Topic: Scam / spam that appears to have been sent from my email address

Chunkers

  • Reg Member
  • ***
  • Posts: 527
  • Brick Wall head-banger
Scam / spam that appears to have been sent from my email address
« on: February 02, 2024, 07:29:32 PM »

Quick question

Security not one of my strong points, I got a scam email today, nothing unusual there tbh, it was actually one of these

What I don't really understand is that it appeared to be from and to an email address of mine (my own domain hosted by names), how did they do that?  I checked all my devices and they are clean, logged into my email host provider and it was not sent from a device of mine that I can see. I changed all my passwords as a precaution. I ran Malwarebytes on my PC and it's clean.

Slight concern that my email provider (names.co.uk) might be compromised in some way, although it appears their filter successfully flagged it as spam and carrying a virus.

Here are the email headers - I have replaced my email address with me@myemail.com

Return-Path: <me@myemail.com>
Delivery-date: Fri, 02 Feb 2024 17:48:52 +0000
Authentication-Results: mx1.ukservers.net;
    iprev=fail smtp.remote-ip=147.235.220.112;
    spf=permerror smtp.mailfrom=myemail.com;
    dmarc=none header.from=myemail.com;
    arc=none
Received: from [147.235.220.112]
    by mx1.ukservers.net with esmtp (Exim)
    (envelope-from <me@myemail.com>)
    id 1rVxem-000000005DO-CvbI
    for me@myemail.com;
    Fri, 02 Feb 2024 17:48:52 +0000
Message-ID: <693B4941341B333C6E1C14614E66693B@S5YYV8W1>
From: <me@myemail.com>
To: <me@myemail.com>
Date: 2 Feb 2024 20:28:51 +0100
MIME-Version: 1.0
Content-Type: text/plain;
    charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3505.912
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3505.912
X-Virus: yes; detected as Sanesecurity.Phishing.Fake.Coin.30282.UNOFFICIAL
X-Spam-Flag: YES
X-Spam-Report: Flagged internally by mail system
X-Actual-Recipient: me@myemail.com
X-Original-To: me@myemail.com
Subject: A new payment schedule has been approved. (Contains malware Sanesecurity.Phishing.Fake.Coin.30282.UNOFFICIAL)
Message Body
Hello pervert,

Does this actually tell me anything?

Hate this stuff, makes me paranoid.

C
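
The headers in the post above can be read mechanically. The following is an added example, not part of the original thread: it parses the Authentication-Results header exactly as posted and reports what each result records. The MEANING table and the function names are assumptions of this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header subset copied from the post above (address already redacted by the poster).
RAW = """\
Return-Path: <me@myemail.com>
Authentication-Results: mx1.ukservers.net;
    iprev=fail smtp.remote-ip=147.235.220.112;
    spf=permerror smtp.mailfrom=myemail.com;
    dmarc=none header.from=myemail.com;
    arc=none
From: <me@myemail.com>
To: <me@myemail.com>

"""

# Assumed wording for what each non-passing result means at the receiving server.
MEANING = {
    ("iprev", "fail"): "sending IP failed the reverse-DNS check",
    ("spf", "permerror"): "the domain's SPF record could not be evaluated",
    ("spf", "fail"): "sending IP is not authorised by the domain's SPF record",
    ("dmarc", "none"): "no DMARC policy is published for the From domain",
    ("dkim", "missing"): "no DKIM result was recorded for the message",
}

def auth_results(msg):
    """Return {method: result} from Authentication-Results (RFC 8601 layout)."""
    value = " ".join((msg.get("Authentication-Results") or "").split())
    found = {}
    for clause in value.split(";")[1:]:  # field 0 is the checking server's name
        m = re.match(r"\s*([a-z0-9-]+)=([a-z]+)", clause, re.I)
        if m:
            found[m.group(1).lower()] = m.group(2).lower()
    return found

def assess(raw):
    """Summarise whether the receiving server could authenticate the sender."""
    msg = message_from_string(raw)
    res = auth_results(msg)
    res.setdefault("dkim", "missing")  # no dkim= clause means nothing was verified
    sender = parseaddr(msg.get("From", ""))[1].lower()
    notes = [f"{k}={v}: {MEANING[(k, v)]}" for k, v in res.items() if (k, v) in MEANING]
    return {
        "results": res,
        "self_addressed": sender == parseaddr(msg.get("To", ""))[1].lower(),
        "spf_or_dkim_pass": "pass" in (res.get("spf"), res.get("dkim")),
        "notes": notes,
    }
```

For these headers no check passed, so nothing ties the message to the domain's own mail servers; the From and To addresses are only text supplied by the sender at 147.235.220.112.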

g3uiss

  • Kitizen
  • ****
  • Posts: 1151
  • You never too old to learn but soon I may be
    • Midas Solutions
Re: Scam / spam that appears to have been sent from my email address
« Reply #1 on: February 02, 2024, 08:17:27 PM »

Simply spoof your email address. No breach, I suspect. I get these on several accounts regularly.
Cerebus FTTP 500/70 Draytec 2927 VOXI 4G fallback.

Chunkers

  • Reg Member
  • ***
  • Posts: 527
  • Brick Wall head-banger
Re: Scam / spam that appears to have been sent from my email address
« Reply #2 on: February 02, 2024, 09:27:10 PM »

Simply spoof your email address. No breach, I suspect. I get these on several accounts regularly.

Thank you, a relief, I didn't understand that was possible.  So easy to see why people get caught out with this stuff.

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33904
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Scam / spam that appears to have been sent from my email address
« Reply #3 on: February 03, 2024, 03:45:36 PM »

It's quite easy to spoof email addresses, we used to do it for a laugh or joke or April Fool from Bill Gates or some pop star.   It was all innocent fun with no malice or fraud aspect.  You only needed a DOS window to open telnet and then manually type in the relevant fields and MAIL FROM could be anything you like.

IIRC it was about 2003-2005 that you started seeing it done for more nefarious reasons and on a larger scale.  It seemed to coincide with ADSL broadband being available.   It's not hard to write a script to automate the process and then bots feeding the mail recipients with harvested email addresses.

DKIM and SPF have helped a little, they help email client software check if email comes from the correct server.  I have set up DKIM and SPF records which state that any mail from the site domain will always come from my server IP address.   Not all mail clients do anything though.  Gmail may sometimes mark any spoofed mail using this domain as spam.

There's also something called DMARC but unfortunately it can be difficult for the average person to implement.  There's only something like 15% of people with their own hosted mail....  and only about 40% of the large organisations.   Banks and financial institutions being the main organisations using DMARC,  but it still doesn't stop spoofed spam if they, say, change a letter.  So you get spoofers getting round that by, say, using mymai1address.com or my_mailaddress.com instead of mymailaddress.com.
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker
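
The changed-letter domains mentioned in the last post pass SPF, DKIM and DMARC for their own domain, so a mail filter has to compare the sender's domain with the one it trusts. The following is an added example, not part of the original thread: a lookalike check using the three domains from that post. The CONFUSABLE table, the one-edit threshold and the function names are assumptions of this example.

```python
# Substitutions a reader's eye tends to miss; an illustrative, not exhaustive, set.
CONFUSABLE = str.maketrans({"1": "l", "0": "o", "5": "s", "-": None, "_": None})

def normalise(domain):
    """Lower-case and drop surrounding whitespace and any trailing dot."""
    return domain.strip().lower().rstrip(".")

def skeleton(domain):
    """Fold visually confusable characters so lookalikes collapse together."""
    return normalise(domain).translate(CONFUSABLE)

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def classify(sender_domain, trusted_domain, max_edits=1):
    """Return 'exact', 'lookalike' or 'unrelated' for a sender's domain."""
    if normalise(sender_domain) == normalise(trusted_domain):
        return "exact"
    s, t = skeleton(sender_domain), skeleton(trusted_domain)
    if s == t or edit_distance(s, t) <= max_edits:
        return "lookalike"  # differs from the trusted domain, yet reads the same
    return "unrelated"

if __name__ == "__main__":
    trusted = "mymailaddress.com"
    # First three domains are from the post; the fourth is constructed.
    for d in ("mymailaddress.com", "mymai1address.com",
              "my_mailaddress.com", "mymailadress.com"):
        print(d, "->", classify(d, trusted))
```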