Receiving scam emails... from my own address

Member
vthoky posted:
I've gotten a couple of the "we saw what you surf and we tapped your webcam" emails recently. It's a well-known scam ("send us some bitcoin and we'll make it go away, otherwise we email it to all your contacts"). I haven't done the things they claim and I don't have a webcam, but the thing that bugs me is that the messages come from my own address. I've changed my email password a couple of times very recently, and this still comes through.

How does this happen? And of course, how do I defeat it? Confused




God bless America.
 
Posts: 13512 | Location: The mountainous part of Hokie Nation! | Registered: July 15, 2007

Member
p08 posted:
You don't have dual personalities do you? No expert, but would guess someone simply harvested your email and sent out the spam.


-------------------------------------
Always the pall bearer, never the corpse.
 
Posts: 700 | Location: Illinois | Registered: December 03, 2002

Peace through
superior firepower
parabellum posted:
Delete it and ignore any more such emails.
 
Posts: 107657 | Registered: January 20, 2000

For real?
Chowser posted:
Yep, delete and ignore.

I'm also constantly getting texts that my cellphone bill is paid and here's a reward. Block and delete those too.



Not minority enough!
 
Posts: 8024 | Location: Cleveland, OH | Registered: August 09, 2007

Tinker Sailor Soldier Pie
Balzé Halzé posted:
quote:
Originally posted by vthoky:

How does this happen? And of course, how do I defeat it? Confused


It's not your email address. They simply name their email address the same as yours to make it look like yours. Get the actual DETAILS of the address and you'll see what the real email address is.


~Alan

Acta Non Verba
NRA Life Member (Patron)
God, Family, Guns, Country

Men will fight and die to protect women... because women protect everything else. ~Andrew Klavan

"Once there was only dark. If you ask me, light is winning." ~Rust Cohle
 
Posts: 30415 | Location: Elv. 7,000 feet, Utah | Registered: October 29, 2012

Member
vthoky posted:
quote:
Originally posted by Balzé Halzé:
It's not your email address. They simply name their email address the same as yours to make it look like yours. Get the actual DETAILS of the address and you'll see what the real email address is.


That's what I want to learn next -- how do I figure out these details?




God bless America.
 
Posts: 13512 | Location: The mountainous part of Hokie Nation! | Registered: July 15, 2007

Truth Seeker
StorminNormin posted:
I get these all the time. Delete and ignore as stated. I actually got two yesterday. I love watching some of the YouTube videos of “good guy hackers” calling up the Amazon and eBay scammers and totally screwing with them by capturing all their info and deleting their files.




NRA Benefactor Life Member
 
Posts: 8668 | Location: The Lone Star State | Registered: July 07, 2008

Optimistic Cynic
architect posted:
quote:
Originally posted by vthoky:
That's what I want to learn next -- how do I figure out these details?

The exact steps depend on your email client; in Thunderbird you would do View -> Message Source and then examine the headers of the message (the lines of text before the message content begins). Even then you are seeing only what the sender offers; the reality of their identity is not guaranteed.

Everything about how e-mail works is available at no cost on the 'net, but it is a deep and convoluted rabbit hole, and one must be very motivated to reach a high level of understanding.

Spoofing the From: address is a common attempt to bypass various anti-spam and other filters. This is as old as e-mail and means nothing WRT any "compromise" of your system. In fact, scammers will use this as "evidence" of a "security breach," it is not, and means nothing.
 
Posts: 6494 | Location: NoVA | Registered: July 22, 2009

Nullus Anxietas
ensigmatic posted:
quote:
Originally posted by vthoky:
... but the thing that bugs me is that the messages come from my own address. I've changed my email password a couple of times very recently, and this still comes through.

That's because it's not really coming from your email address. They're just spoofing the "From:" address in the email headers.

I could easily send you or anybody else email appearing to come from you or anybody else, anytime I liked. It's not unlike caller ID spoofing.

Unlike CID-spoofing: If you could examine full headers you could easily see from where it's really coming.

quote:
Originally posted by vthoky:
And of course, how do I defeat it? Confused

By ignoring it.



"America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
 
Posts: 26009 | Location: S.E. Michigan | Registered: January 06, 2008

Member
vthoky posted:
quote:
Originally posted by architect:
in Thunderbird you would do View -> Message Source and then examine the headers of the message (the lines of text before the message content begins). Even then you are seeing only what the sender offers, the reality of their identity is not guaranteed.


This might be my rabbit hole for the afternoon....
The header starts with "Received: from 10.215.181.125" A quick search brings me a map image showing some location in Italy.

Maybe I'm doing this wrong.
Or maybe I'm wasting my time....


- - - - -
Edit: removed image.

This message has been edited. Last edited by: vthoky,




God bless America.
 
Posts: 13512 | Location: The mountainous part of Hokie Nation! | Registered: July 15, 2007

Nullus Anxietas
ensigmatic posted:
quote:
Originally posted by vthoky:
This might be my rabbit hole for the afternoon....
The header starts with "Received: from 10.215.181.125"

That's somebody's own private network. 10.215.181.125 is an RFC1918 IP address. RFC1918 specifies the IP addresses reserved for local area networks. RFC1918 addresses are not routable on the Internet. They are

10.0.0.0/8 (10.0.0.0 - 10.255.255.255)
172.16.0.0/12 (172.16.0.0 – 172.31.255.255)
192.168.0.0/16 (192.168.0.0 – 192.168.255.255)

quote:
Originally posted by vthoky:
Maybe I'm doing this wrong.
Or maybe I'm wasting my time....

Well, you are doing it wrong, but you're not necessarily wasting your time Smile

The Received: headers are in reverse-chronological order, with the most recent hand-off at the top. To find out from where it really came you find the first Received: header, starting at the top, that was stamped by your email system.

So, if your email is via gmail, you want to look at the first Received: header Google added.

You may see things like:

Received: from google by google
Received: from blurfl by google <--- this is the one of interest
Received: from blurfl by blurfl
Received: from random.ip.add.ress by blurfl

The difficulty of average end-users determining where email really originated is one reason I keep pushing people to use tagged (aka: "plussed") email addresses whenever they can.

E.g.: If you use a tagged address with PayPal, and you receive an email that claims to be from PayPal that wasn't sent to the tagged email address you gave PayPal, you can be pretty darn sure it didn't really come from PayPal.



"America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
 
Posts: 26009 | Location: S.E. Michigan | Registered: January 06, 2008
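
Added example, not part of any post in the thread: a Python sketch of the header walk described in the post above, which reads the Received: lines newest-first, stops at the first one not stamped by your own provider, and checks addresses against the RFC1918 ranges. The message, the hostnames and the provider domain `mail.example.net` are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# The three RFC1918 ranges listed in the post above.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")  # IPv4 only, for brevity

# Constructed sample, not a message from the thread. Hostnames are reserved
# example domains; 203.0.113.7 is a documentation-only address.
SAMPLE = """\
Received: from mx2.mail.example.net ([10.215.181.125])
 by store1.mail.example.net with ESMTP; Tue, 02 Jan 2024 10:00:05 +0000
Received: from relay.bulk.example.org (unknown [203.0.113.7])
 by mx2.mail.example.net with ESMTP; Tue, 02 Jan 2024 10:00:03 +0000
Received: from [192.168.1.50] (helo=laptop)
 by relay.bulk.example.org with SMTP; Tue, 02 Jan 2024 09:59:58 +0000
From: me@mail.example.net
To: me@mail.example.net
Subject: constructed sample

body
"""


def is_rfc1918(ip_text):
    """True if the address is in a private range, so it locates nothing."""
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in RFC1918)


def handoff_hop(raw_message, provider_domain):
    """Walk Received: headers newest-first and return the last one stamped
    by the recipient's provider: the point where outside mail came in."""
    boundary = None
    for value in message_from_string(raw_message).get_all("Received", []):
        by = BY_RE.search(value)
        host = by.group(1).lower() if by else ""
        if host != provider_domain and not host.endswith("." + provider_domain):
            break  # everything from here down was written by the sending side
        ip = IPV4_RE.search(value)
        boundary = {"by": host, "ip": ip.group(1) if ip else None}
    return boundary


if __name__ == "__main__":
    hop = handoff_hop(SAMPLE, "mail.example.net")
    print(hop, "private" if is_rfc1918(hop["ip"]) else "public")
```

A forged Received: line that names your provider as the `by` host can sit directly below the real hand-off, so compare the result against the hostnames your provider actually uses.
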
Just because you can,
doesn't mean you should
posted:
I've received scam calls that appear to be from my own number.
They seem to have technical skills I don't have but they're still just scammers.


___________________________
Avoid buying ChiCom/CCP products whenever possible.
 
Posts: 9528 | Location: NE GA | Registered: August 22, 2002

Member
vthoky posted:
quote:
Originally posted by ensigmatic:

The difficulty of average end-users determining where email really originated is one reason I keep pushing people to use tagged (aka: "plussed") email addresses whenever they can.



Hmm... okay, more learning for me to do.... Cool




God bless America.
 
Posts: 13512 | Location: The mountainous part of Hokie Nation! | Registered: July 15, 2007

אַרְיֵה
V-Tail posted:
quote:
Originally posted by vthoky:
quote:
Originally posted by ensigmatic:

The difficulty of average end-users determining where email really originated is one reason I keep pushing people to use tagged (aka: "plussed") email addresses whenever they can.
Hmm... okay, more learning for me to do.... Cool

Not at all complicated.

Example: Your email address might be MyName@foo.com. The Acme company wants your email address, so you give them MyName+Acme@foo.com -- the "+Acme" part could be "+anything."

Having done this, if you ever receive email addressed as MyName+Acme@foo.com, and this mail comes from a source other than Acme, you can conclude that either Acme sold your email address, or Acme was hacked and your email address was picked up that way. Either way, you have learned something about Acme. Wink

Most, but not all, places will handle the tagged ("plussed") convention. USPS does not accept this, but UPS and FedEx do, so if I am tracking a package that I am expecting, say maybe some ammunition (fat chance!), the email address that I supply to UPS or FedEx for tracking this, might be VTail+ammunition@gmail.com, assuming that my "normal" email address is VTail@gmail.com.

This lets me glance at any tracking information that I receive from UPS or FedEx and know what it's about, rather than wonder which of the expected incoming shipments is the subject of this tracking email.

You could also use the filtering rules of your email client to sort incoming mail into appropriate folders, based on the tag. Very handy thing, many uses.



הרחפת שלי מלאה בצלופחים
 
Posts: 30704 | Location: Central Florida, Orlando area | Registered: January 03, 2010
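
Added example, not part of any post in the thread: a Python sketch of the tagged-address check described in the posts above, comparing the "+tag" a message was addressed to with the sender it claims to be from. The registry of tags, the sender domains and the three messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Hypothetical registry: the tag given to each company -> the domain it mails from.
REGISTRY = {"acme": "acme.example.com", "shop": "shop.example.org"}

# Constructed sample messages (headers only matter here).
MSG_OK = "From: billing@acme.example.com\nTo: MyName+Acme@example.net\n\nbody\n"
MSG_LEAK = "From: deals@bulk.example.org\nTo: MyName+Acme@example.net\n\nbody\n"
MSG_FORGED = "From: security@shop.example.org\nTo: MyName@example.net\n\nbody\n"


def split_tag(address):
    """'MyName+Acme@example.net' -> ('myname@example.net', 'acme'); tag None if absent."""
    local, _, domain = address.rpartition("@")
    base, plus, tag = local.partition("+")
    return f"{base}@{domain}".lower(), (tag.lower() if plus else None)


def check_delivery(raw_message, registry=REGISTRY):
    """Return findings where the recipient tag and the claimed sender disagree.

    An empty list proves nothing by itself: From: can be spoofed and a tag
    can be guessed. Only a mismatch is informative.
    """
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rcpts = getaddresses(msg.get_all("Delivered-To", []) + msg.get_all("To", []))
    tags = {split_tag(addr)[1] for _, addr in rcpts if addr} - {None}
    # Tags whose registered company matches the domain this message claims.
    claimed = {tag for tag, dom in registry.items()
               if from_domain == dom or from_domain.endswith("." + dom)}
    findings = []
    for tag in sorted((tags & set(registry)) - claimed):
        findings.append(("leaked", tag))        # someone else is using this tag
    for tag in sorted(claimed - tags):
        findings.append(("forged-claim", tag))  # claims the company, wrong address
    return findings


if __name__ == "__main__":
    for name, raw in (("ok", MSG_OK), ("leak", MSG_LEAK), ("forged", MSG_FORGED)):
        print(name, check_delivery(raw))
```
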
quarter MOA visionary
smschulz posted:
quote:
How does this happen? And of course, how do I defeat it?


As said before, the address is spoofed to appear as if it is from you.
Just like caller-id phone numbers.

You can't stop it.

Ignore it.

If you have a SPAM filtering service then it can be contained much more.
Unfortunately, you need to have your own domain to effectively filter.
I haven't found any SPAM service to work well on a single email address.
I know some or many ISPs have some filtering to some degree but not extremely effective.
YMMV
 
Posts: 22927 | Location: Houston, TX | Registered: June 11, 2006

Nullus Anxietas
ensigmatic posted:
quote:
Originally posted by V-Tail:
quote:
Originally posted by vthoky:
quote:
Originally posted by ensigmatic:
The difficulty of average end-users determining where email really originated is one reason I keep pushing people to use tagged (aka: "plussed") email addresses whenever they can.

Hmm... okay, more learning for me to do.... Cool

Not at all complicated.

Example: Your email address might be MyName@foo.com. The Acme company wants your email address, so you give them MyName+Acme@foo.com -- the "+Acme" part could be "+anything."

V-Tail: You should not use "foo.com" for examples. That's actually a valid domain name.

For all examples involving domain names, use one of:

  • example.com
  • example.org
  • example.net

Those are reserved by IANA (Internet Assigned Numbers Authority) for, tah dah!, example purposes Smile

quote:
Originally posted by V-Tail:
Most, but not all, places will handle the tagged ("plussed") convention.

Furthermore: Some mail server systems do not properly handle tagged email addresses. Gmail does. Apple (iCloud) email does. Last time I checked, Microsoft (Outlook, etc) did not. (That may have changed.) I don't think Exchange Server does?

vthoky: I'm going to send you an email to a tagged email address. I'll let you know if it bounces. You can let us know if you receive it.

ETA: Your email provider rejected it, so you can't use tagged email addresses. Given what I saw of the email headers you sent me, I am not surprised.



"America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
 
Posts: 26009 | Location: S.E. Michigan | Registered: January 06, 2008

Member
vthoky posted:
quote:
Originally posted by ensigmatic:
ETA: Your email provider rejected it, so you can't use tagged email addresses. Given what I saw of the email headers you sent me, I am not surprised.


Interesting! Thank you for giving that a shot, and for your previous email. I've got a LOT more learning to do. Big Grin

Thank you, too, V-Tail, for the explanation of tagged addresses.




God bless America.
 
Posts: 13512 | Location: The mountainous part of Hokie Nation! | Registered: July 15, 2007

member
henryaz posted:
quote:
Originally posted by ensigmatic:
The difficulty of average end-users determining where email really originated is one reason I keep pushing people to use tagged (aka: "plussed") email addresses whenever they can.

The "whenever they can" part is the reason I stopped using tagged email addresses. Almost all SMTP servers are fine with it, but I kept finding fill-in-your-email forms on web pages where the brain dead web developer has disallowed the "+" as an "invalid character", which of course it is not.



When in doubt, mumble
 
Posts: 10789 | Location: South Congress AZ | Registered: May 27, 2006

© SIGforum 2024