17

My dad got this scammy E-Mail today...
The strange thing was, the sender and recipient were the same address, but I'll get back to that.
Unfortunately, I can't show it to you, but it said something like this:
"As you can see, I wrote this E-Mail from *YOUR* address. I have hacked your Account. Please pay me 300$ in bitcoin to this address: (address here) ..."
You get the point.
Now... my dad was pretty worried about the Account actually beeing hacked. One of his coworkers also got the same E-Mail. I told him that it's easy to fake the 'From' Header of an E-Mail, at least with the mail command on Linux. So I ssh'd into one of my Servers and sent him an E-Mail from lol@lol.de. Obviously, he didn't expect it to be that easy. Now he believes me that this is a scam and will tell his coworkers tomorrow.

From what I read in that E-Mail there was no part about recipient specific stuff, so I guess someone just wrote one text and made a simple bash Script for that... as you can see, people really do fall for this shit.

Now one question: is there a way to track down the Servers the E-Mail went through? Or is there anything one can do, apart from ignoring it?

Comments
  • 1
    I think it would have some info of the sender in the header
  • 3
    Yup, the mail has headers with origin but it's most likely hijacked so don't dos it smth (tons and tons of insecured stuff available)... Just report it to the provider and maybe spamhaus or equivalent.
  • 2
    Well, it depends...
    Every server the mail passes writes a line to the message header. The Problem is: which of these lines can you trust to be authentic?
    When using a fake "From" address, nothing would stop me from also appending additional fake header lines, in order to support the senders' plausibility or make tracing difficult.
    You can likely trust the receiving server's notes, but everything before that server gets complicated. (And If you can't trust the server which ist receiving and storing your mails, you've got a whole class of more pressing problems than the Origin of a fake extortion Mail...)
  • 3
    And of course @karasube ist right, even If you find the origin IP for that mail, it will likely be a highjacked server
  • 1
    Worry about it when it contains the password.

    I’ve had 1 with that, instant change of password - luckily it was only used a couple of times, and disable of in/outbound mail for a while.
  • 3
    Being a former admin of a mail server, this kinda thing annoys me. SPF exists for a reason and is actually relatively simple to setup, I'd suggest your dad change email providers. :)
  • 1
    I had one of these that knew the simple password I've used for a bunch of non-sensitive sites.

    Should they be blocked by SPF/DKIM?
  • 3
    This is the same that has been going around for Month.

    SPF solves it.
  • 1
    The Received: headers can tell you the way that the email took, but they can be faked as well (the last hop is basically the only one you can trust, because you can easily verify it). Note: They're backwards.

    Still, except contacting abuse for these servers, you won't be able to do much. Probably sent by a botnet or a hijacked server.

    Good thing he asked you instead of paying.

    And one more point for widespread security awareness training. Do you mind if I use that incident as an example? I'd anonymize it of course...
  • 1
    @ilPinguino sure you can use it!

    Thank you all!
Add Comment