Email hack or spam?
Comments
-
grumpycrab wrote: »Ahh - a Mail expert! Please attach an example message source and show me where to find the real email address of the ******* spammers.
Not an expert (it was on another board at the time remember) but not daft enough to post a real example from my personal mailbox.
There's usually a return path or original sender details in the source code. Such as one I received pretending to be from apple when the domain it originated and return path is @ampunidosaku-007.com.
Bear in mind I'm not saying it's going to tell you something that will enable you to track down the specific person who sent it. Just that it's a way people can check if an email is genuine.
You keep using that word. I do not think it means what you think it means - Inigo Montoya, The Princess Bride
-
With Thunderbird it is View + Message Source
-
unholyangel wrote: »If you go into message source, if it has been spoofed it will show you the real email address it's been sent from in the coding.
Proud member of the wokerati, though I don't eat tofu. Home is where my books are. Solar PV 5.2kWp system, SE facing, >1% shading, installed March 2019. Mortgage free July 2023
-
^^ Not necessarily.
A lot of spammers these days don't go to the trouble of finding an open relay etc and simply put the from "name" as the intended spoof email address.
It still fools a lot of people and would be apparent in the source
-
Most email providers tell you the ip address of the source sender, in their headers. Whois will find what the originating server is but generally that is just the relay it was sent via. Good luck trying to find the real source and if you do then buy a lottery ticket.
4.8kWp 12x400W Longhi 9.6 kWh battery Giv-hy 5.0 Inverter, WSW facing Essex . Aint no sunshine ☀️ Octopus gas fixed dec 24 @ 5.74 tracker again+ Octopus Intelligent Flux leccy
-
Here's a spam email received. All email addresses changed (sender's email address was spoofed; well they told me they didn't send it!).
The sender is with BT, hence the references to btinternet and Yahoo I guess. Any clues here as to sender? All I can see is that it may have been created on an iPhone but I guess even the X-Mailer can be spoofed?

Delivered-To: 1@2
Received: by 10.223.176.176 with SMTP id i45csp2165586wra;
Sun, 5 Nov 2017 15:05:47 -0800 (PST)
X-Google-Smtp-Source: ABhQp+QtJoUJcolCcVuq+g3Gz3Drqw1GdfPxnJlgccOj7x4MlzFjuX+HUHEuGylEIHHyqjt1z3JU
X-Received: by 10.223.157.40 with SMTP id k40mr10163155wre.153.1509923147604;
Sun, 05 Nov 2017 15:05:47 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1509923147; cv=none;
d=google.com; s=arc-20160816;
b=YYbND+U1zAsqr5cZ4A1iMxaCKhdGdGSs/HQVTQ3vS7nY35HqGxvxqvSH0tAobS/8bC
h1w2gKcj1B4dj21g90EFxJ/1sw/+j0EQIU7rQqUhKviUxAtvCpuGbLJODIgn2Cogk0qP
dNh4mafKbI6TxULo6Xm3m98374l3FsWetD/3pdcDKSWcQuGNQUD1QF9q1jzmVWdH56zt
Es6aeBq27+6rioKiGXEsnHBasHWm4YoNlEww+iGtZAJC2n8GsRRTPb4U24C+WqZz3njH
eiBi9iRaszh4+YhdB6wX81CgMclpTlcdeGFZBt8KXZN7SbYxvUQolB1ZhOsYe5JdaWyj
GuWA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=references:content-transfer-encoding:mime-version:subject
:message-id:to:from:date:dkim-signature:arc-authentication-results;
bh=/BO0J9SpHT0BhuC2hnc569iHO+pfcAWR/o9XxuVr+2I=;
b=qOsOX8FlR20Gt0LKO23AGS+U7EmiO4/tH+IVNJgooTQ1I1W2kVAY9RktHaZ75wzPo9
23ZHjnSK0LHKoRt93nhFZaWc3505OqXWr+5jVm0YDmF5h6qgG7sQ8bExTbdMYCb28S5m
n8oF/f2bcgn9a97EXlhVeiVrchoRanmbh/uzT2q/LQPbXWozVXsQOoH/L8a+TYS/4b0N
SY+ebSr/QjaBcnl9z8G6RZXN8uRWTcwb4BJOgHqzusoOd9KDo/kCIm3Vnyb7jy4Slnaj
IOuk1X7WPfTpaqNzZhQsebsN1bog0jTpNZ/N912252jmCZjc0fBpvgiqBhD4w4hPPMBF
ckOQ==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@btinternet.com header.s=s2048 header.b=JrWVGtM5;
spf=softfail (google.com: domain of transitioning 1@2 does not designate 212.18.250.208 as permitted sender) smtp.mailfrom=1@2;
dmarc=pass (p=NONE sp=REJECT dis=NONE) header.from=btinternet.com
Return-Path: <1@2>
Received: from relay.emailme.com (relay-5.bfn.uk.centralnic.net. [212.18.250.208])
by mx.google.com with ESMTP id z1si9625193wre.339.2017.11.05.15.05.47
for <1@2>;
Sun, 05 Nov 2017 15:05:47 -0800 (PST)
Received-SPF: softfail (google.com: domain of transitioning 1@2 does not designate 212.18.250.208 as permitted sender) client-ip=212.18.250.208;
Authentication-Results: mx.google.com;
dkim=pass header.i=@btinternet.com header.s=s2048 header.b=JrWVGtM5;
spf=softfail (google.com: domain of transitioning 1@2 does not designate 212.18.250.208 as permitted sender) smtp.mailfrom=1@2;
dmarc=pass (p=NONE sp=REJECT dis=NONE) header.from=btinternet.com
Received: from sonic305-51.consmr.mail.ir2.yahoo.com (sonic305-51.consmr.mail.ir2.yahoo.com [77.238.177.113])
by relay.emailme.com (Postfix) with ESMTP id 4E86EDF281
for <1@2>; Sun, 5 Nov 2017 23:05:47 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com; s=s2048; t=1509923146; bh=/BO0J9SpHT0BhuC2hnc569iHO+pfcAWR/o9XxuVr+2I=; h=Date:From:To:Subject:References:From:Subject; b=JrWVGtM5CfKxmeizXwsxyC2oAtp+vkYf2ENbdyffyq3ApysugMQ2WZUyaDA3V8n/ZHPGXjMkc6ph0PEIgiof9uGS7vIOq1IavjFZgZib9mr94fTETikK0+79/T6/bF/hkGoUnQKWVq+00xR46BCQyug9LkwOh6u2WufChk59iwOO08uM7q9KMdWxkwrFgXzN0dKlG3XpLzqBpfIHbYHbQOSI4Kxd9hx5y0YTu8a/nduowoQM3Zwp66seodRg8KtUERKjySJj0130J1zawW6+Zf78iDDtaTniH5gcMPXAgsBbra4OpLYwJ6+I+0WtwITA1poaFtvRQsXcbzDLTYLBug==
X-YMail-OSG: GkoHVwQVM1lPVpW607PDJMR2LjKBtAqycAue7Om8c9nmH6rYTw8oLeh_F1IuhAs
omGnSAfgZQ8JerBBuppORcGaas9Qfy6S9SMeanuPm_sscaru8ThsMPZbclHPnvJXQG3nQkaNxeSt
CLdLY8P8s3lwzgk6Q7_dTvTy9vKFjmKw3tNWhuugUH1.ciqPU8_w1wCebNnOzeDEGbIfdsUoDcOu
hw1_GSlg_8wamm9Ke7xlRHHWnkqmQqJknA1kbJGqyBGov7fyE3DtcM1_QYvDEX5SZzmCpJdPvhFK
zfmIfBtvkj0kLW9wBxgcPSxjE6sSboFmGN55nmbqNeAmzWVduUZeDOe1k2l9eSur7TUbWrX0Dt9u
PputuBeNvPR57ETwSjAzTFwz6jw7sn_ndJyxGf9v9DwxLMicSILA1MbE9q31RmmdsWcwH_E.oaNi
oNKgCm8eY3bK_bGnnRCDxFLFaMM.IfnOg.qHVPMoMBbdrdZGYmh47Z.ExLd0sE.vlzrt6FqHcSYE
hECcnChHPMfCBwKGd0LJ.R994EWmEUum0QoW3aUeMgLI51CL_q4_LR50cEr.RzTs-
Received: from sonic.gate.mail.ne1.yahoo.com by sonic305.consmr.mail.ir2.yahoo.com with HTTP; Sun, 5 Nov 2017 23:05:46 +0000
Date: Sun, 5 Nov 2017 23:01:46 +0000 (UTC)
From: 1@2
To: <1@2>, <1@2>,
<1@2>, <1@2>,
<1@2>, <1@2>
Message-ID: <1254848322.4757859.1509922906092@mail.yahoo.com>
Subject: Re: Re: [8]
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
References: <1254848322.4757859.1509922906092.ref@mail.yahoo.com>
X-Mailer: WebService/1.1.10849 YahooMailBasic Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.0 Mobile/14G60 Safari/602.1
link removed - redirected -many -times- to a weight reduction website
===============
inspiration of inventive genius: his whole motive and single aim had been

If you put your general location in your Profile, somebody here may be able to come and help you.
-
^^ No, that's been properly spoofed using an open relay
-
However the fact the return path is 1@2 would indicate it is indeed a spoof, else the return path should have been the email address it was supposedly sent from (or at least from their official domain if it's a corporate company like Apple, PayPal etc).
For example a genuine email I received from PSN has the return path as: em-b32sq6yb11zt3gaumr6esb1zywckbw @m.email.sonyentertainmentnetwork.com (put a space in it as kept abbreviating the address)
In around 20 years of checking sender details, I have never seen one spoof that uses the legitimate domain as the original sender and/or return path. I've seen them use gmail address, yahoo, their own domain or even gobbledegook, but never the legitimate domain.
You keep using that word. I do not think it means what you think it means - Inigo Montoya, The Princess Bride
-
DavidMartin7819 wrote: »I was checking through my emails and noticed a lot of emails that look like they're from me, i.e. they have my email address in the to and from sections, basically they have a conversation where apparently I'm either asking for sex, drugs or paying for other things. I know it's not me, I'm worried someone is using my account somehow or are they just pretend to try and get you to message? How can I tell as they have my email address in the sent parts of the conversation as if I've replied? I've now changed my password just in case but as some of these go back months and I change my password monthly I'm worried something else is going on
They are probably just spoofed e-mails. If you look at the e-mail headers they should show the real address they are coming from.
This discussion has been closed.
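
The header checks discussed in this thread (display name versus real From address, Return-Path domain, the receiving server's SPF/DKIM/DMARC verdicts, and the Received chain), as an added example that was not posted by anyone in the thread. The message source is constructed: every host and address in it, and the `analyse` helper itself, are assumptions made for the illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message source: every host and address here is made up.
SAMPLE = """\
Return-Path: <bounce@bulk-sender.example>
Authentication-Results: mx.recipient.example;
 dkim=pass header.i=@bulk-sender.example header.s=s1;
 spf=softfail smtp.mailfrom=bounce@bulk-sender.example;
 dmarc=pass (p=NONE) header.from=bulk-sender.example
Received: from relay.forwarder.example (relay.forwarder.example [192.0.2.10])
 by mx.recipient.example with ESMTP; Sun, 05 Nov 2017 15:05:47 -0800
Received: from out.bulk-sender.example (out.bulk-sender.example [198.51.100.7])
 by relay.forwarder.example (Postfix) with ESMTP; Sun, 5 Nov 2017 23:05:47 +0000
From: "service@bank.example" <promo@bulk-sender.example>
Subject: Account notice

(body omitted)
"""

def domain(addr):
    return addr.rpartition("@")[2].lower()

def unfold(value):
    return " ".join((value or "").split())  # undo header line folding

def analyse(raw):
    msg = message_from_string(raw)
    shown_name, from_addr = parseaddr(msg.get("From", ""))
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    # msg.get() returns the topmost copy: the verdict stamped by the final receiving server.
    auth = dict(re.findall(r"\b(dkim|spf|dmarc)=(\w+)", unfold(msg.get("Authentication-Results"))))
    # Received lines are prepended, so index 0 is the newest hop; older entries
    # further down were written by earlier servers and can be forged.
    matches = [re.match(r"from (\S+)", unfold(h)) for h in msg.get_all("Received", [])]
    hops = [m.group(1) for m in matches if m]
    flags = []
    in_name = re.search(r"[\w.+-]+@[\w.-]+", shown_name)
    if in_name and domain(in_name.group()) != domain(from_addr):
        flags.append("display-name-address-mismatch")
    if return_path and domain(return_path) != domain(from_addr):
        flags.append("return-path-domain-mismatch")
    flags += [f"{k}-{v}" for k, v in sorted(auth.items()) if v != "pass"]
    return {"from": from_addr, "shown_as": shown_name, "return_path": return_path,
            "auth": auth, "hops": hops, "flags": flags}

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

Paste a real message source (Thunderbird: View + Message Source) in place of `SAMPLE` to run the same checks. A passing DKIM or DMARC result only vouches for the domain in the real From address, which is why the display-name check is kept separate.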