Another... Peculiar (spoofed) Email...


  1. Posts : 1,800
    10 Home 64-bit | v22H2 | Build - 19045.3930
       #1

    Another... Peculiar (spoofed) Email...


    In this day and age I shouldn't find this surprising as the ingenuity of some users shows no bounds. If they could only put their resourcefulness to benevolent instead of malevolent efforts the world's problems would be solved in a month. Okay, six months, but I digress.

    There haven't been many, maybe four since the end of Summer, but I receive emails that are nowhere close to my addy. In the accompanying attachment I changed my address to all capital X's with the provider in lower case x's; my address shows up three times in the original message.
    The address this email was originally spoofed from is s....k33 at mail dot ru which is shorter by three characters and does not contain any corresponding characters except for the at and dot symbols.

    I have checked the pwned site and yes my addy is listed but over the years I really don't receive a lot of spam maybe one a month. This one is the first since November.
    • I have marked the email as phishing but couldn't block the sender because that action wasn't available, probably another symptom of spoofing: how do you block an address that doesn't exist? I did send an abuse report to my email provider.
    • Do I send an abuse report to admin at actonalumni dot org the sender? Maybe that doesn't exist as well.
    • The rotrax dot websitewelcome dot com (the man in the middle) addy throws a 404 error and when you search for rotrax dot com it's for sale by HugeDomains dot com, now isn't that surprising!

    Such a PITA!

    @Infrasonic's reply in @FrankS's thread explains this well:
    Infrasonic said:
    If they put your address on a BCC spam distribution list (very likely) then the only address path visible in the headers would be the 'to', which is the sender's, and that might well be a spoofed address anyway.

    Another trick they use is to send you spam from your own address (spoofed) to get around the 'exclusive' inbox settings (which would otherwise route all non-saved or non-whitelisted contact addresses to the spam folder automatically).
    Make sure you have active content and graphics settings off for your inbox too, as that can confirm your address is live by 'phoning home', and then you automatically get added to a plethora of spam lists.

    Check all your email addresses on here too...https://haveibeenpwned.com/
    If you get a positive hit that would explain high spam levels.
    I've got one ancient (1998) hotmail address that gets 3 hits on that site, and unsurprisingly gets a load of spam...

    Most of the major webmail services now use DMARC authentication, so any emails from organisations that also use DMARC should be end to end validated and indicated in some way as from a known sender. In the message source headers you'll see DKIM, SPF and DMARC statuses mentioned.
    If you need more do a search for spoofed emails. I just wanted to put my experience out here as another example.

    Another Peculiar Email.txt

    p.s. I marked my thread solved, but for now there really is no way to stop it.


  2. Posts : 16,325
    W10Prox64
       #2

    Sometimes I go through the effort to do this:

    View the header of the message.
    Find the line in the header with "Received: from" and either EHLO or HELO, example:
    Code:
    Received: from 127.0.0.1  (EHLO r229.subs.subway.com) (66.117.17.229)
    Run a whois on that domain, or go to spamcop.net and parse that domain IP address for the abuse contact info (Trace IP).
    Send the entire email, including the raw header information to the abuse address.
    Sometimes you get a bit of relief.
    Note: Not saying subway is spam, just used it as an example.


  3. Posts : 1,800
    10 Home 64-bit | v22H2 | Build - 19045.3930
    Thread Starter
       #3

    Thanks, simrick.

    I did a search on the email for EHLO but found what I was looking for under HELO:
    Code:
    Received: from grf178.internetdsl.tpnet.pl ([83.3.187.178]:39104 helo=uKHtvLyN)
    	by rotrax.websitewelcome.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
    	(Exim 4.91)
    	(envelope-from <admin@actonalumni.org>)
    	id 1gh5od-003MH9-OW; Tue, 08 Jan 2019 22:50:08 -0600
    but there isn't an IP there so I used the Source-IP: 83.3.187.178 in the email abuse section and found the email came from Poland.

    Using the MXToolbox and their blacklist check I also found 83.3.187.178 is on 15 out of 95 known lists. rotrax.websitewelcome.com truncates to websitewelcome.com and whois lists that as Whois Privacy Protection Service, Inc.

    Hunting this stuff down is like ridin' a merry-go-round and missing the ring every time you pass it. Subway and spam? Subway does have some kosher franchises, but yes I knew what you meant, thanks for the clarification.

    For any newcomers to email sleuthing it may seem counter-intuitive but the beginning of an original message starts at the bottom and goes up.
    When you read an email header, the data is in reverse chronological order, meaning the info at the top is the most recent event. Therefore if you want to trace the email from sender to recipient, start at the bottom. Examining the headers of this email we can see several things.

    What Can You Find in an Email Header?
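    The procedure in posts #2 and #3 (walk the Received: chain from the bottom up, pick out the connecting IP and HELO name of the first hop, and check the SPF/DKIM/DMARC statuses mentioned in post #1), as an added example that is not from this thread. It handles both header shapes quoted above (Exim's `helo=` form and the `(EHLO name)` form). The sample message is constructed: the Exim hop is the header quoted in post #3, while the outer hop (192.0.2.10, mx.example.invalid) and the Authentication-Results line are placeholders standing in for the recipient's own mail server.

```python
import email
import re

# Constructed sample: the Exim hop is the header quoted in the thread; the outer
# hop (192.0.2.10 / mx.example.invalid) and Authentication-Results are made up.
RAW_MESSAGE = b"""\
Received: from rotrax.websitewelcome.com ([192.0.2.10])
\tby mx.example.invalid with ESMTPS id abc123
\tfor <XXXXXXX@xxxx.xxx>; Tue, 08 Jan 2019 22:51:00 -0600
Authentication-Results: mx.example.invalid;
\tspf=fail smtp.mailfrom=actonalumni.org; dkim=none;
\tdmarc=fail header.from=actonalumni.org
Received: from grf178.internetdsl.tpnet.pl ([83.3.187.178]:39104 helo=uKHtvLyN)
\tby rotrax.websitewelcome.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
\t(Exim 4.91)
\t(envelope-from <admin@actonalumni.org>)
\tid 1gh5od-003MH9-OW; Tue, 08 Jan 2019 22:50:08 -0600
From: admin@actonalumni.org

body
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HELO = re.compile(r"helo=(\S+?)\)|\((?:EHLO|HELO)\s+(\S+?)\)", re.I)

def parse_hop(value):
    """Split one Received: value into the parts worth looking at."""
    value = " ".join(value.split())          # unfold continuation lines
    head, _, tail = value.partition(" by ")  # "from ..." / "<server> with ..."
    ips = IPV4.findall(head)                 # IPs the receiving server logged
    helo = HELO.search(head)
    return {
        "from": head.split()[1] if head.startswith("from ") else None,
        "helo": (helo.group(1) or helo.group(2)) if helo else None,
        "ip": ips[-1] if ips else None,      # last one is the connecting peer
        "by": tail.split()[0] if tail else None,
    }

def trace(raw):
    """Hops in the order the message travelled: bottom Received: header first."""
    headers = email.message_from_bytes(raw).get_all("Received", [])
    return [parse_hop(v) for v in reversed(headers)]

def auth_results(raw):
    """spf/dkim/dmarc verdicts from Authentication-Results, when the MX adds them."""
    verdicts = {}
    for value in email.message_from_bytes(raw).get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            verdicts[method.lower()] = result.lower()
    return verdicts
```

`trace(RAW_MESSAGE)[0]["ip"]` is the address to look up with whois or spamcop, and `auth_results` shows whether the recipient's server already judged the message as failing SPF/DMARC.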


  4. Posts : 16,325
    W10Prox64
       #4

    Anak said:
    Thanks, simrick.

    I did a search on the email for EHLO but found what I was looking for under HELO:
    Code:
    Received: from grf178.internetdsl.tpnet.pl ([83.3.187.178]:39104 helo=uKHtvLyN)
        by rotrax.websitewelcome.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
        (Exim 4.91)
        (envelope-from <admin@actonalumni.org>)
        id 1gh5od-003MH9-OW; Tue, 08 Jan 2019 22:50:08 -0600
    but there isn't an IP there so I used the Source-IP: 83.3.187.178 in the email abuse section and found the email came from Poland.

    Using the MXToolbox and their blacklist check I also found 83.3.187.178 is on 15 out of 95 known lists. rotrax.websitewelcome.com truncates to websitewelcome.com and whois lists that as Whois Privacy Protection Service, Inc.

    Hunting this stuff down is like ridin' a merry go round and missing the ring every time you pass it. Subway an spam? Subway does have some kosher franchises, but yes I knew what you meant, thanks for the clarification.

    For any newcomers to email sleuthing it may seem counter-intuitive but the beginning of an original message starts at the bottom and goes up.
    I hear ya. It has gotten ridiculous...
    FYI: You could report the email to these addresses, and they may be able to do something:
    Parsing input: 83.3.187.178
    More Information.
    Reporting addresses:
    cert.opl@orange.com
    abuse@tpnet.pl


  5. Posts : 1,800
    10 Home 64-bit | v22H2 | Build - 19045.3930
    Thread Starter
       #5

    Already have, if I hear anything back I'll post it.


  6. Posts : 226
    Many
       #6

    If more providers and companies took advantage of DMARC, which relies on SPF and DKIM configuration, it would make mail spoofing a bit more difficult (not impossible)


  7. Posts : 1,800
    10 Home 64-bit | v22H2 | Build - 19045.3930
    Thread Starter
       #7

    Anak said:
    Already have, if I hear anything back I'll post it.
    Almost forgot, received canned replies from your two, simrick, and the one I sent to Gmail, thanking me for alerting them and saying they will investigate.


  8. Posts : 16,325
    W10Prox64
       #8

    Anak said:
    Almost forgot, received canned replies from your two, simrick, and the one I sent to Gmail, thanking me for alerting them and saying they will investigate.
    That's good. I'm sure you won't hear anything else from them, but maybe your efforts will have helped.


  9. Posts : 1,800
    10 Home 64-bit | v22H2 | Build - 19045.3930
    Thread Starter
       #9

    Me too, I hope so.

    To paraphrase: The only thing necessary for the triumph of evil is for good people to do nothing.
    Attributed to multiple authors.

    Have you seen this yet? The 773 Million Record Collection #1 Data Breach. Seems I may have opened a can of worms.


  10. Posts : 16,325
    W10Prox64
       #10

    Yes, actually, I saw this thread
    Another Major Email Password Breach - Windows 10 Forums
    and am about finished having a heart attack now.......LOL So sick of all this.....have to go read your thread now....

