In the past few days, a trend has emerged on one of my websites. There has been a stream of subscriptions to e-mail updates from Polish e-mail addresses which are obviously fake. They’re using names which seem to be randomly picked from an American phone book. I can’t tell you what they are hoping to achieve by mass-subscribing to mail updates for my blog. However, there is a clear pattern that is shared by all the domain names.

  • Compromised domains all belong to Polish cities: Kalisz, Scczecin, Zgora, Opole and other city related domains are all compromised.
  • All mail addresses are using subdomains.
  • All domains are using DNS.pl DNS servers.
  • All domains have been updated on the 13th of May 2020 which was when their “subscriptions” have started. I believe this is the day that the subdomain used for the mailboxes has been created.
  • The subdomain points to a different server / hosting provider than the main domain name.

It appears that someone has gotten access to these city-owned domain names and has managed to point new records to his spam mail server. When mailed to complain, DNS.pl said that the domain names were “regionally owned” and “not theirs”. They didn’t seem to be interested in doing anything about investigating the problem.

I don’t speak Polish and have wasted enough time on finding out what is happening. But if you live in the area and have IT expertise, you might want to contact the responsible person for the following cities and tell them their domain name has been compromised: Kalisz, Szczecin and Zgora (and a few others, whose names I didn’t write down).