Phishing? E-mail from NS&I questioning my contact details

Am 21/07/2023 um 08:51 schrieb Tim Lamb:

Check the sending SMTP server IP address in the headers (the one with "received : from ").

In message <u9dkc8$36kct$ snipped-for-privacy@dont-email.me, Ottavio Caruso snipped-for-privacy@yahoo.com writes

Hmm. snipped-for-privacy@emailnsandi.com looks correct.

Hardly. That domain doesn't even exist.

$ whois emailnsandi.com No match for domain "EMAILNSANDI.COM".

$ dig -t ns emailnsandi.com

;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 28478

(NXDOMAIN is Non eXistent DOMAIN)

All communications I have had from NS&I customer servies come from snipped-for-privacy@nsandi.com without the word email in it.

Am 21/07/2023 um 10:25 schrieb Tim Lamb:

That's an email address, not an IP address.

Post the full headers here (not the message)

Or even better paste it to pastebin or similar.

If you have to ask then it will be dodgy.

In message <u9dpb9$37gjf$ snipped-for-privacy@dont-email.me, Ottavio Caruso snipped-for-privacy@yahoo.com writes

Er. You are dealing with the agricultural dept. here.

T'bird *all headers selected* offers this:-

snipped-for-privacy@mta6589.mxmfb.com>

and MXM-v5-MailEngine

None of which means anything to me:-)

Hence my interest but I do try to be careful who has my mail address.

We're not talking about the T'Bird headers, but those of the email you got from NS&I. Should be 20-30 lines of text.

Am 21/07/2023 um 13:05 schrieb Tim Lamb:

That can't be right. Headers are usually tens and tens of lines long.

A waste of your time TBH. You can be very careful about who you mail and who therefore has your address. But you cannot make those recipients be careful. So when they get compromised in some way then your mail address, which is in their address books etc. still gets out to bad actors.

In message snipped-for-privacy@mid.individual.net>, Tim Streater snipped-for-privacy@streater.me.uk> writes

I'm beginning to regret asking:-)

My mail is collected by Namesco. I read it using Thunderbird.

In message <sAAHB6uidoukFw$ snipped-for-privacy@marfordfarm.demon.co.uk>, Tim Lamb snipped-for-privacy@marfordfarm.demon.co.uk> writes

Where you collect from doesn't matter. In Thunderbird, do you have a "More" button amongst the options with your email (e.g. Reply, Forward etc) ? If so, select "View Source" which will show you all the headers.

Adrian

In message <u9e0kn$38nfn$ snipped-for-privacy@dont-email.me, Ottavio Caruso snipped-for-privacy@yahoo.com writes

I can look at the source on the Namesco site and get pages of gobbledegook.

Is that what is requested?

If you do a lookup with the email bit as a sub domain:

C:\Users\John>nslookup email.nsandi.com Server: dns.google Address: 8.8.8.8

Non-authoritative answer: Name: maxemail.emailcenteruk.com Address: 109.68.64.40 Aliases: email.nsandi.com

Then it does resolve....

It is quite common for companies to create a sub domain for bulk email - saves their main domain getting blacklisted when some muppet clicks "spam" because they can't be bothered to unsubscribe.

It may be.

In Thunderbird, with the message selected, open the View tab and click Message Source (or just press Ctrl-u) and you'll see the raw message with all its headers.

You're looking in the wrong place. The OP should understand how to look for the headers in his mail client.

The SMTP fingerprint is in the "Received from:" header, which the OP is confusing with the "From:" header.

OK John and thanks all interested.

I was slightly twitchy because I didn't get a win this month despite their raised prize rates.

In message snipped-for-privacy@ffoil.org.uk>, Adrian snipped-for-privacy@ku.gro.lioff> writes

Ah! *message source* seems to do it. No *more* button found.

John has kindly resolved the issue.

Now, who got my prize money this month?