I recently switched my mail/domain from Google to name cheap. I’ve been keeping a critical eye on my junk mail as the spam filtering doesn’t seem as good.

I saw neat scam email from my own email adress. It was the usual “I am a hacker give me money” nonsense but the trick with them using my own email adress is pretty neat. I assume they’ve injected some sort of common replace string?

Just curious if anyone knows the trick here.

Update: followed the advice most of you have provided and spam mail has gone way down as a result. Leaving post here for the next poor sod who runs into these problems. Maybe Google will lead folks here instead of reddit.

Thank you kind strangers.

  • dual_sport_dork 🐧🗡️@lemmy.world
    link
    fedilink
    arrow-up
    71
    ·
    edit-2
    1 year ago

    It is trivial to write a piece of software, or use existing email software, to forge the contents of the from: field in an email header. In fact, you can forge the entire email header if you feel like, and there’s really nothing stopping anyone from doing it. The header information which includes the alleged sender of the email is just plain text. You can fire off any email containing any header – forged or not – at any mail server and the data will at least get there. What the mail server does with it afterwards is up to however it’s configured.

    There are various techniques that email providers and mail relays use to attempt to verify the integrity of email messages, including DKIM, reverse DNS or PTR record, and the Sender Policy Framework, and if any of these don’t check out the mail server may reject incoming messages or automatically divert them to spam folders. This isn’t foolproof, though, and some mail servers are more lenient than others. Many private mail servers are also misconfigured, or minimally configured, and allow pretty much any damn fool thing to get through.

  • Ocelot@lemmies.world
    link
    fedilink
    English
    arrow-up
    21
    ·
    edit-2
    1 year ago

    When you send an email to a mail server, you can set the “FROM” address to literally anything. The mail server does not care and forwards stuff on, as long as you’re authenticated. Anyone can run their own mail server anywhere that will dutifully just relay emails, which is what spammers often do. There are entries in DNS called SPF records (Sender Policy Framework) which mailservers use to validate on the receiving side that the FROM address coming from the mail server matches with a list of allowed mail servers IP address(es). If it doesn’t match it gets sent to spam, or outright rejected (depending on if the record says ~all or -all). It is often not ideal to reject any message that fails this check, because if you have some local system that runs its own mailserver and sends alert emails it might not necessarily match.

    • Seigest@lemmy.caOP
      link
      fedilink
      English
      arrow-up
      3
      ·
      edit-2
      1 year ago

      I see. I think this is that case. It was in the spam folder. So it sounds like the new mail service is doing all it can here.

      I’d also gotten a few fake Amazon fliers form like “vape demon69 dot com” which somehow didn’t get marked as spam so I’ve been concerned that the junk prevention may really suck. But at least it seems to be marking the spoofed ones as junk.

      • Korthrun@lemmy.sdf.org
        link
        fedilink
        arrow-up
        5
        ·
        edit-2
        1 year ago

        you can set the “FROM” address to literally anything.

        Hey all, “that guy” chiming in.

        You can set the “FROM” address to any string that meets the specifications of the “Address Specification” section of the relevant RFCs (5322 and 6854, maybe others). Which is SUPER FAR from “literally anything”.

        I know this seems like some neck-beard bullshit, but we’re here answering the question for someone who clearly has little understanding of email internals. Hyperbole is bad in this context IMO.

      • Absolutemehperson@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        I’d also gotten a few fake Amazon fliers form like “vape demon69 dot com”

        That’s obviously legit. Didn’t you know it’s illegal to lie on the internet?

      • Ocelot@lemmies.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        If you’re running your own domain and mail server with everything validated via SPF and DKIM etc then this layer of spam filtering won’t do anything. Other spam filters like AI-based ones that look at the contents of message for spammy stuff need to take over after that point.

        Fighting spam is constant cat-and-mouse battle and you’ll never truly get rid of all of it.

        • rufus@discuss.tchncs.de
          link
          fedilink
          arrow-up
          2
          arrow-down
          2
          ·
          edit-2
          1 year ago

          And you don’t even need SPF or AI to discard mails coming from the wrong mailserver. If you know the domain, you can do a lookup and see if the connecting mailserver is the one in the MX record. Check PTR records. At least throw away mail that’s coming from some random server and claims to come from your own domain. You should know who is supposed to be a mailserver for your addresses.

          • Ocelot@lemmies.world
            link
            fedilink
            English
            arrow-up
            3
            ·
            edit-2
            1 year ago

            This isn’t really going to be accurate all the time. It is a totally reasonable configuration to use a mailserver not in the MX records. Lots of companies that send automated emails use a service like mailgun or sendgrid as a relay, which isn’t their MX server. It doesn’t come from their company’s mailserver. The only way to validate that is by adding mailgun/sendgrid as an include in the SPF record.

            PTR records are very difficult to maintain for any accuracy since lots of companies use cloud providers and don’t bring their own IPs.

            You’ll often miss things like “Your credit card expired” or “please change your password” or even “Here’s your monthly bill from the power company” emails.

            • rufus@discuss.tchncs.de
              link
              fedilink
              arrow-up
              1
              ·
              edit-2
              1 year ago

              I’ve tried and lots of providers want the PTR. I think Gmail is espectally strict when it comes to antispam, doing the DNS lookups and checking IP ranges. I forgot what gets you into the spam folder and what gets your mail rejected completely. You’re right with the MX record though. I think I misremembered whatever I configured in Postfix. SPF is the way for that.

              But I just follow suit with the big providers and am very strict with the incoming mail. I need to look it up, but i think i refuse them if the mailserver doesn’t have any dns records at all. And if it sends something silly in the HELO. With mailchimp or mailinglists, isn’t the way to do it to set mailchimp in the envelope-from and your company into the from header? and then I can check at least that mailchimp this is a proper mailserver? If you don’t set it up properly, you kinda deserve your mail getting lost.

              But I think now I know where we don’t understand each other. I just check if it’s a proper mailserver with the first few checks. That gets rid of >>50% of my spam immediately. I don’t use that to verify the mailserver is allowed to send mail for that specific domain. That’s a job for SPF later. It just needs to have anything. And that’s enough to weed out most of the spam, especially from hacked boxes and crude IPs from the far east.

              One exception. I have a specific list with servers allowed to send mail from my own domain. This prevents phishing and impersonating people internally. Nobody except me is supposed to configure mailing campaigns or mailing lists anyway. But now that we’re speaking of it, I think I should get rid of that extra config and use SPF for that. I configured that years ago, anyways.

  • tarjeezy@lemmy.ca
    link
    fedilink
    English
    arrow-up
    8
    ·
    1 year ago

    Look up the instructions for your mail provider to set up SPF, DKIM, and DMARC records in your DNS so email services know which emails sent from your domain are actually legit. Without those records telling email servers what’s valid and how to handle what’s not, it’s basically the Spiderman pointing at Spiderman meme.

    https://www.namecheap.com/support/knowledgebase/article.aspx/317/2237/how-do-i-add-txtspfdkimdmarc-records-for-my-domain/

    • Seigest@lemmy.caOP
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      Thank you, I had to bug the support line a bit to figure it out, but they agreed I needed to use this guide and helped me out. My inbox is now a little safer thanks to your advice.

  • Steve@communick.news
    link
    fedilink
    English
    arrow-up
    8
    arrow-down
    1
    ·
    1 year ago

    The trick is setting up your own email server that has some basic common security features disabled. That way they can send email from any address they want.

  • orangeNgreen@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    arrow-down
    2
    ·
    1 year ago

    Is it possible they actually accessed your account? Alternatively, do you have a lowercase “L” in your name that they could have replaced with a capital “I”?

    • Seigest@lemmy.caOP
      link
      fedilink
      English
      arrow-up
      5
      ·
      1 year ago

      No Ls also nothing in my sent box and it was marked as spam so rhe mail service knew somthing was up with it.

    • thanks_shakey_snake@lemmy.ca
      link
      fedilink
      arrow-up
      3
      arrow-down
      1
      ·
      1 year ago

      Dunno who’s downvoting this, but that’s honestly a valid possibility. The other answers explain a really important concept (it’s really easy to fake from addresses) but these ideas aren’t wrong.

      • Dr Cog@mander.xyz
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        It’s not a possibility at all unless the “hacker” is extremely stupid.

        If you have access to an account, you generally don’t want to make the owner of the account suspect that it is compromised.

        • thanks_shakey_snake@lemmy.ca
          link
          fedilink
          arrow-up
          1
          ·
          edit-2
          1 year ago

          Or the “hacker” is an automated script (…which is probably pretty stupid, to your point), as the vast majority of attacks are.

          If it’s more like a spearphishing-to-impersonate attack-- i.e. A specific individual is being targeted-- then yeah, it’d be important to avoid detection. They wouldn’t do that unless they are extremely bad at their task.

          But most attacks are fairly coarse attempts at exploiting a rather glaring security hole against a large number of targets, and their goal might not be what you’d think… Like for example “iterate through this list of 100,000 sites, see if they’re using [some vulnerable framework], and see if they still have the default admin password.” The attacker doesn’t care about being foiled by any one victim, because (for example) their goal is to collect accounts that are:

          a) Unmonitored by their owners, and;

          b) Able to send and receive emails

          Is that scenario more likely than FROM address forgery? No. Is that scenario “not a possibility at all?” Also no.

  • Dr. Coomer@lemmy.world
    link
    fedilink
    arrow-up
    1
    ·
    1 year ago

    There are many ways they could be getting your email, but first, why your email? Well, it’s because it the easiest way for them to fake legitimate messages. Now, where are they getting them from? Most likely your socials or other accounts. One instance I’ve experienced was on offerup (don’t use it, too many scammers).