We use cookies on our site to give you the best experience.
Accept
Reject
Manage your cookies
Skip to content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

email support

Ask us about your TalkTalk email account and Webmail.

Scam emails are showing my own email address as the sender

Amaise
Popular Poster
Private Message TalkTalk

on ‎29-03-2024 06:50 PM

Message 12 of 12

Hi, For a long time we were receiving scam emails to our talktalk address, eg. McAfee, Boots Oral B, etc. which we were reporting to TalkTalk and the Gov. They showed as being sent from odd and obviously scam addresses. These we blocked, forwarded and deleted. This stopped for a while. We realise blocking was no use as every email came from a different jumble of characters.
However, they have started coming through again, but this time it is very worrying that they show as being sent both to and FROM our email address and clicking on the sender at the top of the email brings up our contact details. This means that we cannot block them so we are just deleting them now, not opening them.
The email ‘preview’ always shows firstly a few words, eg McAfee, followed by a very long jumbled mix of letters and numbers as previously.
We would very much appreciate any advice you are able to provide.

Labels:
11 REPLIES 11

Amaise
Popular Poster
Private Message TalkTalk

on ‎05-04-2024 09:04 AM

Message 1 of 12

Thank you very much Gondola, we will wait and see then if they are able to do anything to help.

0 Likes

Gondola
Community Star
Private Message TalkTalk
In response to Amaise

on ‎05-04-2024 08:44 AM

Message 2 of 12

The line starting FROM: that includes your email address within chevron brackets would have us believe that the sending mailbox is yours. However, the whole line is fake and inserted by the spammer. That's my take on the spam.

 

I'm sure that both the UK Government's Cyber Security team and the TalkTalk Security team will be doing what they can. The spammer's sending address will no doubt keep changing to avoid being blocked.

GondolaCommunity Star 2017-2024

  Like below to appreciate my post . . . Mark as solved  Accept as Solution

Amaise
Popular Poster
Private Message TalkTalk

on ‎05-04-2024 07:58 AM

Message 3 of 12

Unfortunately I am still receiving these emails and even though I have forwarded many to TT Security and Report @ Gov, including screenshots of the view source and an explanation, nothing seems to have changed.

They all appear to include the following same line except the number 4 varies:

FROM: <my email@talktalk.net>, Admin4All@mx.tt.xion.oxcs.net

Any further thoughts please?

Gondola
Community Star
Private Message TalkTalk
In response to Amaise

on ‎30-03-2024 04:38 PM

Message 4 of 12

Thanks for forwarding to TalkTalk Security. The latest is more spam via Canada.

 

The mail should have been automatically rejected as the envelope is not SPF authenticated and there's no DMARC policy for the main or sub-domain so that's also something that TalkTalk needs to check.

GondolaCommunity Star 2017-2024

  Like below to appreciate my post . . . Mark as solved  Accept as Solution

Amaise
Popular Poster
Private Message TalkTalk
In response to Amaise

on ‎30-03-2024 01:15 PM

Message 5 of 12

Hi, I have forwarded the three received this morning to phishing@talkktalk as you requested.

Below I have pasted the first six lines of the latest which shows Return Path also as you requested.

Thanks


Return-Path: <support_09jbeob@biggerkfkd.nanomonkey.ca>

Delivered-To: 3@9508452

Received: from imap-director-5.dovecot.shared.ns.xion.oxcs.net ([10.93.19.5])

by imap-backend-23.dovecot.shared.ns.xion.oxcs.net with LMTP

id 6HnyBVvIB2ZXuDOAYPNmSw

(envelope-from <support_o9jbeob@biggerkfkd.nanomonkey.ca>)

for <3@9508452>; Sat, 30 Mar 2024 10:11:39 +0000

Received: from mx.tt.xion.oxcs.net ([10.93.2.3])

by imap-director-5.dovecot.shared.ns.xion.oxcs.net with LMTP

id 4PPaLULIB2ZbLwAACAI2XA:T47

(envelope-from <support_o9jbeob@biggerkfkd.nanomonkey.ca>)

0 Likes

Gondola
Community Star
Private Message TalkTalk
In response to Amaise

on ‎30-03-2024 12:33 PM

Message 6 of 12

OK, so that one suggests that spam is via Canada. I don't know at what point the unexpected FROM: line has been inserted.

 

Are there any other From: lines lower down? Is there a Return-Path: line (probably at or close to the top of the email header)

 

I'd like TalkTalk Security to take a look so ask if you would forward the email to phishing@talktalk.co.uk

 

GondolaCommunity Star 2017-2024

  Like below to appreciate my post . . . Mark as solved  Accept as Solution

0 Likes

Amaise
Popular Poster
Private Message TalkTalk

on ‎30-03-2024 12:02 PM

Message 7 of 12

Hi Gondola

As I am not sure how to send you a PM I have copied and pasted the four lines below from a screenshot of yet another email just received, having first replaced MY EMAIL ADDRESS.

I hope this is ok.

Thank you again for your assistance.


Received-SPF: None (protection.outlook.com: biggerkfkd.nanomonkey.ca does not designate permitted sender hosts)

FROM: <MY EMAIL ADDRESS.net>, AdminAll9@mx.tt.xion.oxcs.net

To: MY EMAIL ADDRESS

Content-type: multipart/alternative;

0 Likes

Gondola
Community Star
Private Message TalkTalk
In response to Amaise

on ‎30-03-2024 10:48 AM

Message 8 of 12

OK, the envelope-from entries do give the spammer's sending email address(es) and these are already on spam blacklists. So that's where the spam is originating from and not from your mailbox.

 

However, the line that would normally start From: is not what I expected to see.  Can you confirm the From: line please.

 

For example the notifications from Community are:

From: TalkTalk Help & Support Community <no-reply@community-notifications.talktalk.co.uk>

 

If you think this may contain personally identifiable data then Community Message me via PM's

GondolaCommunity Star 2017-2024

  Like below to appreciate my post . . . Mark as solved  Accept as Solution

0 Likes

Amaise
Popular Poster
Private Message TalkTalk

on ‎30-03-2024 08:57 AM

Message 9 of 12

Hi, 

I have received two this morning and have copied extracts from both.

Are these extracts the ones I should be looking for?
(envelope-from <hey_z90v106@chorusrelieve.cloudns.biz>

(envelope-from <hey_8wmbtob@admin.11thcircle.com>)

 

FROM: <our email address>, Admin4All@mx.tt.xion.oxcs.net

 

 

0 Likes

Amaise
Popular Poster
Private Message TalkTalk

on ‎29-03-2024 07:24 PM

Message 10 of 12

Hi Gondola

Thank you very much for your very prompt help.

I have already deleted the ones received so far, so at the moment I am unable to check the details you advise.

No doubt there will be more soon! As soon as they come through I will check and let you know.

 

Gondola
Community Star
Private Message TalkTalk

‎29-03-2024 07:01 PM - edited ‎29-03-2024 07:03 PM

Message 11 of 12

You're not the first to report this and it looks like this is a new wave of spam sent to and spoofing the recipient's email address.

 

Below is an explanation of 'Spoofing' versus a compromised mailbox for which the password has been discovered.

 

If you sign in to your TalkTalk mailbox via webmail and select the email and then from the More actions triple dots icon select the 'View source' menu item you'll see the normally hidden email header.  Scroll down to the line starting From: and you'll either see your email address or a jumble of characters followed by chevron brackets within which is the sender's <real email address>.

 

Let us know what that address is OR if you recognise the address.

 

Phishing emails & everything you need to know

Compromised or spoofed accounts

GondolaCommunity Star 2017-2024

  Like below to appreciate my post . . . Mark as solved  Accept as Solution

© TalkTalk 2024