on 29-03-2024 06:50 PM
Hi, For a long time we were receiving scam emails to our TalkTalk address, e.g. McAfee, Boots Oral B, etc., which we were reporting to TalkTalk and the Gov. They showed as being sent from odd and obviously scam addresses. These we blocked, forwarded and deleted. This stopped for a while. We realise blocking was no use as every email came from a different jumble of characters.
However, they have started coming through again, but this time it is very worrying that they show as being sent both to and FROM our email address and clicking on the sender at the top of the email brings up our contact details. This means that we cannot block them so we are just deleting them now, not opening them.
The email ‘preview’ always shows firstly a few words, e.g. McAfee, followed by a very long jumbled mix of letters and numbers as previously.
We would very much appreciate any advice you are able to provide.
on 05-04-2024 09:04 AM
Thank you very much Gondola, we will wait and see then if they are able to do anything to help.
on 05-04-2024 08:44 AM
The line starting FROM: that includes your email address within chevron brackets would have us believe that the sending mailbox is yours. However, the whole line is fake and inserted by the spammer. That's my take on the spam.
I'm sure that both the UK Government's Cyber Security team and the TalkTalk Security team will be doing what they can. The spammer's sending address will no doubt keep changing to avoid being blocked.
Gondola Community Star 2017-2024
on 05-04-2024 07:58 AM
Unfortunately I am still receiving these emails and even though I have forwarded many to TT Security and Report @ Gov, including screenshots of the view source and an explanation, nothing seems to have changed.
They all appear to include the following same line except the number 4 varies:
FROM: <my email@talktalk.net>, Admin4All@mx.tt.xion.oxcs.net
Any further thoughts please?
on 30-03-2024 04:38 PM
Thanks for forwarding to TalkTalk Security. The latest is more spam via Canada.
The mail should have been automatically rejected as the envelope is not SPF authenticated and there's no DMARC policy for the main or sub-domain so that's also something that TalkTalk needs to check.
Gondola Community Star 2017-2024
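The header checks discussed in this thread, written out as an added example (not part of any post and not TalkTalk's own tooling): it compares the envelope sender in Return-Path with the visible From: line and reads the Received-SPF result. The sample header is constructed from the extracts quoted in the thread, with user@example.net standing in for the redacted address; the function names and the simplified domain-alignment rule are assumptions of this example.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample assembled from the header extracts quoted in this thread.
# user@example.net is a placeholder for the poster's redacted address.
SAMPLE = (
    "Return-Path: <support_o9jbeob@biggerkfkd.nanomonkey.ca>\n"
    "Received-SPF: None (protection.outlook.com: biggerkfkd.nanomonkey.ca"
    " does not designate permitted sender hosts)\n"
    "FROM: <user@example.net>, Admin4All@mx.tt.xion.oxcs.net\n"
    "To: user@example.net\n"
    "\n"
    "body\n"
)


def domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def aligned(a, b):
    """Simplified alignment (assumption): same domain or a parent/subdomain pair."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def spoof_indicators(raw):
    """Return a list of reasons the visible From: line should not be trusted."""
    msg = message_from_string(raw)  # header names are matched case-insensitively
    envelope = parseaddr(msg.get("Return-Path", ""))[1]
    senders = [a.lower() for _, a in getaddresses(msg.get_all("From", [])) if a]
    recipients = {a.lower() for _, a in getaddresses(msg.get_all("To", [])) if a}
    spf = (msg.get("Received-SPF", "").split() or ["missing"])[0].lower()

    found = []
    if spf != "pass":
        found.append("spf-" + spf)
    if len(senders) > 1 and "Sender" not in msg:
        found.append("multiple-from-without-sender")
    if recipients & set(senders):
        found.append("from-claims-recipient")
    if not any(aligned(domain(envelope), domain(s)) for s in senders):
        found.append("envelope-not-aligned-with-from")
    return found


if __name__ == "__main__":
    for reason in spoof_indicators(SAMPLE):
        print(reason)
```
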
on 30-03-2024 01:15 PM
Hi, I have forwarded the three received this morning to phishing@talktalk as you requested.
Below I have pasted the first six lines of the latest which shows Return Path also as you requested.
Thanks
Return-Path: <support_09jbeob@biggerkfkd.nanomonkey.ca>
Delivered-To: 3@9508452
Received: from imap-director-5.dovecot.shared.ns.xion.oxcs.net ([10.93.19.5])
by imap-backend-23.dovecot.shared.ns.xion.oxcs.net with LMTP
id 6HnyBVvIB2ZXuDOAYPNmSw
(envelope-from <support_o9jbeob@biggerkfkd.nanomonkey.ca>)
for <3@9508452>; Sat, 30 Mar 2024 10:11:39 +0000
Received: from mx.tt.xion.oxcs.net ([10.93.2.3])
by imap-director-5.dovecot.shared.ns.xion.oxcs.net with LMTP
id 4PPaLULIB2ZbLwAACAI2XA:T47
(envelope-from <support_o9jbeob@biggerkfkd.nanomonkey.ca>)
on 30-03-2024 12:33 PM
OK, so that one suggests that spam is via Canada. I don't know at what point the unexpected FROM: line has been inserted.
Are there any other From: lines lower down? Is there a Return-Path: line (probably at or close to the top of the email header)?
I'd like TalkTalk Security to take a look so ask if you would forward the email to phishing@talktalk.co.uk
Gondola Community Star 2017-2024
on 30-03-2024 12:02 PM
Hi Gondola
As I am not sure how to send you a PM I have copied and pasted the four lines below from a screenshot of yet another email just received, having first replaced MY EMAIL ADDRESS.
I hope this is ok.
Thank you again for your assistance.
Received-SPF: None (protection.outlook.com: biggerkfkd.nanomonkey.ca does not designate permitted sender hosts)
FROM: <MY EMAIL ADDRESS.net>, AdminAll9@mx.tt.xion.oxcs.net
To: MY EMAIL ADDRESS
Content-type: multipart/alternative;
on 30-03-2024 10:48 AM
OK, the envelope-from entries do give the spammer's sending email address(es) and these are already on spam blacklists. So that's where the spam is originating from and not from your mailbox.
However, the line that would normally start From: is not what I expected to see. Can you confirm the From: line please.
For example the notifications from Community are:
From: TalkTalk Help & Support Community <no-reply@community-notifications.talktalk.co.uk>
If you think this may contain personally identifiable data then Community Message me via PMs.
Gondola Community Star 2017-2024
on 30-03-2024 08:57 AM
Hi,
I have received two this morning and have copied extracts from both.
Are these extracts the ones I should be looking for?
(envelope-from <hey_z90v106@chorusrelieve.cloudns.biz>
(envelope-from <hey_8wmbtob@admin.11thcircle.com>)
FROM: <our email address>, Admin4All@mx.tt.xion.oxcs.net
on 29-03-2024 07:24 PM
Hi Gondola
Thank you very much for your very prompt help.
I have already deleted the ones received so far, so at the moment I am unable to check the details you advise.
No doubt there will be more soon! As soon as they come through I will check and let you know.
29-03-2024 07:01 PM - edited 29-03-2024 07:03 PM
You're not the first to report this and it looks like this is a new wave of spam sent to and spoofing the recipient's email address.
Below is an explanation of 'Spoofing' versus a compromised mailbox for which the password has been discovered.
If you sign in to your TalkTalk mailbox via webmail and select the email and then from the More actions triple dots icon select the 'View source' menu item you'll see the normally hidden email header. Scroll down to the line starting From: and you'll either see your email address or a jumble of characters followed by chevron brackets within which is the sender's <real email address>.
Let us know what that address is OR if you recognise the address.
Phishing emails & everything you need to know
Compromised or spoofed accounts
Gondola Community Star 2017-2024