Forum Discussion

MarkJFine's avatar
MarkJFine
Professor
8 years ago

Scary Email Scams...

Just got a beaut...   Email claims to have captured me in a compromising video by hacking my webcam and will send it to everyone in my addressbook unless I send $1900 to his bitcoin account. Includ...
GabeU's avatar
GabeU
Distinguished Professor IV
8 years ago
MarkJFine wrote:

 

But, if you have the headers you can look at the first "received from" line, reverse lookup the IP and figure out what the last server was used to send it to you (anything past that in the headers is likely forged). You might want to forward to their abuse/legal team and hint at possibly prosecuting the illicit activity. That's what I did with Microsoft - they'll sit up and take notice of that.

 

My advice is to send it to the abuse/legal team of the server that sent it last as well as possibly the FBI via the link that's earlier in the thread. I would also definitely change any passwords - especially the one stated in the email. 

The only thing I could figure out to do in order to see anything more than the sender email address is to "View Message Source", and it shows a huge amount of info, all of which is foreign to me.  I don't know what it is I'm supposed to be looking for or seeing.  

maratsade's avatar
maratsade
Distinguished Professor IV
8 years ago

There's all kinds of info in the message source, but one thing you see (I haven't looked at a message source in a long time, but I imagine they haven't changed much) is where the email comes from (gmail, for instance).  Sometimes there are IP addresses there too.  Most of the rest makes no sense to me, but I'll be happy to send it to the Feds. 

 

GabeU wrote:

 

The only thing I could figure out to do in order to see anything more than the sender email address is to "View Message Source", and it shows a huge amount of info, all of which is foreign to me.  I don't know what it is I'm supposed to be looking for or seeing.  

 

  • MarkJFine's avatar
    MarkJFine
    Professor
    8 years ago

    The trick is to always look for the first "Received From" then there will be an IP in square brakets. That is the IP of the server that HELO'd your email server before it sent it. Everything else can be forged, including the servername that's supposed to be associated with the IP. Not likely the IP itself was was forged during a HELO handshake.

     

    Edit: Looks like this:
    Received: from APC01-SG2-obe.outbound.protection.outlook.com (mail-sg2apc01hn0245.outbound.protection.outlook.com [104.47.125.245])

    • GabeU's avatar
      GabeU
      Distinguished Professor IV
      8 years ago

      MarkJFine

      maratsade

       

      I sent PMs to you two that included a picture of the info I think I'm supposed to be looking at.  I didn't want to post it in public for the reason given in the PMs.  

    • maratsade's avatar
      maratsade
      Distinguished Professor IV
      8 years ago

      That part's missing from Gmail emails, right?  I thought Gmail didn't include the sender's IP in the header.

       

      MarkJFine wrote:

      The trick is to always look for the first "Received From" then there will be an IP in square brakets. That is the IP of the server that HELO'd your email server before it sent it.

       

      • MarkJFine's avatar
        MarkJFine
        Professor
        8 years ago
        maratsade wrote:

        That part's missing from Gmail emails, right?  I thought Gmail didn't include the sender's IP in the header.

        Hmmm. Haven't noticed, tbh.