
I have been a victim of a fraud where my solicitor's email address was used to dupe me out of a house purchase deposit. How do I determine where the emails originated from? Did the crooks use emails from my inbox (Hotmail) that somehow got re-forwarded back to me, or did these emails originate from my solicitor's server?

The emails that I now know are fake show

SPF fail - dkim=pass (signature was verified) header.d=clinicaser.info  

In genuine emails, the dkim pass shows a different signature:

dkim=pass (signature was verified) header.d=mysolicitor  

(I have removed the actual name for privacy reasons.)

If I can prove the breach wasn't my end this may help me recoup some of the money I have lost. I just have no idea how I go about this. The banks/Action Fraud have done nothing to help me. My solicitors have said it must have been my end but could not provide any evidence when asked how they know this.

I have used a message header analyser; this just shows the emails came from my solicitor's email address, sent via a PHP mailer to my Hotmail: SPF fail / DKIM pass and DMARC none.

I have identified from the message source on both a fake and a genuine email that the X-MS-Exchange-CrossTenant-Id is the same; however, I am not sure what that proves, if anything.

  • I'm very confused about the situation here or what you want. All you need to do is to show Action Fraud or the police the fraudulent email and that you paid. You do not need to positively identify who sent it to you. – schroeder Mar 01 '21 at 13:42
  • "prove the breach wasn't my end" -- what does this mean? What do you need to prove and why? – schroeder Mar 01 '21 at 13:42
  • 2
    You probably want to get law enforcement involved. Either you or they can read the message headers from the bottom up, to find the mail server that the sender sent the message from. From there, law enforcement may be able to subpoena the operator of the mail server more more information leading to the actual sender. SPF=fail means that the sender used a mail server to send the message, which is not authorized for the domain that the message was sent from. DKIM=pass means that the sender had the private key for DKIM-signing messages sent from that domain. – mti2935 Mar 01 '21 at 13:43
  • From the few details you provide, it appears that the criminals breached the solicitor's emails and sent emails from a clinicaser.info server. But you need an expert to look over the details, not strangers on the internet. – schroeder Mar 01 '21 at 13:45

0 Answers
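The header triage described in the comments (read the Received chain bottom-up, then check what the SPF and DKIM verdicts actually cover) can be done mechanically. The following is an added example, not code from the question or the commenters; the two raw messages are constructed look-alikes of the fake and genuine emails described above, with placeholder domains (`mysolicitor.example`, `hotmail.example`, and the `clinicaser.info` signing domain quoted in the question) and placeholder IP addresses. It shows why "DKIM pass" on its own is not reassuring: the signature was made by `clinicaser.info`, not by the domain in the From: line, so under DMARC's identifier-alignment rule the message would fail even though the signature verified. The organizational-domain helper is a simplification (last two labels) rather than the Public Suffix List lookup real DMARC evaluators use.

```python
"""Triage SPF / DKIM / DMARC results recorded by the receiving server.
Added example; sample messages are constructed, domains and IPs are placeholders."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed look-alike of the fraudulent message: signed by a third-party
# domain, sent from a server the solicitor's SPF record does not authorize.
FAKE_RAW = """Received: from mx.hotmail.example (mx.hotmail.example [203.0.113.10])
 by inbox.hotmail.example with SMTP; Mon, 01 Mar 2021 10:00:02 +0000
Received: from web01.clinicaser.info (web01.clinicaser.info [198.51.100.7])
 by mx.hotmail.example with ESMTP; Mon, 01 Mar 2021 10:00:01 +0000
Authentication-Results: hotmail.example; spf=fail (sender IP is 198.51.100.7)
 smtp.mailfrom=mysolicitor.example; dkim=pass (signature was verified)
 header.d=clinicaser.info; dmarc=none action=none header.from=mysolicitor.example
From: Conveyancing <conveyancing@mysolicitor.example>
To: claire@hotmail.example
Subject: Updated bank details for completion
X-Mailer: PHPMailer 6.1

Please send the deposit to the new account below.
"""

# Constructed look-alike of a genuine message from the solicitor's own server.
GENUINE_RAW = """Received: from mx.hotmail.example (mx.hotmail.example [203.0.113.10])
 by inbox.hotmail.example with SMTP; Mon, 22 Feb 2021 09:00:02 +0000
Received: from mail.mysolicitor.example (mail.mysolicitor.example [192.0.2.25])
 by mx.hotmail.example with ESMTP; Mon, 22 Feb 2021 09:00:01 +0000
Authentication-Results: hotmail.example; spf=pass (sender IP is 192.0.2.25)
 smtp.mailfrom=mysolicitor.example; dkim=pass (signature was verified)
 header.d=mysolicitor.example; dmarc=none action=none header.from=mysolicitor.example
From: Conveyancing <conveyancing@mysolicitor.example>
To: claire@hotmail.example
Subject: Completion date confirmed

See attached.
"""


def _unfold(value):
    """Collapse header folding so one regex sees the whole value."""
    return re.sub(r"\s+", " ", str(value)).strip()


def org_domain(domain):
    """Organizational domain, approximated as the last two labels (assumption:
    real DMARC consults the Public Suffix List instead)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(identity_domain, from_domain):
    """DMARC relaxed alignment: the authenticated identity must share the
    organizational domain of the From: header."""
    return bool(identity_domain) and org_domain(identity_domain) == org_domain(from_domain)


def parse_auth_results(msg):
    """Extract the verdicts and identities from Authentication-Results."""
    ar = _unfold(msg.get("Authentication-Results", ""))
    r = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(r"\b%s=(\w+)" % method, ar)
        r[method] = m.group(1).lower() if m else "absent"
    m = re.search(r"header\.d=([\w.-]+)", ar)
    r["dkim_domain"] = m.group(1).lower() if m else None
    m = re.search(r"smtp\.mailfrom=(?:[\w.+-]+@)?([\w.-]+)", ar)
    r["spf_domain"] = m.group(1).lower() if m else None
    r["from_domain"] = parseaddr(str(msg.get("From", "")))[1].split("@")[-1].lower()
    return r


def received_chain(msg):
    """Hosts that handled the message, origin first. Each hop prepends its own
    Received: line, so reading bottom-up walks toward the sender; only the lines
    added by servers you trust are reliable, earlier ones can be forged."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = re.match(r"from\s+(\S+)", _unfold(value))
        hops.append(m.group(1) if m else "?")
    return hops


def assess(raw):
    """Summarize what the receiving server's verdicts do and do not prove."""
    msg = email.message_from_string(raw, policy=policy.default)
    r = parse_auth_results(msg)
    r["hops"] = received_chain(msg)
    r["origin_host"] = r["hops"][0]
    r["dkim_aligned"] = r["dkim"] == "pass" and aligned(r["dkim_domain"], r["from_domain"])
    r["spf_aligned"] = r["spf"] == "pass" and aligned(r["spf_domain"], r["from_domain"])
    # DMARC passes only if at least one aligned identity authenticated.
    r["dmarc_would_pass"] = r["dkim_aligned"] or r["spf_aligned"]
    return r


if __name__ == "__main__":
    for label, raw in (("fake", FAKE_RAW), ("genuine", GENUINE_RAW)):
        print(label, assess(raw))
```

On the constructed fake message the script reports `spf=fail`, `dkim=pass` with `dkim_domain=clinicaser.info`, `dkim_aligned=False` and `dmarc_would_pass=False`, and names `web01.clinicaser.info` as the origin hop; on the genuine one both identities align and DMARC would pass. Note that the Received chain only tells you which server handed the message to your provider, not how the sender obtained the content of the conversation, so it answers "where did this come from" but not on its own "whose mailbox was read".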