Off Topic Spoof emails

[Ron]

Has anyone here received an email where the from address is your address. Obviously the email address has been spofed and, apparently, it's easy to do using PHP Mailer. The address has not been hacked as the message doesn't appear in the sent folder. You can't block them and can't reply to them (I was hoping to send a reply saying "**** off"). Apparently, somewhere in the source code it reveals the IP address of the sender. If any tech savies here know the best way to deal with these please post below.

Someone has to specifically replace the sent name; so not sure what sort of people do this nor why they do it and also wonder how they select their addresses

 

[SwanHills]

Ron, any email that I do not recognize, I do not open and delete straight away. Some are laughable. The first words e.g. "We have noticed a discrepancy in your bank............................." ****ing stroll on, bloody idiots. My security people do a damn good job in scrapping false emails/spam before they ever get to me, so I see little of them.

 

[Ste D]

I Won the Bono lotto last week apparently,still havnt collected my winnings though

 

[Ron]

Yea those stupid emails go in my junk mail and I just block them. It's the ones that have a "from" exactly = to your own email that I'm talking about. Haven't had one myself but my wife had one today. If you try to block them it says "can't block your own emails".

 

[SwanHills]

Ah, I see. I've never heard of that one.

 

[QuarterMoonII]

Ron, sorry to have to tell you but you are probably stuck between a rock and a hard place with the email. If there were some way that you could stop people getting your (or your wife’s) email addresses to use, that would be the easy solution. Are your email address and your wife’s both on the same domain (the bit of the email address after the @ symbol)? If not, get her to contact somebody else that she knows to see if they received the same sort of junk mail, as this may indicate that their mail server has been hacked and all the addresses in the address book were used by those involved. I am pretty certain that your wife’s email domain must have open relay disabled, otherwise it would likely to be blacklisted and her email would not work at all.

When the protocols were written for sending (SMTP) and receiving (POP3) email, the authors did not contemplate anybody wanting to abuse them, so they made them very simple. Back in those days, the WWW did not exist with access for everyone it was just a bunch of academics around the world. Ironically, the problems of spoof email and phishing have been well known since the 90s but the last time a proposal was made on an idea to resolve it, they could not get consensus on implementing what would be a massive change globally.

When you receive email from addresses that you do not want to recognise, it is easy enough to program the email client to filter them out as junk; hence the people sending this junk now put the recipient’s email address as the sender so it cannot be blocked. In order to get the email to you they have to bounce it off a legitimate mail server to which they have gained access.

A few years ago, I wrote a program that I used internally at the company where I was working. On the Monday morning, I could send emails to colleagues who were fans of Hull FC and KR that had the name of their team’s coach as the ‘From’ field, apologising for how badly they had played on Sunday. The Reply-Path address of the emails was set to my email address. I could do this because I could bounce the emails of the company’s internal email server using my company email access.

Most of the junk email that I get these days has the name of some legitimate organisation in the ‘To’ field when it arrives but if I click the Reply button in MS Outlook and actually examine the intended reply address in the new email it is a domain in Russia, one of the Baltic states or China.

Now, Ron, if you can send me your bank details, I am sure that my man in Nigeria can supply you with the pills that you need to make you six inches bigger and irresistible to every woman in France...

 

[Ron]

Thinking long term, I really don't want to have to increase my "coffin budget"

 

[Ron]

Most of the junk email that I get these days has the name of some legitimate organisation in the ‘To’ field when it arrives but if I click the Reply button in MS Outlook and actually examine the intended reply address in the new email it is a domain in Russia, one of the Baltic states or China.

I always check the actual email address (without having to initiate a reply). Problem these days is it's easy to change the "from" field so that it looks legitimate. Checking the source code reveals the actual ISP address of the sender but I'm not sure which part of the source code gives that info.

Email systems ought to be able to block the actual sender's IP address from your inbox if it is the same as one you have already blocked by the usual means. Is that too difficult?

 

[QuarterMoonII]

I wish I knew of some way of blocking IP addresses, but I do not think that anybody has such a facility in their email clients. MS Outlook will let me block email addresses, domains and even whole countries by their top-level domain suffixes (e.g. “.ru” = Russia).

Looking at the message source of any old email, it may contain the following sort of mark-up language entries:

X-Apparently-To: [email protected] via AAA.BBB.CCC.DDD: Mon, 26 Oct 2015 12:00:00
X-Originating-IP: [JJJ.KKK.LLL.MMM]
Received: from JJJ.KKK.LLL.MMM (HELO emailserver.com) (JJJ.KKK.LLL.MMM)
X-Env-Sender: [email protected]
From: “Originator Name Text” <[email protected]>
To: <[email protected]>
Reply-To: [email protected]

In your email client (for example MS Outlook), the message will display “From Originator Name Text” (and perhaps also the address [[email protected]]); however, if you reply to this message, your reply will be sent to [email protected]. The message came from IP address JJJ.KKK.LLL.MMM and there may be more than one Received entry showing the intervening gateways and servers that have routed the message to you.

Theoretically, it would be possible to examine the IP addresses in incoming messages and have bad ones automatically moved to a junk mail folder. Depending on how often you get email from new addresses, you could simply create an inbox rule that moves any email from somebody that is not in your address book to junk.

 

[Ron]

The message my wife received from her own email address was put in junk automatically so they must be detectable. As it can detect that it clearly wasn't sent by her it shouldn't be a major step to block them. But maybe I'm being over simplistic.

 

[Ron]

Very interesting

I have checked the message source on:

(a) the spoof email (the one that has my wife as the sender but email not in her sent box)

(b) a genuine email from her to herself

(c) a genuine email from her to me

Extract from (a)
Spoof

Received: from mvltda00.amvltda00.a7.internal.cloudapp.net ([104.40.177.72]) by BAY004-MC4F53.hotmail.com with Microsoft SMTPSVC(7.5.7601.23143);
Fri, 23 Oct 2015 14:22:24 -0700
Received: by mvltda00.amvltda00.a7.internal.cloudapp.net (Postfix, from userid 33)
id 132792147F; Fri, 23 Oct 2015 21:22:23 +0000 (UTC)

Whereas on (b) and (c) the "Received from" shows DUB004-OMCxxxxxxxxxxxxxxxxxx on both and both state "over TLS secured channel with Microsoft SMTPSVC(7.5.7601.xxxxx

Therefore it should be simple enough to check that any emails to self:
(i) starts with the correct Received from or
(ii) the words "over TLS secured channel with Microsoft SMTPSVC(7.5.7601.xxxxx" are present
and, if not, block it or better still (if possible) return as "Delivery failure"