Category: Email

Block real-name email spoofing
article #1572, updated 345 days ago

We see it fairly often. An email arrives “From” a real name, but the actual email address is wrong: a spammer’s or scammer’s Gmail account, or worse. Once we saw this with a very slightly misspelled domain — let’s say “pondervorthy” instead of “ponderworthy”. I just learned of a way to handle it, usable when one has email filtration that can express the rule, and when one further condition holds:

Let’s say we’re protecting me. I know all of my email addresses, at work and at home. If I set my email filtration system to treat as spam everything From “Jonathan E. Brickman” or “Jonathan Brickman” which does not come from one of my own email addresses, that will take good care of it. The biggest risk is another person named Jonathan Brickman trying to email me. Reportedly, one should actually write the rule like this, scanning email headers:

FROM: Jonathan Brickman, FROM: "Jonathan Brickman

This is because some bad actors add spaces after the name text, so the closing quote is deliberately left out of the filter rule. It is really two different FROM header lookups, OR’d together, in this system.

Now there are a number of Jonathan Brickmans in the world, but I haven’t met one yet (if you are one, please do email me at jeb@ponderworthy.com; that way we both will have done so at least once). I’m not sure there are many Jonathan Edward Brickmans, but if I found that there were, I’d put a nickname in parentheses and set the filtration rule for it:

FROM: Jonathan Brickman (JEB), FROM: "Jonathan Brickman (JEB)

and that should do the job nicely, giving me a unique “From” real name for filtration purposes.

There may be other “gotchas”; I will test this over time. It cannot do a comprehensive block, but it can clearly help.

In Microsoft Outlook rules, some of the above logic seems to be missing: one cannot filter on text or email addresses that are not in the header, i.e., the “does not come from one of my addresses” half of the rule. I will be checking Exchange Online shortly. One third-party service is confirmed as working well for this.
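The rule above, as an added example that is not from the original article: a check over From: header values that flags my display name on an address that is not mine, while tolerating the padding-space trick the article mentions. The protected names are the article’s; the second address in MY_ADDRESSES, the sample headers and their domains are constructed.

```python
# Added example, not from the original article: the check the article
# describes ("my real name in From, but the address is not one of mine"),
# applied to From: header values. The protected names are the article's;
# the second address, the sample headers and their domains are constructed.
from email.header import decode_header
from email.utils import parseaddr

PROTECTED_NAMES = {"jonathan brickman", "jonathan e. brickman"}
MY_ADDRESSES = {"jeb@ponderworthy.com", "jeb@home.example"}  # second one constructed

def normalize_name(name):
    """Undo what defeats an exact-match rule: RFC 2047 encoded words, stray
    quotes, padding spaces after the name (the reason the article's rule
    omits the closing quote), repeated spaces, and letter case."""
    pieces = []
    for text, charset in decode_header(name):
        if isinstance(text, bytes):
            try:
                text = text.decode(charset or "ascii", "replace")
            except LookupError:  # unknown charset label
                text = text.decode("ascii", "replace")
        pieces.append(text)
    return " ".join("".join(pieces).replace('"', "").split()).lower()

def is_spoofed_from(from_value):
    """True when the display name is one of mine but the address is not.
    A bare address with no display name is never flagged."""
    name, addr = parseaddr(from_value)
    if not name or not addr:
        return False
    return normalize_name(name) in PROTECTED_NAMES and addr.lower() not in MY_ADDRESSES

def flag_spoofed(from_values):
    """The From: values the rule would send to the spam folder."""
    return [v for v in from_values if is_spoofed_from(v)]

# Constructed samples: a padded name at a free-mail style domain, a look-alike
# domain as in the article, an encoded-word name, my real address, a stranger.
SAMPLE_FROM_VALUES = [
    '"Jonathan Brickman " <jonathan.brickman@freemail.example>',
    '"Jonathan E. Brickman" <jeb@pondervorthy.com>',
    '=?utf-8?q?Jonathan_Brickman?= <accounts@invoice.example>',
    'Jonathan Brickman <jeb@ponderworthy.com>',
    'Alice Example <alice@example.net>',
]

if __name__ == "__main__":
    for value in flag_spoofed(SAMPLE_FROM_VALUES):
        print("would filter as spam:", value)
```

A second person who legitimately shares the name would still be flagged, which is the residual risk the article notes; the nickname variant “Jonathan Brickman (JEB)” can be added to PROTECTED_NAMES in the same way.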

==============

SMTP conversation
article #133, updated 510 days ago

A sample SMTP conversation. You’ll need PuTTY (telnet mode!) on Windows, Cygwin with ‘inetutils’ installed (for telnet), or the telnet client for your Linux. The idea is that you play the role of a machine trying to send email through a mail server you select. You can learn causes of failure this way that you cannot learn any other way, or at least not easily.

  • Blue is transmit; red is receive. (The colors are from the original listing; in the plain text below, the lines you type are the commands, and the lines beginning with a three-digit code are the server’s replies.)
  • We start with a telnet on port 25. The first step is a Linux command line as written, directly translatable to Cygwin’s telnet, and doable through the GUI in PuTTY.
  • The messages received will vary somewhat, but the initial numbers (the reply codes) won’t.
  • The greater-than and less-than signs (< >) are required.
  • Replace mail.domain.com with the FQDN or IP of the mail server. This is essential to reach the correct SMTP server.
  • Replace test.domain.com with the Internet FQDN of the machine you are on, if it has one; otherwise use test plus the final domain name of the mail server you are trying to reach. This is how you identify yourself, as legitimately as available, to that mail server.
  • Most SMTP servers, especially ESMTP servers, respond well to EHLO these days. A few still need the original, HELO.
  • If it says OK at each step, the mail server has accepted what you have sent. Otherwise it will give a short error, generally with a standard SMTP error code which you can look up.
  • Choose the sender and the recipient carefully, according to the kind of test you need. For instance, if you are testing a simple mailbox, the FROM can be your own email address and the TO can be a mailbox to which you have access, behind that mail server. Distribution lists and scan-to-email may call for variations.

telnet mail.domain.com 25

220 mail.domain.com ESMTP

EHLO test.domain.com

250 test.domain.com

MAIL FROM: <sender@domain.com>

250 2.1.0 Sender OK

RCPT TO: <recipient@domain.com>

250 2.1.5 Ok

DATA

354 Enter mail, end with “.” on a line by itself

testing
testing
testing
.

250 2.0.0 Ok: queued as xxxxxxx
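The same conversation as an added example, not from the original article: scripted so that each reply code is checked before the next command goes out, and so that multi-line EHLO replies (several “250-” lines before the final “250 ”) are read whole, which the manual listing glosses over. ScriptedServer, the host names, addresses and reply texts are constructed placeholders.

```python
# Added example, not from the original article: the telnet dialogue above,
# scripted so each reply code is checked before the next command goes out and
# so multi-line EHLO replies are read whole. ScriptedServer and all host names,
# addresses and reply texts are constructed placeholders.
import io

def read_reply(rfile):
    """One SMTP reply; '250-' lines continue it, '250 ' (space) ends it."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        lines.append(raw.decode("utf-8", "replace").rstrip("\r\n"))
        if len(lines[-1]) < 4 or lines[-1][3] != "-":
            return int(lines[-1][:3]), lines

def smtp_dialogue(sock, helo_name, mail_from, rcpt_to, body):
    """Run the listing's conversation and return (ok, transcript). Stops at the
    first unexpected code so the failing step and the server's wording stay visible."""
    rfile = sock.makefile("rb")
    steps = [(None, 220), (f"EHLO {helo_name}", 250), (f"MAIL FROM:<{mail_from}>", 250),
             (f"RCPT TO:<{rcpt_to}>", 250), ("DATA", 354),
             (body + "\r\n.", 250),  # a lone '.' line ends the message
             ("QUIT", 221)]
    transcript = []
    for command, expected in steps:  # command None: the greeting arrives unprompted
        if command is not None:
            sock.sendall((command + "\r\n").encode())
            transcript.append("C: " + ("<message body>" if command.endswith("\r\n.") else command))
        code, lines = read_reply(rfile)
        transcript.extend("S: " + line for line in lines)
        if code != expected:
            kind = "temporary" if 400 <= code < 500 else "permanent" if code >= 500 else "unexpected"
            transcript.append(f"!! {kind} failure, code {code}, at: {command or 'greeting'}")
            return False, transcript
    return True, transcript

class ScriptedServer:
    """Constructed stand-in for a mail server: replays canned replies offline."""
    def __init__(self, replies):
        self.rfile, self.sent = io.BytesIO("".join(replies).encode()), []
    def sendall(self, data): self.sent.append(data.decode())
    def makefile(self, mode): return self.rfile

ACCEPTING = ["220 mail.domain.com ESMTP\r\n", "250-mail.domain.com\r\n250 SIZE 10240000\r\n",
             "250 2.1.0 Sender OK\r\n", "250 2.1.5 Ok\r\n", "354 End data with '.'\r\n",
             "250 2.0.0 Ok: queued as xxxxxxx\r\n", "221 Bye\r\n"]
REJECTING = ACCEPTING[:3] + ["550 5.1.1 Recipient address rejected\r\n"]
```

Against a real server, pass the object returned by socket.create_connection((host, 25)) in place of ScriptedServer; the transcript then shows exactly which step the server refused and with which code.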

==============

Send passwords securely
article #1525, updated 574 days ago

Something new:

https://pwpush.com

==============

Betterbird: Vastly Improved Fork of Thunderbird
article #1520, updated 598 days ago

Try it: https://www.betterbird.eu/. The Thunderbird team has been ignoring huge quantities of bugs and usability issues for decades. Several years ago they kicked out a profoundly gifted developer, who has since been leading Betterbird, a careful “soft fork” of Thunderbird which keeps all helpful interoperability while fixing many, many bugs. Betterbird is lighter and faster, it does CardDAV address books natively with Gmail and other providers, it has a far better HTML email composer, and much, much more!

==============

Report Bad Actor Emails
article #1413, updated 1360 days ago

If (when) anyone gets a bad-actor email, i.e., a “phishing” scam attempting to misdirect funds and/or steal identities, those emails should be sent here:

reportphishing@apwg.com

and if it was sent from or arrived into a Microsoft mailbox, also here:

phish@office365.microsoft.com

==============

DMARC analyzer
article #1284, updated 2039 days ago

Here’s a good one:

https://www.dmarcanalyzer.com/dmarc/dmarc-record-check/

==============

A web tool to test DKIM
article #1141, updated 2492 days ago

Here is one:

http://www.appmaildev.com/en/dkim

==============

Test DMARC record for a domain
article #1086, updated 2620 days ago

A free tool:

https://www.dmarcanalyzer.com/dmarc/dmarc-record-check/

==============

SPF for Constant Contact
article #873, updated 2627 days ago

A while ago it came to light that the following needed to be added to the SPF records of email-enabled domains using Constant Contact:

include:ccsend.com include:constantcontact.com include:confirmedcc.com

Things have gotten a lot better. The following now covers all of the above:

ip4:208.75.120.0/22

==============

SPF and Email Flow Analysis Tools
article #998, updated 2801 days ago

A very good SPF checker:

https://vamsoft.com/support/tools/spf-policy-tester

Here is possibly the original SPF checker:

http://www.kitterman.com/spf/validate.html

To do a deep study of a bounceback, the best tool this writer has ever seen is here:

https://testconnectivity.microsoft.com/

in the Message Analyzer tab. Just paste every header you have in there and submit, then read. Lots and lots of excellent information comes up.
