanks
John

From: uknof <[email protected]> On Behalf Of Christian de Larrinaga
Sent: 04 July 2018 12:51
To: Paul Mansfield <[email protected]>
Cc: [email protected]
Subject: Re: [uknof] virus in attachment from [email protected]

I got that too! I shredded it back to 1s and 0s not necessarily in the same order.

Christian

Paul Mansfield wrote:
I'm wondering how the unique email address I use for UKNOF got leaked. I received a reply to an email from [email protected], with the body being this:

Hi, Please see attached, let me know if you have questions! Thanks John

What makes this remarkable is that the message pretends to be a reply to an email I sent in March 2015! The attachment is called "ETF_Inquiry.doc". Did anyone else get this? And did anyone analyse the attachment?
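The header evidence John walks through above (X-TCPREMOTEIP, X-Authenticated-UID and the "HELO localhost" hop) can be checked mechanically when triaging a suspected mailbox compromise. The following is an added example, not code from anyone on this thread: it parses those headers from a constructed message modelled on the quoted one and flags an authenticated submission coming from outside the owner's usual network. The addresses, hostnames and the expected network are assumptions; the client IP is the one quoted in the post.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Constructed sample, modelled on the headers quoted in the thread. Addresses
# and hostnames are placeholders; the client IP is the one John quoted.
SAMPLE_COMPROMISED = """X-TCPREMOTEIP: 178.62.102.221
X-Authenticated-UID: owner@example.invalid
Received: from unknown (HELO localhost) (owner@example.invalid@178.62.102.221)
  by mail.example.invalid with SMTP; Wed, 04 Jul 2018 11:00:00 +0000
From: owner@example.invalid
Subject: Re: ETF Inquiry

Hi, Please see attached, let me know if you have questions!
"""

# Assumed for this example: the network the mailbox owner really submits from.
EXPECTED_SUBMISSION_NETS = (ip_network("203.0.113.0/24"),)

# Matches "(HELO name) (user@domain@1.2.3.4)" as the submission server wrote it.
AUTH_HOP = re.compile(
    r"\(HELO\s+(?P<helo>[^\s()]+)\)\s*\((?P<uid>[^\s()]+)@(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)"
)


def analyse_submission(raw: str, expected_nets=EXPECTED_SUBMISSION_NETS) -> dict:
    """Pull the authenticated-submission facts from the first Received hop and
    flag the signs of a stolen credential being used from somewhere else."""
    msg = message_from_string(raw)
    uid = msg.get("X-Authenticated-UID", "").strip()
    tcp_ip = msg.get("X-TCPREMOTEIP", "").strip()
    hop = AUTH_HOP.search(msg.get_all("Received", [""])[0])
    helo = hop.group("helo") if hop else None
    hop_ip = hop.group("ip") if hop else None
    client_ip = hop_ip or tcp_ip
    findings = []
    if uid:
        findings.append("authenticated_submission")  # sender knew the password
    if client_ip and not any(ip_address(client_ip) in n for n in expected_nets):
        findings.append("unexpected_network")        # outside the owner's networks
    if helo and helo.lower() == "localhost" and client_ip and not ip_address(client_ip).is_loopback:
        findings.append("bogus_helo")                # script-style client, not a real MUA
    if tcp_ip and hop_ip and tcp_ip != hop_ip:
        findings.append("header_mismatch")           # the two server-added IPs disagree
    return {
        "uid": uid, "client_ip": client_ip, "helo": helo, "findings": findings,
        "credential_abuse_suspected": "authenticated_submission" in findings
        and "unexpected_network" in findings,
    }
```

The same function run over the owner's own mail (submitted from the expected network with a real HELO name) reports only the authenticated submission, which is what lets the suspicious case stand out.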
