06-11-2021 08:11 PM - edited 08-11-2021 10:08 AM
Normally my Tiscali email inbox does not receive spam, which is a great credit to TalkTalk's spam detection systems. Recently I have received a few unwanted items. I have extracted the Internet headers from the most recent, seemingly innocuous item.
I have blocked the sender in my email client Outlook 365, but maybe it could be blocked at the network level somehow. Mail server vmi650226.contaboserver.net seems to be the culprit.
Edit: Incomplete headers removed. Complete headers posted further down the thread.
on 09-11-2021 06:47 AM
on 08-11-2021 10:06 AM
I found that when I marked it as Junk last Saturday Outlook had kindly kept it in its Spam folder. So I have now forwarded it to both suggested Phishing reporting addresses. I just used normal mail forwarding. I don't know enough about email to know whether the original headers go with it that way or whether I should have forwarded it as an attachment. Anyway in case either of the Phishing analysis teams want more details I will let it fester in the Spam folder for a while. Hopefully here is the complete header information, but still with my email address substituted.
Received: from mail-pj1-f50.google.com ([184.108.40.206]) by mx.talktalk.net with SMTP id jRqamlj1SaLdMjRqbm5EPx; Sat, 06 Nov 2021 19:59:29 +0000
Received: from smtp-out-11.tiscali.co.uk (smtp-out-11.tiscali.co.uk [220.127.116.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.tt.xion.oxcs.net (Postfix) with ESMTPS id 4Hmp9t0BwXz6wFtS for <email@example.com>; Sat, 6 Nov 2021 19:59:30 +0000 (UTC)
Received: from [18.104.22.168] (vmi650226.contaboserver.net. [22.214.171.124]) by smtp.gmail.com with ESMTPSA id b22sm7826071pfv.36.2021.11.06.12.59.26 for <firstname.lastname@example.org> (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 06 Nov 2021 12:59:27 -0700 (PDT)
Received: by mail-pj1-f50.google.com with SMTP id o10-20020a17090a3d4a00b001a6555878a8so5737019pjf.1 for <email@example.com>; Sat, 06 Nov 2021 12:59:29 -0700 (PDT)
Received: from mx.tt.xion.oxcs.net ([10.15.2.4]) by imap-director-5.dovecot.tt.ham.xion.oxcs.net with LMTP id 0PIjBaLehmG7IQAApYRtmA (envelope-from <firstname.lastname@example.org>) for <email@example.com>; Sat, 06 Nov 2021 19:59:30 +0000
Received: from imap-director-5.dovecot.tt.ham.xion.oxcs.net ([10.15.5.5]) by imap-backend-27.dovecot.tt.ham.xion.oxcs.net with LMTP id yLtdBaLehmEmIgAAiXVn5w (envelope-from <firstname.lastname@example.org>) for <3@1733643>; Sat, 06 Nov 2021 19:59:30 +0000
From: <email@example.com>
To: <firstname.lastname@example.org>
Subject: Looking for a serious guy for a relationship
Date: Sat, 6 Nov 2021 19:59:27 -0000
Message-ID: <email@example.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_002F_01D7D349.40A70540"
X-Mailer: Microsoft Outlook 16.0
X-Delivered-To: firstname.lastname@example.org
X-CMAE-Envelope: MS4wfPRN8zINRq/7bCdBJkFIYU9OxOSBRciZNcqri8YhZb6HTDin0q45+eaB9Zl4tnc64FU4eEiJrYTArZseA59d5J7UsURQVeCdOBmsguFDh6Ga1hFF2yTl mte3trX2hfufNvZxzB18D+5F/8zEKimeqNE51sjaryXdL3l5RD7JMZ+4Z4PuuIDlaMEUW0f4sBIebEAWi7mqs0dG5qdXKpTbk78=
Thread-Index: AQGSHgbACKxd37ANDjr9GBaC198g+Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:from:subject:to; bh=vXhvQOcYYYb68vUWk+3MwhdSOMe5PGm1i8ZbQKRWXXc=; b=OFJeWApQvoE96mLKDD6dH5hilaXW9fv8H760zEfYw0rvBcsE3Q2UvQrNfAAZg5D8a8 C3H4qHSFWrTAF2Q4RColyTY976G7NGOgyhGwlmTbUc1ajs8u3vmeLxa1iYtdkJe5PN3m Te9lna96IRzNGnRbuPhHWx2wyEWy2L18szSIJD7yzpqrXPYdy/BJ+/4ruGR+5L89Av/l 8wpUSS9uOoTUNCRjTHJNVVn44npiO9W9ccQKfP8sixPDEozqfBKABYkKSbpjU9jIIPjX 7yFY1s4iNdV0ULkJdeT0K0xBH7jbsNS+F+zUDbo1eYY64iqcUo5XosgyhYdP83+oh7r8 U4Qg==
X-Gm-Message-State: AOAM530mnScsOfbl6BrlN9ydIniGtNdZy3kB9uuZJNQ9vKnZFAVVe1AB SNAmT/4wvRN4e2oppfSRLEEiuiLw/TxxuEnJ
X-Google-Smtp-Source: ABdhPJzn0WU7tF2T8CYzAVM6tI9WF8OHGpQHdiUog2N2mqrrCxp/vQqwG8UwNkLlJrC5PKl3WM4H4g==
X-Received: by 2002:a17:90a:7d11:: with SMTP id g17mr39752606pjl.19.1636228767807; Sat, 06 Nov 2021 12:59:27 -0700 (PDT)
X-Google-Original-From: OaklynHorn
on 07-11-2021 10:50 AM
Also worth reporting to the UK Government Suspicious Email Reporting Service (SERS). https://www.ncsc.gov.uk/information/report-suspicious-emails
I think SERS is better equipped to handle the fake primary school address situation.
on 07-11-2021 10:39 AM
If I have the misfortune to receive another one I will forward it to them.
on 07-11-2021 10:36 AM
on 07-11-2021 10:24 AM
Naturally I redacted my actual email address, blocked the sender in Outlook 365, and permanently deleted the email. This is about the third one which has made it through. I could unredact the headers as published here in the community and forward them to the TalkTalk phishing team. Would that help? Or have I accidentally missed a bit off the top when I cut & pasted from the email? Otherwise wait until another one comes through.
on 06-11-2021 11:06 PM
Unfortunately the mail header isn't complete so header analysis doesn't analyse the send and receive paths as it should.
Sent from a USA West Coast porn website hosted by Contabo apparently to Gmail and thence via a fake UK school account via Gmail to your tiscali email address. At least that's what it looks like from what you've posted.
The porn website has got your tiscali email address. But the normal advice to use TalkTalk Mail webmail to 'Mark as spam' might just block the Google servers sending to TalkTalk rather than block mail from the originating Contabo IP address.
Treat as you would a phishing email and forward to TalkTalk the unredacted header - just forward the email to email@example.com for the TalkTalk security team to take a look.
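The path analysis in the reply above (reading the Received chain from the bottom up to find the originating Contabo host, and noting that a mailbox-level "mark as spam" only ever sees the Google relay that handed the message to TalkTalk's MX) can be done mechanically, and the same script would read the complete headers posted further up the thread. The Python below is an added example written for this thread; it is not code from TalkTalk or from anyone posting here. Its header sample is constructed: it follows the standard newest-first layout a message actually carries, uses the hostnames named in the thread, RFC 5737 documentation IP addresses instead of the real ones, and placeholder mailbox names and SMTP ids.

```python
import re
from typing import Dict, List, Optional

# Constructed sample (not the thread's real headers): the three relay hops
# the reply above describes, laid out newest-first as a real message would
# carry them. Hostnames are those named in the thread; the IP addresses are
# RFC 5737 documentation addresses and the mailbox names are placeholders.
SAMPLE_HEADERS = """\
Received: from mail-pj1-f50.google.com ([203.0.113.50])
 by mx.talktalk.net with SMTP id jRqamlj1SaLdMjRqbm5EPx;
 Sat, 06 Nov 2021 19:59:29 +0000
Received: by mail-pj1-f50.google.com with SMTP id o10-placeholder
 for <victim@example.com>; Sat, 06 Nov 2021 12:59:29 -0700 (PDT)
Received: from [198.51.100.23] (vmi650226.contaboserver.net. [198.51.100.23])
 by smtp.gmail.com with ESMTPSA id b22sm-placeholder
 for <victim@example.com>; Sat, 06 Nov 2021 12:59:27 -0700 (PDT)
From: <sender@example.org>
To: <victim@example.com>
Subject: Looking for a serious guy for a relationship
"""

Hop = Dict[str, Optional[str]]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"\bfrom\s+(\S+)(?:\s+\(([^)]*)\))?")
BY_RE = re.compile(r"\bby\s+(\S+)")


def unfold_headers(raw: str) -> List[tuple]:
    """Split raw header text into (name, value) pairs, joining folded
    continuation lines (lines starting with whitespace, RFC 5322 2.2.3)."""
    fields: List[tuple] = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def parse_received(value: str) -> Hop:
    """Pull the 'from <claimed> (<rdns> [ip])' and 'by <relay>' parts out of
    one Received value. A hop with no 'from' (an internal handoff, like the
    'Received: by ...google.com' line) keeps claimed/rdns/ip as None."""
    hop: Hop = {"claimed": None, "rdns": None, "ip": None, "by": None}
    m = FROM_RE.search(value)
    if m:
        hop["claimed"] = m.group(1)
        paren = m.group(2) or ""
        ip_match = IP_RE.search(paren) or IP_RE.search(m.group(1))
        hop["ip"] = ip_match.group(1) if ip_match else None
        tokens = paren.split()
        # The relay's reverse-DNS result, when it recorded one, comes first
        # inside the parentheses; a bare "[ip]" means no name was recorded.
        if tokens and not tokens[0].startswith("["):
            hop["rdns"] = tokens[0].rstrip(".")
    b = BY_RE.search(value)
    if b:
        hop["by"] = b.group(1)
    return hop


def received_chain(raw: str) -> List[Hop]:
    """Hops in transit order (earliest first). Every relay prepends its own
    Received line, so the topmost header is the last hop and the bottom one
    is the first."""
    hops = [parse_received(v) for n, v in unfold_headers(raw)
            if n.lower() == "received"]
    hops.reverse()
    return hops


def origin_host(hops: List[Hop]) -> Optional[str]:
    """The host that first handed the message to a relay (rDNS name if the
    relay recorded one, else its IP). Caveat: only Received lines written by
    relays you trust are reliable; a sender can put fake ones below them, so
    read the chain from your own MX downwards and stop trusting it once you
    leave relays you recognise."""
    for hop in hops:
        if hop["rdns"] or hop["ip"]:
            return hop["rdns"] or hop["ip"]
    return None


def last_external_relay(hops: List[Hop], own_mx_suffix: str) -> Optional[str]:
    """The host your own MX accepted the message from. This is all a
    mailbox-level 'mark as spam' sees, which is why it may end up
    distrusting the Google relay rather than the originating host."""
    for hop in reversed(hops):
        if hop["by"] and hop["by"].endswith(own_mx_suffix):
            return hop["claimed"]
    return None


if __name__ == "__main__":
    chain = received_chain(SAMPLE_HEADERS)
    for i, hop in enumerate(chain, 1):
        print(f"hop {i}: from {hop['claimed']} rdns={hop['rdns']} "
              f"ip={hop['ip']} by {hop['by']}")
    print("originating host:", origin_host(chain))
    print("what talktalk.net's MX saw:", last_external_relay(chain, "talktalk.net"))
```

Run on the sample, `origin_host` returns the Contabo machine while `last_external_relay` returns the Google relay, which is exactly the mismatch the reply points out: a block keyed on the sending host as seen by TalkTalk's MX would hit Google, not Contabo. Pasting the complete headers posted earlier in the thread into `SAMPLE_HEADERS` gives the same two answers for that message, with the TalkTalk-internal LMTP hops (the `oxcs.net` hosts) showing up as extra trusted hops at the end of the chain.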