
I got a strange email and I just want to confirm my suspicions.

For background, I have my own email server which I set up using iRedMail on a VPS. I have an acquaintance who most likely has me on their address book, although I don't have them on mine.

I got a highly suspect email with "Urgent! <acquaintance's name>" as the subject, and a body that just said they need a favour. Looking at the headers of the email, I see that the Sender field is an unrelated university email address from another country, while the From field is my acquaintance's name and a different email address than the one I had communicated with them in the past.

My hypothesis is that their account got hacked, the hacker stole their address book and is sending a scam to all of their contacts.

My fear is that my own server got hacked, or something. My email setup did not complain about this email even though I have virus scanning, and I expect that the regular checks (DKIM, SPF etc.) were done.

Can anyone confirm my hypothesis?

  • *"... and I expect that the regular checks (DKIM, SPF etc.) were done ..."* - you just expect it, or did you actually check? Also, DKIM and SPF don't care about the From header, only DMARC does. And this requires you to have a DMARC policy yourself and to also check for DMARC in your mail server - neither is that widely implemented. – Steffen Ullrich Jun 30 '20 at 07:25
  • Thanks, I'll check. I now remember I probably set the DMARC policy to something very permissive to not miss any emails. Perhaps I should look at that again. – FrontierPsycho Jun 30 '20 at 07:39
  • A while back I got an email from my sister's (real) email account, like, *"Hey, …, how's it going, … and I are in Mexico...passports/tickets stolen; please send money"*. It was VERY convincing (except that I'd be the *last* person my sister called for money) ... Presumably, it keylogged her email password, because the "personalized" part was part of an actual email I sent to her a couple of years earlier. Similar emails were sent to several others she had recently contacted... Scammers/spammers are getting smarter. It's scary - but I'm also surprised it took so long. – ashleedawg Jun 30 '20 at 09:13

2 Answers


It is still easy to spoof mail, as explained for example here and here. Which means your question basically asks how the sender got the combination of sender and recipient address in the first place.

While you suspect that the spammer got this combination from a compromised client, and hopefully not from compromising your server, it is impossible for us to say just based on this information where the spammer got these addresses from. There is no kind of identifier in an address itself which provides this information, and all you have are these addresses. And apart from the possibilities you've mentioned, it might also be possible that the addresses were collected from public mailing lists or forums.

Steffen Ullrich

Just to add a bit more info, the onus of validating senders lies on the receiving side.

The standard is very simple (and very old) and there are no provisions to validate names or email addresses in the SMTP protocol itself. SPF and DKIM are optional features that have been tacked on to help control the rampant spam industry. SPF and DKIM are meant to be assessed on the receiving MTA to help decide whether an email should be let through.

In order to pass SPF and DKIM checks on the receiving MTA, the sender domain and MTA must match the previously established DNS entries. The Sender field is also tested for spoofing (this being the real SMTP sender identification) but it is not required to test the Subject or the From headers.

Pedro
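The practical check behind Steffen's comment and this answer is identifier alignment: SPF vouches for the envelope sender domain and DKIM for the signing domain (`d=`), and only DMARC ties either of them to the domain in the From header that the recipient actually sees. The script below is an added example, not code from either answer or from iRedMail; it reads the SPF and DKIM verdicts a receiving MTA writes into the RFC 8601 `Authentication-Results` header and applies the DMARC alignment rule to them. Every address and domain in it is a constructed placeholder, and its organizational-domain function is a deliberate simplification (last two labels) where a real verifier uses the Public Suffix List. On a live server the verdict should come from the DMARC filter the MTA already runs plus the From domain's published policy; the point here is to see why "SPF and DKIM passed" is not the same as "the From header is genuine".

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed samples; all names, addresses and domains are invented placeholders.
# SPOOFED_MESSAGE mirrors the question: Sender at an unrelated domain, From carrying
# the acquaintance's name with an address the recipient has never seen.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@university-example.edu>
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=university-example.edu;
 dkim=pass header.d=university-example.edu
Sender: someone@university-example.edu
From: "Acquaintance Name" <acquaintance@freemail-example.com>
To: me@example.net
Subject: Urgent! Acquaintance Name

I need a favour.
"""

LEGITIMATE_MESSAGE = """\
Return-Path: <acquaintance@freemail-example.com>
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=acquaintance@freemail-example.com;
 dkim=pass header.d=freemail-example.com
From: "Acquaintance Name" <acquaintance@freemail-example.com>
To: me@example.net
Subject: Catching up

Long time no see.
"""

# SPF/DKIM verdicts in an Authentication-Results header, each followed by the
# domain it applies to: smtp.mailfrom= (envelope sender) or header.d= (DKIM signer).
AR_SPF = re.compile(r"\bspf=(\w+)(?:[^;]*?\bsmtp\.mailfrom=([^\s;]+))?")
AR_DKIM = re.compile(r"\bdkim=(\w+)(?:[^;]*?\bheader\.d=([^\s;]+))?")


def header_domain(msg, name):
    """Domain of the address in a single-address header such as From or Sender."""
    value = msg.get(name)
    if value is None:
        return None
    _, addr = parseaddr(str(value))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def parse_auth_results(msg):
    """{'spf': (verdict, domain), 'dkim': (verdict, domain)}; ('none', None) if absent."""
    ar = " ".join(str(msg.get("Authentication-Results", "")).split())  # unfold
    out = {}
    for method, rx in (("spf", AR_SPF), ("dkim", AR_DKIM)):
        m = rx.search(ar)
        if not m:
            out[method] = ("none", None)
            continue
        dom = m.group(2)
        if dom:  # smtp.mailfrom may be a full address or a bare domain
            dom = dom.rsplit("@", 1)[-1].lower()
        out[method] = (m.group(1).lower(), dom)
    return out


def org_domain(domain):
    """Organizational domain approximated as the last two labels (assumption of this
    example; a real verifier uses the Public Suffix List and handles e.g. co.uk)."""
    return ".".join(domain.split(".")[-2:])


def aligned(auth_domain, from_domain, mode="r"):
    """DMARC alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if auth_domain is None or from_domain is None:
        return False
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(raw_message, aspf="r", adkim="r"):
    """DMARC rule: pass only if SPF or DKIM passed AND that identifier aligns with the
    From domain. A pass for some other domain says nothing about the From header."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = header_domain(msg, "From")
    results = parse_auth_results(msg)
    spf_verdict, spf_domain = results["spf"]
    dkim_verdict, dkim_domain = results["dkim"]
    spf_aligned = spf_verdict == "pass" and aligned(spf_domain, from_domain, aspf)
    dkim_aligned = dkim_verdict == "pass" and aligned(dkim_domain, from_domain, adkim)
    return {
        "from_domain": from_domain,
        "sender_domain": header_domain(msg, "Sender"),
        "spf": spf_verdict, "spf_domain": spf_domain, "spf_aligned": spf_aligned,
        "dkim": dkim_verdict, "dkim_domain": dkim_domain, "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, dmarc_evaluate(raw))
```

Run against the spoofed sample, both SPF and DKIM report `pass` (the university's server is entitled to send for its own domain and signs what it sends), yet the DMARC verdict is `fail` because neither identifier aligns with the From domain. That is the mismatch the asker can look for by hand in the `Authentication-Results` header of the received message; whether the server acts on it depends on the From domain publishing a DMARC policy and the MTA enforcing it.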