UK diy (uk.d-i-y) For the discussion of all topics related to diy (do-it-yourself) in the UK. All levels of experience and proficiency are welcome to join in to ask questions or offer solutions.

  #1   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 6,938
Default Hacked mail

Coincidence or....?

A few times recently I have had junk mails purportedly from my daughters
shortly after contacting them.

I post to a number of other folk without this happening. Is it my end
(limited anti-virus protection) or their end ( i-phone users)?

Suggestions?
--
Tim Lamb
  #2   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 2,699
Default Hacked mail

Are you or they on Yahoo or have any of you ever been?
It's not much to do with iPhones as far as I can tell. They are probably one
of the most secure portable devices there are.
Look at the actual email addresses used though, as often you will find them
different.
Not a new problem.
Brian

--
----- --
This newsgroup posting comes to you directly from...
The Sofa of Brian Gaff...

Blind user, so no pictures please
Note this Signature is meaningless.!
"Tim Lamb" wrote in message
...
Coincidence or....?

A few times recently I have had junk mails purportedly from my daughters
shortly after contacting them.

I post to a number of other folk without this happening. Is it my end
(limited anti-virus protection) or their end ( i-phone users)?

Suggestions?
--
Tim Lamb



  #3   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 6,938
Default Hacked mail

In message , "Brian Gaff (Sofa)"
writes
Are you or they on Yahoo or have any of you ever been
?
Its not much to do with Iphones as far as I can tell. They are probably one
of the most secure portable devices there are.
Look at the actual email addresses used though, as often you will find them
different.
Not a new problem.


They are both on Yahoo as is my wife. I have a disused Yahoo mail
address.

The lack of sensible message and incorrect send addresses are pretty
obvious on Thunderbird but might fool a phone user.

The usual content is a URL.

--
Tim Lamb
  #4   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 25,191
Default Hacked mail

On 22/12/2019 11:23, Tim Lamb wrote:
Coincidence or....?

A few times recently I have had junk mails purportedly from my daughters
shortly after contacting them.

I post to a number of other folk without this happening. Is it my end
(limited anti-virus protection) or their end ( i-phone users)?

Suggestions?


First have a look at the full message headers of the spoofed email. That will
tell you if it actually came from her mail system or an unrelated one. Look
for an SPF record in the header as well, and see what status is attached
to it (e.g. "Pass" or "Soft fail").


--
Cheers,

John.

/=================================================================\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\=================================================================/
  #5   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 1,264
Default Hacked mail

Tim Lamb wrote:
They are both on Yahoo as is my wife. I have an disused Yahoo mail
address.

The lack of sensible message and incorrect send addresses are pretty
obvious on Thunderbird but might fool a phone user.

The usual content is a URL.


At some point, possibly a decade ago or more, somebody got their mail
hacked. Might have been you, them, or anyone you corresponded with. They
hoovered up the address book and any correspondence (e.g. if you sent a mail
to Fred CC daughter, then Fred's account knows you both and knows that you
know each other).

They then send out messages purporting to be from someone you might know.
The illusion will likely fall apart if they try to write text (because it's
quite likely they won't sound like Fred), so they just send a URL and hope
someone is gullible enough to click on it.

(I'd guess the URL would forward to a fake Gmail/Yahoo/Outlook/etc login
page, in the hope of snaffling your email credentials)

Not a lot you can do about it, except change email addresses and maybe blackhole
mail claiming to come from the old one.

Theo


  #6   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 46
Default Hacked mail



"Tim Lamb" wrote in message
...
Coincidence or....?

A few times recently I have had junk mails purportedly from my daughters
shortly after contacting them.


Contacting them how?

I post to a number of other folk without this happening. Is it my end
(limited anti-virus protection) or their end ( i-phone users)?


Very unlikely to be their end infected. The iPhone is
very very difficult to infect because of the walled garden
approach to apps only being able to see what you allow
them to see.

Of course it's possible they have allowed an app to have
access to their contacts and that's how it's happening.

Suggestions?


Ask them if others get a similar result after contacting them.

  #7   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 40,893
Default Hacked mail

Brian Gaff (Sofa) wrote

Are you or they on Yahoo or have any of you ever been ?


I am and don't have a problem with junk mail.

Its not much to do with Iphones as far as I can tell. They are probably
one of the most secure portable devices there are.


Yes, but it is still possible to allow an app access to your contacts.

Look at the actual email addresses used though, as often you will find
them different.


But that doesn't help with stopping it happening in future.

Not a new problem.


"Tim Lamb" wrote in message
...
Coincidence or....?

A few times recently I have had junk mails purportedly from my daughters
shortly after contacting them.

I post to a number of other folk without this happening. Is it my end
(limited anti-virus protection) or their end ( i-phone users)?

Suggestions?
--
Tim Lamb



  #8   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 6,938
Default Hacked mail

In message , John
Rumm writes
On 22/12/2019 11:23, Tim Lamb wrote:
Coincidence or....?
A few times recently I have had junk mails purportedly from my
daughters shortly after contacting them.
I post to a number of other folk without this happening. Is it my
end (limited anti-virus protection) or their end ( i-phone users)?
Suggestions?


First have at the full message headers of spoofed email. That will tell
you if it actually came from her mail system or an unrelated one. Look
for a SPF record in the header as well, and see what status is attached
to it (e.g. "Pass" or "Soft fail").


I have yet to find my way around T bird headers. This might be the
incentive. They display marked as probable junk but I would check anyway
because of the lack of content.



--
Tim Lamb
  #9   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 6,938
Default Hacked mail

In message , %
writes


"Tim Lamb" wrote in message
.. .
Coincidence or....?

A few times recently I have had junk mails purportedly from my
daughters shortly after contacting them.


Contacting them how ?


CCd in a mail for the last one.

I post to a number of other folk without this happening. Is it my end
(limited anti-virus protection) or their end ( i-phone users)?


Very unlikely to be their end infected. The iphone is
very very difficult to infect because of the walled garden
approach to apps only being able to see what you allow
them to see.

Of course its possible they have allowed an app to have
access to their contacts and that's how its happening.

Suggestions?


Ask them if others get a similar result after contacting them.


OK.

--
Tim Lamb
  #11   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 25,191
Default Hacked mail

On 22/12/2019 18:59, Tim Lamb wrote:
In message , John
Rumm writes
On 22/12/2019 11:23, Tim Lamb wrote:
Coincidence or....?
A few times recently I have had junk mails purportedly from my
daughters shortly after contacting them.
I post to a number of other folk without this happening. Is it my
end (limited anti-virus protection) or their end ( i-phone users)?
Suggestions?


First have at the full message headers of spoofed email. That will
tell you if it actually came from her mail system or an unrelated one.
Look for a SPF record in the header as well, and see what status is
attached to it (e.g. "Pass" or "Soft fail").


I have yet to find my way around T bird headers. This might be the
incentive. They display marked as probable junk but I would check anyway
because of the lack of content.


In thunderbird, just hit CTRL + U to display the full message source.


--
Cheers,

John.

  #12   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 6,938
Default Hacked mail

In message , John
Rumm writes
On 22/12/2019 18:59, Tim Lamb wrote:
In message , John
Rumm writes
On 22/12/2019 11:23, Tim Lamb wrote:
Coincidence or....?
A few times recently I have had junk mails purportedly from my
daughters shortly after contacting them.
I post to a number of other folk without this happening. Is it my
end (limited anti-virus protection) or their end ( i-phone users)?
Suggestions?

First have at the full message headers of spoofed email. That will
tell you if it actually came from her mail system or an unrelated
one. Look for a SPF record in the header as well, and see what
status is attached to it (e.g. "Pass" or "Soft fail").

I have yet to find my way around T bird headers. This might be the
incentive. They display marked as probable junk but I would check
anyway because of the lack of content.


In thunderbird, just hit CTRL + U to display the full message source.


Right! 4 pages of gobbledegook:-)

Sent from jumbo.zone but otherwise nothing I understand. It obviously
passed all the authentication checks.

--
Tim Lamb
  #13   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 812
Default Hacked mail

Yes this is a historic problem. Nearly everyone who used Yahoo mail in the
online way, rather than using a client and has done it for some years seems
to have been hacked partially, ie they know who certain email addresses were
associated with from the address books hacked.
I regularly see their names but filter them via incorrect email addresses
in the line with the right name.
Normally they are of the type. I'm sorry to contact you but I've had my
card stolen and am in (insert place name here) and wondered if you could
give me some money,
Or it might be, Hey found this great site, then they put a graphic of the
innocent looking site obscuring the address of the one with the malware on
it. The latter never works for me as the graphic is not 'read' for obvious
reasons.
Brian

"Tim Lamb" wrote in message
news
In message , "Brian Gaff (Sofa)"
writes
Are you or they on Yahoo or have any of you ever been
?
Its not much to do with Iphones as far as I can tell. They are probably
one
of the most secure portable devices there are.
Look at the actual email addresses used though, as often you will find
them
different.
Not a new problem.


They are both on Yahoo as is my wife. I have an disused Yahoo mail
address.

The lack of sensible message and incorrect send addresses are pretty
obvious on Thunderbird but might fool a phone user.

The usual content is a URL.

--
Tim Lamb



  #14   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 812
Default Hacked mail

Well it does if you use offline clients on pop3, also many iPhones can be
easily set up to see the email address it came from which is seldom yahoo.

I never really go to sites from emails, unless I've checked the send address
first these days, though the malware infected sites are fewer and as has been
said, the phishing aspect has increased, I guess because there are so many
gullible people about. One trick of course is to view email in plain text,
this reveals the real web addresses in the email, but means links do not
work and for many badly configured email newsletters the content appears
either blank or just with the footer on it as the dweeb who sent it did
not send anything but the html.
Brian

"Rod Speed" wrote in message
...
Brian Gaff (Sofa) wrote

Are you or they on Yahoo or have any of you ever been ?


I am and don't have a problem with junk mail.

Its not much to do with Iphones as far as I can tell. They are probably
one of the most secure portable devices there are.


Yes, but it is still possible to allow an app access to your contacts.

Look at the actual email addresses used though, as often you will find
them different.


But that doesn't help with stopping it happening in future.

Not a new problem.


"Tim Lamb" wrote in message
...
Coincidence or....?

A few times recently I have had junk mails purportedly from my daughters
shortly after contacting them.

I post to a number of other folk without this happening. Is it my end
(limited anti-virus protection) or their end ( i-phone users)?

Suggestions?
--
Tim Lamb





  #15   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 812
Default Hacked mail

Well most devices these days can be set up so that you are informed when
email is being sent.
Even way back in the Outlook Express days as I still am, you can set a flag
to let you know when something tries to send email behind the scenes. Many
PCs particularly get themselves botted, but greylisting has actually stopped
a lot of that.
The server always rejects the first attempt to send the email, hoping that
the botted machine just sends the lot fast to avoid detection, hence they
all get rejected, but a proper email from your own client will retry.
Brian

"Tim Lamb" wrote in message
...
In message , John Rumm
writes
On 22/12/2019 11:23, Tim Lamb wrote:
Coincidence or....?
A few times recently I have had junk mails purportedly from my
daughters shortly after contacting them.
I post to a number of other folk without this happening. Is it my end
(limited anti-virus protection) or their end ( i-phone users)?
Suggestions?


First have at the full message headers of spoofed email. That will tell
you if it actually came from her mail system or an unrelated one. Look for
a SPF record in the header as well, and see what status is attached to it
(e.g. "Pass" or "Soft fail").


I have yet to find my way around T bird headers. This might be the
incentive. They display marked as probable junk but I would check anyway
because of the lack of content.



--
Tim Lamb
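
Greylisting as described in the post above, as an added sketch that is not code from any poster or from a real mail server. The class and function names, the 5-minute minimum retry delay and the one-day expiry are assumptions; the sender triplets are constructed.

```python
from dataclasses import dataclass, field

TEMPFAIL = 451   # SMTP temporary failure: "try again later"
ACCEPT = 250     # SMTP success


@dataclass
class Greylist:
    min_delay: int = 300          # assumed: retries sooner than this stay deferred
    max_age: int = 24 * 3600      # assumed: forget triplets not retried in a day
    first_seen: dict = field(default_factory=dict)

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP code for one delivery attempt at time `now` (seconds)."""
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        first = self.first_seen.get(key)
        if first is None or now - first > self.max_age:
            # First sighting (or a stale entry): remember it and defer.
            self.first_seen[key] = now
            return TEMPFAIL
        if now - first < self.min_delay:
            # A burst of immediate retries is what a botted machine produces.
            return TEMPFAIL
        # A real mail server queued the message and came back later.
        return ACCEPT


def delivered(greylist, triplet, attempt_times):
    """True if any of the attempts (times in seconds) is accepted."""
    return any(greylist.check(*triplet, now=t) == ACCEPT for t in attempt_times)


# Constructed senders: (connecting IP, envelope sender, recipient).
BOT = ("198.51.100.7", "x1@bulk.example", "pa@home.example")
REAL_MTA = ("203.0.113.20", "daughter@mailprovider.example", "pa@home.example")

if __name__ == "__main__":
    g = Greylist()
    print("bot, rapid burst :", delivered(g, BOT, [0, 1, 2, 3]))
    print("real MTA, retries:", delivered(g, REAL_MTA, [0, 900]))
```

A sender that queues and retries after the delay gets through; one that fires once or in a fast burst never does.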





  #16   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 812
Default Hacked mail

You need to selectively read the things, even the from line can be very
interesting if you compare it to the one you see on a good valid message.
Normally the email client is also listed which can be a give away straight
away.
Brian

"Tim Lamb" wrote in message
...
In message , John Rumm
writes
On 22/12/2019 18:59, Tim Lamb wrote:
In message , John
Rumm writes
On 22/12/2019 11:23, Tim Lamb wrote:
Coincidence or....?
A few times recently I have had junk mails purportedly from my
daughters shortly after contacting them.
I post to a number of other folk without this happening. Is it my end
(limited anti-virus protection) or their end ( i-phone users)?
Suggestions?

First have at the full message headers of spoofed email. That will tell
you if it actually came from her mail system or an unrelated one. Look
for a SPF record in the header as well, and see what status is
attached to it (e.g. "Pass" or "Soft fail").
I have yet to find my way around T bird headers. This might be the
incentive. They display marked as probable junk but I would check anyway
because of the lack of content.


In thunderbird, just hit CTRL + U to display the full message source.


Right! 4 pages of gobbledegook:-)

Sent from jumbo.zone but otherwise nothing I understand. It obviously
passed all the authentication checks.

--
Tim Lamb



  #17   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 812
Default Hacked mail

Yes well, I think a sensible approach to what you let have access to your
address book is in order. I know for example that in order to use the Amazon
Echo devices to make calls you need to allow it to have access to the
mobile's address book. I have yet to see any problems from this.
The main things I do see with mobiles are the location services being used
to try to get you to go to shops etc. The Tile App does this on its free to
use app, but of course you can ignore them or turn off location services
sharing so it only works when you want to find something. There is no such
thing as a free lunch, and to be fair they do tell you in their voluminous
terms and conditions which nobody reads of course!

There are a lot of things to be wary of out there, never post pictures
unedited to facebook while on holiday, as unless you are careful they reveal
where you are and what time you were there in the metadata, allowing the
canny crook to go and do over your home address while you are away.
Brian

"Tim Lamb" wrote in message
...
In message , %
writes


"Tim Lamb" wrote in message
. ..
Coincidence or....?

A few times recently I have had junk mails purportedly from my daughters
shortly after contacting them.


Contacting them how ?


CCd in a mail for the last one.

I post to a number of other folk without this happening. Is it my end
(limited anti-virus protection) or their end ( i-phone users)?


Very unlikely to be their end infected. The iphone is
very very difficult to infect because of the walled garden
approach to apps only being able to see what you allow
them to see.

Of course its possible they have allowed an app to have
access to their contacts and that's how its happening.

Suggestions?


Ask them if others get a similar result after contacting them.


OK.

--
Tim Lamb



  #18   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 25,191
Default Hacked mail

On 23/12/2019 08:54, Tim Lamb wrote:
In message , John
Rumm writes
On 22/12/2019 18:59, Tim Lamb wrote:
In message , John
Rumm writes
On 22/12/2019 11:23, Tim Lamb wrote:
Coincidence or....?
A few times recently I have had junk mails purportedly from my
daughters shortly after contacting them.
I post to a number of other folk without this happening. Is it my
end (limited anti-virus protection) or their end ( i-phone users)?
Suggestions?

First have at the full message headers of spoofed email. That will
tell you if it actually came from her mail system or an unrelated
one. Look for a SPF record in the header as well, and see what
status is attached to it (e.g. "Pass" or "Soft fail").
I have yet to find my way around T bird headers. This might be the
incentive. They display marked as probable junk but I would check
anyway because of the lack of content.


In thunderbird, just hit CTRL + U to display the full message source.


Right! 4 pages of gobbledegook:-)

Sent from jumbo.zone but otherwise nothing I understand. It obviously
passed all the authentication checks.


Paste 'em here or email them to me, and I can probably get you a bit more
info - like where it came from, whether it's using a compromised account
or just spoofing etc.

(we only need the headers - you can snip the actual body, and redact any
real mail addresses etc)


--
Cheers,

John.

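
The header check suggested in this thread (read the SPF status, compare the real From address, and decide whether the mail came through the contact's own account or is just spoofed), as an added example that is not part of any post here. The function names and verdict labels are assumptions, the domain-alignment test is a simplification of DMARC alignment, and all sample headers are constructed with made-up names, domains and addresses.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples (reserved example domains, documentation IP ranges).
KNOWN = {"daughter@mailprovider.example"}   # addresses the contact really uses

SPOOFED = """\
Received: from mx.bulk-relay.example (198.51.100.7) by
 inbound.myprovider.example with SMTP; Mon, 9 Dec 2019 03:24:05 +0000
Authentication-Results: spf=none (sender IP is 198.51.100.7)
 smtp.mailfrom=bulk-relay.example; dkim=none (message not signed)
 header.d=none; dmarc=none action=none header.from=bulk-relay.example
From: "Daughter Name" <info@bulk-relay.example>
To: "Pa" <pa@myprovider.example>
Subject: Hello Pa
"""

COMPROMISED = """\
Authentication-Results: spf=pass (sender IP is 203.0.113.20)
 smtp.mailfrom=mailprovider.example; dkim=pass header.d=mailprovider.example;
 dmarc=pass action=none header.from=mailprovider.example
From: "Daughter Name" <daughter@mailprovider.example>
To: "Pa" <pa@myprovider.example>
Subject: Hello Pa
"""

FORGED = """\
Authentication-Results: spf=softfail (sender IP is 198.51.100.7)
 smtp.mailfrom=mailprovider.example; dkim=none (message not signed)
 header.d=none; dmarc=fail action=none header.from=mailprovider.example
From: "Daughter Name" <daughter@mailprovider.example>
To: "Pa" <pa@myprovider.example>
Subject: Hello Pa
"""

_FIELDS = r"\b(spf|dkim|dmarc|smtp\.mailfrom|header\.from|header\.d)=([^\s;]+)"


def parse_auth_results(value):
    """Extract method results and identities from one Authentication-Results value."""
    value = re.sub(r"\([^)]*\)", " ", value)        # drop parenthesised comments
    found = {}
    for key, val in re.findall(_FIELDS, value, flags=re.I):
        found.setdefault(key.lower(), val.lower())  # keep the first occurrence
    return found


def aligned(identity, from_domain):
    """Simplified alignment: same domain, or one is a subdomain of the other."""
    a, b = identity.rpartition("@")[2], from_domain
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def triage(raw_headers, known_addresses):
    msg = message_from_string(raw_headers)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    # Headers are prepended in transit, so the topmost Authentication-Results
    # is the newest; trust it only if your own provider added it.
    auth = parse_auth_results((msg.get_all("Authentication-Results") or [""])[0])
    spf_ok = auth.get("spf") == "pass" and aligned(auth.get("smtp.mailfrom", ""), domain)
    dkim_ok = auth.get("dkim") == "pass" and aligned(auth.get("header.d", ""), domain)
    authenticated = auth.get("dmarc") == "pass" or spf_ok or dkim_ok
    if addr not in known_addresses:
        verdict = "display-name-spoof"            # familiar name, stranger's address
    elif authenticated:
        verdict = "possible-compromised-account"  # really sent via the contact's provider
    else:
        verdict = "forged-address"                # right address, failed authentication
    return {"display": display, "address": addr, "auth": auth, "verdict": verdict}


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("compromised", COMPROMISED), ("forged", FORGED)):
        r = triage(raw, KNOWN)
        print(f"{label:12} {r['address']:32} spf={r['auth'].get('spf')} -> {r['verdict']}")
```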
  #19   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 6,938
Default Hacked mail

In message , "Brian Gaff (Sofa 2)"
writes
Yes this is a historic problem. Nearly everyone who used Yahoo mail in the
online way, rather than using a client and has done it for some years seems
to have been hacked partially, ie they know who certain email addresses were
associated with from the address books hacked.
I regularly see their names but filter them via incorrect email addresses
in the line with the right name.
Normally they are of the type. I'm sorry to contact you but I've had my
card stolen and am in (insert place name here) and wondered if you could
give me some money,
Or it might be, Hey found this great site, then they put a graphic of the
innocent looking site obscuring the address of the one with the malware on
it. The latter never works for me as the graphic is not 'read' for obvious
reasons.


Other than exercise caution, there doesn't seem much can be done.

--
Tim Lamb
  #20   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 6,938
Default Hacked mail

In message , John
Rumm writes
On 23/12/2019 08:54, Tim Lamb wrote:
In message , John
Rumm writes
On 22/12/2019 18:59, Tim Lamb wrote:
In message ,
John Rumm writes
On 22/12/2019 11:23, Tim Lamb wrote:
Coincidence or....?
A few times recently I have had junk mails purportedly from my
daughters shortly after contacting them.
I post to a number of other folk without this happening. Is it
my end (limited anti-virus protection) or their end ( i-phone users)?
Suggestions?

First have at the full message headers of spoofed email. That will
tell you if it actually came from her mail system or an unrelated
one. Look for a SPF record in the header as well, and see what
status is attached to it (e.g. "Pass" or "Soft fail").
I have yet to find my way around T bird headers. This might be the
incentive. They display marked as probable junk but I would check
anyway because of the lack of content.

In thunderbird, just hit CTRL + U to display the full message source.

Right! 4 pages of gobbledegook:-)
Sent from jumbo.zone but otherwise nothing I understand. It
obviously passed all the authentication checks.


Paste 'em here or email them to me, and I can probably get you a bit more
info - like where it came from, whether it's using a compromised account
or just spoofing etc.

(we only need the headers - you can snip the actual body, and redact
any real mail addresses etc)


OK John. I'll have a go this evening.

Somebody wants the woodwork bench they lent me 15 years ago returned!

--
Tim Lamb


  #21   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 40,893
Default Hacked mail

Brian Gaff (Sofa 2) wrote

Yes this is a historic problem. Nearly everyone who used Yahoo mail in the
online way, rather than using a client and has done it for some years
seems to have been hacked partially,


That would certainly explain why I have never seen
it even tho yahoo has always been my main email
address that I have used for decades now. I don't
use the online system at all and have no address
book there.

ie they know who certain email addresses were
associated with from the address books hacked.


I regularly see their names but filter them via incorrect email addresses
in the line with the right name.


Normally they are of the type. I'm sorry to contact you but I've had my
card stolen and am in (insert place name here) and wondered if you could
give me some money,


Or it might be, Hey found this great site, then they put a graphic of the
innocent looking site obscuring the address of the one with the malware on
it.


Never got any of either type.

The latter never works for me as the graphic is not 'read' for obvious
reasons.



"Tim Lamb" wrote in message
news
In message , "Brian Gaff (Sofa)"
writes
Are you or they on Yahoo or have any of you ever been
?
Its not much to do with Iphones as far as I can tell. They are probably
one
of the most secure portable devices there are.
Look at the actual email addresses used though, as often you will find
them
different.
Not a new problem.


They are both on Yahoo as is my wife. I have an disused Yahoo mail
address.

The lack of sensible message and incorrect send addresses are pretty
obvious on Thunderbird but might fool a phone user.

The usual content is a URL.

--
Tim Lamb



  #22   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 40,893
Default Hacked mail

Brian Gaff (Sofa 2) wrote

Well it does if you use offline clients on pop3,


It does what ?

also Many I-phones can be easily set up to see the email address it came
from which is seldom yahoo.


I never really go to sites from emails, unless I've checked the send
address first these days,


I just check the url that it wants to go to.

though the malware infected sites are fewer


And my email client and anti virus software
finds those and reports a few of them.

and as has been said, the phishing aspect has increased, I guess because
there are so many gullible people about


I don't get caught by those.

One trick of course is to view email in plain text, this reveals the real
web addresses in the email,


I can see that when hovering over the link.

but means links do not work and for many badly configured email
newsletters the content appears either blank or just with the footer
on it as the dweeb who sent it did not send anything but the html.


Don't read any newsletters like that. I do read
a few professionally produced ones.

"Rod Speed" wrote in message
...
Brian Gaff (Sofa) wrote

Are you or they on Yahoo or have any of you ever been ?


I am and don't have a problem with junk mail.

Its not much to do with Iphones as far as I can tell. They are probably
one of the most secure portable devices there are.


Yes, but it is still possible to allow an app access to your contacts.

Look at the actual email addresses used though, as often you will find
them different.


But that doesn't help with stopping it happening in future.

Not a new problem.


"Tim Lamb" wrote in message
...
Coincidence or....?

A few times recently I have had junk mails purportedly from my
daughters shortly after contacting them.

I post to a number of other folk without this happening. Is it my end
(limited anti-virus protection) or their end ( i-phone users)?

Suggestions?
--
Tim Lamb
  #25   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 6,938
Default Hacked mail

In message , Tim Lamb
writes
In message HZudnSRANIrfP53DnZ2dnUU78RmdnZ2d@brightview.co.uk, John Rumm writes
In thunderbird, just hit CTRL + U to display the full message source.
Right! 4 pages of gobbledegook:-)
Sent from jumbo.zone but otherwise nothing I understand. It
obviously passed all the authentication checks.


Paste 'em here or email them to me, and I can probably get you a
bit more info - like where it came from, whether it's using a
compromised account or just spoofing etc.

(we only need the headers - you can snip the actual body, and
redact any real mail addresses etc)


OK John. I'll have a go this evening.

Somebody wants the woodwork bench they lent me 15 years ago returned!


Try this:-

From - Mon Dec 9 08:05:17 2019
X-Account-Key: account4
X-UIDL: 21366
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Received: from LO2P265MB1421.GBRP265.PROD.OUTLOOK.COM (2603:10a6:401:5a::14)
    by CWLP265MB0962.GBRP265.PROD.OUTLOOK.COM with HTTPS via
    CWLP265CA0338.GBRP265.PROD.OUTLOOK.COM; Mon, 9 Dec 2019 03:24:06 +0000
Received: from LO2P265CA0401.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:f::29)
    by LO2P265MB1421.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:94::16)
    with Microsoft SMTP Server (version=TLS1_2,
    cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2516.14;
    Mon, 9 Dec 2019 03:24:06 +0000
Received: from AM5EUR02FT010.eop-EUR02.prod.protection.outlook.com
    (2a01:111:f400:7e1e::202) by LO2P265CA0401.outlook.office365.com
    (2603:10a6:600:f::29) with Microsoft SMTP Server (version=TLS1_2,
    cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2516.14
    via Frontend Transport; Mon, 9 Dec 2019 03:24:06 +0000
Authentication-Results: spf=none (sender IP is 118.97.118.130)
    smtp.mailfrom=onigiri.co.id; marfordfarm.demon.co.uk; dkim=none
    (message not signed) header.d=none;marfordfarm.demon.co.uk; dmarc=none
    action=none header.from=onigiri.co.id;compauth=fail reason=001
Received-SPF: None (protection.outlook.com: onigiri.co.id does not designate
    permitted sender hosts)
Received: from mx5-siagan-mbaru-g12-itu.indomaguro.co.id (118.97.118.130)
    by AM5EUR02FT010.mail.protection.outlook.com (10.152.8.144)
    with Microsoft SMTP Server (version=TLS1_2,
    cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2495.18
    via Frontend Transport; Mon, 9 Dec 2019 03:24:05 +0000
Received: from localhost (localhost [127.0.0.1])
    by mx5-siagan-mbaru-g12-itu.indomaguro.co.id (Postfix) with
    ESMTP id 7BC5A12256D
    for ; Mon, 9 Dec 2019 10:19:11 +0700 (WIB)
Received: from mx5-siagan-mbaru-g12-itu.indomaguro.co.id ([127.0.0.1])
    by localhost (mx5-siagan-mbaru-g12-itu.indomaguro.co.id
    [127.0.0.1]) (amavisd-new, port 10032)
    with ESMTP id Wns20PcwSrH6 for ;
    Mon, 9 Dec 2019 10:19:11 +0700 (WIB)
Received: from localhost (localhost [127.0.0.1])
    by mx5-siagan-mbaru-g12-itu.indomaguro.co.id (Postfix) with
    ESMTP id 1C03012256B
    for ; Mon, 9 Dec 2019 10:19:11 +0700 (WIB)
X-Virus-Scanned: amavisd-new at mx5-siagan-mbaru-g12-itu.indomaguro.co.id
Received: from mx5-siagan-mbaru-g12-itu.indomaguro.co.id ([127.0.0.1])
    by localhost (mx5-siagan-mbaru-g12-itu.indomaguro.co.id
    [127.0.0.1]) (amavisd-new, port 10026)
    with ESMTP id EwNacX-0Qg_V for ;
    Mon, 9 Dec 2019 10:19:11 +0700 (WIB)
Received: from sp.onigiri.co.id (unknown [191.55.76.13])
    by mx5-siagan-mbaru-g12-itu.indomaguro.co.id (Postfix) with
    ESMTPA id ED7FB122570
    for ; Mon, 9 Dec 2019 10:19:09 +0700 (WIB)
From: "Hannah Lamb"
To: "Pa"
Reply-To: "Hannah Lamb"
Subject: Hello Pa
Thread-Index: Ky1lejU1cXY1d20uOWU3Ki51eTZmMQ==
Date: Mon, 9 Dec 2019 06:23:31 +0300
Message-Id:
    10U6HCH5TFTN4ZZXP7FT5DUSS0RP83PZ0M4N0T2N@HU0US2NY2HF3HH7.namprd14.prod.outlook.com
Content-Language: en-US
Content-Type: multipart/alternative;
    boundary="_000_10U6HCH5TFTN4ZZXP7FT5DUSS0RP83PZ0M4N0T2NHU0US2NY2HF3HH7_"
Return-Path:
X-MS-Exchange-Organization-ExpirationStartTime: 09 Dec 2019 03:24:05.5006 (UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id:
    08def035-c0b7-433d-ddc6-08d77c573ede
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: b58b9882-6915-43fd-93c2-085d389cfee5:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-Forefront-Antispam-Report:
    CIP:118.97.118.130;IPV:NLI;CTRY:ID;EFV:NLI;SFV:SPM;SFS10001);DIR:INB;SFP:;
    SCL:5;SRVR:LO2P265MB1421;H:mx5-siagan-mbaru-g12-itu.indomaguro.co.id;
    FPR:;SPF:None;LANG:en;CAT:SPOOF;
X-MS-Exchange-Organization-AuthSource:
    AM5EUR02FT010.eop-EUR02.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id:
08def035-c0b7-433d-ddc6-08d77c573ede
X-MS-TrafficTypeDiagnostic: LO2P265MB1421:
X-MS-Oob-TLC-OOBClassifiers: OLM:1728;
X-MS-Exchange-Organization-SCL: 6
X-Microsoft-Antispam: BCL:0;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 09 Dec 2019 03:24:05.1073
(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id:
08def035-c0b7-433d-ddc6-08d77c573ede
X-MS-Exchange-CrossTenant-Id: b58b9882-6915-43fd-93c2-085d389cfee5
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: LO2P265MB1421
X-MS-Exchange-Transport-EndToEndLatency: 00:00:01.5773365
X-MS-Exchange-Processed-By-BccFoldering: 15.20.2516.000
X-Microsoft-Antispam-Mailbox-Delivery:
ucf:0;jmr:0;ex:0;auth:0;dest:I;ENG20160513016)(7 50127)(52000205
0)(701014)(944506383)(944626516)


--
Tim Lamb


  #26   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 7,829
Default Hacked mail

Tim Lamb wrote:

Try this:-


the spammer is making no attempt to claim their address is anything
other than an Indonesian one



the only yahoo address there is in the message is



however they've set the descriptive part of the send to

"Hannah ****"

which presumably matches your daughter, and obviously they know your
demon address is one she has corresponded with previously, so they know
who to spam

She (like almost every yahoo email user I know) clearly had her
account hacked and details hoovered from it at some time in the past.

clearly the emails you've received so far have been easy to spot, not
much you can do but keep a suspicious eye on them, or encourage her to
change email provider.

  #27   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 3,625
Default Hacked mail

On 23/12/2019 11:38, Tim Lamb wrote:
In message , John
Rumm writes
On 23/12/2019 08:54, Tim Lamb wrote:
In message , John
Rumm writes
On 22/12/2019 18:59, Tim Lamb wrote:
In message ,
John Rumm writes
On 22/12/2019 11:23, Tim Lamb wrote:
Coincidence or....?
A few times recently I have had junk mails purportedly from my
daughters shortly after contacting them.
I post to a number of other folk without this happening. Is it
my end (limited anti-virus protection) or their end ( i-phone
users)?
Suggestions?

First have a look at the full message headers of spoofed email. That will
tell you if it actually came from her mail system or an unrelated
one. Look for a SPF record in the header as well, and see what
status is attached to it (e.g. "Pass" or "Soft fail").
I have yet to find my way around T bird headers. This might be the
incentive. They display marked as probable junk but I would check
anyway because of the lack of content.

In thunderbird, just hit CTRL + U to display the full message source.
Right! 4 pages of gobbledegook:-)
Sent from jumbo.zone but otherwise nothing I understand. It
obviously passed all the authentication checks.


Paste 'em here or email them to me, and I can probably get you a bit
more info - like where it came from, whether it's using a compromised
account or just spoofing etc.

(we only need the headers - you can snip the actual body, and redact
any real mail addresses etc)


OK John. I'll have a go this evening.

Somebody wants the woodwork bench they lent me 15 years ago returned!


Some folk are just too impatient.

  #28   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 6,938
Default Hacked mail

In message , Andy Burns
writes
Tim Lamb wrote:

Try this:-


the spammer is making no attempt to claim their address is anything
other than an Indonesian one



the only yahoo address there is in the message is



however they've set the descriptive part of the send to

"Hannah ****"

which presumably matches your daughter, and obviously they know your
demon address is one she has corresponded with previously, so they know
who to spam

She (like almost every yahoo email user I know) clearly had her
account hacked and details hoovered from it at some time in the past.

clearly the emails you've received so far have been easy to spot, not
much you can do but keep a suspicious eye on them, or encourage her to
change email provider.


Would simply changing her Yahoo address help?

OK So far.

Does anyone know if the link was dangerous?

The initial giveaway was the extra v in her mail address but T'bird had
flagged it as *junk* anyway.


--
Tim Lamb
  #29   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 6,938
Default Hacked mail

In message , Richard
writes
On 23/12/2019 11:38, Tim Lamb wrote:
Somebody wants the woodwork bench they lent me 15 years ago
returned!


Some folk are just too impatient.


Quite! The full story is that his daughter is now at home with children
and wants to take up picture framing.

Apart from a brush down, all I have actually done so far is to set about
repairing the one it replaced.


--
Tim Lamb
  #30   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 6,938
Default Hacked mail

In message , Tim Streater
writes
In article , Tim Lamb
wrote:

In message , Tim Lamb
writes
In message HZudnSRANIrfP53DnZ2dnUU78RmdnZ2d@brightvi
ew.co.uk, John Rumm writes
In thunderbird, just hit CTRL + U to display the full message source.
Right! 4 pages of gobbledegook:-)
Sent from jumbo.zone but otherwise nothing I understand. It
obviously passed all the authentication checks.

Paste 'em here or email them to me, and I can probably get you a
bit more info - like where it came from, whether it's using a
compromised account or just spoofing etc.

(we only need the headers - you can snip the actual body, and
redact any real mail addresses etc)

OK John. I'll have a go this evening.

Somebody wants the woodwork bench they lent me 15 years ago returned!


Try this:-

From - Mon Dec 9 08:05:17 2019


...

From: "Hannah Lamb"


She's in Indonesia. There's a number of server addresses between her
and your Outlook stuff, with some having onigiri addresses. I looked at
www.onigiri.co.id which seems legit, at first glance.


Hmm.. could it just be innocuous spam?


--
Tim Lamb


  #31   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 25,191
Default Hacked mail

On 23/12/2019 20:47, Tim Lamb wrote:

In message , Tim Lamb
writes
In message HZudnSRANIrfP53DnZ2dnUU78RmdnZ2d@brightvi
ew.co.uk, John Rumm writes
In thunderbird, just hit CTRL + U to display the full message source.
Right! 4 pages of gobbledegook:-)
Sent from jumbo.zone but otherwise nothing I understand. It
obviously passed all the authentication checks.

Paste 'em here or email them to me, and I can probably get you a
bit more info - like where it came from, whether it's using a
compromised account or just spoofing etc.

(we only need the headers - you can snip the actual body, and
redact any real mail addresses etc)


OK John. I'll have a go this evening.

Somebody wants the woodwork bench they lent me 15 years ago returned!


Try this:-

From - Mon Dec 9 08:05:17 2019


Ta, [snip]

ok, that is just a straight spoof - and not a very good attempt either -
it makes no attempt to hide its actual origin and even the from address
is not disguised in any way. (which ironically improves its chances of
successful delivery)

It definitely did not originate from Hannah's yahoo account. So all the
spammer would need to send that message are the email addresses "to" and
"from".

Having said that, if you visit

https://haveibeenpwned.com/

and enter Hannah's real email address, then (assuming I have un-munged
it correctly), it appears in 12 databases of compromised addresses (i.e.
the email address and other details have been breached from compromised
web sites in the past). So if any of these hacked sites revealed
password details (almost certainly), and the same details were used for
things like her Yahoo account, then you will need to assume that is also
compromised, and the email addresses contained therein also made public,
along with any other sensitive content in the emails)

(Moral of that story, never re-use passwords between sites, no matter
how insignificant you feel them to be).


BTW, if you want something to help analyse headers for you, MS have a tool here:

https://mha.azurewebsites.net/

Regarding potentially dangerous links in messages, go to:

https://www.virustotal.com/gui/home/url

and paste them into the URL scanner. It will firstly unravel any URL
minimisations and find the actual target address, it will then scan what
it finds there and give a report without you needing to access the site
yourself.


--
Cheers,

John.

/=================================================================\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\=================================================================/
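
The header checks discussed in this thread (the Authentication-Results verdicts and a display name that does not match the sender's real domain), as an added Python example that is not part of any post. The sample headers are constructed from the ones posted above; the address local parts, `recipient.example`, `yahoo.example` and the `KNOWN_CONTACTS` table are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, modelled on the headers posted in this thread.
# Local parts and the recipient domain are placeholders.
SAMPLE = '''\
Authentication-Results: spf=none (sender IP is 118.97.118.130)
 smtp.mailfrom=onigiri.co.id; dkim=none (message not signed)
 header.d=none; dmarc=none action=none
 header.from=onigiri.co.id;compauth=fail reason=001
From: "Hannah Lamb" <placeholder@onigiri.co.id>
To: "Pa" <pa@recipient.example>
Subject: Hello Pa

'''

# Assumption: display names the recipient knows, mapped to the domain
# each correspondent really writes from.
KNOWN_CONTACTS = {"hannah lamb": "yahoo.example"}


def auth_verdicts(msg):
    """Return e.g. {'spf': 'none', 'dkim': 'none'} from Authentication-Results."""
    value = " ".join(msg.get_all("Authentication-Results", []))
    value = re.sub(r"\([^)]*\)", " ", value)  # drop parenthesised comments
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc|compauth)=(\w+)", value)}


def triage(raw, contacts=KNOWN_CONTACTS):
    """Return a list of human-readable findings for one message's headers."""
    msg = message_from_string(raw)
    findings = []
    verdicts = auth_verdicts(msg)
    for method in ("spf", "dkim", "dmarc"):
        result = verdicts.get(method, "missing")
        if result != "pass":
            findings.append(f"{method}={result}: sender domain not authenticated")
    if verdicts.get("compauth") == "fail":
        findings.append("compauth=fail: receiver's composite check failed")
    # Display-name check: a familiar name on an unfamiliar domain.
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    expected = contacts.get(name.strip().lower())
    if expected and domain != expected:
        findings.append(f"display name '{name}' normally uses {expected}, "
                        f"but this message is from {domain}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE):
        print(line)
```
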
  #32   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 25,191
Default Hacked mail

On 24/12/2019 10:19, Tim Lamb wrote:
In message , Richard
writes
On 23/12/2019 11:38, Tim Lamb wrote:
Somebody wants the woodwork bench they lent me 15 years ago returned!


Some folk are just too impatient.


Quite! The full story is that his daughter is now at home with children
and wants to take up picture framing.

Apart from a brush down, all I have actually done so far is to set about
repairing the one it replaced.


If only you had a working workbench huh :-)


--
Cheers,

John.

/=================================================================\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\=================================================================/
  #33   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 13,431
Default Hacked mail

On Tue, 24 Dec 2019 14:14:32 +0000, John Rumm
wrote:

snip


(Moral of that story, never re-use passwords between sites, no matter
how insignificant you feel them to be).

Whilst I generally don't, I was wondering if you could recommend a
free (ideally) password manager that would sync between Android and
Windows?

I don't necessarily need many other features (like autofill or
password generator) just that it's good at what it needs to do?

Cheers, T i m
  #34   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 25,191
Default Hacked mail

On 24/12/2019 18:33, T i m wrote:
On Tue, 24 Dec 2019 14:14:32 +0000, John Rumm
wrote:

snip


(Moral of that story, never re-use passwords between sites, no matter
how insignificant you feel them to be).

Whilst I generally don't, I was wondering if you could recommend a
free (ideally) password manager that would sync between Android and
Windows?


Firefox will do that now...

I don't necessarily need many other features (like autofill or
password generator) just that it's good at what it needs to do?


Some folks quite like commercial solutions like Dashlane.


--
Cheers,

John.

/=================================================================\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\=================================================================/
  #35   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 6,938
Default Hacked mail

In message , John
Rumm writes
On 23/12/2019 20:47, Tim Lamb wrote:

In message , Tim Lamb
writes
In message HZudnSRANIrfP53DnZ2dnUU78RmdnZ2d@brightvi
ew.co.uk, John Rumm writes
In thunderbird, just hit CTRL + U to display the full message source.
Right! 4 pages of gobbledegook:-)
Sent from jumbo.zone but otherwise nothing I understand. It
obviously passed all the authentication checks.

Paste 'em here or email them to me, and I can probably get you a
bit more info - like where it came from, whether it's using a
compromised account or just spoofing etc.

(we only need the headers - you can snip the actual body, and
redact any real mail addresses etc)

OK John. I'll have a go this evening.

Somebody wants the woodwork bench they lent me 15 years ago returned!

Try this:-
From - Mon Dec 9 08:05:17 2019


Ta, [snip]

ok, that is just a straight spoof - and not a very good attempt either
- it makes no attempt to hide its actual origin and even the from
address is not disguised in any way. (which ironically improves its
chances of successful delivery)

It definitely did not originate from Hannah's yahoo account. So all the
spammer would need to send that message are the email addresses "to"
and "from".

Having said that, if you visit

https://haveibeenpwned.com/

and enter Hannah's real email address, then (assuming I have un-munged
it correctly), it appears in 12 databases of compromised addresses
(i.e. the email address and other details have been breached from
compromised web sites in the past). So if any of these hacked sites
revealed password details (almost certainly), and the same details were
used for things like her Yahoo account, then you will need to assume
that is also compromised, and the email addresses contained therein
also made public, along with any other sensitive content in the emails)

(Moral of that story, never re-use passwords between sites, no matter
how insignificant you feel them to be).


BTW, if you want something to help analyse headers for you, MS have a tool here:

https://mha.azurewebsites.net/

Regarding potentially dangerous links in messages, go to:

https://www.virustotal.com/gui/home/url

and paste them into the URL scanner. It will firstly unravel any URL
minimisations and find the actual target address, it will then scan
what it finds there and give a report without you needing to access the
site yourself.


Thanks for this John.

She will be here over Christmas and can experiment.

--
Tim Lamb


  #36   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 6,938
Default Hacked mail

In message , John
Rumm writes
On 24/12/2019 10:19, Tim Lamb wrote:
In message , Richard
writes
On 23/12/2019 11:38, Tim Lamb wrote:
Somebody wants the woodwork bench they lent me 15 years ago returned!

Some folk are just too impatient.

Quite! The full story is that his daughter is now at home with
children and wants to take up picture framing.
Apart from a brush down, all I have actually done so far is to set
about repairing the one it replaced.


If only you had a working workbench huh :-)


Ha. Up and running. I had to chop out and relay a section next to the
vice. Hollowed by chopping sticks.

I suspect my grandfather acquired this one when he retired as a village
school head. It is about 3" short of the other ( 32.5") and now stands
on 3" feet.

--
Tim Lamb
  #37   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 13,431
Default Hacked mail

On Tue, 24 Dec 2019 19:20:28 +0000, John Rumm
wrote:

On 24/12/2019 18:33, T i m wrote:
On Tue, 24 Dec 2019 14:14:32 +0000, John Rumm
wrote:

snip


(Moral of that story, never re-use passwords between sites, no matter
how insignificant you feel them to be).

Whilst I generally don't, I was wondering if you could recommend a
free (ideally) password manager that would sync between Android and
Windows?


Firefox will do that now...


snip

Thanks, that seems to work. ;-)

Cheers, T i m
