

Tampa Bay
·Verizon FiOS
·Bright House
reply to koitsu

Re: DynDNS Hacked?

said by koitsu:

said by rebus9:

Anything is possible, but over the years I've accumulated a little over 200 unique aliases. Only the DynDNS alias received spam, and there are far easier aliases to guess. (think of big name merchants, etc)

As someone who adopted this methodology of trying to prevent spam and "track the source who distributed the Email address", I can assure you with absolute certainty that in the long term / grand scheme of things it doesn't work.

We'll agree to disagree. I've been doing this since I registered my first domain way back in 1996. It has worked spectacularly well for 16 years, and continues to do so. Within the past year or so, the same thing happened to a small nutritional supplement vendor. They had no clue their user data had been compromised until I phoned them after receiving a phish email to that alias.

It also comes in handy for detecting which websites prostitute their users out to 3rd parties. I had a couple of aliases that received floods of unsolicited messages (calling them that, instead of spam, because it was focused/targeted content and not random). There was absolutely no doubt who'd sold their lists to 3rd parties who sold products that correlated with the original vendor's genre.

Sure, I'll name the worst offender-- active.com. I used them to sign up for a few races, and within a couple of months I was flooded with advertising emails from many different vendors of running shoes, running clothing, accessories (gps trainers, heartrate monitors, etc). And before you ask-- I always make sure I've un-checked any boxes that ask for permission to give my address to partners and 3rd parties, or asking if I want to receive periodic emails, etc.


Now I got similar mails like KodloN...

I use MD5sums (MD5 of site and username) as local part of my email-addresses.
At the moment I have 5 of them because I have to manage 5 different dyndns-accounts for my customers.

Today I got 4 mails (to 4 different for-dyndns-used-addresses) like this:

--- SNIP ---
Received: from web25.webkontrol.doruk.net.tr (unknown [])
by my-mailserver (Postfix) with ESMTP id 41D922A9BC
for ; Fri, 26 Oct 2012 13:09:55 +0200 (CEST)
Received: from WEB25 ([]) by web25.webkontrol.doruk.net.tr with MailEnable ESMTP; Fri, 26 Oct 2012 14:09:36 +0300
Date: Fri, 26 Oct 2012 14:09:36 +0300
Subject: *SPAMVERDACHT*UPS delivery problem # Error ID21777
To: the@ddress
From: "UPS Support"
X-Mailer: MIME-tools5.503(Entity5.501)
Reply-To: "UPS Support"
--- SNAP ---

or this

--- SNIP ---
Received: from yumatrix.arvixededicated.com (unknown [])
by mailserver (Postfix) with ESMTPS id 177162B34F
for ; Fri, 26 Oct 2012 02:24:50 +0200 (CEST)
Received: from yumatrix by yumatrix.arvixededicated.com with local (Exim 4.80)
(envelope-from )
id 1TRXPA-00070C-PU
for my2nd@ddress; Thu, 25 Oct 2012 20:04:04 -0400
To: my2nd@ddress
Subject: Error in the delivery address ID#66305
From: "UPS Information"
X-Mailer: CSMTPConnectionv1.3
Reply-To: "UPS Information"
Date: Thu, 25 Oct 2012 20:04:04 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - yumatrix.arvixededicated.com
X-AntiAbuse: Original Domain - mydomain
X-AntiAbuse: Originator/Caller UID/GID - [501 501] / [47 12]
X-AntiAbuse: Sender Address Domain - yumatrix.arvixededicated.com
--- SNAP ---

That really looks like somebody hacked Dyndns!
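An added example, not part of any post in this thread: a sketch of the alias scheme described above (MD5 of site and username as the local part) together with the check that attributes unsolicited mail back to the site that held the alias. The domain `example.org`, the `:` separator, the account names and the sample messages are all constructed assumptions.

```python
import hashlib
import re
from collections import Counter
from email import message_from_string
from email.utils import getaddresses

DOMAIN = "example.org"  # assumption: placeholder for the owner's mail domain

def alias_for(site, username, domain=DOMAIN):
    # MD5 of site and username as the local part; the ":" separator is an assumption
    local = hashlib.md5(f"{site}:{username}".encode()).hexdigest()
    return f"{local}@{domain}"

def build_index(accounts):
    # Reverse map: alias -> (site, username); the hash alone does not name the site
    return {alias_for(s, u): (s, u) for s, u in accounts}

def recipients(raw):
    # Collect To/Cc addresses plus the envelope recipient recorded in
    # "Received: ... for <addr>;", which survives when To: is someone else
    msg = message_from_string(raw)
    hdrs = msg.get_all("To", []) + msg.get_all("Cc", [])
    found = {addr.lower() for _, addr in getaddresses(hdrs) if addr}
    for rcv in msg.get_all("Received", []):
        m = re.search(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", rcv)
        if m:
            found.add(m.group(1).lower())
    return found

def leaked_sites(raw_messages, index):
    # Count unsolicited messages per site whose alias was hit (once per message)
    hits = Counter()
    for raw in raw_messages:
        for site in {index[a][0] for a in recipients(raw) if a in index}:
            hits[site] += 1
    return hits

# Constructed sample data, not taken from the thread
ACCOUNTS = [("dyndns.com", "customer1"), ("dyndns.com", "customer2"), ("shop.example", "me")]
A1, A2 = alias_for("dyndns.com", "customer1"), alias_for("dyndns.com", "customer2")
SAMPLES = [
    f"Received: from mx.invalid by mail.example.org\n\tfor <{A1}>; Fri, 26 Oct 2012 13:09:55 +0200\n"
    f"To: {A1}\nSubject: UPS delivery problem\n\nbody\n",
    f"Received: from mx.invalid by mail.example.org\n\tfor <{A2}>; Fri, 26 Oct 2012 02:24:50 +0200\n"
    "To: customers@example.net\nSubject: Error in the delivery address\n\nbody\n",
    "To: postmaster@example.org\nSubject: unrelated\n\nbody\n",
]

if __name__ == "__main__":
    print(leaked_sites(SAMPLES, build_index(ACCOUNTS)))
```

Several distinct aliases registered with the same site all receiving the same campaign is the pattern reported in this thread; the second sample shows why the `Received: ... for` clause matters when the `To:` header names a different address.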


Hi there,

just found the following phishing mail in my INBOX addressed to a unique email address only used for my dyndns account:

Subject: My resume
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="__MESSAGE__ID__ABcSZaXcVzngFw"
Content-type: text/html; charset=utf-8
Content-Transfer-Encoding: 7bit
Thank you for getting back to me about the clerk position.
I really want to be a part of the company and the job sound great.
So I'm sending you all documents with the scan of my passport.
Looking forward to your reply.
Thank you.
Content-Type: application/x-msdownload; name="Resume_CV_Passport_Scans.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Resume_CV_Passport_Scans.zip"

Googled "dyndns hacked" just after reading this mail and found this board.


Seems they are already aware of the situation:



Tampa Bay
·Verizon FiOS
·Bright House
said by thermoman:

Seems they are already aware of the situation:


I emailed them directly around the time I made the original post here, and got a response from Dyn asking for the spam/scam message and full headers. (which I sent) Seeing that other users are also getting the same spam kind of confirms my suspicion that the Dyn email list is "out there".

Now the question is how it got there-- either via 3rd party, or system compromise.