Bebbi

  • Still missing a web browser?

    So far I have been using cable TV on the Smart TV (without a box) and often use the browser.

    For example, I google the current program - it’s very easy (even without typing).

    Videos also work and advertising is hidden.


  • @Black Mamba wrote:

    You can find the address of the email recipient in the section “CC” -> “Carbon Copy” or “BCC” -> “Blind Carbon Copy”


    What do you want to tell us???

    BCC is only known on the sending side (normally - that’s the purpose of it).

    CC comes out the same as To.

    The sender informs the mail server via SMTP of its address via “MAIL FROM:” and the recipients via “RCPT TO:”. However, this information is no longer available on the receiving end.

    In order to see where the email came from, you have to look at its complete header or, better yet, its complete source code.

    For example, there is information about the path of the message under “Received:” (although the spammer could also pack such a text in his header and thus fake it, so the order matters: the entry from the last server involved is at the top).

    @gardist wrote:

    block every single email individually…


    Only if the spam filter is capable of learning and recognizes the pattern. My Seamonkey (Thunderbird) detects the spam, but I don’t know exactly what criteria it uses.

    Otherwise it is unnecessary labor of love as the senders are constantly changing.


  • @kaetho wrote:
    Have you never subscribed to a newsletter? Never taken part in a competition where you provided your email address?

    No, not with the addresses that are entered as recipients in the spam emails (along with the many strangers).


    @kaetho wrote:

    And then there are all the illegal activities, with entire address databases ending up on the darknet. It should be clear by now why bluewin.ch, of all places, is repeatedly affected. The recurring waves of spam show that this is still a very lucrative goal. And apparently always crowned with success, otherwise it wouldn’t be worth it.


    So it was hacked after all, possibly Bluewin itself (since addresses were affected that were never sent out), at most a long time ago?


  • @kaetho wrote:
    Spam waves cannot necessarily be traced back to “bluewin was hacked”.


    Correct, but why are only Bluewin addresses affected as recipients?

    Why does the spam analysis produce an “X-Bluewin-Spam-Score: 0.00”?

    Where do the many apparently correct Bluewin addresses come from?

    And can you explain to me why a normal spammer should go to the trouble of entering a different apparently correct Bluewin recipient in “To:” in every email and sending it en masse to mismatching Bluewin recipients using “RCPT TO:”?

    Hopefully the statement that Bluewin has not been hacked is correct. Nevertheless, there is a need for explanation, after a wave that has lasted for more than a week.

    Valid bluewin addresses are easy to come by.


    How?


    For example, do you know this site? Does one of your email addresses appear there? If so, you can also see where it might come from…

    Yes, I know. I haven’t done it yet because I hardly received any spam and the residual risk of verified addresses being resold was too great for me. As a good deed, I had my Bluewin addresses checked there and they are all clean, as I expected.


    It’s more likely that individual email accounts were hacked.


    If the emails were sent via a normal Bluewin login, “X-Bluewin-AuthAs:” should be present. But it is missing.

    If someone hacked my password and used my email account, the phenomenon would look different too.

    He would hardly send spam to me himself, and hardly from so many different IPs (see “Received:” and “X-Originating-IP:”).

    If spam had been sent from my email account to others, I would have received responses.

    @gardist: Yesterday there were around 30 spam emails. You may be used to getting 10 a day. Not me, among other things because I handle my addresses carefully. It’s also about safety.

  • @hed: good for you if you don’t care at all whether Bluewin has been hacked and it’s almost a pastime for you to filter and delete spam by hand.

    As a paying Swisscom customer, this is a no-go for me. It really annoys me to have tons of spam in my inbox (again yesterday!), especially on my cell phone (since it isn’t automatically removed by the email program like it is on a PC).

    The extremely sparse communication doesn’t exactly promote trust either. I never had such phenomena with other providers, especially free ones (GMX, Google, Microsoft).

  • The official malfunction report is just:

    Big wave of spam on Bluewin email addresses

    Swisscom is currently affected by a strong wave of spam emails. Bluewin addresses receive a large amount of spam emails. For this reason, the spam filter is sometimes unable to block all unwanted emails. Please do not respond to unknown emails, do not click on attached links and delete the emails immediately.

    What needs to be explained is why the spam filter sets its rating to “no spam” when the amount is large. Makes absolutely no sense!

    You can sugarcoat your life with the naive “everything will be fine.” Yes, at some point in the next few days Swisscom will probably be able to stop spam, until next time. In the meantime, all of our emails may have already ended up on the dark web. Who knows, hardly anyone seems to care.

  • To everyone who thinks they have to trivialize the problem and defend Swisscom:

    • It appears that someone has direct access to all bluewin email addresses.
      • Only Bluewin addresses are affected
      • The addresses all look pretty real
      • If these are all hits, the number is too large to be collected or generated addresses
    • It appears that the emails are distributed within Bluewin.
      • Only at the end of a long path were the emails routed to my email addresses by Bluewin servers. It’s actually a misdelivery!
      • The Bluewin spam filter should have recognized this long ago. It’s not difficult. The email program also recognized the spam without any problems. This suggests that there is some kind of whitelisting here, where the Bluewin spam filter trusts Bluewin or was otherwise outwitted within Bluewin.
    • If (only) my account had been hacked, the picture would be different, for example my contacts would receive the spam emails (not me) and I would soon receive notices about it. But it’s not like that.
    • Conclusion
      • The point here is that the Bluewin server may have been hacked so that the security of all customers is no longer guaranteed.
        In the worst case, regardless of whether individual accounts have a good password or not.
      • Anyone who confuses this with the usual bit of spam and thinks that everyone has to take care of it themselves is very naive.
      • One way or another, Swisscom should provide well-founded information as quickly as possible.
  • Today 91 spam emails came in. It’s not just the sheer number that’s strange, but the path.

    The spam ended up on two email addresses, one of which I never use, the other only as a collective address for other email accounts.

    The emails were all redirected to my addresses on Bluewin servers.

    The recipient addresses displayed for almost all emails are external Bluewin addresses.

    The Bluewin spam filter gave the green light (spam score 0.00).

    Example (@ replaced by *):

    Return-Path: <srs0=hnwykh4x=o5=yahoo.com=knatpvnm*srs.bluewin.ch>
    Received: from vimdzmsp-mxin03.bluewin.ch (195.186.120.151) by mbox11.it.bwns.ch (9.0.033)
        id 61217B8902D5C587 for First_here_comes_my_address*bluewin.ch; Sat, 9 Oct 2021 18:01:48 +0000
    Received: from vimdzmsp-mxin24.bluewin.ch ([195.186.227.161])
        by vimdzmsp-mxin03.bluewin.ch Swisscom AG with ESMTP
        id ZGdbmTe7jrBRRZGfMmH1k1; Sat, 09 Oct 2021 20:01:48 +0200
    X-Bluewin-BP: 32768
    X-Bluewin-Spam-Analysis: v=2.4 cv=RaPzt3hv c=1 sm=1 tr=0 ts=6161d90c
        cx=a_idp_d a=WC+HXk97WdtFr742W1gXpA==:117 a=5a/gXnxb37DhGBJk2nX6sA==:17
        a=ABA5dF-yOcAA:10 a=IkcTkHD0fZMA:10 a=8gfv0ekSlNoA:10 a=x7bEGLp0ZPQA:10
        a=rLtHEbmpwLIA:10 a=qrJ_IxV1AAAA:8 a=FSVflQqTERSCeszD80IA:9 a=QEXdDO2ut3YA:10
        a=lLESXXfDrkAA:10 a=PEZ_fm2-v1EA:10 a=v70yP0wSd-EA:10
        a=KV5jcFFF2LR1Fm-NH8AZ:22
    X-Bluewin-Spam-Score: 0.00
    X-FXIT-IP: IPv4[195.186.227.161] Epoch[1633802508]
    X-Originating-IP: 195.186.227.161
    Received: from static-ip-1815103435.cable.net.co ([181.51.34.35])
        by vimdzmsp-mxin24.bluewin.ch Swisscom AG with ESMTP
        id ZGexmZhRDL5pPZGezm4AFw; Sat, 09 Oct 2021 20:01:47 +0200
    To: andre.galli*bluewin.ch
    From: “Greta Schneider” <knatpvnm*yahoo.com>

    So it gives the impression that the spam was distributed internally within Bluewin!

    @Swisscom: please explain how this came about. Has Swisscom been hacked?

    My email program recognized the spam immediately and pushed it away, but that’s not just annoying, it also raises massive doubts about Swisscom’s security.

    Who can make well-founded statements here?

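Reading such a “Received:” chain programmatically, as an added example that is not part of the original posts: it walks the entries from the top, counts the relays inside the provider, reports the hop where the message was handed over from outside, and compares the envelope recipient recorded in the `for` clause with the visible “To:”. The trusted domain suffixes and the `analyse` helper are assumptions for illustration, and the “To:” value is a constructed placeholder.

```python
import re
from email import message_from_string

# Received lines as in the post above ("*" stands for "@" there);
# the To: value is a constructed placeholder for a stranger's address.
RAW = """\
Received: from vimdzmsp-mxin03.bluewin.ch (195.186.120.151) by mbox11.it.bwns.ch (9.0.033)
 id 61217B8902D5C587 for First_here_comes_my_address*bluewin.ch; Sat, 9 Oct 2021 18:01:48 +0000
Received: from vimdzmsp-mxin24.bluewin.ch ([195.186.227.161])
 by vimdzmsp-mxin03.bluewin.ch Swisscom AG with ESMTP
 id ZGdbmTe7jrBRRZGfMmH1k1; Sat, 09 Oct 2021 20:01:48 +0200
Received: from static-ip-1815103435.cable.net.co ([181.51.34.35])
 by vimdzmsp-mxin24.bluewin.ch Swisscom AG with ESMTP
 id ZGexmZhRDL5pPZGezm4AFw; Sat, 09 Oct 2021 20:01:47 +0200
To: other_customer*bluewin.ch

"""

# Assumption: host names under these suffixes are the provider's own relays.
# A production check would compare the bracketed IP with the provider's ranges,
# because the "from" name can be whatever the sending side announced.
TRUSTED = (".bluewin.ch", ".bwns.ch")
HOP = re.compile(r"from\s+(\S+)\s+\(\[?([0-9.]+)\]?\)\s+by\s+(\S+)")
FOR = re.compile(r"\bfor\s+(\S+?);")

def analyse(raw):
    msg = message_from_string(raw)
    result = {"header_to": msg["To"], "envelope_rcpt": None,
              "internal_hops": 0, "handover": None}
    for value in msg.get_all("Received", []):   # newest entry first
        line = " ".join(value.split())          # unfold continuation lines
        hop = HOP.search(line)
        if not hop or not hop.group(3).endswith(TRUSTED):
            break        # written by a server we do not trust: may be forged
        rcpt = FOR.search(line)
        if rcpt and result["envelope_rcpt"] is None:
            result["envelope_rcpt"] = rcpt.group(1)
        if not hop.group(1).endswith(TRUSTED):
            # first entry whose sender is outside: (from host, from IP, by host)
            result["handover"] = hop.groups()
            break
        result["internal_hops"] += 1
    return result

if __name__ == "__main__":
    print(analyse(RAW))
```

The `for` clause is optional in “Received:” entries, so `envelope_rcpt` stays `None` when the receiving server does not record it.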
  • Emails forwarded by GMX are rejected by Bluewin

  • Hello everyone

    I have emails from GMX accounts redirected to my Bluewin account.

    Recently I have been receiving frequent error messages from Bluewin (which are redirected from GMX to Bluewin instead of the expected emails):

    SMTP error from remote server for GREETING command, host: mxbw-bluewin-ch.hdb-cs04.ellb.ch (195.186.120.50) reason: 554 mxbw.bluewin.ch vimdzmsp-mxin15.bluewin.ch Swisscom AG sc206: Blocklisting in effect - http://www.nixspam.net/lookup.php?value=212.227.17.20

    Nixspam says:

    “The IP address 212.227.17.20 has been in ix.dnsbl.manitu.net since 2021-09-14 22:45:27+0200 because spam is sent from there to the mail server spam.over.port25.me The entry is usually automatically removed 12 hours after the last spam was received.”

    And:

    "Below you can see when the IP address 212.227.17.20 was listed in the last few days and which mail servers received the emails classified as spam:

    from                   to                             causing email received from
    2021-09-14 22:45:27    approx. 2021-09-15 10:45:27    spam.over.port25.me
    2021-09-09 22:58:37    2021-09-10 10:58:37            spam.over.port25.me

    "

    @Swisscom: What’s going on?

    Best regards

    Bebbi

      • Solution selected by SamuelD

      Hello Bebbi

      At least one outgoing IP of GMX has landed on a blocklist (www.nixspam.net), which in turn is apparently used by Bluewin.

      In such cases, the sending service (here GMX) actually has to take care of the delisting and, above all, if at all possible, identify the cause of the listing and try to prevent it in the future.

  • Had exactly the same thing today. Strange that things like this only happen on my Bluewin addresses. Other providers seem to have this better under control.

  • What is the latest status, does 3D now work with the Panasonic and current Swisscom TV?

    (An additional external converter is out of the question.)

  • The fact that even the Swisscom hotline was not informed internally and therefore had no idea is an even worse communication breakdown.

    This unnecessarily cost me a lot of time and nerves with countless tests, phone calls, reconfigurations, etc.

  • @Anonymous:

    Thanks for the quick reply.

    If it wasn’t a hack:

    • Why were complicated email addresses that were not used externally also affected?
    • Why was only Swisscom affected?

    Perhaps something went wrong with the spammers that the To fields were filled with third-party Bluewin accounts. Perhaps an unintentional loop over all Bluewin addresses into the To field within a loop over the Envelope To that led to the flood? However, it would also be quite strange.

  • @Anonymous:

    If communication cannot or may not be carried out more precisely, trust suffers.

    • Has Bluewin (or a partner) been hacked?
      If so (has not yet been denied and seems likely):

      What data went out?

      Was there access
      - to email traffic,
      - to saved emails,
      - to passwords,
      - perhaps even to complete Swisscom accounts?

    • What explanation is there for the foreign Bluewin recipient addresses?

  • @Walter_Wp wrote:
    How many characters does the address part before the @ have?


    The most affected one has 10 characters, the main address (which I never used) has 12.

    Everything points to a targeted attack on Bluewin accounts:

    • The only affected provider is Bluewin (Google does not provide any other results for the email text, no news about other providers)
    • All addresses entered in the To field (“To:”) are “@bluewin.ch” and look pretty real
    • One of the recipient addresses was correctly mine, the others were strangers.
      However, this doesn’t actually make any sense from a spammer’s point of view, because it creates suspicion and other spam filters will probably react to it. (Unfortunately, “Envelope-To” or “RCPT TO” is not visible to me)
    • The addresses were probably not guessed but were known to the spammers, as long, unusual and never used addresses were also affected.

    This raises questions:

    • Was there something wrong with the distribution within Bluewin, given the “To:” entries?
    • Were the addresses specifically stolen from Bluewin?
    • Were the addresses first sold by Swisscom and stolen somewhere else?
    • Was the Bluewin mail system directly hacked?
    • Was Swisscom blackmailed with this?

    This absolutely needs to be clarified and the result communicated publicly. We can’t just cover this with a cloak of silence, otherwise it will happen again and again.

  • For me too, it was hardly a “try it out”. The address mainly affected has only one word, neither a name nor in common use.
    The second, less affected one, has three parts.
    Everything points to a leak at Bluewin. 😞


  • @tinumoosmann wrote:
    Does the text for you also begin with “this is the chance of a lifetime”?

    Unfortunately for me the emails don’t even end up in the spam folder


    Yes, exactly the same.

    Swisscom should mention the text in the status message so that it is clear that these emails are involved.

    I don’t understand why Swisscom doesn’t communicate this clear feature.

  • It’s worrying and embarrassing for Swisscom that only bluewin is affected, once again, and that the telephone support yesterday had no idea about it (or at least couldn’t classify it correctly).

    I find the attack very special (see also [my post in the older thread](https://supportcommunity.swisscom.ch/t5/Diskussionsen-zum-Thema-E-Mail/Massenhaft-SPAM-s/m-p/512889/highlight/true#M7718)):

    • Any plausible-sounding and possibly real bluewin addresses are entered as the recipient (To).
    • I never gave my affected bluewin addresses to the outside world and they are not in the HPI Leak database
    • The emails end up in my mailbox in waves, something I’ve never had before

    I expect a quick solution from Swisscom, a full explanation of how this could have happened and measures to prevent this from happening in the future. In order to perhaps regain trust, open communication must be carried out.
