

NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:12
Reviews:
·SONIC.NET
·Pacific Bell - SBC
reply to mmainprize

Re: DynDNS Hacked?

said by mmainprize:

That's interesting. The only e-mails like those I get are in my Hotmail inbox (I get those in Outlook; I don't use the web interface).
So did that e-mail you sent with a wild-card in the address work, or was it rejected as an invalid address?

I did not use a 'wildcard' in the send. TTBMK, the '*' is not a valid symbol for an SMTP transaction. Perhaps I should just have used a line of dots? I just wanted to redact the complete user name to avoid some spammer scraping the email addresses. The two user names in the example share a common initial letter, but are otherwise different; as, 'xact', and, 'xtra'.

I do not know how they do it, but I get e-mails with one or more addresses in the To: line but it is not my address listed. Like you stated, it doesn't have to be there or was removed, and maybe it is a blind copy of some sort.

Indeed, it is. The spammer has suppressed the list of recipients. Yahoo! Mail, and I believe the German service GMX Mail include the actual RCPT email addresses; most others do not.

But SMTP is very "literal"; if an email is delivered to your mailbox, the SMTP "RCPT TO:" command included that mailbox email address.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


Archi

@superkabel.de
+1 on that. I am getting spam on my dyndns@mailhell.[...].[...] Mail Alias. The domain has a catch-all defined, but I only get spam on aliases I used online, so we can be close to 100% sure there was a breach of some kind. I noticed this just today as the USPS Spam made it past SpamAssassin into my Inbox, but there might be more spam in my Junkbox for a week now (e.g. since the first report here).

On second thought, maybe an attacker used an exploit on home routers and got our dyndns passwords from there. Those could be used to get the email address.
But I think that's rather improbable - there are more lucrative things one can do when messing around with routers than selling the email addresses for a few cents.

Sebastian


NormanS

1 edit
reply to mmainprize
said by mmainprize:

I do not know how they do it, but I get e-mails with one or more addresses in the To: line but it is not my address listed. Like you stated, it doesn't have to be there or was removed, and maybe it is a blind copy of some sort.

It is too late to edit my post, but add Google Mail to the list of very few providers including the "SMTP Envelope Recipient" (RCPT TO:) email address in the headers.

Yahoo Mail:
X-Apparently-To: %me%@yahoo.com via 98.138.213.251; Thu, 01 Nov 2012 10:39:36 -0700
 

Google Mail:
Delivered-To: %me%@gmail.com
 

GMX Mail (.com is English, .net ist Deutsch; both have the same header stamp):
Delivered-To: GMX delivery to %me%@gmx.com
...
Delivered-To: GMX delivery to %me%@gmx.net
 

None of my other ESPs do this. If your ESP doesn't so stamp their email headers, you might request it. However, given the nature of SMTP, if it is in your mailbox, there was an SMTP "RCPT TO: <%your_email_address%>" command. SMTP servers don't "guess", they are as literal as any computer.

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum
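
The header stamps quoted in the post above can be read mechanically to see which alias a message was really delivered to. This is an added example, not part of the original thread; the alias registry, addresses and sample message are constructed, and only the three header formats come from the post.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Headers the posts above show carrying the envelope recipient.
RCPT_HEADERS = ("X-Apparently-To", "Delivered-To")

# Hypothetical registry: alias local part -> the one place it was given out.
ALIAS_ISSUED_TO = {"dyndns": "DynDNS account", "shop1": "constructed web shop"}

def envelope_recipients(raw_message):
    """Addresses stamped by the receiving provider, in RCPT_HEADERS order."""
    msg = message_from_string(raw_message)
    found = []
    for name in RCPT_HEADERS:
        for value in msg.get_all(name, []):
            # Yahoo appends " via <ip>; <date>"; GMX prefixes "GMX delivery to".
            value = value.split(" via ")[0].split(";")[0]
            value = value.replace("GMX delivery to", "").strip()
            addr = parseaddr(value)[1].lower()
            if "@" in addr and addr not in found:
                found.append(addr)
    return found

def leaked_alias_report(raw_message):
    """Map each envelope recipient to the service its alias was issued to."""
    msg = message_from_string(raw_message)
    visible = msg.get_all("To", []) + msg.get_all("Cc", [])
    visible = {addr.lower() for _, addr in getaddresses(visible)}
    report = []
    for rcpt in envelope_recipients(raw_message):
        local = rcpt.split("@", 1)[0]
        report.append({
            "rcpt": rcpt,
            "issued_to": ALIAS_ISSUED_TO.get(local, "unknown alias"),
            "in_to_or_cc": rcpt in visible,  # False: recipient list suppressed
        })
    return report

# Constructed sample: spam whose To: line names someone else entirely.
SAMPLE = (
    "Delivered-To: dyndns@mail.example.net\n"
    "From: USPS <notice@sender.example>\n"
    "To: someone-else@other.example\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for row in leaked_alias_report(SAMPLE):
        print(row)
```
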

Seanster

join:2005-06-26
Beverly Hills, CA
reply to rebus9
I too can confirm receiving spam on an address only used by dyndns. They have definitely been hacked or someone sniffed their packets. Probably much more likely they were hacked. I'm sure they would know this by now and they should have sent out an email warning people at the very least. Very unprofessional.

I hope I used a unique password. I would run my own dyndns but I still have some stupid routers that won't let you use custom dyn services.


NormanS
said by Seanster:

I would run my own dyndns but I still have some stupid routers that won't let you use custom dyn services.

I still have one of their free third level domains. But my new ISP gives me a free static IP address, and they provide DNS service for my domain for less than DynDNS for the same service.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


krrrrrrr

@173.227.92.x
I just got the most elaborate phishing email, claiming my dyndns account was expiring, emailed to the (stolen, unique) email address I actually used to register there.

It is clearly a phishing email, given that the URLs appear to go to dyn dot com, but actually go to dynect dot net.

It's a better constructed email than most, and almost fooled me. Had I not already seen spam to the same unique email address, I would have clicked through.
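
The mismatch described in the post above, where a link's visible text names one domain and its target another, can be checked in an HTML message body. This is an added example, not part of the original thread; the sample markup and URL paths are constructed, and the last-two-labels domain comparison is a simplifying assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Anything in the visible link text that looks like a host name.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

def base_domain(host):
    # Assumption: compare the last two labels only (no public-suffix list).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class LinkAudit(HTMLParser):
    """Collect (shown_domain, target_domain) pairs that disagree."""
    def __init__(self):
        super().__init__()
        self.href = None
        self.text = []
        self.mismatches = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href = dict(attrs).get("href") or ""
            self.text = []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        target = base_domain(urlsplit(self.href).hostname or "")
        if target:  # skip mailto: and relative links, which have no host
            for shown in DOMAIN_RE.findall("".join(self.text)):
                if base_domain(shown) != target:
                    self.mismatches.append((shown.lower(), target))
        self.href = None

def mismatched_links(html):
    audit = LinkAudit()
    audit.feed(html)
    audit.close()
    return audit.mismatches

# Constructed sample body using the two domains named in the post.
SAMPLE_HTML = (
    '<p>Renew at <a href="http://click.dynect.net/r?id=1">'
    'https://www.dyn.com/renew</a> or <a href="https://account.dyn.com/">'
    'dyn.com</a>. <a href="http://click.dynect.net/u">Unsubscribe</a></p>'
)
```

A mismatch is a reason to look up who operates the target domain before trusting the message; it does not by itself show who sent it.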


NormanS
Interesting. "Dynect dot net" appears to be registered to:
 Dynamic Network Services, Inc.
 150 Dow St
 Manchester, NH 03101
 US
 
While "dyn dot com" is registered to ...
...
...
...
 Dynamic Network Services, Inc.
 150 Dow St
 Manchester, NH 03101
 US
 

Same address as on the dyndns.com web page.

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Time Warner Cable
·Clearwire Wireless

1 edit

1 recommendation

reply to krrrrrrr
said by krrrrrrr :

It is clearly a phishing email, given that the URLs appear to go to dyn dot com, but actually go to dynect dot net.

Why are you obfuscating the web addresses dyn.com & dynect.net?

edit to add: registered members can get the definitive answer to what is a suspected phish, not to mention the hurt that phishers have come to expect when one of their phish gets posted to the quiet but often fatal DSLR Phishtracker located at
dslreports dot com/phishtrack
or more commonly referred to as
»/phishtrack

danep

join:2008-06-10
Houston, TX
reply to rebus9
I'm also receiving phishing emails at my unique dyndns@example.com alias. If DynDns has really been hacked and personal information has been leaked, aren't they legally obligated to inform affected users? As a DNS provider, they hold much more personal information than just email addresses.

Incidentally, this is the third time in as many years that I've found out about a data breach using these aliases - in both of the previous cases, the companies had no idea until I called. But they were both mom-and-pop shops, so I wasn't very surprised that they were hacked. Dyndns is a horse of a different color...

rebus9

join:2002-03-26
Tampa Bay
Reviews:
·Verizon FiOS
·Bright House
reply to Seanster
After a short break, spam to the DynDNS address is rolling in again.

I think it's safe to say the address is making its rounds through the lowlife spam-scum circles and will get spam, forever more. Time to kill the dyndns@ address and replace it with something else unique (unique to my DynDNS account).

I have aliases created back in the 1990's which have not been used for more than 10 years. Some date all the way back to 1996 and have not been used since 1997-- a full 15 years.

But to this very day, those addresses still get spammed regularly. Once a spammer gets his filthy hands on it, he will sell and re-sell, and those he sold it to will sell and re-sell it, and forever into the future it will always be in the hands of spammers.

I keep those aliases alive solely for use as honeypots.