Another... Peculiar (spoofed) Email... Solved

  1. Anak
    Posts : 490
    10 Home Premium 64-bit | v1803 | Build -17134.523
       1 Week Ago #1

    Another... Peculiar (spoofed) Email...


    In this day and age I shouldn't find this surprising as the ingenuity of some users shows no bounds. If they could only put their resourcefulness to benevolent instead of malevolent efforts the world's problems would be solved in a month. Okay, six months, but I digress.

    There haven't been many, maybe four since the end of Summer, but I receive emails that are nowhere close to my addy. In the accompanying attachment I changed my address to all capital X's, with the provider in lower case x's; my address shows up three times in the original message.
    The address this email was originally spoofed from is s....k33 at mail dot ru which is shorter by three characters and does not contain any corresponding characters except for the at and dot symbols.

    I have checked the pwned site and yes my addy is listed but over the years I really don't receive a lot of spam maybe one a month. This one is the first since November.
    • I have marked the email as phishing but couldn't block the sender because that action wasn't available probably another symptom of spoofing, how do you block an address that doesn't exist? I did send an abuse report to my email provider.
    • Do I send an abuse report to admin at actonalumni dot org the sender? Maybe that doesn't exist as well.
    • The rotrax dot websitewelcome dot com (the man in the middle) addy throws a 404 error and when you search for rotrax dot com it's for sale by HugeDomains dot com, now isn't that surprising!

    Such a PITA!

    @Infrasonic's reply in @FrankS's thread explains this well:
    Infrasonic said:
    If they put your address on a BCC spam distribution list (very likely) then the only address path visible in the headers would be the ' to' which is the senders, and that might well be a spoofed address anyway.

    Another trick they use is to send you spam from your own address (spoofed) to get around the 'exclusive' inbox settings (which would otherwise route all non saved or whitelisted contact addresses to the spam folder automatically).
    Make sure you have active content and graphics settings off for your inbox too, as that can confirm your address is live by 'phoning home', and then you automatically get added to a plethora of spam lists.

    Check all your email addresses on here too...https://haveibeenpwned.com/
    If you get a positive hit that would explain high spam levels.
    I've got one ancient (1998) hotmail address that gets 3 hits on that site, and unsurprisingly gets a load of spam...

    Most of the major webmail services now use DMARC authentication, so any emails from organisations that also use DMARC should be end to end validated and indicated in some way as from a known sender. In the message source headers you'll see DKIM, SPF and DMARC statuses mentioned.
    If you need more do a search for spoofed emails. I just wanted to put my experience out here as another example.

    Attachment: Another Peculiar Email.txt

    p.s. I marked my thread solved, but for now there really is no way to stop it.

  2. simrick
       5 Days Ago #2

    Sometimes I go through the effort to do this:

    View the header of the message.
    Find the line in the header with "Received: from" and either EHLO or HELO, example:
    Code:
    Received: from 127.0.0.1  (EHLO r229.subs.subway.com) (66.117.17.229)
    Run a whois on that domain, or go to spamcop.net and parse that domain IP address for the abuse contact info (Trace IP).
    Send the entire email, including the raw header information to the abuse address.
    Sometimes you get a bit of relief.
    Note: Not saying subway is spam, just used it as an example.

  3. Anak
    Posts : 490
    10 Home Premium 64-bit | v1803 | Build -17134.523
    Thread Starter
       5 Days Ago #3

    Thanks, simrick.

    I did a search on the email for EHLO but found what I was looking for under HELO:
    Code:
    Received: from grf178.internetdsl.tpnet.pl ([83.3.187.178]:39104 helo=uKHtvLyN)
    	by rotrax.websitewelcome.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
    	(Exim 4.91)
    	(envelope-from <admin@actonalumni.org>)
    	id 1gh5od-003MH9-OW; Tue, 08 Jan 2019 22:50:08 -0600
    but there isn't an IP there so I used the Source-IP: 83.3.187.178 in the email abuse section and found the email came from Poland.

    Using the MXToolbox and their blacklist check I also found 83.3.187.178 is on 15 out of 95 known lists. rotrax.websitewelcome.com truncates to websitewelcome.com and whois lists that as Whois Privacy Protection Service, Inc.

    Hunting this stuff down is like ridin' a merry-go-round and missing the ring every time you pass it. Subway and spam? Subway does have some kosher franchises, but yes, I knew what you meant, thanks for the clarification.

    For any newcomers to email sleuthing it may seem counter-intuitive but the beginning of an original message starts at the bottom and goes up.
    When you read an email header, the data is in reverse chronological order, meaning the info at the top is the most recent event. Therefore, if you want to trace the email from sender to recipient, start at the bottom. Examining the headers of this email we can see several things.

    What Can You Find in an Email Header?
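    The header walk simrick describes in post #2 (find the Received: line with the EHLO/HELO name, take the IP, look up its abuse contact) and Anak's note above that headers read bottom-up, as one added example that is not part of this thread: a Python parser that unfolds a raw header, reverses the Received: lines into sender-to-recipient order, pulls the HELO name, source IP and relay from each hop, and flags a break in the relay chain. The sample header is constructed: its inner hop is the Received: line quoted in post #3, while the outer hop, mx.example.test and 192.0.2.10, are placeholders.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, not a real capture: the inner Received line is the one quoted in the
# thread; the outer hop, mx.example.test and 192.0.2.10, are placeholders.
SAMPLE_HEADER = (
    "Received: from rotrax.websitewelcome.com (rotrax.websitewelcome.com. [192.0.2.10])\n"
    "\tby mx.example.test with ESMTPS id PLACEHOLDER\n"
    "\tfor <XXXXXXXX@xxxxx.xxx>; Tue, 08 Jan 2019 22:50:10 -0600\n"
    "Received: from grf178.internetdsl.tpnet.pl ([83.3.187.178]:39104 helo=uKHtvLyN)\n"
    "\tby rotrax.websitewelcome.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)\n"
    "\t(Exim 4.91)\n"
    "\t(envelope-from <admin@actonalumni.org>)\n"
    "\tid 1gh5od-003MH9-OW; Tue, 08 Jan 2019 22:50:08 -0600\n"
)
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(header: str) -> List[str]:
    """Join folded continuation lines (leading whitespace) back onto their header field."""
    fields: List[str] = []
    for line in header.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += " " + line.strip()
        elif line.strip():
            fields.append(line.rstrip())
    return fields


def parse_hop(value: str) -> Dict[str, Optional[str]]:
    """Extract the fields an abuse report needs from one Received: value."""
    grp = lambda m: m.group(1) if m else None
    host = re.search(r"^from\s+([^\s(]+)", value)           # host as named by the receiving relay
    helo = re.search(r"helo=([^\s)]+)", value, re.I)         # EHLO/HELO name the client claimed
    by = re.search(r"\bby\s+([^\s(]+)", value)               # the relay that wrote this line
    return {"from": grp(host), "helo": grp(helo), "ip": grp(IPV4.search(value)), "by": grp(by)}


def received_hops(header: str) -> List[Dict[str, Optional[str]]]:
    """Each relay prepends its Received: line, so reverse them for sender-to-recipient order."""
    values = [f.split(":", 1)[1].strip() for f in unfold(header) if f.lower().startswith("received:")]
    return [parse_hop(v) for v in reversed(values)]


def origin_ip(header: str) -> Optional[str]:
    """IP of the earliest hop: the value to whois or report, rather than the spoofable helo name."""
    hops = received_hops(header)
    return hops[0]["ip"] if hops else None


def chain_is_consistent(hops: List[Dict[str, Optional[str]]]) -> bool:
    """A relay's 'by' host should reappear as the next hop's 'from'; a break suggests a forged line."""
    return all(a["by"] == b["from"] for a, b in zip(hops, hops[1:]))
```

    Only the lines written by relays you trust are reliable; anything below the first hop your own provider recorded can be fabricated by the sender, so report the IP from the earliest hop you can corroborate.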

  4. simrick
       5 Days Ago #4

    Anak said:
    Thanks, simrick.

    I did a search on the email for EHLO but found what I was looking for under HELO:
    Code:
    Received: from grf178.internetdsl.tpnet.pl ([83.3.187.178]:39104 helo=uKHtvLyN)
        by rotrax.websitewelcome.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
        (Exim 4.91)
        (envelope-from <admin@actonalumni.org>)
        id 1gh5od-003MH9-OW; Tue, 08 Jan 2019 22:50:08 -0600
    but there isn't an IP there so I used the Source-IP: 83.3.187.178 in the email abuse section and found the email came from Poland.

    Using the MXToolbox and their blacklist check I also found 83.3.187.178 is on 15 out of 95 known lists. rotrax.websitewelcome.com truncates to websitewelcome.com and whois lists that as Whois Privacy Protection Service, Inc.

    Hunting this stuff down is like ridin' a merry-go-round and missing the ring every time you pass it. Subway and spam? Subway does have some kosher franchises, but yes, I knew what you meant, thanks for the clarification.

    For any newcomers to email sleuthing it may seem counter-intuitive but the beginning of an original message starts at the bottom and goes up.
    I hear ya. It has gotten ridiculous...
    FYI: You could report the email to these addresses, and they may be able to do something:
    Parsing input: 83.3.187.178
    Reporting addresses:
    cert.opl@orange.com
    abuse@tpnet.pl

  5. Anak
    Posts : 490
    10 Home Premium 64-bit | v1803 | Build -17134.523
    Thread Starter
       5 Days Ago #5

    Already have, if I hear anything back I'll post it.

  6.   5 Days Ago #6

    If more providers and companies took advantage of DMARC, which relies on SPF and DKIM configuration, it would make mail spoofing a bit more difficult (not impossible)

  7. Anak
    Posts : 490
    10 Home Premium 64-bit | v1803 | Build -17134.523
    Thread Starter
       7 Hours Ago #7

    Anak said:
    Already have, if I hear anything back I'll post it.
    Almost forgot: I received canned replies from your two, simrick, and from the one I sent to gmail, thanking me for alerting them and saying they will investigate.
