Topic 'Re: DynDNS Hacked?' in forum 'Scam and Phishbusters' - dslreports.com

Re: DynDNS Hacked?

Wed, 30 Jan 2013 12:27:52 EDT

rebus9 posted : After a short break, spam to the DynDNS address is rolling in again.

I think it's safe to say the address is making its rounds through the lowlife spam-scum circles and will get spam, forever more. Time to kill the dyndns@ address and replace it with something else unique (unique to my DynDNS account).

I have aliases created back in the 1990's which have not been used for more than 10 years. Some date all the way back to 1996 and have not been used since 1997-- a full 15 years.

But to this very day, those addresses still get spammed regularly. Once a spammer gets his filthy hands on it, he will sell and re-sell, and those he sold it to will sell and re-sell it, and forever into the future it will always be in the hands of spammers.

I keep those aliases alive solely for use as honeypots.

Re: DynDNS Hacked?

Wed, 30 Jan 2013 10:10:11 EDT

danep posted : I'm also receiving phishing emails at my unique dyndns@example.com alias. If DynDns has really been hacked and personal information has been leaked, aren't they legally obligated to inform affected users? As a DNS provider, they hold much more personal information than just email addresses.

Incidentally, his is the third time in as many years that I've found out about a data breach using these aliases- in both of the previous cases, the companies had no idea until I called. But they were both mom-and-pop shops, so I wasn't very surprised that they were hacked. Dyndns is a horse of a different color...

Re: DynDNS Hacked?

Tue, 13 Nov 2012 23:02:34 EDT

Snowy posted :

said by krrrrrrr :

It is clearly a phishing email, given that the URLs appear to go to dyn dot com, but actually go to dynect dot net.

Why are you obfuscating the web addresses dyn.com & dynect.net?

edit to add: registered members can get the definitive answer to what is a suspected phish not to mention the hurt that phishers have come to expect when one of their phish get posted to the quiet but often fatal DSLR Phishtracker located at
dslreports dot com/phishtrack
or more commonly referred to as
»/phishtrack
:)

Re: DynDNS Hacked?

Tue, 13 Nov 2012 12:11:01 EDT

NormanS posted : Interesting. "Dynect dot net" appears to be registered to:

 Dynamic Network Services, Inc. 150 Dow St Manchester, NH 03101 US

While "dyn dot com" is registered to ...
...
...
...

 Dynamic Network Services, Inc. 150 Dow St Manchester, NH 03101 US

Same address as on the dyndns.com web page.

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

Re: DynDNS Hacked?

Tue, 13 Nov 2012 10:59:46 EDT

anon posted : I just got the most elaborate phishing email, claiming my dyndns account was expiring, emailed to the (stolen, unique) email address I actually used to register there.

It is clearly a phishing email, given that the URLs appear to go to dyn dot com, but actually go to dynect dot net.

It's a better constructed email than most, and almost fooled me. Had I not already seen spam to the same unique email address, I would have clicked through.

Re: DynDNS Hacked?

Fri, 09 Nov 2012 05:30:23 EDT

NormanS posted :

said by Seanster:

I would run my own dyndns but I still have some stupid routers that won't let you use custom dyn services.

I still have one of their free third level domains. But my new ISP gives me a free static IP address, and they provide DNS service for my domain for less than DynDNS for the same service.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

Re: DynDNS Hacked?

Thu, 08 Nov 2012 10:04:02 EDT

Seanster posted : I too can confirm receiving spam on an address only used by dyndns. They have definitely been hacked or someone sniffed their packets. Probably much more likely they were hacked. I'm sure they would know this by now and they should have sent out an email warning people at the very least. Very unprofessional.

I hope I used a unique password. I would run my own dyndns but I still have some stupid routers that won't let you use custom dyn services.

Re: DynDNS Hacked?

Mon, 05 Nov 2012 16:31:48 EDT

NormanS posted :

said by mmainprize:

I do not know how they do it but i get e-mails with one or more addresses in the To: line but it is not my address listed. Like you stated it don't have to be there or was removed, and maybe it is a blind copy of some sort.

It is too late to edit my post, but add Google Mail to the list of very few providers including the "SMTP Envelope Recipient (RCPT TO:) email address in the headers.

Yahoo Mail:

X-Apparently-To: %me%@yahoo.com via 98.138.213.251; Thu, 01 Nov 2012 10:39:36 -0700

Google Mail:

Delivered-To: %me%@gmail.com

GMX Mail (.com is English, .net ist Deutsch; both have the same header stamp):

Delivered-To: GMX delivery to %me%@gmx.com...Delivered-To: GMX delivery to %me%@gmx.net

None of my other ESPs do this. If your ESP doesn't so stamp their email headers, you might request it. However, given the nature of SMTP, if it is in your mailbox, there was an SMTP "RCPT TO: <%your_email_address%>" command. SMTP servers don't "guess", they are as literal as any computer.

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

Re: DynDNS Hacked?

Mon, 05 Nov 2012 14:31:27 EDT

anon posted : +1 on that. I am getting spam on my dyndns@mailhell.[...].[...] Mail Alias. The domain has a catch-all defined, but I only get spam on aliases I used online, so we can be close to 100% sure there was a breach of some kind. I noticed this just today as the USPS Spam made it pass SpamAssassin into my Inbox, but there might be more spam in my Junkbox since a week (e.g. since the first report here).

On a second thought maybe an attacker used an exploit on home routers and got our dyndns passwords from there. Those could be used to get the emailaddress.
But I think that's rather improbable - there are more lucrative things one can do when messing arround with routers than selling the emailaddresses for a few cents.

Sebastian

Re: DynDNS Hacked?

Sun, 28 Oct 2012 17:02:53 EDT

NormanS posted :

said by mmainprize:

I did not use a 'wildcard' in the send. TTBMK, the '*' is not a valid symbol for an SMTP transaction. Perhaps I sould just have used a line of dots? I just wanted to redact the complete user name to avoid some spammer scraping the email addresses. The two user names in the example share a common initial letter, but are otherwise different; as, 'xact', and, 'xtra'.

Indeed, it is. The spammer has suppressed the list of recipients. Yahoo! Mail, and I believe the German service GMX Mail include the actual RCPT email addresses; most others do not.

But SMTP is very "literal"; if an email is delivered to your mailbox, the SMTP "RCPT TO:" command included that mailbox email address.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

Re: DynDNS Hacked?

Sun, 28 Oct 2012 15:40:29 EDT

mmainprize posted :

NormanS
SMTP doesn't require the "Receipt-To:" email address to be stamped in the headers. Most email services do not, but some do. Yahoo! Mail is one which does. From a test:

Once the email has been placed in the mailbox, the "Receipt-To" data is no longer needed, so it is normally discarded.

That interesting, The only e-mails like those i get are in my Hotmail inbox (I get those in outlook, i don't use the web interface).
So did that e-mail you sent with a wild-card in the address work or was it rejected as invalid address.

I do not know how they do it but i get e-mails with one or more addresses in the To: line but it is not my address listed. Like you stated it don't have to be there or was removed, and maybe it is a blind copy of some sort.

Re: DynDNS Hacked?

Sun, 28 Oct 2012 15:08:10 EDT

NormanS posted :

said by mmainprize:

Well i have seen where i get an e-mail but i can not find my mailbox address in the header anywhere, but i still get the message. The name it was sent to, always starts with the same letter as my e-maill address but it is not my e-mail address.

SMTP doesn't require the "Receipt-To:" email address to be stamped in the headers. Most email services do not, but some do. Yahoo! Mail is one which does. From a test:

X-Apparently-To: x*@yahoo.com via 98.138.212.28; Sun, 28 Oct 2012 11:32:21 -0700To:

In full:

X-Apparently-To: x*@yahoo.com via 98.138.212.28; Sun, 28 Oct 2012 11:32:21 -0700Return-Path: Received-SPF: pass (domain of hotmail.com designates 65.55.34.210 as permitted sender)X-YMailISG: dRLZA0AWLDtGl.zHU8fx.YXp6S5XAEiuxH8UhT81DE.nTgSR 5lQhzj12MbRYLrzmnqDEEWXk6HD6Tx82YH_U3P6Xif1lMWv3Vd87JE21LCEy mMz6ysfIU6SNmFwO29FNb45lqIjCPU42ipSJoaZn.x9WAc0nHaC_Z6pC7ki4 THVYLMhluIJSFVzDpKdN2iWoXg5_HkpuguR8lFLNi7X4rQxCvoWPwtLjQ0ou lmleTSZ_PRSuDdrjjzlcIzHUB.ZwumT529FPYhZ7Y.SHYjTQS2m1mYsj87Uq aKB9ZYtZrK4EXsk_9.MAv.NPwW.1tWk34_xjNwLleqmqHhZwC.esY_.Vg7uR fYD_M8q_sKv5GHcm.akkFAW_r8Yeua_sy98TC1bHkpvwNIDtnZw7fPAJ_j3D zvbW3p4Uoem_Ys2h4e2ztFvxqSnElsBsfr0jjgp2jAsD4GejSbAp4g0BI.y9 6JtLAhIBOXfp0gw0wUKX47QGYUavO2fldhmDZuJpymLthoW2OVh3avzQJ5vn h1yH1VRu.OWGbrT3WEltwDFbsWK5ckXgBwdEpOuFLrvxt6Qa2d1_OathiEyw HiRPeR5KFnA0XLrEgVCErJU7ivqhh4u6gmX31E.D_.Kf453qW0fPG_J1Hy20 RTHdEONm4pCrcPvYcLZv6mFdAxJFBE2.6RJeuf4kj_HOgugZdVaSzBdEPIDF 1emULzDWfmXrwdkDc7h_BO7tXAgBxxq10tU1j1l1Y9lA7mjWt7vziNcHAKAK JhRCTtDAN32VkDmPO0vYF6sUqCv.m8zotJ__Q9GEXOsujE81Lrddow.hcjL7 dhSjmAOwn3rJBGe3DzZ6itSD.9XZug0Oo6INC8FoZ2zb0SW2IIANtCs2PrZh Igc8oncNAt8ygTQHkeLenZEIu0U4sUKLJ5KYrOrw.Z4rggncE22rQXLOxwiA kFSHG3ClU_vBcR53gcMdk3iJbBfX.nNn1.8.B0vSq4iywg_CNdHqdjw0Qsl2 .ndvUIcyKsG0t5TsjhwkhCEs8WzNxYWAWOf9LPs6WvKPIzIOTBwC59P5qLR5 LJGB3_BzLyNkUBoI06KHdP2enkWwT9wSer_y2g--X-Originating-IP: [65.55.34.210]Authentication-Results: mta1130.mail.mud.yahoo.com  from=hotmail.com; domainkeys=neutral (no sig);  from=hotmail.com; dkim=neutral (no sig)Received: from 127.0.0.1  (EHLO col0-omc4-s8.col0.hotmail.com) (65.55.34.210)  by mta1130.mail.mud.yahoo.com with SMTP; Sun, 28 Oct 2012 11:32:21 -0700Received: from COL103-DS13 ([65.55.34.200]) by col0-omc4-s8.col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675); Sun, 28 Oct 2012 11:32:02 -0700X-Originating-IP: [173.22x.xxx.xxx]X-EIP: [28GTtiZXl1wq2gQE9eoAgJl+wwAiwTKG]X-Originating-Email: [x*@hotmail.com]Message-ID: Return-Path: x*@hotmail.comFrom: S* L* To: Subject: [TEST] Will this work?Date: Sun, 28 Oct 2012 11:32:00 -0700MIME-Version: 1.0Content-Type: multipart/alternative;boundary="----=_NextPart_000_0010_01CDB4FF.D887C8D0"X-Priority: 3X-MSMail-Priority: NormalImportance: NormalX-Mailer: Microsoft Windows Live Mail 16.4.3505.912X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3505.912X-OriginalArrivalTime: 28 Oct 2012 18:32:02.0709 (UTC) FILETIME=[8627AC50:01CDB53A]Content-Length: 628

Once the email has been placed in the mailbox, the "Receipt-To" data is no longer needed, so it is normally discarded.

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

Re: DynDNS Hacked?

Sun, 28 Oct 2012 13:52:29 EDT

hszeto posted : Just like you, we run our own POP3 server. Therefore, we are able to give unique e-mail address for each contact. we have dyn@***.**.org e-mail address for Dyn. In contrast, we have not received anything from this e-mail address at all.

In fact, we are very alert of this type of issue. We were the first to report this type of issue at this site as you can see »[VOIPo.COM] Unique e-mail address for pre-launch sign-up got spa

Unfortunately, in spite of reporting every single spam received to SpamCop and KnujOn, we continue to receive spam at voipo@xx.xxx.xx e-mail address almost 3 years later now. :(

Re: DynDNS Hacked?

Sat, 27 Oct 2012 22:19:43 EDT

rebus9 posted :

said by thermoman :

Seems they are already aware of the situation:

»twitter.com/DynInc/status/261864026571677696

I emailed them directly around the time I made the original post here, and got a response from Dyn asking for the spam/scam message and full headers. (which I sent) Seeing that other users are also getting the same spam kind of confirms my suspicion that the Dyn email list is "out there".

Now the question is how it got there-- either via 3rd party, or system compromise.

Re: DynDNS Hacked?

Sat, 27 Oct 2012 21:55:11 EDT

mmainprize posted : Well i have seen where i get an e-mail but i can not find my mailbox address in the header anywhere, but i still get the message. The name it was sent to, always starts with the same letter as my e-maill address but it is not my e-mail address. In these cases, the e-mail was sent to all users, like wildcards, r*@Dyn.com.

Not sure how this is done but they must have hacked either dyndns or the ISP mail servers, or found a bug in a, IM/send/reply to a dyndns user, at the dyndns web site.

I also have a Dnydns account but i did not get the spam.

Re: DynDNS Hacked?

Fri, 26 Oct 2012 19:36:55 EDT

anon posted : I, too, can confirm with the rest. I use the same methods and got the same exact spam/phish.

(And if you haven't used it, let me give a free plug to sneakemail.com, which makes this method extremely simple and extremely effective.)

Re: DynDNS Hacked?

Fri, 26 Oct 2012 16:21:08 EDT

Snowy posted :

said by jimkyle:

Your theory would be a possible explanation if the address in question were the "from" part of the message,

Yes, you're absolutely correct.
Thank you to all who helped clear up any confusion my post created. :)

Re: DynDNS Hacked?

Fri, 26 Oct 2012 14:19:58 EDT

NormanS posted :

said by KodloN :

I can confirm what rebus9 wrote. I'm also using unique email alias for every eshop or service provider registration.
Today early morning I have recieved spam to dyndns email alias.

I have been watching my 'base-ddns@yahoo.com' email alias (the actual account is, 'user@pacbell.net'). But, as with the very nasty Yahoo! leak, I seem to be unaffected. In the case with the Yahoo! leak, victims had to have used a particular, newly purchased (by Yahoo!) service; I had not signed up for it. In this case, I am wondering if spammers have figured out that the 'base-uid@yahoo.com' is akin to a spamtrap; to be avoided.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

Re: DynDNS Hacked?

Fri, 26 Oct 2012 12:43:47 EDT

anon posted : Seems they are already aware of the situation:

»twitter.com/DynInc/status/261864026571677696

Re: DynDNS Hacked?

Fri, 26 Oct 2012 12:32:58 EDT

anon posted : Hi there,

just found the following phishing mail in my INBOX addressed to an unique email address only used for my dyndns account:

To:Subject: My resumeMIME-Version: 1.0Content-Type: multipart/mixed; boundary="__MESSAGE__ID__ABcSZaXcVzngFw" --__MESSAGE__ID__ABcSZaXcVzngFwContent-type: text/html; charset=utf-8Content-Transfer-Encoding: 7bit Hello, Thank you for getting back to me about the clerk position.I really want to be a part of the company and the job sound great.So I'm sending you all documents with the scan of my passport. Looking forward to your reply.Thank you.--__MESSAGE__ID__ABcSZaXcVzngFwContent-Type: application/x-msdownload; name="Resume_CV_Passport_Scans.zip"Content-Transfer-Encoding: base64Content-Disposition: attachment; filename="Resume_CV_Passport_Scans.zip" ...

Googled "dyndns hacked" just after reading this mail and found this board.

Re: DynDNS Hacked?

Fri, 26 Oct 2012 10:02:42 EDT

anon posted : Now I got similar mails like KodloN...

I use MD5sums (MD5 of site and username) as local part my of email-addresses.
At the moment I have 5 of them because I have to manage 5 different dyndns-accounts for my customers

Today I got 4 mails (to 4 different for-dyndns-used-addresses) like this:

--- SNIP ---
Return-Path:
Received: from web25.webkontrol.doruk.net.tr (unknown [212.58.2.167])
by my-mailserver (Postfix) with ESMTP id 41D922A9BC
for ; Fri, 26 Oct 2012 13:09:55 +0200 (CEST)
Received: from WEB25 ([127.0.0.1]) by web25.webkontrol.doruk.net.tr with MailEnable ESMTP; Fri, 26 Oct 2012 14:09:36 +0300
Date: Fri, 26 Oct 2012 14:09:36 +0300
Subject: *SPAMVERDACHT*UPS delivery problem # Error ID21777
To: the@ddress
From: "UPS Support"
X-Mailer: MIME-tools5.503(Entity5.501)
Reply-To: "UPS Support"
Message-ID:
--- SNAP ---

or this

--- SNIP ---
Return-Path:
Received: from yumatrix.arvixededicated.com (unknown [65.98.83.154])
by mailserver (Postfix) with ESMTPS id 177162B34F
for ; Fri, 26 Oct 2012 02:24:50 +0200 (CEST)
Received: from yumatrix by yumatrix.arvixededicated.com with local (Exim 4.80)
(envelope-from )
id 1TRXPA-00070C-PU
for my2nd@ddress; Thu, 25 Oct 2012 20:04:04 -0400
To: my2nd@ddress
Subject: Error in the delivery address ID#66305
From: "UPS Information"
X-Mailer: CSMTPConnectionv1.3
Reply-To: "UPS Information"
Message-Id:
Date: Thu, 25 Oct 2012 20:04:04 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - yumatrix.arvixededicated.com
X-AntiAbuse: Original Domain - mydomain
X-AntiAbuse: Originator/Caller UID/GID - [501 501] / [47 12]
X-AntiAbuse: Sender Address Domain - yumatrix.arvixededicated.com
--- SNAP ---

That really looks like somebody hacked Dyndns!

Re: DynDNS Hacked?

Fri, 26 Oct 2012 09:04:47 EDT

rebus9 posted :

said by koitsu:

said by rebus9:

Anything is possible, but over the years I've accumulated a little over 200 unique aliases. Only the DynDNS alias received spam, and there are far easier aliases to guess. (think of big name merchants, etc)

We'll agree to disagree. I've been doing this since I registered my first domain way back in 1996. It has worked spectacularly well for 16 years, and continues to do so. Within the past year or so, the same thing happened to a small nutritional supplement vendor. They had no clue their user data had been compromised until I phoned them after receiving a phish email to that alias.

It also comes in handy for detecting which websites prostitute their users out to 3rd parties. I had a couple of aliases that received floods of unsolicited messages (calling them that, instead of spam, because it was focused/targeted content and not random). There was absoltely no doubt who'd sold their lists to 3rd parties who sold products that correlated with the orignal vendor's genre.

Sure, I'll name the worst offender-- active.com. I used them to sign up for a few races, and within a couple of months I was flooded with advertising emails from many different vendors of running shoes, running clothing, accessories (gps trainers, heartrate monitors, etc). And before you ask-- I always make sure I've un-checked any boxes that ask for permission to give my address to partners and 3rd parties, or asking if I want to receive periodic emails, etc.

Re: DynDNS Hacked?

Fri, 26 Oct 2012 07:37:40 EDT

anon posted : Hi -Yes, I had exactly the same problem this morning. I too use disposable addresses for each service I subscribe to, and I got the "UPS" mail you refer to. The local part of my address is very unusual, and I have several hundred such disposable addresses in use, only a handful of which have evr been compromised. It does seem that the DynDNS mailing list is "out there".

Re: DynDNS Hacked?

Fri, 26 Oct 2012 07:34:15 EDT

anon posted : I can confirm what rebus9 wrote. I'm also using unique email alias for every eshop or service provider registration.
Today early morning I have recieved spam to dyndns email alias.
Sender: "UPS Services"
Subject: "Delivery problem # Error ID3433"
Contains link: http___www_agstrong_hu_RXBOORXKQB_html
(I have intentionally invalidated the link here)
I don't know if there is a chance to defend. Of course, I will cancel the alias.

Re: DynDNS Hacked?

Fri, 26 Oct 2012 07:24:14 EDT

koitsu posted :

said by rebus9:

As someone who adopted this methodology of trying to prevent spam and "track the source who distributed the Email address", I can assure you with absolute certainty that in the long term / grand scheme of things it doesn't work.

For example, my method was to use things like dyndns@subdomain.domain.com. Sure, it worked wonderfully, until spammers began changing their methods/models. They don't care about bouncebacks or SMTP rejections (no such user) any more -- they quite literally just guess whatever as the username, send the mail out as best they can, and discard the results. They take words out of dictionaries, make their own permutations, take common names of services/companies/etc., and use them as the username portion as as the domain portion and just "hope for the best".

So in my case, what's the chance of them ""guessing"" dyndns@subdomain.domain.com, despite it never being mentioned anywhere or used anywhere but with DynDNS? Answer: extremely high. In fact, it's even higher than the likelihood of DynDNS selling my Email address.

Obviously if you used something like jds3i2jke00_34hskj@domain.com where the username portion was totally random and very long (we're talking 12+ characters minimum), the chance of this happening is very low, but it's still possible. Remember: spammers will figure it out, even if just by chance.

A colleague of mine has been using a clever-but-different version of the above model with pretty good results -- specifically, username@{year}.hisdomain.com. When the year rolls, he nukes the A/MX records for the previous year, and adds ones for the current. The downside to this method is that he has to "train" human beings to remember to specify the correct year when Emailing him (e.g. address books have to be updated once a year). But overall it works.

That's all I have to say on the matter.
--
Making life hard for others since 1977.
I speak for myself and not my employer/affiliates of my employer.

Re: DynDNS Hacked?

Fri, 26 Oct 2012 03:13:14 EDT

NormanS posted :

said by Snowy:

How unique is the local part of the email address?
It's not uncommon for spammers to reuse the local part of an email address list by replacing the domain part with a different name.
e.g.,
a@msn.com becomes a@dyndns.com, a@gmail.com etc...

Assumes that OP has an '@dyndns.com' email account; but I don't see any such service at their site. OTOH, I have long had a paid DNS service from them, and opted to receive regular notices from them to an old Pacbell account, using Yahoo! Mail Addressguard.
My address is in the form, 'base-uniqueuser@yahoo.com'. In my case, Yahoo! has had insecurities, such that, 'user@yahoo.com' for any given Yahoo! Mail (or partner ISP) account might have been leaked.

In the OP's case, I assume he is familiar with the security of his ESP's servers, so it would br reasonable to consider a problem with the DynDNS subscriber mailing list.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

Re: DynDNS Hacked?

Thu, 25 Oct 2012 23:58:37 EDT

jimkyle posted : Your theory would be a possible explanation if the address in question were the "from" part of the message, but as I read it the OP's alias would have to be the local part of the address and the domain would have to be for his mail server. Your scenario would send the spam to dyndns.com, not to the OP, if used for the "to" part of the envelope.

I suspect it's much more likely for DynDNS to have sold at least part of their list to a third party. Another possibility is a sniffer somewhere along the way, harvesting addresses at random...
--
Jim Kyle

Re: DynDNS Hacked?

Thu, 25 Oct 2012 22:55:29 EDT

rebus9 posted : Anything is possible, but over the years I've accumulated a little over 200 unique aliases. Only the DynDNS alias received spam, and there are far easier aliases to guess. (think of big name merchants, etc)

Re: DynDNS Hacked?

Thu, 25 Oct 2012 21:50:28 EDT

Snowy posted : How unique is the local part of the email address?
It's not uncommon for spammers to reuse the local part of an email address list by replacing the domain part with a different name.
e.g.,
a@msn.com becomes a@dyndns.com, a@gmail.com etc...
If your address was
1313$$998UUytIpRRtyeWWS@dyndns.com
it would get spammed if there an email address such as
1313$$998UUytIpRRtyeWWS@yahoo.com that had been scraped.
This isn't a guess to what occurred, just one alternative example of how it could have occurred.

DynDNS Hacked?

Thu, 25 Oct 2012 21:02:56 EDT

rebus9 posted : I create unique email aliases for every vendor I do business with. More importantly, I use each unique alias only with that specific vendor and noone else. That way if I get spam to a particular alias, I know the source of the leak.

Tonight I received a scam spam impersonating UPS (the parcel delivery service) which links to a Hungarian URL. It was sent to the email alias used for DynDNS.

Our mail server has very aggressive protection against dictionary-style harvesting attacks. And since it's an alias and not a mailbox, it's not configured on any PC or mail reader. It only exists on the mail server as a forwarding rule.

So it would appear that either DynDNS had its subscriber email info hacked, or they've sold their email lists to some 3rd party who's either leaked it or is abusing it.

Maybe Dyn was hacked-- maybe not. Either way, heads up if you're a DynDNS subscriber.