
Possible Odd Incoming EMail.


STEVIEBOY1

Established Member
Joined
31 Jul 2010
Messages
4,001
Has anyone had an email come into their inbox recently, supposedly from ADMIN SERVICE, saying that there is a problem sending or receiving 18 emails and your devices are not synchronised? I have had this 3 times this week in one of my BT Accounts. I think it may be questionable, as all seems fine with emails that I have been sending and receiving, so I just deleted it. I think if it was from BT, then that would appear somewhere in the title or email. I also ran virus and malware checks which did not pick anything up.
 

3rd rail land

Member
Joined
30 Jan 2019
Messages
623
Location
Where the 3rd rail powers the trains
Yes, I had one of these emails. I assumed it was a scam or phishing attack as it had a link in it, which of course I am staying as far away from as it is humanly possible to do so. I have had no issues sending or receiving email. I use a btinternet email address.
 

Peter C

Established Member
Joined
13 Oct 2018
Messages
4,516
Location
GWR land
I've not had one of these emails but it sounds dodgy. Good idea to just delete the email - a general rule for scam emails. That and don't click links in emails unless you can be absolutely sure of its legitimacy and you know where/who it came from.

-Peter :)
 

Cheshire Scot

Established Member
Joined
24 Jul 2020
Messages
1,337
Location
North East Cheshire
One way to spot at least some of the many scam e-mails is to check the sending address - it may well include 'BT' but will probably include some random characters and be from a non UK domain.
 

najaB

Veteran Member
Joined
28 Aug 2011
Messages
30,815
Location
Scotland
I think if it was from BT, then that would appear somewhere in the title or email.
It wouldn't necessarily as if it was a valid email it may have been generated by a service outside of BT.

Forward it - and any other dodgy e-mails - as an attachment ( NOT as a straight forwarding ) to [email protected] who will analyse the headers and track down the source.
This is very important. If you just hit forward on the email then none of the headers will be attached, without which it is impossible to do any diagnostics on the message. I've lost track of the number of times we get customers requesting that we figure out why a dodgy email was delivered but then give us nothing to work with.

One way to spot at least some of the many scam e-mails is to check the sending address - it may well include 'BT' but will probably include some random characters and be from a non UK domain.
No. This is completely incorrect. Without looking at the headers there is no way for anyone to determine if an email message has been spoofed.
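The difference between a straight forward and a forward-as-attachment, as discussed in the post above, shown as an added example that is not part of any post in this thread. The sample message, the `.example` hosts and the `reports@provider.example` address are constructed placeholders.

```python
from email import message_from_bytes, message_from_string, policy
from email.message import EmailMessage

# Constructed suspicious message (not a real capture); .example hosts, documentation IP.
ORIGINAL = message_from_string("""\
Received: from mail.isp.example (host-77.dynamic.vps.example [203.0.113.77])
\tby mx.recipient.example (Postfix) with ESMTP id 4BBBB2;
\tTue, 2 Feb 2021 10:00:01 +0000
From: "ADMIN SERVICE" <admin@isp.example>
To: user@recipient.example
Subject: Problem sending or receiving 18 emails

Your devices are not synchronised.
""", policy=policy.default)

def _new_report(subject):
    fwd = EmailMessage()
    fwd["From"] = "user@recipient.example"
    fwd["To"] = "reports@provider.example"   # placeholder reporting address
    fwd["Subject"] = subject
    return fwd

def forward_inline(original):
    """What a plain 'Forward' does: copy the visible text into a new message."""
    fwd = _new_report("Fwd: " + original["Subject"])
    fwd.set_content("---- Forwarded message ----\n"
                    f"From: {original['From']}\n\n{original.get_content()}")
    return fwd.as_bytes()

def forward_as_attachment(original):
    """Attach the untouched original as a message/rfc822 part."""
    fwd = _new_report("Suspicious email attached")
    fwd.set_content("Original attached with full headers.")
    fwd.add_attachment(original)
    return fwd.as_bytes()

def original_received(wire):
    """Received: lines of the reported message that an analyst can still read."""
    parts = list(message_from_bytes(wire, policy=policy.default).walk())
    # Skip parts[0]: its headers describe the forwarder's own message, not the original.
    return [h for p in parts[1:] for h in p.get_all("Received", [])]

if __name__ == "__main__":
    print("inline forward    :", len(original_received(forward_inline(ORIGINAL))))
    print("attachment forward:", len(original_received(forward_as_attachment(ORIGINAL))))
```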
 

Peter Mugridge

Veteran Member
Joined
8 Apr 2010
Messages
14,824
Location
Epsom
This is very important. If you just hit forward on the email then none of the headers will be attached, without which it is impossible to do any diagnostics on the message. I've lost track of the number of times we get customers requesting that we figure out why a dodgy email was delivered but then give us nothing to work with.
Also... if it's forwarded as a straight forwarding, the National Cyber Crime people will analyse your own headers ( it's an automated collation system ) which carries the risk that you might find your own e-address being blocked...
 

3rd rail land

Member
Joined
30 Jan 2019
Messages
623
Location
Where the 3rd rail powers the trains
I've now had multiple of these emails. I need to login to my email on my desktop PC rather than the app on my phone to see the sender email but it'll be interesting to see if the same address is being used or multiple are being used.
 

py_megapixel

Established Member
Joined
5 Nov 2018
Messages
6,672
Location
Northern England
I've now had multiple of these emails. I need to login to my email on my desktop PC rather than the app on my phone to see the sender email but it'll be interesting to see if the same address is being used or multiple are being used.
I would strongly advise you, if you regularly check your mail on your phone, not to use an app which isn't capable of displaying the sender address...
 

Cheshire Scot

Established Member
Joined
24 Jul 2020
Messages
1,337
Location
North East Cheshire
No. This is completely incorrect. Without looking at the headers there is no way for anyone to determine if an email message has been spoofed.
Sorry, I cannot agree, the header is what the scammer is hoping will hook the would be victim as it often reads as if it has come from your supplier whilst as previously stated the originating e-mail address may well give clues that it is not genuine.
 

87 027

Member
Joined
1 Sep 2010
Messages
699
Location
London
Sorry, I cannot agree, the header is what the scammer is hoping will hook the would be victim as it often reads as if it has come from your supplier whilst as previously stated the originating e-mail address may well give clues that it is not genuine.
Are you possibly mixing up the header (detailed technical information about the mail servers the message has passed through) with the “From” display address (which the sender can set to anything they like)?
 

Cheshire Scot

Established Member
Joined
24 Jul 2020
Messages
1,337
Location
North East Cheshire
Are you possibly mixing up the header (detailed technical information about the mail servers the message has passed through) with the “From” display address (which the sender can set to anything they like)?
Perhaps but I cannot see anything other than the heading and who sent it. Therefore the sending address is my only clue other than it looks / reads as if it may be dodgy. Maybe others who are more IT savvy can work it out more easily.
 

py_megapixel

Established Member
Joined
5 Nov 2018
Messages
6,672
Location
Northern England
Sorry, I cannot agree, the header is what the scammer is hoping will hook the would be victim as it often reads as if it has come from your supplier whilst as previously stated the originating e-mail address may well give clues that it is not genuine.
I think you might be talking at cross purposes with @najaB slightly.

The 'headers' of an email are information which is contained in the email but which usually isn't displayed to the user via an email client. They contain things like the domain name or IP address of the servers it was sent from, as well as other details of the transmission, metadata added by other software such as the sender's email client, and also various other information which is needed in some cases but completely pointless to the average user. You can't read it, but it's there.

The body of the email might also contain a header in the sense of a title at the top of something, but that's different, and not what would usually let you know that it's a scam.

The sender's email address that you see in your email client is one piece of information that is transmitted in the headers, but it relies on the sender to report it correctly.

There are several reasons that this isn't a perfect analogy, but you can think of it as follows: if you lived in Glasgow but wanted to pretend to somebody you were in Manchester, you could send them a letter and write on a sender's address in Manchester. However, if the person receiving the letter wanted to check that you really were in Manchester, they could look closely at the postmark, and they would be able to see that it was actually sent from Glasgow. In this case, the sender's address that you wrote on is the equivalent of the sender's address on the email (most people will declare it correctly, but there's absolutely nothing to stop you doing it wrong, maliciously or otherwise). The postmark is the equivalent of the headers in the email.
 

najaB

Veteran Member
Joined
28 Aug 2011
Messages
30,815
Location
Scotland
Sorry, I cannot agree, the header is what the scammer is hoping will hook the would be victim as it often reads as if it has come from your supplier whilst as previously stated the originating e-mail address may well give clues that it is not genuine.
The problem is that the email client will almost always only show the From: header which is trivial to spoof. What you need is the full headers since most MTAs will include the SMTP MAIL FROM address in the Received by: header. Even then, all the spammer needs to do is use a null MAIL FROM address.

However, if you look at the chain of Received by: headers you can normally figure out if the message has been spoofed because most MTAs will record the rDNS entry for the IP address sending the message as well as the hostname used in the EHLO. If there's a mis-match (particularly if the rDNS entry points to a dynamic IP range or a VPS server) then it's highly likely that the message has been spoofed.
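The header check described in the two posts above, as an added example that is not part of any post in this thread: it separates the visible From: address from the envelope sender and compares the HELO/EHLO name with the rDNS name on each hop. The sample message is constructed, and the hop pattern assumes Postfix-style `Received:` lines; other mail servers lay the line out differently.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not a real capture: hosts use .example, IPs are documentation ranges.
RAW = """\
Return-Path: <>
Received: from mx.recipient.example (mx.recipient.example [198.51.100.10])
\tby mbox.recipient.example (Postfix) with ESMTP id 4AAAA1;
\tTue, 2 Feb 2021 10:00:02 +0000
Received: from mail.isp.example (host-77.dynamic.vps.example [203.0.113.77])
\tby mx.recipient.example (Postfix) with ESMTP id 4BBBB2;
\tTue, 2 Feb 2021 10:00:01 +0000
From: "ADMIN SERVICE" <admin@isp.example>
To: user@recipient.example
Subject: Problem sending or receiving 18 emails

Your devices are not synchronised.
"""

# Assumed Postfix-style hop: from <HELO/EHLO name> (<rDNS name or "unknown"> [<ip>])
HOP = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9A-Fa-f.:]+)\]\)")

def analyse(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))   # what the mail client shows
    # Return-Path is where the delivering server records the SMTP MAIL FROM; "<>" is null.
    envelope = msg.get("Return-Path")
    hops = []
    for value in msg.get_all("Received", []):        # newest hop first
        m = HOP.search(" ".join(value.split()))      # unfold the header onto one line
        if not m:
            continue
        helo, rdns, ip = m.groups()
        hops.append({"helo": helo, "rdns": rdns, "ip": ip,
                     "no_rdns": rdns == "unknown",
                     "mismatch": helo.lower() != rdns.lower()})
    return {"from_display": display, "from_addr": addr,
            "null_envelope": envelope is not None and envelope.strip() == "<>",
            "hops": hops}

if __name__ == "__main__":
    report = analyse(RAW)
    print(report["from_display"], report["from_addr"],
          "| null MAIL FROM:", report["null_envelope"])
    for hop in report["hops"]:
        flag = "MISMATCH" if hop["mismatch"] else "ok"
        print(f'{hop["ip"]:>15}  helo={hop["helo"]}  rdns={hop["rdns"]}  {flag}')
```

Only hops written by the recipient's own provider can be relied on; anything below the first of those was supplied by the sending side.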
 

Bevan Price

Established Member
Joined
22 Apr 2010
Messages
7,341
I frequently get emails claiming to be from BT and inviting me to click a link to view my bill. The sender details are often random details, sometimes from btinternet addresses, sometimes from elsewhere. I now ignore them all.
Note, a virus or malware checker is unlikely to identify a "link" as dodgy; it is the act of clicking that link that may let malware access your computer.

This week I also received an email claiming to be from BT and have a "voice mail" for me. Also inviting me to click a link to log in to BT. Also deleted. Apart from any other reason, as far as I know, this computer is not equipped to process voice mail.
 

py_megapixel

Established Member
Joined
5 Nov 2018
Messages
6,672
Location
Northern England
The problem is that the email client will almost always only show the From: header which is trivial to spoof. What you need is the full headers since most MTAs will include the SMTP MAIL FROM address in the Received by: header. Even then, all you need to do is use a null MAIL FROM address.

However, if you look at the chain of Received by: headers you can normally figure out if the message has been spoofed because most MTAs will record the rDNS entry for the IP address sending the message as well as the hostname used in the EHLO. If there's a mis-match (particularly if the rDNS entry points to a dynamic IP range or a VPS server) then it's highly likely that the message has been spoofed.
Incidentally, my email client has an option for 'view all message headers' which allows all of this information to be read. I'm not sure how standard that is though.

(It's obviously not practical to leave this option on all the time because there are so many headers that it obstructs actually reading the message)
 

najaB

Veteran Member
Joined
28 Aug 2011
Messages
30,815
Location
Scotland
Incidentally, my email client has an option for 'view all message headers' which allows all of this information to be read. I'm not sure how standard that is though.
It's reasonably common, though often hidden away. For example, in Outlook you have to go to the message properties tab.
 