Re: quick (I hope) e-mail security question. [SOLVED]

On 7/15/19 10:20 AM, home user via users wrote:
> are almost certainly malicious and should not be responded to or forwarded, should not have links in them clicked or attachments to them downloaded, perhaps should be reported to appropriate authorities, and certainly should be deleted.  Those are not the messages that trouble me most.  It's other kinds of messages.  The message that I started this thread because of came from someone I've known for decades, but the "From" was an address I had not seen before.  But recent events have the sender (and two other people) in a vulnerable position.  I had to be careful.

If you're not sure and it's important, then try contacting them to verify it. Use an alternate method if possible.

> I've heard that if a malicious person/group
> - can access someone's address book
> AND
> - has the tools to do spoofing,
> then he/they can spoof the e-mail addresses of everyone in the address book *without* knowing the password of anyone in that address book.  I

This is trivial to do and there is malware out there doing it.

> think this happened to me a few years ago.  I lost friends as a result of this event.  Changing passwords made no difference.  I had to delete

Right, because the senders aren't actually using your email account, just sending emails that appear to be from your email address.

> all my e-mail accounts, create new ones, and do a lot of contact information changing.  2-3 years after that, a friend got a message (an

Are you going to change your email accounts every time some spammer starts using the address? My email address has been used by virii and spam for at least 15 years. It was funny because when this started to be a thing, I got a few emails from people telling me to stop sending them a virus.

> I realize there is no perfect solution or 100% safety.  But for the benefit of others as well as myself, I'm following up on this.  When I do as Tony and Tim suggest, what am I looking for that would be a red flag that the message is (probably) bad, or would be a green flag that the message is (probably) genuine and safe?

The content is usually the first easy clue. If you're not sure, then you could just phone them to check. Otherwise, check the headers, since it's extremely difficult, if not impossible, to fully spoof those, because you can't control the receiving email server.

For example from this email I'm replying to:
From: home user via users <users@xxxxxxxxxxxxxxxxxxxxxxx>
Cc: home user <mattison.computer@xxxxxxxxx>

Because of Yahoo's email policies, the mailing list has to mask your From address, but I can still see it in the CC. In most cases, this won't be an issue anyway. So the sender is claiming to be a Yahoo email user.

Message-ID: <607fc195-8ffc-539a-2374-9a55d86df96e@xxxxxxxxx>

Could be spoofed, but not likely. Most spammers and phishers don't try very hard, they're just looking for easy targets. Good indication that it did come from Yahoo.

Received: from bastion.fedoraproject.org (bastion01.fedoraproject.org [209.132.181.2])
	by gw.sieb.net (Postfix) with ESMTPS id E07299011D5
	for <samuel@xxxxxxxx>; Mon, 15 Jul 2019 10:22:12 -0700 (PDT)
Received: from mailman01.phx2.fedoraproject.org (mailman01.phx2.fedoraproject.org [10.5.126.36])
	by bastion01.phx2.fedoraproject.org (Postfix) with ESMTP id 3FD5C636AE3F;
	Mon, 15 Jul 2019 17:21:35 +0000 (UTC)
Received: from mailman01.phx2.fedoraproject.org (localhost [IPv6:::1])
	by mailman01.phx2.fedoraproject.org (Postfix) with ESMTP id 02BB558230940;
	Mon, 15 Jul 2019 17:21:35 +0000 (UTC)
Received: by mailman01.phx2.fedoraproject.org (Postfix, from userid 991)
	id 02EF1582303F1; Mon, 15 Jul 2019 17:20:47 +0000 (UTC)
Received: from smtp-mm-osuosl01.fedoraproject.org (smtp-mm-osuosl01.vpn.fedoraproject.org [192.168.1.23])
	by mailman01.phx2.fedoraproject.org (Postfix) with ESMTP id 759D8582303F1
	for <users@xxxxxxxxxxxxxxxxxxxxxxx>; Mon, 15 Jul 2019 17:20:47 +0000 (UTC)
Received: from sonic303-24.consmr.mail.gq1.yahoo.com (sonic303-24.consmr.mail.gq1.yahoo.com [98.137.64.205])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
Received: from sonic.gate.mail.ne1.yahoo.com by sonic303.consmr.mail.gq1.yahoo.com with HTTP; Mon, 15 Jul 2019 17:20:45 +0000
Received: by smtp410.mail.gq1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 8e0e804dc1d033d6f53cc5944fce1b89;
          Mon, 15 Jul 2019 17:20:43 +0000 (UTC)

This is the path that the mail took, the top line is the most recent. The only ones that could be spoofed are at the bottom. Follow the trail from the top and check that the times are reasonable. (Of course someone's clock might be off.) My email server got it straight from the Fedora mailman server. Before that it bounced around in the Fedora infrastructure a few times, but eventually you see that they got it from a Yahoo server. The Yahoo server doesn't say where it got it from, so maybe it was webmail or else they hide the client IP address for "security" reasons.


Here's an example from a phishing email that could be scary if you don't know or if you have been doing what it claims you've been doing. I can't copy and paste the content of the email because it's only an image of text. That's of course a huge red flag that it's fake. The message is that they've hacked my email account and my computer and have been watching me use adult content sites. The From and To on my screen show my full name and email address, scary! However, look a little deeper. The reason my full name is showing is because my email client got that from my contact info. (This actually had me wondering for quite a while until I figured it out.) Check the headers.

From: <samuel@xxxxxxxx>
To: samuel@xxxxxxxx

Ok, but

Return-Path: <silviacarames@xxxxxxxxxxxxxxxxxxxxxxx>

They didn't even try very hard to hide their tracks.

Received: from ar78bis.xvserver.com (ar78bis.xvserver.com [200.85.158.117])
	by gw.sieb.net (Postfix) with ESMTPS id 3A6479010E0
	for <samuel@xxxxxxxx>; Sun, 31 Mar 2019 07:23:51 -0700 (PDT)
Received: from ([127.0.0.1]) with MailEnable ESMTPA; Sun, 31 Mar 2019 11:13:40 -0300
Message-ID: <eou22i5u3ocnnd9qobvof9ltn.k5ef8nuy67.98155992898442.t7exji5xlo.w3zrnhyz@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>

It came from some Windows computer, maybe hacked, maybe not. SpamAssassin assassinated this one because it was so clearly spam, but that's the idea of how to verify email.
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
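The header walk described above (follow the Received trail from the top, check that the times are reasonable, and trust only the hops your own server wrote), as an added Python example that is not part of the original post. The message, host names, IPs and queue ids are constructed placeholders modelled on the quoted chain, and `mx.example.net` stands in for your own receiving server.

```python
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the chain quoted in the post; host names, IPs
# and queue ids are placeholders, not the real headers.
RAW_MESSAGE = """\
Received: from bastion.example.org (bastion01.example.org [203.0.113.2])
\tby mx.example.net (Postfix) with ESMTPS id AAAA0001
\tfor <samuel@example.net>; Mon, 15 Jul 2019 10:22:12 -0700 (PDT)
Received: from mailman01.example.org (mailman01.example.org [10.5.126.36])
\tby bastion01.example.org (Postfix) with ESMTP id AAAA0002;
\tMon, 15 Jul 2019 17:21:35 +0000 (UTC)
Received: from sonic303-24.mail.example.com (sonic303-24.mail.example.com [198.51.100.5])
\tby mailman01.example.org (Postfix) with ESMTPS id AAAA0003
\tfor <users@example.org>; Mon, 15 Jul 2019 17:20:47 +0000 (UTC)
Received: by smtp410.mail.example.com (Webmail SMTP) with ESMTPA ID abc123;
\tMon, 15 Jul 2019 17:20:43 +0000 (UTC)
From: home user <home.user@example.com>
"""
# "from <helo> (<rdns> [<ip>]) ... by <host>"; the from-clause is optional (last hop).
HOP_RE = re.compile(r"(?:from\s+(?P<helo>\S+)(?:\s+\((?P<peer>[^)]*)\))?)?.*?\bby\s+(?P<by>[^\s;]+)")

def parse_hops(raw):
    """Received hops top-down (newest first) as dicts: helo, peer, by, time."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())                       # unfold the header
        m = HOP_RE.search(flat)
        when = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip()) if ";" in flat else None
        hops.append({"helo": m and m.group("helo"), "peer": m and m.group("peer"),
                     "by": m and m.group("by"), "time": when})
    return hops

def timeline_anomalies(hops, skew=timedelta(minutes=5)):
    """Indexes of hops stamped later than the hop above them (beyond clock skew)."""
    return [i + 1 for i in range(len(hops) - 1)
            if hops[i]["time"] and hops[i + 1]["time"]
            and hops[i + 1]["time"] > hops[i]["time"] + skew]

def trust_boundary(hops, trusted):
    """Walk down through hops written by our own servers ('by' in trusted). The
    first one that received from an outside peer records who really connected
    to us; every hop below it is only that peer's claim and may be forged."""
    for i, hop in enumerate(hops):
        if hop["by"] not in trusted:
            return None, hops[i:]        # top hop not ours: nothing is verified
        if hop["helo"] not in trusted:
            return hop, hops[i + 1:]
    return None, []
```

The peer name and IP in the boundary hop are what your own server observed; the hops it returns as claimed are exactly the ones the post calls "the only ones that could be spoofed".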