June 04, 2022, 12:23 PM
V-Tail
SPAM From University of Maryland (Baltimore County)
My spam folder is catching a couple hundred junk mail messages daily. Maybe half of these, or more, of the ones that are addressed to my business email account, are from the same sender:
hshel1@umbc.edu
It appears that either
- One of the folks at this fine institute of higher learning (University of Maryland, Baltimore County) is looking to pick up some money to help pay for that PhD, or
- some spammer has appropriated that email address to use as a "from" address on mass spam messages.
The spam covers a wide range of topics, things like confirmation needed for delivery of FedEx packages, confirmation like payments for a win in a lawsuit, etc.
Are any of y'all getting flooded with spam from hshel1@umbc.edu?
June 04, 2022, 01:18 PM
BurtonRW
Thank God, no. I get enough from UMBC’s Alumni Association.
Go Retrievers!
-Rob (UMBC Class of ‘01)
June 04, 2022, 01:22 PM
sigmonkey
You can report it to the University IT folks.
https://itsecurity.umbc.edu/report
June 05, 2022, 04:41 AM
RichardC
I was expecting hotplate recipes.
June 05, 2022, 08:07 AM
V-Tail
I'm not 100% positive that I know how to read an expanded email header, but if I'm reading it correctly, it looks like the spam is originating in Ukraine and the umbc.edu "sender's address" is spoofed.
Recipes will be posted later, for RichardC. I would send them directly, but there is no email address in his profile.
June 05, 2022, 08:42 AM
ensigmatic
quote:
Originally posted by V-Tail:
I'm not 100% positive that I know how to read an expanded email header, but if I'm reading it correctly, it looks like the spam is originating in Ukraine and the umbc.edu "sender's address" is spoofed.
What you're looking for, primarily, is "Received:" headers. They are in reverse-chronological order, with the topmost being the most recent.
Specifically: The "Received:" header that will tell the story, nine-times-out-of-ten, is the very first one your mail server adds. That's the one that tells you who delivered it to your mail server. The very first/oldest one that can be trusted, because it's the first/oldest one your mail server put there.
If that "Received:" header reads something like "from yadda-yadda-yadda (unknown[ip.add.re.ss])," rather than "from hostname.example.com (hostname.example.com[ip.add.re.ss])," that means the "yadda-yadda-yadda" identity is likely untrustworthy. Then you can maybe use whois to track down whence it actually came.
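
The header check described in the post above, as an added example that is not part of the original thread: it walks the "Received:" headers from the top, finds the oldest one written by your own mail server, and reports whether the connecting host's name was verified. The server names in MY_SERVERS, the Postfix-style header layout, and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Assumption: the names your own mail servers write after "by".
MY_SERVERS = {"mx1.example.org", "mailstore.example.org"}

# Constructed sample headers (documentation hosts and IPs, not from the thread).
SAMPLE = (
    "Received: from mx1.example.org (mx1.example.org [192.0.2.10])\n"
    "\tby mailstore.example.org (Postfix) with ESMTP id 4A1; Sat, 4 Jun 2022 12:00:05 -0400\n"
    "Received: from smtp.sender.example (unknown [203.0.113.45])\n"
    "\tby mx1.example.org (Postfix) with ESMTP id 9F2; Sat, 4 Jun 2022 12:00:03 -0400\n"
    "Received: from relay.sender.example (relay.sender.example [198.51.100.9])\n"
    "\tby smtp.sender.example with ESMTP id 77C; Sat, 4 Jun 2022 11:59:58 -0400\n"
    "From: someone@sender.example\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# Postfix-style hop: from <HELO name> (<reverse-DNS name or "unknown"> [<ip>]) by <server>
HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s*\[(?P<ip>[^\]]+)\]\)"
                 r"\s+by\s+(?P<by>\S+)")

def boundary_hop(raw):
    """Return the oldest Received header written by one of MY_SERVERS, or None."""
    found = None
    for value in message_from_string(raw).get_all("Received", []):  # most recent first
        m = HOP.search(value)
        if not m or m["by"].lower() not in MY_SERVERS:
            break                     # everything from here down is sender-supplied
        found = m.groupdict()
    return found

def assess(hop):
    """Describe the boundary hop: verified name, mismatched name, or unknown."""
    if hop is None:
        return "no Received header from a trusted server"
    if hop["rdns"].lower() == "unknown":
        return f"claimed name {hop['helo']} is unverified; look up {hop['ip']} with whois"
    if hop["rdns"].lower() != hop["helo"].lower():
        return f"claimed {hop['helo']}, but reverse DNS says {hop['rdns']} ({hop['ip']})"
    return f"delivered by {hop['rdns']} ({hop['ip']})"

if __name__ == "__main__":
    print(assess(boundary_hop(SAMPLE)))
```

A sender can also forge a header that names your server after "by", so when the answer matters, confirm the boundary hop against your mail server's own log.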