A friend of mine recently forwarded me an email he received that looked like it had come from me.
Except, of course, it hadn’t. It was a complete forgery, and not a very good one at that.
I am both slightly honored that I’m worth forging, and quite annoyed that someone actually did.
We’ll look at the message and all the clues it contains that make it a fairly obvious fake, and then generalize those clues to help you separate spam from legitimate email.
Here’s a screenshot of the message.
Let’s look at a few items in the message that indicate it’s a fake.
1: The header
If you look at the “From:” address, while it says it’s from “Ask Leo”, it’s not.
The faker manufactured an “ask.leo” email address on a bogus domain, one completely unrelated to anything I do. As far as I can tell, there’s no website there, either.
Email from me will always be “from” an askleo.com email address, or perhaps an aweber.com (my mailing list service) email address. In rare cases, you might get an email from @pugetsoundsoftware.com, which is my corporate identity.
I have no idea what this fake domain is all about.
Takeaway: Always watch the “From:” email addresses to make sure that they make sense with respect to whomever the email claims to be from.
2: The links
When I hovered over the links in the message, another clue appeared.
The links all go to a subdomain off of that bogus domain — once again, nothing related to Ask Leo! at all.
Gmail wouldn’t even let me click on those without warning me.
Links in any of my emails go to askleo.com-related domains, or in some cases, aweber.com domains.
Takeaway: before clicking on links, hover over them to examine where they go, and make sure the destination makes sense. And of course, if your email program warns you that the link is suspicious, don’t proceed.
3: The additional text
The additional text below “my” signature is another giveaway that this is pure spam.
This type of unrelated text — sometimes gibberish, sometimes coherent, but always unrelated — is placed into spam emails to bypass spam filters. The filters look at the text of messages to see how “spammy” they are. If there’s a lot of text that isn’t suspect, the filters are less likely to filter this email as spam.
Takeaway: if a message has a lot of seemingly random, unrelated text, it’s likely to be a spammer’s attempt to bypass spam filters.
4: The contact information
Near the bottom of the message is some contact information. I’ve blurred it out for reasons I’ll explain below, but it certainly wasn’t my contact information and didn’t appear to be related to anything else in the message.
Perhaps it made the message look a little more official, but it — like everything else — was bogus.
Takeaway: do look at the contact information at the bottom of emails you receive. Not only is it required in bulk email campaigns, it’s another clue you can use. If it doesn’t make sense because it’s unrelated to anything in the email, that’s another sign you might be looking at spam.
Items you don’t see
Me being me, I dug a little deeper than I’d expect most people to look.
The email headers you don’t see clearly indicated that this was spam. SPF and DKIM information — technical data used for just this purpose — had clear “Fail” indications.
The headers also indicated that the email had been sent directly from the bogus domain hosted on a popular shared-hosting site.
When I clicked on the links (don’t worry, I did so safely), I was immediately redirected to a different site selling some kind of external WiFi antenna (not a “booster” as the email claimed). The redirect included someone’s affiliate link, so had I purchased the device, the spammer would have made a buck or two. (The shopping site seemed legitimate, but I didn’t dive too deeply into it.)
And of course there are things only I would notice: improper use of my trademark, the writing style, and even the formatting looks nothing like the messages I send.
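As an added example (not from the original article), here is a small Python checker that applies three of the clues above to a raw message: the “From:” display name against the domain it actually uses, the receiving server’s SPF and DKIM verdicts in the Authentication-Results header, and the domains the links point to. The message, the `bogus-domain.example` name and the Authentication-Results line are constructed for illustration; the trusted-domain list is the one the article gives.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the article says legitimate Ask Leo! mail and links come from.
TRUSTED = {"askleo.com", "aweber.com", "pugetsoundsoftware.com"}

# Constructed sample message, not the real forgery; "bogus-domain.example"
# stands in for the unrelated domain the article describes.
SAMPLE = """From: Ask Leo <ask.leo@bogus-domain.example>
Subject: Boost your WiFi
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=bogus-domain.example; dkim=fail header.d=bogus-domain.example
Content-Type: text/html

<html><body><a href="http://theta.bogus-domain.example/go">Get it</a>
<a href="https://askleo.com/newsletter">Newsletter</a></body></html>
"""

def registrable(host):
    # Last two labels as a rough registrable domain; adequate for the
    # .com-style names used here (not for co.uk-style suffixes).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_message(raw, claimed_name="ask leo"):
    """Return the red flags found in a raw RFC 5322 message (empty list = none)."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    # 1: display name claims Ask Leo, but the address domain is not one of ours
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = registrable(addr.rsplit("@", 1)[-1])
    if claimed_name in name.lower() and from_dom not in TRUSTED:
        flags.append(f"from-domain:{from_dom}")
    # 2: the receiving server's SPF/DKIM verdicts (RFC 8601 Authentication-Results)
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() != "pass":
            flags.append(f"{mech}:{m.group(1).lower()}")
    # 3: link destinations whose domain is unrelated to the claimed sender
    for href in re.findall(r'href="([^"]+)"', msg.get_content()):
        host = urlparse(href).hostname or ""
        if host and registrable(host) not in TRUSTED:
            flags.append(f"link:{host}")
    return flags

if __name__ == "__main__":
    print(check_message(SAMPLE))
```

Mail clients show the same verdicts in the raw headers (“Show original” in Gmail), so the script only automates what the article did by hand.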
What we can infer
Even though the email originated at the website of the bogus domain used throughout, we can’t confirm conclusively that the domain owner is at fault. There are two valid scenarios:
- The domain owner is at fault and is not very good at hiding his or her tracks.
- The domain owner’s website has been hacked, and someone else entirely is running this fake operation without his or her knowledge or consent.
I suspect the latter, but there’s not enough data to prove it. Had there been an actual website at the domain, perhaps we could make a few more conclusions. That there were subdomains involved (“theta”, in the examples) might support the domain owner’s complicity.
The contact information at the bottom? Very likely some innocent third party (hence my obscuring it); just something added by the spammer to make the message appear more legitimate.
Dealing with fake “Ask Leo”
As we know, “From:” spoofing is easy and rampant. There’s little to be done about that. (Technically this isn’t quite that, since they didn’t actually spoof my email address — just my name in the From: line.)
But blatant impersonation takes this to a whole different level.
So far, I’ve:
- Contacted the hosting service
- Contacted the registrar of the bogus domain
- Contacted the listed owner of the domain
As I write this I’ve not heard back from any of them, which is not surprising.
Depending on any responses, additional incidents that come to my attention, or additional information that comes to light, I may or may not take further action.
I do expect whatever happens next to cost me money.
At a minimum, the impostor did us a little service: their fakery provided us an example of things you can watch for to distinguish spam from legitimate email.