On 7/15/19 10:20 AM, home user via users wrote:
> are almost certainly malicious and should not be responded to or
> forwarded, should not have links in them clicked or attachments to them
> downloaded, perhaps should be reported to appropriate authorities, and
> certainly should be deleted. Those are not the messages that trouble me
> most. It's other kinds of messages. The message that I started this
> thread because of came from someone I've known for decades, but the
> "From" was an address I had not seen before. But recent events have the
> sender (and two other people) in a vulnerable position. I had to be
> careful.
If you're not sure and it's important, then try contacting them to
verify it. Use an alternate method if possible.
> I've heard that if a malicious person/group
> - can access someone's address book
> AND
> - has the tools to do spoofing,
> then he/they can spoof the e-mail addresses of everyone in the address
> book *without* knowing the password of anyone in that address book. I
This is trivial to do and there is malware out there doing it.
> think this happened to me a few years ago. I lost friends as a result
> of this event. Changing passwords made no difference. I had to delete
Right, because the senders aren't actually using your email account,
just sending emails that appear to be from your email address.
> all my e-mail accounts, create new ones, and do a lot of contact
> information changing. 2-3 years after that, a friend got a message (an
Are you going to change your email accounts every time some spammer
starts using the address? My email address has been used by virii and
spam for at least 15 years. It was funny because when this started to
be a thing, I got a few emails from people telling me to stop sending
them a virus.
> I realize there is no perfect solution or 100% safety. But for the
> benefit of others as well as myself, I'm following up on this. When I
> do as Tony and Tim suggest, what am I looking for that would be a red
> flag that the message is (probably) bad, or would be a green flag that
> the message is (probably) genuine and safe?
The content is usually the first easy clue. If you're not sure, then
you could just phone them to check. Otherwise, check the headers,
since it's extremely difficult, if not impossible to fully spoof those
because you can't control the receiving email server.
For example from this email I'm replying to:
From: home user via users <users@xxxxxxxxxxxxxxxxxxxxxxx>
Cc: home user <mattison.computer@xxxxxxxxx>
Because of Yahoo's email policies, the mailing list has to mask your
From address, but I can still see it in the CC. In most cases, this
won't be an issue anyway. So the sender is claiming to be a Yahoo email
user.
Message-ID: <607fc195-8ffc-539a-2374-9a55d86df96e@xxxxxxxxx>
Could be spoofed, but not likely. Most spammers and phishers don't try
very hard, they're just looking for easy targets. Good indication that
it did come from Yahoo.
Received: from bastion.fedoraproject.org (bastion01.fedoraproject.org
[209.132.181.2])
by gw.sieb.net (Postfix) with ESMTPS id E07299011D5
for <samuel@xxxxxxxx>; Mon, 15 Jul 2019 10:22:12 -0700 (PDT)
Received: from mailman01.phx2.fedoraproject.org
(mailman01.phx2.fedoraproject.org [10.5.126.36])
by bastion01.phx2.fedoraproject.org (Postfix) with ESMTP id 3FD5C636AE3F;
Mon, 15 Jul 2019 17:21:35 +0000 (UTC)
Received: from mailman01.phx2.fedoraproject.org (localhost [IPv6:::1])
by mailman01.phx2.fedoraproject.org (Postfix) with ESMTP id 02BB558230940;
Mon, 15 Jul 2019 17:21:35 +0000 (UTC)
Received: by mailman01.phx2.fedoraproject.org (Postfix, from userid 991)
id 02EF1582303F1; Mon, 15 Jul 2019 17:20:47 +0000 (UTC)
Received: from smtp-mm-osuosl01.fedoraproject.org
(smtp-mm-osuosl01.vpn.fedoraproject.org [192.168.1.23])
by mailman01.phx2.fedoraproject.org (Postfix) with ESMTP id 759D8582303F1
for <users@xxxxxxxxxxxxxxxxxxxxxxx>; Mon, 15 Jul 2019 17:20:47 +0000 (UTC)
Received: from sonic303-24.consmr.mail.gq1.yahoo.com
(sonic303-24.consmr.mail.gq1.yahoo.com [98.137.64.205])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
Received: from sonic.gate.mail.ne1.yahoo.com by
sonic303.consmr.mail.gq1.yahoo.com with HTTP; Mon, 15 Jul 2019 17:20:45
+0000
Received: by smtp410.mail.gq1.yahoo.com (Oath Hermes SMTP Server) with
ESMTPA ID 8e0e804dc1d033d6f53cc5944fce1b89;
Mon, 15 Jul 2019 17:20:43 +0000 (UTC)
This is the path that the mail took, the top line is the most recent.
The only ones that could be spoofed are at the bottom. Follow the trail
from the top and check that the times are reasonable. (Of course
someone's clock might be off.) My email server got it straight from the
Fedora mailman server. Before that it bounced around in the Fedora
infrastructure a few times, but eventually you see that they got it from
a Yahoo server. The Yahoo server doesn't say where it got it from, so
maybe it was webmail or else they hide the client IP address for
"security" reasons.
Here's an example from a phishing email that could be scary if you
don't know or if you have been doing what it claims you've been doing.
I can't copy and paste the content of the email because it's only an
image of text. That's of course a huge red flag that it's fake. The
message is that they've hacked my email account and my computer and have
been watching me use adult content sites. The From and To on my screen
show my full name and email address, scary! However, look a little
deeper. The reason my full name is showing is because my email client
got that from my contact info. (This actually had me wondering for
quite a while until I figured it out.) Check the headers.
From: <samuel@xxxxxxxx>
To: samuel@xxxxxxxx
Ok, but
Return-Path: <silviacarames@xxxxxxxxxxxxxxxxxxxxxxx>
They didn't even try very hard to hide their tracks.
Received: from ar78bis.xvserver.com (ar78bis.xvserver.com [200.85.158.117])
by gw.sieb.net (Postfix) with ESMTPS id 3A6479010E0
for <samuel@xxxxxxxx>; Sun, 31 Mar 2019 07:23:51 -0700 (PDT)
Received: from ([127.0.0.1]) with MailEnable ESMTPA; Sun, 31 Mar 2019
11:13:40 -0300
Message-ID:
<eou22i5u3ocnnd9qobvof9ltn.k5ef8nuy67.98155992898442.t7exji5xlo.w3zrnhyz@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
It came from some windows computer, maybe hacked, maybe not.
Spamassassin assassinated this one because it was so clearly spam, but
that's the idea of how to verify email.
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
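The header walk Samuel describes (follow the Received chain from the top, check that the timestamps are reasonable, compare From with Return-Path) as an added Python example; this is not code from the thread, and the raw message below is a constructed sample modelled on the phishing headers he quotes, with placeholder hostnames and addresses.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample modelled on the phishing headers quoted in the mail;
# hostnames, IPs and addresses are placeholders, not real indicators.
RAW = """Return-Path: <someone@spammer.example>
Received: from relay.example.net (relay.example.net [203.0.113.5])
\tby mail.example.org (Postfix) with ESMTPS id ABC123
\tfor <me@example.org>; Sun, 31 Mar 2019 07:23:51 -0700 (PDT)
Received: from ([127.0.0.1]) with MailEnable ESMTPA; Sun, 31 Mar 2019
\t11:13:40 -0300
From: <me@example.org>
To: me@example.org
"""

def received_chain(msg):
    """Hops in header order (top = most recent) as (from_host, by_host, time)."""
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())            # unfold the header
        clause, _, stamp = text.rpartition(";") if ";" in text else (text, "", "")
        frm = re.search(r"\bfrom\s+(\S+)", clause)
        by = re.search(r"\bby\s+(\S+)", clause)
        try:
            when = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            when = None                           # missing or unparsable date
        if when is not None and when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        hops.append((frm.group(1) if frm else "?", by.group(1) if by else "?", when))
    return hops

def check_message(raw):
    """Return (hops, findings); findings are the red flags discussed in the thread."""
    msg = message_from_string(raw)
    hops = received_chain(msg)
    findings = []
    # Walking down the chain, each earlier hop should be stamped no later than
    # the hop above it (someone's clock might be off, so treat this as a hint).
    for (_, by_up, t_up), (_, by_dn, t_dn) in zip(hops, hops[1:]):
        if t_up and t_dn and t_dn > t_up:
            findings.append(f"clock skew: {by_dn} stamped later than {by_up}")
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"From domain {from_dom} != Return-Path domain {rp_dom}")
    return hops, findings
```

The last hop in the returned list is the origin, which in the sample is the same bare `([127.0.0.1])` with no `by` host that the phishing message above showed.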