
Attack On Your IONOS Mailbox

J_B
J_B Posts: 6,791 Forumite
Just had this but I'm a bit baffled - can anyone explain in laymen's terms please?
(I've run Malwarebytes and Superantispyware which haven't found anything - Spybot Search and Destroy is currently scanning)

Dear J B,

A few minutes ago, our security systems detected unusual e-mail activity on your mailbox "j----@b---------.co.uk".

To stop the sending of e-mails and prevent further misuse of your mailbox, we have blocked the delivery of e-mail for this contract. Your mailbox can still receive incoming e-mails, but currently cannot send any.

Details about the incident:

- Sender: noreply@123-reg.co.uk
- Date sent: 2021-10-05 15:39:54 UTC
- Number of e-mails: 905
- Number of e-mails rejected by the receiver: 0
- Number of e-mails classified by IONOS as spam: 0
- Number of e-mails sent to non existing e-mail addresses: 320
- Number of incoming complaints concerning spam: 0
- Country of originating IP: 212.193.x.x (CZ)
- Name of the originating computer: [212.193.x.x]
- Recipient domain: covlink.co.uk, aero-vote.co.uk, afind.co.uk, camaj.co.uk, officeimage.co.uk, abpm.co.uk, lanegroup.co.uk, awc.co.uk, hbgc.co.uk, manforallseasons.co.uk

Please take the following steps to ensure that your contract is secure.

Were the e-mails sent without your knowledge? If yes, then:

1. Use a virus scanner to perform an intensive examination of your devices.
2. Ensure the software on your device is the latest version, then enable the automatic updates.
3. Use the firewall on your router, PC or on your Internet security software.
4. If a virus has been found and successfully removed, please change your passwords.

Did you send the e-mails intentionally? If yes, then:

1. Check whether the e-mail software you are using is correctly configured.
2. Check your mailing list and ensure that the recipient addresses are reachable.
3. Require a double opt-in for your email recipients to confirm their subscription to your mailing list.
4. Implement an opt-out or unsubscribe link to your newsletter.
5. Ensure that e-mail recipients for whom you receive a bounced message are deleted from your address list.

How to reactivate the sending of e-mails

To enable the e-mail dispatch again, please change the password of your e-mail account "j----@b------.co.uk" in your IONOS Control Panel (https://my.ionos.co.uk/).

Further information:

https://www.ionos.co.uk/help/index.php?id=2327

The lock will be removed automatically.

Thank you for cooperating with us in ensuring the security of your IONOS contract.

Regards,

Hosting Security

--
1&1 IONOS Ltd.
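
The notice above reports 905 messages, 320 of them (about 35%) addressed to non-existent recipients. As an added example that is not part of the original post and not IONOS's actual detection code, the sketch below shows how an outbound-abuse check of this kind can work over a submission log; the thresholds, the record layout and all mailboxes and IP addresses are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds for illustration; a real provider tunes its own.
WINDOW = timedelta(minutes=10)
MAX_MESSAGES = 50          # messages per mailbox inside one window
MAX_INVALID_RATIO = 0.20   # share of recipients rejected as unknown

def build_sample():
    """Constructed log rows: (time, mailbox, source_ip, recipient, smtp_code)."""
    t0 = datetime(2021, 10, 5, 15, 30)
    rows = []
    # Normal user: a handful of messages, all accepted (250).
    for i in range(5):
        rows.append((t0 + timedelta(minutes=2 * i), "alice@example.org",
                     "198.51.100.10", f"friend{i}@example.net", 250))
    # Hijacked mailbox: fast burst from an unfamiliar IP, a third of the
    # recipients rejected with 550 (treated here as "user unknown").
    for i in range(90):
        code = 550 if i % 3 == 0 else 250
        rows.append((t0 + timedelta(seconds=5 * i), "bob@example.org",
                     "203.0.113.7", f"user{i}@target{i % 10}.example", code))
    return rows

def flag_mailboxes(rows):
    """Return {mailbox: [reasons]} for mailboxes over the assumed thresholds."""
    by_box = defaultdict(list)
    for row in sorted(rows):                 # chronological order
        by_box[row[1]].append(row)
    flagged = {}
    for box, sent in by_box.items():
        start, peak = 0, 0
        for end in range(len(sent)):         # sliding window over send times
            while sent[end][0] - sent[start][0] > WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        invalid = sum(1 for r in sent if r[4] == 550)
        ratio = invalid / len(sent)
        reasons = []
        if peak > MAX_MESSAGES:
            reasons.append(f"{peak} messages within {WINDOW}")
        if ratio > MAX_INVALID_RATIO:
            reasons.append(f"{invalid}/{len(sent)} recipients unknown ({ratio:.0%})")
        if reasons:
            flagged[box] = reasons
    return flagged

if __name__ == "__main__":
    for box, reasons in flag_mailboxes(build_sample()).items():
        print(box, "->", "; ".join(reasons))
```

A high unknown-recipient ratio is a strong signal because legitimate senders mail addresses they know, while a spammer working from a harvested or guessed list hits many dead ones.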

Comments

  • I suspect that is a spam and never came from 1&1 Ionos in the first place. Why does it appear to be sent from 123-reg.co.uk? Is your mail box actually locked?
  • J_B
    J_B Posts: 6,791 Forumite
    edited 5 October 2021 at 7:26PM
    It's not spam - it did come from 1&1 Ionos
    The spam on my account mentions 123reg
    Yes, the account is unlocked
  • debitcardmayhem
    debitcardmayhem Posts: 12,686 Forumite
    J_B said:
    It's not spam - it did come from 1&1 Ionos
    The spam on my account mentions 123reg
    Yes, the account is unlocked

    Have you reset your password?
    4.8kWp 12x400W Longhi 9.6 kWh battery Giv-hy 5.0 Inverter, WSW facing Essex . Aint no sunshine ☀️ Octopus gas fixed dec 24 @ 5.74 tracker again+ Octopus Intelligent Flux leccy
  • J_B said:

    can anyone explain in laymen's terms please?

    Somebody is using your mail account to send spam. 

    You need to secure your mail account and remove any malware that may be causing it.

    As per above post, the first step is to change that password NOW.

    If any other online accounts use the same password then change all of them as well.
  • J_B
    J_B Posts: 6,791 Forumite
    I've been helping in a friend's office today and have used their BT internet on my own laptop to check emails.
    I left there at 4.30pm
    The first email came at 4.40 pm saying there had been unusual email activity -
    I changed my password about 6pm when I got home after running MAB and Super Anti Spy and Spybot Search and Destroy
    Then I tried logging into my 1&1 account only to be told it was locked and to phone to unlock
    I was on the phone from about 6.30 to 7.30 pm - guy told me to wait about 20 minutes for unlock to complete.
    At 8.30 pm I had another email saying
    In the last few minutes, we have detected that your mailbox has sent to a high number of invalid email addresses
    Strangely, MrsB@samedomain.co.uk is unaffected. (have changed her password too, just in case)
  • [Deleted User]
    [Deleted User] Posts: 0 Newbie
    edited 5 October 2021 at 10:47PM
    Reading the first email in your original post I can see that the emails are originating from another country. It says (CZ) but the 212.193.x.x range belongs to Russia. 

    Somebody remotely has got into your email account so it probably isn't your computer that is sending the emails but you could have a keylogger or some other malware on your PC which is revealing the password.

    Do you store passwords somewhere? Eg in your browser etc?

    Best advice I can think of right now is set up 2FA (two factor authentication) on your webmail account to increase the security. 

    Just to confirm, when you ran the virus scanners, you did select the options for a thorough scan, not just the default ones?
  • Another question is do you check emails on a phone/tablet ?
    4.8kWp 12x400W Longhi 9.6 kWh battery Giv-hy 5.0 Inverter, WSW facing Essex . Aint no sunshine ☀️ Octopus gas fixed dec 24 @ 5.74 tracker again+ Octopus Intelligent Flux leccy
  • J_B
    J_B Posts: 6,791 Forumite
    Morning all - many thanks for everyone's input.

    I've 'only' done the standard scan with MAB/SAS/SBS&D and BitdefenderFree

    I also check my emails on my MotoG phone with the K9 Mail app (pop3)
  • Jenni_D
    Jenni_D Posts: 5,428 Forumite
    Has someone hacked your domain account and is using your web space and email facility as a spam hub? (i.e. it may be nothing at all to do with your local PC/tablet/phone - rather there's code running on your web space and using the email server from there. If so then changing your account password may have little benefit).

    You could look at your web domain logs to see which part of your domain/website has been most-active recently?
    Jenni x
  • J_B
    J_B Posts: 6,791 Forumite
    My webpage is jb.co.uk with a gmail address in a photo as the only means of digital contact - there is no 'name@jb.co.uk' address

    The problem is with my 'jb@myionosdomain.co.uk' address ... which doesn't have a webspace

    I think I've finally unlocked the email account by several password changes so crossing fingers and hoping that it was just a random 'attack'

    🤷‍♂️