email support

broke_again · ‎07-10-2025

My partner is getting a lot of scam/phishing emails to her talktalk email account, they are all "numbers and letters"@everymail.com. Looking up on t'web and I find talktalk are directing ex isp customers to this company, is there a connection? seems more than a coincidence all from same one.
I would also say more than half are referring to companies she uses the email for, again seems more than a coincidence fearing her account might be compromised I have changed her password (after much pain, installed firefox as couldn't get into email manager with chrome, not happy with the security, that worked ok, tried chrome now that works so I think it was probably this issue talktalk has been having).
Anybody else?

Mandisa-TT · ‎14-10-2025

Hi @broke_again the issue was escalated for the email team to look into it, it is good to hear that you have not received any emails in the last days. If anything changes do not hesitate to get back to us, Is there anything else we can assist you with?

broke_again · ‎14-10-2025

They seem to have stopped now, haven't had one for a couple of days, if it's through something you have done then many thanks.

Gliwmaeden2 · ‎07-10-2025

@winewine123, please return to the message board to start your own thread. You'll find a blue Start a Topic button near the top of the page.

Posting on another customer's help request doesn't give Talktalk a clearer sense of the number of customers affected.

Gliwmaeden2, a fellow customer.

winewine123 · ‎07-10-2025

I am suddenly getting loads of emails from everymail.com WHY?

Billx · ‎07-10-2025

So, it is: Return-Path: <yACaxijiG8aN2eDNyy1SYbUrYY6wll8k7@everymail.com>,

or 'yACaxijiG8aN2eDNyy1SYbUrYY6wll8k7@everymail.com'

So, the 3 email addresses are all different. the From: address, the Reply-To: address, and the Return-Path: address.

Just showing the lengths they are going, to scam.

I asked, because I am currently following a different series of spams/scams, which are all related. They all arise from a different gmail.com address each time, but they are all related.

The current bout is obviously a new one, but it seems all related to everymail.com

Thanks for your response.

broke_again · ‎07-10-2025

Return-Path: <yACaxijiG8aN2eDNyy1SYbUrYY6wll8k7@everymail.com>
Delivered-To: 3@9793818
Received: from imap-director-9.dovecot.shared.ham.xion.oxcs.net ([10.91.19.9])
	by imap-backend-10.dovecot.shared.ham.xion.oxcs.net with LMTP
	id CHPeI6/05GiofyYANub65A
	(envelope-from <yACaxijiG8aN2eDNyy1SYbUrYY6wll8k7@everymail.com>)
	for <3@9793818>; Tue, 07 Oct 2025 11:08:31 +0000
Received: from mx.everymail.xion.oxcs.net ([10.91.2.2])
	by imap-director-9.dovecot.shared.ham.xion.oxcs.net with LMTP
	id qPbGCKH05GhIAzUAeAfpjw:T36
	(envelope-from <yACaxijiG8aN2eDNyy1SYbUrYY6wll8k7@everymail.com>)
	for <xxxx@talktalk.net>; Tue, 07 Oct 2025 11:08:31 +0000
X-original-to: xxxxx@talktalk.net
Received: from estudiorosso.com.ar (unknown [151.244.72.163])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mx.everymail.xion.oxcs.net (Postfix) with ESMTPS id 4cgtdt62l6z1Z7bp
	for <xxxxx@talktalk.net>; Tue,  7 Oct 2025 11:07:46 +0000 (UTC)
MIME-Version: 1.0
Message-Id: <ufBwwQi.81689.530.Wra@estudiorosso.com.ar>
From: Admiral Car Insurance <2ea6b3737b558f56c6@everymail.com>
Subject: Your Free Admiral Car Emergency Kit is Ready
Reply-To: reply_to@estudiorosso.com.ar
To: @xxxx@talktalk.net
Content-Transfer-Encoding: 7bit
Content-Type: text/html; charset=UTF-8
Date: Tue, 07 Oct 2025 13:07:11 +0200

<center><a href="https://FgMEMEAdoWjpwQrYsi.tionlifeturkiye.info/g.php/cl/34825_md/1/1903264/463/171/49923"><font color="black"><b>ID:31194436</b></font></a><br>
<a class="button_li" href="https://FgMEMEAdoWjpwQrYsi.tionlifeturkiye.info/g.php/cl/34825_md/1/1903264/463/171/49923"> <center>
<img data-image-content class="image_content" 
width="480" src="https://amaz-01.s3.us-east-1.amazonaws.com/RIAOOSQ.png" alt="" >  </a> 
<a class="but_link" href="https://FgMEMEAdoWjpwQrYsi.tionlifeturkiye.info/g.php/un/34825_md/1/1903264/463/171/49923"> <center>
<img data-image-cfontent class="image_content" width="924" src="https://FgMEMEAdoWjpwQrYsi.tionlifeturkiye.info/4b59017adca4fd2.png" alt=

that is the admiral one, the talktalk security I am afraid I have deleted already

alphatrog · ‎07-10-2025

Hi Billix,

Viewing source on one of the everymail spam I received yield all this ( I changed my name to **** in the e.mail address).........................

Received: from imap-director-7.dovecot.shared.ham.xion.oxcs.net ([10.91.19.7]) by imap-backend-35.dovecot.shared.ham.xion.oxcs.net with LMTP id OLaaDbD/5GjC5h8A3ECTzA (envelope-from <uh9EpoDuTiRvwxkIfEocZUV5V881MFGzI@everymail.com>) for <3@9390739>; Tue, 07 Oct 2025 11:55:28 +0000 Received: from mx.everymail.xion.oxcs.net ([10.91.2.2]) by imap-director-7.dovecot.shared.ham.xion.oxcs.net with LMTP id cOI/HY//5GjWHDQAdG6cnA:T100 (envelope-from <uh9EpoDuTiRvwxkIfEocZUV5V881MFGzI@everymail.com>) for <****@talktalk.net>; Tue, 07 Oct 2025 11:55:28 +0000 Received: from ignorelist.com (unknown [150.241.230.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.everymail.xion.oxcs.net (Postfix) with ESMTPS id 4cgvdl4V5cz1Z47q for <****@talktalk.net>; Tue, 7 Oct 2025 11:52:43 +0000 (UTC) From: File Protection Notification <e1d5bb767985ad497c@everymail.com> To: "****@talktalk.net" <****@talktalk.net> Subject: Limited-Time Offer: 80% Discount to Safeguard Your Precious Files Thread-Topic: Limited-Time Offer: 80% Discount to Safeguard Your Precious Files Thread-Index: AUwxMDZtncTUdBpDqx2Nds7ouV1UlA== X-MS-Exchange-MessageSentRepresentingType: 1 Date: Tue, 7 Oct 2025 12:48:35 +0100 Message-ID: <BmGWmrb.67540.291.PYL@ignorelist.com> Reply-To: "reply_to@ignorelist.com" <reply_to@ignorelist.com> Content-Language: en-US X-MS-Has-Attach: X-MS-Exchange-Organization-SCL: -1 X-MS-TNEF-Correlator: X-MS-Exchange-Organization-RecordReviewCfmType: 0 Content-Type: multipart/alternative; boundary="_000_BmGWmrb67540291PYLignorelistcom_" MIME-Version: 1.0 --_000_BmGWmrb67540291PYLignorelistcom_ Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 SUQ6NDU4OTE1MDM8aHR0cHM6Ly9YQ2VTc2ZhREFYbXJHTU1ycWMuYWxsaW5zdXJhcnZpY2VzbGxj LmZvcnVtL2cucGhwL2NsLzM0ODI5X21kLzMvMTgyNzc5NS80MzQvMTcwLzE0NjgxP0dCPg0KPGh0 dHBzOi8vWENlU3NmYURBWG1yR01NcnFjLmFsbGluc3VyYXJ2aWNlc2xsYy5mb3J1bS9nLnBocC9j bC8zNDgyOV9tZC8zLzE4Mjc3OTUvNDM0LzE3MC8xNDY4MT9HQj4NCltodHRwczovL1hDZVNzZmFE QVhtckdNTXJxYy5hbGxpbnN1cmFydmljZXNsbGMuZm9ydW0vNjNjODM4ZGEwMDY5YTVjLnBuZ10g PGh0dHBzOi8vWENlU3NmYURBWG1yR01NcnFjLmFsbGluc3VyYXJ2aWNlc2xsYy5mb3J1bS9nLnBo cC91bi8zNDgyOV9tZC8zLzE4Mjc3OTUvNDM0LzE3MC8xNDY4MT9HQj4NCltodHRwczovL1hDZVNz ZmFEQVhtckdNTXJxYy5hbGxpbnN1cmFydmljZXNsbGMuZm9ydW0vNGI1OTAxN2FkY2E0ZmQyLnBu Z10NCg== --_000_BmGWmrb67540291PYLignorelistcom_ Content-Type: text/html; charset="utf-8" Content-ID: <AEE1A89248CCF74BA3A7E9BF31991FE1@1> Content-Transfer-Encoding: base64 PGh0bWw+DQo8aGVhZD4NCjxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIgY29udGVudD0i dGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04Ij4NCjwvaGVhZD4NCjxib2R5Pg0KPGNlbnRlcj48YSBo cmVmPSJodHRwczovL1hDZVNzZmFEQVhtckdNTXJxYy5hbGxpbnN1cmFydmljZXNsbGMuZm9ydW0v Zy5waHAvY2wvMzQ4MjlfbWQvMy8xODI3Nzk1LzQzNC8xNzAvMTQ2ODE/R0IiPjxmb250IGNvbG9y PSJibGFjayI+PGI+SUQ6NDU4OTE1MDM8L2I+PC9mb250PjwvYT48YnI+DQo8YSBjbGFzcz0iYnV0 dG9uX2xpIiBocmVmPSJodHRwczovL1hDZVNzZmFEQVhtckdNTXJxYy5hbGxpbnN1cmFydmljZXNs bGMuZm9ydW0vZy5waHAvY2wvMzQ4MjlfbWQvMy8xODI3Nzk1LzQzNC8xNzAvMTQ2ODE/R0IiPg0K PGNlbnRlcj48aW1nIGRhdGEtaW1hZ2UtY29udGVudD0iIiBjbGFzcz0iaW1hZ2VfY29udGVudCIg d2lkdGg9IjEwNTMiIHNyYz0iaHR0cHM6Ly9YQ2VTc2ZhREFYbXJHTU1ycWMuYWxsaW5zdXJhcnZp Y2VzbGxjLmZvcnVtLzYzYzgzOGRhMDA2OWE1Yy5wbmciIGFsdD0iIj4NCjwvYT48YSBjbGFzcz0i YnV0X2xpbmsiIGhyZWY9Imh0dHBzOi8vWENlU3NmYURBWG1yR01NcnFjLmFsbGluc3VyYXJ2aWNl c2xsYy5mb3J1bS9nLnBocC91bi8zNDgyOV9tZC8zLzE4Mjc3OTUvNDM0LzE3MC8xNDY4MT9HQiI+ DQo8Y2VudGVyPjxpbWcgZGF0YS1pbWFnZS1jZm9udGVudD0iIiBjbGFzcz0iaW1hZ2VfY29udGVu dCIgd2lkdGg9IjkyNCIgc3JjPSJodHRwczovL1hDZVNzZmFEQVhtckdNTXJxYy5hbGxpbnN1cmFy dmljZXNsbGMuZm9ydW0vNGI1OTAxN2FkY2E0ZmQyLnBuZyIgYWx0PSIiPg0KPC9hPjxpbWcgYWx0 PSIiIHNyYz0iZWZydCIgd2lkdGg9IjFweCIgaGVpZ2h0PSIxcHgiIHN0eWxlPSJ2aXNpYmlsaXR5 OmhpZGRlbiI+IDwvY2VudGVyPg0KPC9jZW50ZXI+DQo8L2NlbnRlcj4NCjwvYm9keT4NCjwvaHRt bD4NCg== --_000_BmGWmrb67540291PYLignorelistcom_--

Billx · ‎07-10-2025

Hi, @broke_again

I've checked the 2 Reply-To email addresses of the 2 above emails (at an email service I subscribe to.)

It reports for both email addresses: "Invalid email address: the mailbox for the email address does not exist."

At the 'More' button on the right --> 'View source' ---> What does it show as the 'Return-Path:' email address?

Philile-TT · ‎07-10-2025

@broke_again you are most welcome.

Phili

broke_again · ‎07-10-2025

Thanks 😊.

Philile-TT · ‎07-10-2025

@broke_again thank you for the screenshots.

Phili

broke_again · ‎07-10-2025

talktalk security scam email

Philile-TT · ‎07-10-2025

Yes, this definitely looks like a phishing email. I have flagged this, please refer to the below link with information on how to report phishing emails and also how to block.

Phishing emails - everything you need to know - TalkTalk Help & Support

Phili

broke_again · ‎07-10-2025

scam email screen shot

Philile-TT · ‎07-10-2025

@alphatrog that great thank you, I have flagged this also the team is currently looking into it. It seems like it an issue affecting a lot of customers. Thank you for sending it to the security team.

Phili

alphatrog · ‎07-10-2025

Ok, I will re post my comment as a separate topic. I just received another one as I typed this lol. by the way I sent a file of the scam TalkTalk mail to the Phishing department.

Philile-TT · ‎07-10-2025

@alphatrog Thank you for bringing this into our attention. Please start your own thread.

Phili

alphatrog · ‎07-10-2025

I still pay for my broadband to TalkTalk and have a TalkTalk.net e.mail address . Since yesterday I also have been flooded with phishing mail all coming from everymail.com addresses some of which even claim to be from TalkTalk security. I have never had junk mail with an everymail address before but I do not think it is a coincidence that TalkTalk has farmed out thousands of previous TalkTalk members who still have a TalkTalk e.mail address to everymail.com.

Philile-TT · ‎07-10-2025

Please send a screenshot of that email, try crop out or hide personal information. In the meantime, I would suggest that she changes her password and not click on any links attached on the mails.

Phili

broke_again · ‎07-10-2025

No we are still with Talktalk isp, all seems to be ok in that respect we haven't had any notices, her account is a sub one of the admin account.

email support

Scam/phishing emails from @everymail.com