OT: My neighbour's been hacked

Got the "play store card scam" mail from my neighbour yesterday.

None of us were taken in of course, because as soon as we got the "I need a favour from you" teaser, we all went around to his flat and knocked on the door to see how he needed help (It's like that here)

So having established that the first mail was a scam (and that the only help that the neighbour needed was sorting out his hacked email) I continued the conversation with the scammer to see where it went.

Of course I'm sending messages to snipped-for-privacy@mail.com and the scammer is replying from snipped-for-privacy@mail.com, so how does that work?

Has the scammer simply hacked into the individual's mail by guessing a password and is simply manually creating the outgoing messages and associated replies (and thus all of this correspondence will be available on the mark's mail server, visible to him if he's logged on as well), or have they somehow intercepted the mail address so that the mark's mail server knows nothing of this correspondence?

And if it's the latter, how do you re-gain control of your mail account?

Hm

tim

Reply to
tim...

If it was a piss-weak password then maybe; otherwise they could have hijacked a webmail session in the browser, or whatever the script-kiddy hack of the day is, then they changed the password so they know it and the neighbour doesn't.

Don't just sit back "baiting" the scammer! Right now he could be using the hacked mail account to change passwords on all your neighbour's bank accounts, or apply for several credit cards ...

Who is the provider? Has the neighbour set a recovery address/password/mobile for the account?

Reply to
Andy Burns

You can set the From: address to whatever you fancy when you send an E-mail.

Reply to
Chris Green

Most servers won't accept a post with a Reply-To:/From: email address it doesn't recognise.

Reply to
Fredxx

When suppliers/companies get hacked the hackers often get a set of usernames and passwords (or encrypted passwords, which they can try cracking at leisure). Would you believe, people often use the same password on all their supplier accounts, and the account name is their email address! The scammer has prob. bought a list of email addresses and "passwords" and is hoping the user used the same password on their mail account!

You can send email with anything in the From: field. The scammer though has to read the replies, so probably wants to get things done before the hacked account gets fixed.

Just a thought, have the scammer's emails got a Reply-To: field? If so you are sending replies there.

Reply to
Jim Jackson

What email software is he using or is it webmail?

Can you get access to the full text of the email including the headers?

(e.g. CTRL + U in Thunderbird, or in Outlook double click to open the message in a new window, click the File tab, then the Properties button, and see the "Internet headers" section at the bottom).

That will show you all the info about how it was routed and via which ISPs etc. (If you are not sure, email me a copy and I will analyse it for you.)

Reply to
John Rumm

Obviously neighbour's one does. Note that the header fields (such as From: etc) are part of the data of the email and are not directly used to route the email. Your email client sends separate commands to the server to say where the email is to go and to whom.

Reply to
Tim Streater
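To make the two points above concrete (Tim's: From: is message data, the envelope is what the server actually routed on; Jim's: a Reply-To: field silently redirects replies), here is an added example that is not from any poster in this thread. It parses a constructed raw message with Python's standard library and reports where a reply would really go. The message, its addresses and hosts are all made up for the example; `Return-Path:` stands for the envelope sender the receiving server recorded.

```python
"""Pull the addresses a reply would actually go to out of a raw message.

Added example (not from the thread): a constructed raw message is parsed
with the standard library's email package. Return-Path: is what the
receiving server recorded from the SMTP envelope; From: and Reply-To: are
header data written by the sender, so they need not agree with each other
or with the envelope.
"""
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample message; every address and host below is a placeholder.
RAW_MESSAGE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [192.0.2.10])
\tby mx.example.org with ESMTP id abc123
\tfor <me@example.org>; Wed, 8 Sep 2021 07:56:00 +0000
From: "Neighbour" <neighbour@mail.example.com>
Reply-To: neighbour.help@freemail.example.org
To: me@example.org
Subject: I need a favour from you
Message-ID: <constructed@mailer.example.net>

Are you available? I need a quick favour.
"""


def address_domain(addr):
    """Return the lower-cased domain part of an RFC 5322 address, or ''."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rpartition("@")[2].lower()


def reply_targets(raw):
    """Return where replies go and whether that differs from the visible sender.

    Keys: from_addr, reply_to (None if absent), return_path (envelope sender
    as recorded by the receiving server), effective_reply (the address a mail
    client uses when you hit Reply), reply_to_mismatch (reply goes to a
    domain other than From:'s) and envelope_mismatch (envelope sender domain
    differs from From:'s domain).
    """
    msg = message_from_string(raw, policy=policy.default)
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_to = msg.get("Reply-To")
    reply_to_addr = parseaddr(reply_to)[1] if reply_to else None
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    effective = reply_to_addr or from_addr
    return {
        "from_addr": from_addr,
        "reply_to": reply_to_addr,
        "return_path": return_path,
        "effective_reply": effective,
        "reply_to_mismatch": address_domain(effective) != address_domain(from_addr),
        "envelope_mismatch": address_domain(return_path) != address_domain(from_addr),
    }


if __name__ == "__main__":
    for key, value in reply_targets(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

Run it on the full headers (CTRL + U in Thunderbird, as John says above) of the suspect message instead of the constructed one: a Reply-To: pointing at a different domain from the From:, or a Return-Path: that the neighbour's provider never uses, is the quickest sign that you are not talking to his mailbox at all.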

Eh? Not sure you really understand SMTP email. It may be that google/hotmail/micky-mouse-web-mail make sure you have a google or whatever email address in the From: field, but you can bet the scammers use their own email server software configured to do whatever they want - and it's trivial to set up.

Reply to
Jim Jackson

Yes, but anyone trying to fool you will use a server that isn't strict like this.

Reply to
Chris Green

Not sure *you* understand modern SMTP email:

formatting link
formatting link
formatting link

If the recipient's mail provider is any good, failing those will cause an incoming message to get a much higher spam score and so be at risk of landing in the spam box.

Which is not to say a spammer won't try anyway, and they have no other option if they're operating off a hacked machine.

Theo

Reply to
Theo

Are you sure the email address is exactly the same as his? I've seen some that are just one letter different, which needs no hacking at all! Often it just means that somebody has managed to get an email list. Of course you can really hack in, in which case the other person will probably no longer be able to get into their email at all. Somebody told me that an old address I had years ago which I never use has become active again, but it's certainly not me and I don't even remember its password now. Brian

Reply to
Brian Gaff (Sofa

Not always, some ISPs stop that kind of thing these days. I know on Virgin if it's not one of my aliases then it simply does not work. Brian

Reply to
Brian Gaff (Sofa

He already has someone sorting it for him

Reply to
tim...

If that's the address I'm sending my reply to, it still has to be intercepted.

Reply to
tim...

no idea

but I am :-)

No idea

well thanks but I'm not that concerned

Reply to
tim...

On 08/09/2021 07:56, Brian Gaff (Sofa) wrote: Somebody told me that an old address

I "think" that a Gmail address once used will never be reissued. But 3 or 4 years ago I bought a domain name. Having set up an email account that accepts snipped-for-privacy@domain.co.uk I started getting lots of email to names I have never heard of. Turns out that the domain used to belong to a small business that has gone under and I was now getting all of the standard crap that goes to small businesses. Much reduced now but still get some.

Reply to
Chris B

Oh, don't bet on that.

When I had domain routing enabled I got any amount of weird crap coming in. These guys have dictionaries of common names and they try them all.

Reply to
The Natural Philosopher

What are we talking about here? The From: field or the MAIL FROM address given in the SMTP transaction? They aren't the same. The two not matching might up the spam score a bit.

Reply to
Jim Jackson

Well maybe, but during my investigations the way-back machine showed what the business used to sell :-) and indeed some of the staff members names.

Reply to
Chris B

A certain domain, say example.com, nominates servers that are authoritative senders of email from that domain. So if I send an email from snipped-for-privacy@example.com, unless it comes from the nominated server for the example.com domain, it'll flag as spam. It doesn't matter what's in the From field or SMTP envelope if it doesn't come from the right server.

(of course, there's plenty of complexity in the nuances and dealing with things like mailing lists, but that's the idea)

Hence there's now a stronger binding between email addresses and where messages are sent from, which causes various implications for people with forwarding/etc arrangements who want their mail to be received reliably. It means in general you need to send from a server that's registered on your domain, you can't (for example) send via your ISP's mail server claiming to be from your domain.

The big mail hosts (Google, Microsoft) are gradually dialling up these settings to block spam, but it means smaller and self-hosted senders need to comply if they want reliable delivery.

Theo

Reply to
Theo
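Theo's description above is SPF in outline, and Jim's earlier question (From: field or the SMTP MAIL FROM?) is the part that trips people up: SPF is evaluated against the domain of the envelope sender and the IP address the connection came from, and it is DMARC that then asks whether the visible From: domain lines up with what SPF authenticated. The following added example (mine, not Theo's and not a real SPF library) shows the mechanics on a constructed table of TXT records standing in for DNS. It handles only the `ip4`, `ip6` and `include` mechanisms plus the `all` terminator, and the `sender_verdict` helper applies strict alignment; real evaluators also do `a`/`mx` lookups, relaxed alignment and DNS lookup limits.

```python
"""Toy SPF check: may this connecting IP send for this envelope domain?

Added example, not from the thread and not a real SPF implementation.
SPF_RECORDS is a constructed table standing in for DNS TXT lookups, and
only ip4/ip6/include and the -all/~all/?all terminator are handled.
"""
import ipaddress

# Constructed DNS TXT records standing in for real lookups (placeholder domains).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.outbound.example.net -all",
    "_spf.outbound.example.net": "v=spf1 ip4:198.51.100.7 ip6:2001:db8::/32 ~all",
    "soft.example": "v=spf1 ip4:203.0.113.5 ~all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF record for a domain, or None if it publishes none."""
    return SPF_RECORDS.get(domain.lower())


def check_spf(client_ip, mail_from_domain, depth=0):
    """Return 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.

    client_ip is the address the SMTP connection came from; mail_from_domain
    is the domain of the envelope sender (MAIL FROM), not the From: header.
    depth bounds include: recursion the way real evaluators bound lookups.
    """
    if depth > 10:
        return "permerror"
    record = lookup_spf(mail_from_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                      # mechanisms default to '+'
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        matched = False
        if mech in ("ip4", "ip6"):
            # A bare address is a /32 or /128 network; an IPv4 address is
            # never contained in an IPv6 network and vice versa.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            # include: matches only if the referenced domain's policy passes.
            matched = check_spf(client_ip, arg, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                         # no mechanism matched, no 'all'


def sender_verdict(client_ip, mail_from, header_from):
    """Combine SPF with a DMARC-style (strict) alignment check.

    SPF authenticates the envelope domain; alignment asks whether the From:
    domain the reader sees is the same one, which is what stops a scammer
    passing SPF for their own domain while displaying someone else's.
    """
    envelope_domain = mail_from.rpartition("@")[2].lower()
    header_domain = header_from.rpartition("@")[2].lower()
    spf = check_spf(client_ip, envelope_domain)
    return {
        "spf": spf,
        "aligned": envelope_domain == header_domain,
        "authenticated": spf == "pass" and envelope_domain == header_domain,
    }


if __name__ == "__main__":
    print(check_spf("192.0.2.55", "example.com"))            # pass
    print(check_spf("203.0.113.9", "example.com"))           # fail
    print(sender_verdict("203.0.113.9", "bounce@scammer.example", "neighbour@example.com"))
```

The last call in the `__main__` block is the scammer case from this thread: their own server (an IP that example.com never nominated) claiming a From: at example.com gets an SPF `fail` on the envelope domain, and even if they put their own domain in the envelope so that SPF passes there, the From: no longer aligns, so a receiver enforcing DMARC treats it as unauthenticated.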
