Broadband Tech > Security > Scam and Phishbusters > DynDNS Hacked?

DynDNS Hacked?

How unique is the local part of the email address?
It's not uncommon for spammers to reuse the local part of an email address list by replacing the domain part with a different name.
e.g.,
a@msn.com becomes a@dyndns.com, a@gmail.com etc...
If your address was
1313$$998UUytIpRRtyeWWS@dyndns.com
it would get spammed if there an email address such as
1313$$998UUytIpRRtyeWWS@yahoo.com that had been scraped.
This isn't a guess to what occurred, just one alternative example of how it could have occurred.

Anything is possible, but over the years I've accumulated a little over 200 unique aliases. Only the DynDNS alias received spam, and there are far easier aliases to guess. (think of big name merchants, etc)

reply to Snowy
Your theory would be a possible explanation if the address in question were the "from" part of the message, but as I read it the OP's alias would have to be the local part of the address and the domain would have to be for his mail server. Your scenario would send the spam to dyndns.com, not to the OP, if used for the "to" part of the envelope.

I suspect it's much more likely for DynDNS to have sold at least part of their list to a third party. Another possibility is a sniffer somewhere along the way, harvesting addresses at random...
--
Jim Kyle

reply to Snowy

reply to rebus9

reply to NormanS
I can confirm what rebus9 wrote. I'm also using unique email alias for every eshop or service provider registration.
Today early morning I have recieved spam to dyndns email alias.
Sender: "UPS Services"
Subject: "Delivery problem # Error ID3433"
Contains link: http___www_agstrong_hu_RXBOORXKQB_html
(I have intentionally invalidated the link here)
I don't know if there is a chance to defend. Of course, I will cancel the alias.

reply to rebus9
Hi -Yes, I had exactly the same problem this morning. I too use disposable addresses for each service I subscribe to, and I got the "UPS" mail you refer to. The local part of my address is very unusual, and I have several hundred such disposable addresses in use, only a handful of which have evr been compromised. It does seem that the DynDNS mailing list is "out there".

reply to koitsu

Now I got similar mails like KodloN...

I use MD5sums (MD5 of site and username) as local part my of email-addresses.
At the moment I have 5 of them because I have to manage 5 different dyndns-accounts for my customers

Today I got 4 mails (to 4 different for-dyndns-used-addresses) like this:

--- SNIP ---
Return-Path:
Received: from web25.webkontrol.doruk.net.tr (unknown [212.58.2.167])
by my-mailserver (Postfix) with ESMTP id 41D922A9BC
for ; Fri, 26 Oct 2012 13:09:55 +0200 (CEST)
Received: from WEB25 ([127.0.0.1]) by web25.webkontrol.doruk.net.tr with MailEnable ESMTP; Fri, 26 Oct 2012 14:09:36 +0300
Date: Fri, 26 Oct 2012 14:09:36 +0300
Subject: *SPAMVERDACHT*UPS delivery problem # Error ID21777
To: the@ddress
From: "UPS Support"
X-Mailer: MIME-tools5.503(Entity5.501)
Reply-To: "UPS Support"
Message-ID:
--- SNAP ---

or this

--- SNIP ---
Return-Path:
Received: from yumatrix.arvixededicated.com (unknown [65.98.83.154])
by mailserver (Postfix) with ESMTPS id 177162B34F
for ; Fri, 26 Oct 2012 02:24:50 +0200 (CEST)
Received: from yumatrix by yumatrix.arvixededicated.com with local (Exim 4.80)
(envelope-from )
id 1TRXPA-00070C-PU
for my2nd@ddress; Thu, 25 Oct 2012 20:04:04 -0400
To: my2nd@ddress
Subject: Error in the delivery address ID#66305
From: "UPS Information"
X-Mailer: CSMTPConnectionv1.3
Reply-To: "UPS Information"
Message-Id:
Date: Thu, 25 Oct 2012 20:04:04 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - yumatrix.arvixededicated.com
X-AntiAbuse: Original Domain - mydomain
X-AntiAbuse: Originator/Caller UID/GID - [501 501] / [47 12]
X-AntiAbuse: Sender Address Domain - yumatrix.arvixededicated.com
--- SNAP ---

That really looks like somebody hacked Dyndns!

Hi there,

just found the following phishing mail in my INBOX addressed to an unique email address only used for my dyndns account:

To:
Subject: My resume
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="__MESSAGE__ID__ABcSZaXcVzngFw"
 
--__MESSAGE__ID__ABcSZaXcVzngFw
Content-type: text/html; charset=utf-8
Content-Transfer-Encoding: 7bit
 
Hello,
 
Thank you for getting back to me about the clerk position.
I really want to be a part of the company and the job sound great.
So I'm sending you all documents with the scan of my passport.
 
Looking forward to your reply.
Thank you.
--__MESSAGE__ID__ABcSZaXcVzngFw
Content-Type: application/x-msdownload; name="Resume_CV_Passport_Scans.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Resume_CV_Passport_Scans.zip"
 
...
 

Seems they are already aware of the situation:

»twitter.com/DynInc/status/261864026571677696

reply to KodloN

reply to jimkyle

reply to rebus9
I, too, can confirm with the rest. I use the same methods and got the same exact spam/phish.

(And if you haven't used it, let me give a free plug to sneakemail.com, which makes this method extremely simple and extremely effective.)

reply to rebus9
Well i have seen where i get an e-mail but i can not find my mailbox address in the header anywhere, but i still get the message. The name it was sent to, always starts with the same letter as my e-maill address but it is not my e-mail address. In these cases, the e-mail was sent to all users, like wildcards, r*@Dyn.com.

Not sure how this is done but they must have hacked either dyndns or the ISP mail servers, or found a bug in a, IM/send/reply to a dyndns user, at the dyndns web site.

I also have a Dnydns account but i did not get the spam.

reply to thermoman

reply to rebus9
Just like you, we run our own POP3 server. Therefore, we are able to give unique e-mail address for each contact. we have dyn@***.**.org e-mail address for Dyn. In contrast, we have not received anything from this e-mail address at all.

In fact, we are very alert of this type of issue. We were the first to report this type of issue at this site as you can see »[VOIPo.COM] Unique e-mail address for pre-launch sign-up got spa

Unfortunately, in spite of reporting every single spam received to SpamCop and KnujOn, we continue to receive spam at voipo@xx.xxx.xx e-mail address almost 3 years later now.

reply to mmainprize

X-Apparently-To: x*@yahoo.com via 98.138.212.28; Sun, 28 Oct 2012 11:32:21 -0700
To: <x*@sonic.net>
 

X-Apparently-To: x*@yahoo.com via 98.138.212.28; Sun, 28 Oct 2012 11:32:21 -0700
Return-Path: <x*@hotmail.com>
Received-SPF: pass (domain of hotmail.com designates 65.55.34.210 as permitted sender)
X-YMailISG: dRLZA0AWLDtGl.zHU8fx.YXp6S5XAEiuxH8UhT81DE.nTgSR
 5lQhzj12MbRYLrzmnqDEEWXk6HD6Tx82YH_U3P6Xif1lMWv3Vd87JE21LCEy
 mMz6ysfIU6SNmFwO29FNb45lqIjCPU42ipSJoaZn.x9WAc0nHaC_Z6pC7ki4
 THVYLMhluIJSFVzDpKdN2iWoXg5_HkpuguR8lFLNi7X4rQxCvoWPwtLjQ0ou
 lmleTSZ_PRSuDdrjjzlcIzHUB.ZwumT529FPYhZ7Y.SHYjTQS2m1mYsj87Uq
 aKB9ZYtZrK4EXsk_9.MAv.NPwW.1tWk34_xjNwLleqmqHhZwC.esY_.Vg7uR
 fYD_M8q_sKv5GHcm.akkFAW_r8Yeua_sy98TC1bHkpvwNIDtnZw7fPAJ_j3D
 zvbW3p4Uoem_Ys2h4e2ztFvxqSnElsBsfr0jjgp2jAsD4GejSbAp4g0BI.y9
 6JtLAhIBOXfp0gw0wUKX47QGYUavO2fldhmDZuJpymLthoW2OVh3avzQJ5vn
 h1yH1VRu.OWGbrT3WEltwDFbsWK5ckXgBwdEpOuFLrvxt6Qa2d1_OathiEyw
 HiRPeR5KFnA0XLrEgVCErJU7ivqhh4u6gmX31E.D_.Kf453qW0fPG_J1Hy20
 RTHdEONm4pCrcPvYcLZv6mFdAxJFBE2.6RJeuf4kj_HOgugZdVaSzBdEPIDF
 1emULzDWfmXrwdkDc7h_BO7tXAgBxxq10tU1j1l1Y9lA7mjWt7vziNcHAKAK
 JhRCTtDAN32VkDmPO0vYF6sUqCv.m8zotJ__Q9GEXOsujE81Lrddow.hcjL7
 dhSjmAOwn3rJBGe3DzZ6itSD.9XZug0Oo6INC8FoZ2zb0SW2IIANtCs2PrZh
 Igc8oncNAt8ygTQHkeLenZEIu0U4sUKLJ5KYrOrw.Z4rggncE22rQXLOxwiA
 kFSHG3ClU_vBcR53gcMdk3iJbBfX.nNn1.8.B0vSq4iywg_CNdHqdjw0Qsl2
 .ndvUIcyKsG0t5TsjhwkhCEs8WzNxYWAWOf9LPs6WvKPIzIOTBwC59P5qLR5
 LJGB3_BzLyNkUBoI06KHdP2enkWwT9wSer_y2g--
X-Originating-IP: [65.55.34.210]
Authentication-Results: mta1130.mail.mud.yahoo.com  from=hotmail.com; domainkeys=neutral (no sig);  from=hotmail.com; dkim=neutral (no sig)
Received: from 127.0.0.1  (EHLO col0-omc4-s8.col0.hotmail.com) (65.55.34.210)
  by mta1130.mail.mud.yahoo.com with SMTP; Sun, 28 Oct 2012 11:32:21 -0700
Received: from COL103-DS13 ([65.55.34.200]) by col0-omc4-s8.col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
 Sun, 28 Oct 2012 11:32:02 -0700
X-Originating-IP: [173.22x.xxx.xxx]
X-EIP: [28GTtiZXl1wq2gQE9eoAgJl+wwAiwTKG]
X-Originating-Email: [x*@hotmail.com]
Message-ID: <COL103-DS1314D5780149C4D08D6733E77C0@phx.gbl>
Return-Path: x*@hotmail.com
From: S* L* <x*@hotmail.com>
To: <x*@sonic.net>
Subject: [TEST] Will this work?
Date: Sun, 28 Oct 2012 11:32:00 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0010_01CDB4FF.D887C8D0"
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3505.912
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3505.912
X-OriginalArrivalTime: 28 Oct 2012 18:32:02.0709 (UTC) FILETIME=[8627AC50:01CDB53A]
Content-Length: 628