Again a scam email, the usual 'claim to have video of me by hacking my webcam' and demanding bitcoin payment, had a few in the past and as it's a well known scam (and as I don't have a webcam!), they are annoying but not particularly worrying. Bitdefender, my security program, also picked it up as a spam message, hence the 'spam' comments in the header below. However this one is a little cleverer than usual.
Normally looking into the email header details gives away the source of the thing, even when they spoof your own address there is usually another email address in the header details that reveals where the message really came from, but this one was a bit smarter - I've replaced my genuine email address in the following copy of the message header, but consistently every time any email address was in there, it was indeed mine.
The 'giveaway' I found is the source ip address - X-SourceIP: 184.108.40.206 - which is actually an Iranian ISP, rather than Virgin/NTL. Also the other ip addresses in there, 220.127.116.11, is registered as being in Belarus, while 18.104.22.168 is Dutch.
I'm confident it's just a slightly smarter than usual scam attempt, but I'd be interested if someone can explain how they managed to get around the usual 'giveaway' of an actual source address being somewhere in the message header.
Return-Path: <my genuine email address at NTLWorld> Delivered-To: my genuine email address at NTLWorld Received: from md6.tb.ukmail.iss.local ([22.214.171.124]) by mc28.tb.ukmail.iss.local with LMTP id oIM6AebIP179TwAAmrifVg for <my genuine email address at NTLWorld>; Sun, 09 Feb 2020 09:55:02 +0100 Received: from smtpclienthelo ([126.96.36.199]) by md6.tb.ukmail.iss.local with LMTP id MHQPAebIP176AwAACKiK/Q (envelope-from <my genuine email address at NTLWorld>) for <my genuine email address at NTLWorld>; Sun, 09 Feb 2020 09:55:02 +0100 Authentication-Results: ukmail.iss.as9143.net; spf=softfail (188.8.131.52;ntlworld.com); dkim=none (nosigs); dmarc=fail header.from=ntlworld.com (p=quarantine sp=quarantine dis=quarantine); X-Spam-Reason: DMARC=quarantine X-Spam: yes X-Env-Mailfrom: my genuine email address at NTLWorld X-Env-Rcptto: my genuine email address at NTLWorld X-SourceIP: 184.108.40.206 X-Spam: yes X-CNFS-Analysis: v=2.3 cv=ANXq8l50 c=1 sm=1 tr=0 cx=a_idp_d p=7bK88nwzZ-dAGoCTraQA:9 p=sZ_BqhHe6SuXNCRT:21 p=J7WBOHCnQ8st5cdO:21 p=Oujc0_JYyFgA:10 a=xe5USHS8zUWXslYe1HLydw==:117 a=xe5USHS8zUWXslYe1HLydw==:17 a=IkcTkHD0fZMA:10 a=l697ptgUJYAA:10 a=a191-REoAAAA:8 a=GgNFeKMAAAAA:8 a=OmWwnWiVAAAA:8 a=QEXdDO2ut3YA:10 a=xlf3_Ge4gGaUCHawBV0d:22 a=tDhpugfKBat1P71jeA9G:22 a=Yg3Yybzy-0VEz4UerR1M:22 X-Spam-Reason: CMAE_SCORE=100.00 Received: from [220.127.116.11] ([18.104.22.168]) by mx10.tb.ukmail.iss.as9143.net with ESMTP id 0iHqjM9A9wSOn0iHqjdO2o; Sun, 09 Feb 2020 09:49:57 +0100 Received: from binhetc ([22.214.171.124]) by 50404.com with MailEnable ESMTP; Sun, 9 Feb 2020 12:19:57 +0330 Received: (qmail 53123 invoked by uid 531); 9 Feb 2020 12:19:55 +0330 From: <my genuine email address at NTLWorld> To: my genuine email address at NTLWorld Subject: <SPAM> <SPAM> Video of you - Date: Sun, 9 Feb 2020 12:19:57 +0330 Message-ID: <firstname.lastname@example.org> Mime-Version: 1.0 Content-type: text/plain; charset=utf-8; X-CMAE-Envelope: MS4wfHVhGzzZKJrEu1OlntvwWIqfD8b6qlZJBqbCsgOONqxfPkMBVbyZ4DPNrske3BHQ15EDRIpfNNEEA8MC1Wbw5yqeP0ZFQRwzm+nvXEVDfvn0qNQlVyno 2EqVIb9PPW4OjuB6j9WwiwxKWAAu18r8dbK8mzGGMwron1KdGTi9DL+ucx7IENfu0sBcRWcpGWxwVmoekX67hwjMz127uZrfTm8=
When the original email protocols were drafted, it was a much more innocent time and the idea of spamming or pretending that email came from a fake address simply wasn’t thought of. Because of that, there is little or no checking done by systems and just take the addresses as presented in the message on face value. It would be almost impossible to add any fool-proof verification system in now without breaking all the existing email infrastructure.
In a typical email transaction between systems, the supposed sender and recipient addresses actually can appear many times, in the initial SMTP handshaking and session setup as well as in the DATA portion, the actual message itself - well the headers really. It’s not at all difficultly to change or spoof all of these addresses, it’s just that most spammers don’t bother and often only change the few that are displayed in email clients.
What you have is a case of a spammer taking a bit more care to change all of them - the IP addresses are the big giveaway though as you have found.