So my sister had someone attempt to scam her on Craigslist today.
I know, just another Craigslist scammer, but this one had a new twist for me.
The scammer had an email sent to her from [email protected]. I thought when talking to her over the phone that it was just a name spoof, or a fake email that looked like it said “Venmo,” when it actually said “Verimo” with the "r i" trick to make it look like an “n” in the name. But, the email looks to have come from [email protected].
Can you fully spoof real domains on emails now? If so, how, and what can you do to spot this?
My sister was not scammed, there were other signs that this was a fake email.
First, the grammar was weird. Here is the text from the message with concerning language bolded.
Subject: Payment of $1100.00 For “Hamilton Tickets From Ticketmaster”
The payment of $1100.00 has been sent and taking out of @Thom-Mallory’s account. The payment will be into your account as soon as the tickets have been sent as we are in contact with Ticketmaster. The payment is guaranteed and there can not be any reversals.
-Venmo Team
Second, the email came to the address my sister was communicating on rather than the address that her Venmo account is attached to.
SMTP allows for anything to be put in the To:, From:, and Reply-To: fields. They do not need to match the Envelope Sender and many web mail providers allow for this to be different as well.
I’ve always wondered about this: is it because it is technically unfeasible for some reason (unlikely); that it has been left as a hole for just these types of scam/marketer reasons; or that it is simply a legacy issue, i.e. this is the way it was originally built and now it is too hard to change (more likely).
A consequence of the protocol and also necessary for a number of commonly used features.
Some real-world examples:
From field: I use this all the time at work since my mail client connects to two different mailboxes - an individual box and a shared address used for support purposes. I usually respond to emails in the support box using the support address, but sometimes it’s appropriate to take these offline so I respond with my individual address. This will also be commonly used when emailing generic addresses (i.e. billing@, support@, info@, etc) and the individual handling the request “takes ownership” so you have one individual you’re dealing with for the conversation.
Reply-To field: Used commonly for mailing lists, this lets emails to the list be “from” the individual, but anyone that simply clicks “reply” will respond to the list without having to “reply all” or otherwise take more deliberate action to respond to the list.
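An added example, not part of any post in this thread: a small Python check for the header mismatches discussed above (From vs. envelope sender, From vs. Reply-To, and a To address that is not the one the account uses). The sample message, every address in it, and the function names are constructed for illustration; Return-Path is assumed to hold the envelope sender as recorded by the receiving server.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not the email from the thread.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
From: "Venmo" <service@payments.example.com>
Reply-To: buyer.contact@freemail.example.org
To: seller@example.org
Subject: Payment of $1100.00

The payment has been sent.
"""

def domain_of(header_value):
    """Lowercased domain of the address in a header value, or None."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()

def related(a, b):
    """True if the domains are equal or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def header_mismatches(raw_message, account_address=None):
    """Return a list of findings; each is a signal to look closer, not proof."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    if from_dom is None:
        return ["From header has no usable address"]
    findings = []
    env_dom = domain_of(msg["Return-Path"])
    if env_dom is None:
        findings.append("no envelope sender recorded (Return-Path missing or empty)")
    elif not related(env_dom, from_dom):
        findings.append(f"envelope sender domain {env_dom} differs from From domain {from_dom}")
    reply_dom = domain_of(msg["Reply-To"])
    if reply_dom and not related(reply_dom, from_dom):
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if account_address:
        _, to_addr = parseaddr(msg["To"] or "")
        if to_addr.lower() != account_address.lower():
            findings.append(f"sent to {to_addr}, not the account address {account_address}")
    return findings

if __name__ == "__main__":
    for finding in header_mismatches(SAMPLE, account_address="owner@example.org"):
        print("-", finding)
```

Mailing lists and shared mailboxes produce the same From/Reply-To differences for legitimate reasons, so treat each finding as a prompt to verify through the service's own app or site.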