email support

Ask us about your TalkTalk email account and Webmail.


Spam filter leaking

jbuchanangb
Philosopher
Message 8 of 8

Normally my Tiscali email inbox does not receive spam, which is a great credit to TalkTalk's spam detection systems. Recently I have received a few unwanted items. I have extracted the Internet headers from the most recent, seemingly innocuous item.

 

 

I have blocked the sender in my email client Outlook 365, but maybe it could be blocked at the network level somehow. Mail server vmi650226.contaboserver.net seems to be the culprit.

 

Edit: Incomplete headers removed. Complete headers posted further down the thread.

Now surfing from a Dell Inspiron 3881 running Windows 11 and a Qualcomm QCA9377 Wireless Network Adapter with Sagemcom FAST 5364 router.

Message 1 of 8

Thanks for forwarding this over to the team for investigation. 

 

Ady




jbuchanangb
Philosopher
Message 2 of 8

I found that when I marked it as Junk last Saturday Outlook had kindly kept it in its Spam folder. So I have now forwarded it to both suggested Phishing reporting addresses. I just used normal mail forwarding. I don't know enough about email to know whether the original headers go with it that way or whether I should have forwarded it as an attachment. Anyway in case either of the Phishing analysis teams want more details I will let it fester in the Spam folder for a while. Hopefully here is the complete header information, but still with my email address substituted.

Received: from mail-pj1-f50.google.com ([209.85.216.50])
	by mx.talktalk.net with SMTP
	id jRqamlj1SaLdMjRqbm5EPx; Sat, 06 Nov 2021 19:59:29 +0000
Received: from smtp-out-11.tiscali.co.uk (smtp-out-11.tiscali.co.uk [62.24.135.139])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mx.tt.xion.oxcs.net (Postfix) with ESMTPS id 4Hmp9t0BwXz6wFtS
	for <username@tiscali.co.uk>; Sat,  6 Nov 2021 19:59:30 +0000 (UTC)
Received: from [66.94.121.136] (vmi650226.contaboserver.net. [66.94.121.136])
        by smtp.gmail.com with ESMTPSA id b22sm7826071pfv.36.2021.11.06.12.59.26
        for <username@tiscali.co.uk>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sat, 06 Nov 2021 12:59:27 -0700 (PDT)
Received: by mail-pj1-f50.google.com with SMTP id o10-20020a17090a3d4a00b001a6555878a8so5737019pjf.1
        for <username@tiscali.co.uk>; Sat, 06 Nov 2021 12:59:29 -0700 (PDT)
Received: from mx.tt.xion.oxcs.net ([10.15.2.4])
	by imap-director-5.dovecot.tt.ham.xion.oxcs.net with LMTP
	id 0PIjBaLehmG7IQAApYRtmA
	(envelope-from <oaklynhorn@stmonicasprimaryhackney.uk>)
	for <3@1733643.contexts.internal.oxcs.net>; Sat, 06 Nov 2021 19:59:30 +0000
Received: from imap-director-5.dovecot.tt.ham.xion.oxcs.net ([10.15.5.5])
	by imap-backend-27.dovecot.tt.ham.xion.oxcs.net with LMTP
	id yLtdBaLehmEmIgAAiXVn5w
	(envelope-from <oaklynhorn@stmonicasprimaryhackney.uk>)
	for <3@1733643>; Sat, 06 Nov 2021 19:59:30 +0000
From: <oaklynhorn@stmonicasprimaryhackney.uk>
To: <username@tiscali.co.uk>
Subject: Looking for a serious guy for a relationship 
Date: Sat, 6 Nov 2021 19:59:27 -0000
Message-ID: <6186de9f.1c69fb81.77070.71f4@mx.google.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_002F_01D7D349.40A70540"
X-Mailer: Microsoft Outlook 16.0
X-Delivered-To: username@tiscali.co.uk
X-CMAE-Envelope: MS4wfPRN8zINRq/7bCdBJkFIYU9OxOSBRciZNcqri8YhZb6HTDin0q45+eaB9Zl4tnc64FU4eEiJrYTArZseA59d5J7UsURQVeCdOBmsguFDh6Ga1hFF2yTl
 mte3trX2hfufNvZxzB18D+5F/8zEKimeqNE51sjaryXdL3l5RD7JMZ+4Z4PuuIDlaMEUW0f4sBIebEAWi7mqs0dG5qdXKpTbk78=
Thread-Index: AQGSHgbACKxd37ANDjr9GBaC198g+Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:message-id:date:from:subject:to;
        bh=vXhvQOcYYYb68vUWk+3MwhdSOMe5PGm1i8ZbQKRWXXc=;
        b=OFJeWApQvoE96mLKDD6dH5hilaXW9fv8H760zEfYw0rvBcsE3Q2UvQrNfAAZg5D8a8
         C3H4qHSFWrTAF2Q4RColyTY976G7NGOgyhGwlmTbUc1ajs8u3vmeLxa1iYtdkJe5PN3m
         Te9lna96IRzNGnRbuPhHWx2wyEWy2L18szSIJD7yzpqrXPYdy/BJ+/4ruGR+5L89Av/l
         8wpUSS9uOoTUNCRjTHJNVVn44npiO9W9ccQKfP8sixPDEozqfBKABYkKSbpjU9jIIPjX
         7yFY1s4iNdV0ULkJdeT0K0xBH7jbsNS+F+zUDbo1eYY64iqcUo5XosgyhYdP83+oh7r8
         U4Qg==
X-Gm-Message-State: AOAM530mnScsOfbl6BrlN9ydIniGtNdZy3kB9uuZJNQ9vKnZFAVVe1AB
	SNAmT/4wvRN4e2oppfSRLEEiuiLw/TxxuEnJ
X-Google-Smtp-Source: ABdhPJzn0WU7tF2T8CYzAVM6tI9WF8OHGpQHdiUog2N2mqrrCxp/vQqwG8UwNkLlJrC5PKl3WM4H4g==
X-Received: by 2002:a17:90a:7d11:: with SMTP id g17mr39752606pjl.19.1636228767807;
        Sat, 06 Nov 2021 12:59:27 -0700 (PDT)
X-Google-Original-From: OaklynHorn

 


Message 3 of 8

Also worth reporting to the UK Government Suspicious Email Reporting Service (SERS). https://www.ncsc.gov.uk/information/report-suspicious-emails

 

I think SERS is better equipped to handle the fake primary school address situation. 

GondolaVolunteer 2017-2022

  Like below to appreciate my help . . . Mark as solved  Accept as Solution

jbuchanangb
Philosopher
Message 4 of 8

If I have the misfortune to receive another one I will forward it to them. 


Message 5 of 8

I'm sure the security team would use header analysis software to make it easier to see the path that was used to get that unwanted mail to you. 

 

So, forwarding a complete and unredacted message is what the TalkTalk team need to see. 

GondolaVolunteer 2017-2022


jbuchanangb
Philosopher
Message 6 of 8

Naturally I redacted my actual email address, blocked the sender in Outlook 365, and permanently deleted the email. This is about the third one which has made it through. I could unredact the headers as published here in the community and forward them to the TalkTalk phishing team. Would that help? Or have I accidentally missed a bit off the top when I cut & pasted from the email? Otherwise wait until another one comes through.


Gondola
Community Star
Message 7 of 8

Unfortunately the mail header isn't complete so header analysis doesn't analyse the send and receive paths as it should.

 

Sent from a USA West Coast porn website hosted by Contabo apparently to Gmail and thence via a fake UK school account via Gmail to your tiscali email address. At least that's what it looks like from what you've posted.

 

The porn website has got your tiscali email address. But the normal advice to use TalkTalk Mail webmail to 'Mark as spam' might just block the Google servers sending to TalkTalk rather than block mail from the originating Contabo IP address.

 

Treat as you would a phishing email and forward to TalkTalk the unredacted header - just forward the email to phishing@talktalk.co.uk for the TalkTalk security team to take a look.

 

 Report a phishing or spam email

 

GondolaVolunteer 2017-2022
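
The hop-by-hop reading that header analysis performs, as an added example that is not part of the original posts: it parses the Received lines posted in Message 2, checks whether they sit in the newest-first order that relays produce by prepending, and rebuilds the delivery path by timestamp. The function names are hypothetical, and the sample is trimmed from the thread's headers (queue ids, TLS notes and the internal LMTP hops removed).

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed input: Received lines copied from the headers posted in this
# thread, in the order posted, with queue ids, TLS notes and LMTP hops trimmed.
RAW = """\
Received: from mail-pj1-f50.google.com ([209.85.216.50])
\tby mx.talktalk.net with SMTP; Sat, 06 Nov 2021 19:59:29 +0000
Received: from smtp-out-11.tiscali.co.uk (smtp-out-11.tiscali.co.uk [62.24.135.139])
\tby mx.tt.xion.oxcs.net (Postfix) with ESMTPS; Sat,  6 Nov 2021 19:59:30 +0000 (UTC)
Received: from [66.94.121.136] (vmi650226.contaboserver.net. [66.94.121.136])
\tby smtp.gmail.com with ESMTPSA; Sat, 06 Nov 2021 12:59:27 -0700 (PDT)
Received: by mail-pj1-f50.google.com with SMTP;
\tSat, 06 Nov 2021 12:59:29 -0700 (PDT)
"""

def parse_hops(raw):
    """Return one dict per Received header, in the order they appear."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        value = " ".join(value.split())            # unfold continuation lines
        clauses, _, stamp = value.rpartition(";")  # timestamp follows the last ';'
        stamp = re.sub(r"\([^)]*\)", "", stamp)    # drop comments such as (PDT)
        sender = re.search(r"\bfrom\s+(\S+)", clauses)
        relay = re.search(r"\bby\s+(\S+)", clauses)
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", clauses)
        hops.append({
            "when": parsedate_to_datetime(stamp.strip()),  # timezone-aware
            "from": sender.group(1) if sender else None,
            "by": relay.group(1) if relay else None,
            "ip": ip.group(1) if ip else None,
        })
    return hops

def posted_newest_first(hops):
    """Relays prepend, so an intact header block never steps forward in time."""
    return all(a["when"] >= b["when"] for a, b in zip(hops, hops[1:]))

def delivery_path(hops):
    """Oldest hop first; equal timestamps keep bottom-up order (assumption)."""
    return sorted(reversed(hops), key=lambda h: h["when"])

if __name__ == "__main__":
    hops = parse_hops(RAW)
    print("posted newest-first:", posted_newest_first(hops))
    for h in delivery_path(hops):
        print(h["when"].isoformat(), h["from"], "->", h["by"], h["ip"])
```

A `False` result from `posted_newest_first` means the pasted block does not preserve the order in which relays added their lines, so the path has to be rebuilt from the timestamps instead of read top to bottom.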
