Menu
Reply
Highlighted
  • 79
  • 0
  • 10
RobertIain
On our wavelength
223 Views
Message 1 of 2
Flag for a moderator

Tech advice sought on a scam attempt

Well this one was cleverer than usual....

Again a scam email, the usual 'claim to have video of me by hacking my webcam' and demanding bitcoin payment, had a few in the past and as it's a well known scam (and as I don't have a webcam!), they are annoying but not particularly worrying. Bitdefender, my security program, also picked it up as a spam message, hence the 'spam' comments in the header below. However this one is a little cleverer than usual.

Normally looking into the email header details gives away the source of the thing, even when they spoof your own address there is usually another email address in the header details that reveals where the message really came from, but this one was a bit smarter - I've replaced my genuine email address in the following copy of the message header, but consistently every time any email address was in there, it was indeed mine.

The 'giveaway' I found is the source ip address - X-SourceIP: 84.241.5.29 - which is actually an Iranian ISP, rather than Virgin/NTL. Also the other ip addresses in there, 178.125.39.243, is registered as being in Belarus, while 212.54.57.77 is Dutch.

I'm confident it's just a slightly smarter than usual scam attempt, but I'd be interested if someone can explain how they managed to get around the usual 'giveaway' of an actual source address being somewhere in the message header.

 


Return-Path: <my genuine email address at NTLWorld>
Delivered-To: my genuine email address at NTLWorld
Received: from md6.tb.ukmail.iss.local ([212.54.57.77])
by mc28.tb.ukmail.iss.local with LMTP id oIM6AebIP179TwAAmrifVg
for <my genuine email address at NTLWorld>; Sun, 09 Feb 2020 09:55:02 +0100
Received: from smtpclienthelo ([212.54.57.77])
by md6.tb.ukmail.iss.local with LMTP
id MHQPAebIP176AwAACKiK/Q
(envelope-from <my genuine email address at NTLWorld>)
for <my genuine email address at NTLWorld>; Sun, 09 Feb 2020 09:55:02 +0100
Authentication-Results: ukmail.iss.as9143.net;
spf=softfail (84.241.5.29;ntlworld.com);
dkim=none (nosigs);
dmarc=fail header.from=ntlworld.com (p=quarantine sp=quarantine dis=quarantine);
X-Spam-Reason: DMARC=quarantine
X-Spam: yes
X-Env-Mailfrom: my genuine email address at NTLWorld
X-Env-Rcptto: my genuine email address at NTLWorld
X-SourceIP: 84.241.5.29
X-Spam: yes
X-CNFS-Analysis: v=2.3 cv=ANXq8l50 c=1 sm=1 tr=0 cx=a_idp_d
p=7bK88nwzZ-dAGoCTraQA:9 p=sZ_BqhHe6SuXNCRT:21 p=J7WBOHCnQ8st5cdO:21
p=Oujc0_JYyFgA:10 a=xe5USHS8zUWXslYe1HLydw==:117
a=xe5USHS8zUWXslYe1HLydw==:17 a=IkcTkHD0fZMA:10 a=l697ptgUJYAA:10
a=a191-REoAAAA:8 a=GgNFeKMAAAAA:8 a=OmWwnWiVAAAA:8 a=QEXdDO2ut3YA:10
a=xlf3_Ge4gGaUCHawBV0d:22 a=tDhpugfKBat1P71jeA9G:22 a=Yg3Yybzy-0VEz4UerR1M:22
X-Spam-Reason: CMAE_SCORE=100.00
Received: from [84.241.5.29] ([84.241.5.29])
by mx10.tb.ukmail.iss.as9143.net with ESMTP
id 0iHqjM9A9wSOn0iHqjdO2o; Sun, 09 Feb 2020 09:49:57 +0100
Received: from binhetc ([178.125.39.243]) by 50404.com with MailEnable ESMTP; Sun, 9 Feb 2020 12:19:57 +0330
Received: (qmail 53123 invoked by uid 531); 9 Feb 2020 12:19:55 +0330
From: <my genuine email address at NTLWorld>
To: my genuine email address at NTLWorld
Subject: <SPAM> <SPAM> Video of you -
Date: Sun, 9 Feb 2020 12:19:57 +0330
Message-ID: <531230.531230@50404.com>
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8;
X-CMAE-Envelope: MS4wfHVhGzzZKJrEu1OlntvwWIqfD8b6qlZJBqbCsgOONqxfPkMBVbyZ4DPNrske3BHQ15EDRIpfNNEEA8MC1Wbw5yqeP0ZFQRwzm+nvXEVDfvn0qNQlVyno
2EqVIb9PPW4OjuB6j9WwiwxKWAAu18r8dbK8mzGGMwron1KdGTi9DL+ucx7IENfu0sBcRWcpGWxwVmoekX67hwjMz127uZrfTm8=

0 Kudos
Reply
Highlighted
  • 791
  • 124
  • 396
Very Insightful Person
Very Insightful Person
174 Views
Message 2 of 2
Flag for a moderator
Helpful Answer

Re: Tech advice sought on a scam attempt

When the original email protocols were drafted, it was a much more innocent time and the idea of spamming or pretending that email came from a fake address simply wasn’t thought of. Because of that, there is little or no checking done by systems and just take the addresses as presented in the message on face value. It would be almost impossible to add any fool-proof verification system in now without breaking all the existing email infrastructure.

In a typical email transaction between systems, the supposed sender and recipient addresses actually can appear many times, in the initial SMTP handshaking and session setup as well as in the DATA portion, the actual message itself - well the headers really. It’s not at all difficultly to change or spoof all of these addresses, it’s just that most spammers don’t bother and often only change the few that are displayed in email clients.

What you have is a case of a spammer taking a bit more care to change all of them - the IP addresses are the big giveaway though as you have found.