liebls
Aspiring Contributor
793 Views
Message 1 of 12

Re: Spoofed email address

Is it true that there is no way of preventing an email being spoofed?

I have just had the identical scam again, purportedly from an elderly neighbour. Again, he and I are both @btinternet.com.

Surely for this specific case (to/from BT), it should be possible to verify that the sending server was indeed BT's?

 

licquorice
Distinguished Sage
784 Views
Message 2 of 12

Re: Spoofed email address

BT emails can be sent from any SMTP server; they don't have to be sent from BT's servers.

jimafblack59
Beginner
767 Views
Message 3 of 12

Re: Spoofed email address

There are two ways this could happen. Either your friend's device has malware that is sending the emails to their address book contacts or the email account itself has been compromised. She should run something like the free version of Malwarebytes and change her password.

Spoofing an email address is different, and is trivial to do. That means I replace the from email address with the from email address I want to be displayed in the email client in the header of the email. The only way to spot that typically is to look at the source/raw text of the email. Some email filtering services try to detect this type of phishing emails, but they are a bit hit or miss.

gg30340
Distinguished Sage
744 Views
Message 4 of 12

Re: Spoofed email address

If there was an easy fix email providers would have implemented it.

Have a look at this link about spoofing email addresses and if you do an Internet search about spoofing you will find more information.

Email spoofing - Wikipedia

What is Spam, Phishing and “spoofing"? | BT Help

 

jac_95
Guru
721 Views
Message 5 of 12

Re: Spoofed email address

@liebls It's best to check the email headers, as the email may not have actually been spoofed but the text name of the email address and reply-to address used to make it look similar.

Email spoofing is harder to perform these days with SPF, DKIM signatures and DMARC policies.

The btinternet.com domain does indeed have these implemented, so it can be easier to tell and for providers to reject and quarantine emails from the domain if they do not pass these checks.

It should also be noted that genuine btinternet.com SMTP servers must now be used to send emails from the @btinternet.com domain, otherwise they will fail the checks and the emails will be rejected.

Example, look for authentication results, dkim, spf and dmarc headers along with return-path. BT's SMTP servers also add custom headers to help identify what authenticated account sent the email and the client IP address.

 

 

Return-Path: <<redacted>@btinternet.com>
Received: from sa-prd-fep-041.btinternet.com (mailomta19-sa.btinternet.com. [213.120.69.25])
        by mx.google.com with ESMTPS id e19si23268993wre.845.2021.11.30.02.17.01
        for <jac_95@<redacted>.dev>
        (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256);
        Tue, 30 Nov 2021 02:17:02 -0800 (PST)
Received-SPF: pass (google.com: domain of <redacted>@btinternet.com designates 213.120.69.25 as permitted sender) client-ip=213.120.69.25;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@btinternet.com header.s=<redacted> header.b=<redacted>;
       spf=pass (google.com: domain of <redacted>@btinternet.com designates 213.120.69.25 as permitted sender) smtp.mailfrom=<redacted>@btinternet.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=btinternet.com
Received: from sa-prd-rgout-001.btmx-prd.synchronoss.net ([10.2.38.4])
          by sa-prd-fep-041.btinternet.com with ESMTP
          id <20211130101701.CJKH30965.sa-prd-fep-041.btinternet.com@sa-prd-rgout-001.btmx-prd.synchronoss.net>
          for <jac_95@<redacted>.dev>; Tue, 30 Nov 2021 10:17:01 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com; s=btmx201904; t=1638267421;
         bh=<redacted>;
        h=From:Mime-Version:Date:Subject:Message-Id:References:To:X-Mailer;
        b=<redacted>
Authentication-Results: btinternet.com;
    auth=pass (PLAIN) smtp.auth=<redacted>@btinternet.com;
    bimi=skipped
X-SNCR-Rigid: <redacted>
X-Originating-IP: [<redacted>]
X-OWM-Source-IP: <redacted> (GB)
X-OWM-Env-Sender: <redacted>@btinternet.com
X-VadeSecure-score: verdict=clean score=0/300, class=clean
X-RazorGate-Vade: 

 

 

 

You can also use https://toolbox.googleapps.com/apps/messageheader/analyzeheader to help analyse and quickly see the bits of info that would be helpful from the received email headers.



licquorice
Distinguished Sage
684 Views
Message 6 of 12

Re: Spoofed email address


@jac_95 wrote:

This should also be noted that genuine btinternet.com SMTP servers must now be used to send emails from  @btinternet.com domain otherwise they will fail the checks and emails rejected.

 


Hmm, interesting. I've just created a test account in MS Outlook with a xxx@btinternet.com email address using IONOS's SMTP server authenticated with my own domain email address.

The automated mails generated by Microsoft to validate the settings worked fine, mail sent and received. A mail sent to a xxxx@btinternet address was sent but not received and no bounce back message. A mail sent to a Gmail address was sent and a bounce back received.

licquorice
Distinguished Sage
674 Views
Message 7 of 12

Re: Spoofed email address


@licquorice wrote:

@jac_95 wrote:

This should also be noted that genuine btinternet.com SMTP servers must now be used to send emails from  @btinternet.com domain otherwise they will fail the checks and emails rejected.

 


Hmm, interesting. I've just created a test account in MS Outlook with a xxx@btinternet.com email address using IONOS's SMTP server authenticated with my own domain email address.

The automated mails generated by Microsoft to validate the settings worked fine, mail sent and received. A mail sent to a xxxx@btinternet address was sent but not received and no bounce back message. A mail sent to a Gmail address was sent and a bounce back received.


Too impatient, just received the message sent to xxxx@btinternet.com; a further test message also received.

jac_95
Guru
667 Views
Message 8 of 12

Re: Spoofed email address

If you check the headers what do you see for SPF, DKIM and DMARC checks?

It could be that on the btinternet.com email server side when receiving emails even though they do these checks they aren't actually rejecting or putting the email into quarantine even though they failed them.

Also check if you have the domain or email in the safe senders list as that may override these checks. There's a header that can help identify that too. Can't remember what it's called though.

licquorice
Distinguished Sage
659 Views
Message 9 of 12

Re: Spoofed email address

The Gmail bounce was due to failing DMARC checks.

The received btinternet mail header shows DMARC failed but still delivered it.

Authentication-Results: btinternet.com;
dmarc=fail header.from=btinternet.com;
dkim=none;
dkim=error;
spf=none smtp.helo=mout.kundenserver.de;
spf=softfail smtp.mailfrom=btinternet.com;
bimi=skipped

Neither the domain nor sender address is in my safe senders list.

 

jac_95
Guru
654 Views
Message 10 of 12

Re: Spoofed email address

OK so yeah, Gmail did the right thing, whereas for some reason BT's btinternet.com mail service marked the email as failing the DMARC policy and, as to the published SPF record for the domain, a softfail (~all), but didn't reject the email as per the btinternet.com DMARC policy:

v=DMARC1; p=reject; sp=reject; pct=100; fo=1; rua=mailto:dmarcagg@btinternet.com; ruf=mailto:dmarcf@btinternet.com;

 

This basically says to recipient email servers to reject emails that fail the DMARC policy and is applied to 100% of emails sent. The other bits are for reporting.

0 Ratings
Reply
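The header check discussed in messages 5, 9 and 10, as an added example that is not part of any poster's message: it parses an Authentication-Results value and a DMARC TXT record and reports what the domain's published policy asks the receiver to do. The function names are hypothetical, the inputs are constructed from the header and record quoted in the thread, and `pct` values below 100 are only reported, not sampled.

```python
import re

# Constructed inputs: header value as quoted in message 9, record as quoted in message 10.
FAILED = ("btinternet.com; dmarc=fail header.from=btinternet.com; dkim=none; dkim=error; "
          "spf=none smtp.helo=mout.kundenserver.de; "
          "spf=softfail smtp.mailfrom=btinternet.com; bimi=skipped")
RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; fo=1; "
          "rua=mailto:dmarcagg@btinternet.com; ruf=mailto:dmarcf@btinternet.com;")

def parse_auth_results(value):
    """Return (authserv_id, [(method, result, props), ...]) for a header value."""
    value = re.sub(r"\([^()]*\)", " ", value)        # drop (comments)
    parts = [p.strip() for p in value.split(";") if p.strip()]
    results = []
    for part in parts[1:]:
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        # A list, not a dict: one header can carry several dkim= or spf= results.
        results.append((method.lower(), result.lower(), props))
    return parts[0], results

def parse_dmarc_record(txt):
    """Return the tag/value pairs of a DMARC TXT record."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def expected_handling(auth_value, record):
    """What the domain owner's policy asks a receiver to do with this message."""
    _, results = parse_auth_results(auth_value)
    dmarc = [res for method, res, _ in results if method == "dmarc"]
    if not dmarc or dmarc[0] not in ("pass", "fail"):
        return "unknown"                              # no usable DMARC evaluation recorded
    if dmarc[0] == "pass":
        return "deliver"
    tags = parse_dmarc_record(record)
    policy, pct = tags.get("p", "none").lower(), int(tags.get("pct", "100"))
    return policy if pct == 100 else f"{policy} ({pct}% sampled)"

if __name__ == "__main__":
    print(parse_auth_results(FAILED)[1])
    print(expected_handling(FAILED, RECORD))
```

A message that sits in the inbox while this returns `reject` is the mismatch described in messages 9 and 10: the receiver evaluated DMARC but did not enforce the published policy.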