Phishing? E-mail from NS&I questioning my contact details

OK Steve problem resolved. Ta.

Reply to
Tim Lamb

In Thunderbird, do CTRL+U while reading a message; it will then show the entire email in its raw text format without any interpretation. That will let you see all the original mail headers.

Each time an email gets handled by a node processing the email on its way to you, that node will add a few new lines of header to the *top* of the email, giving you the date and time and the details of the node that handled the message. So the topmost entry will be from the mail server that you actually collected the message from (typically by IMAP or POP3).

Below that will be the one before and so on.

The last one before you get to the message itself will be the one created by the sender's mail software and will show the date and time, the subject, who it is to, who it is from, and possibly give a reply-to address.

It is also worth looking for the results of any authentication tests done on the message. These often get added to the header with an "Authentication" heading...

Searching for the text SPF or DKIM can be handy.

Many mail setups will include an SPF (Sender Policy Framework) text record stored in the domain name system. That way, when a node picks up an email, it can look at the domain part of the email address that claims to be the one sending the message. It will then look for a text record in the domain name system called "SPF" on that domain. That should include a list of all the servers that are allowed to legitimately send a message for the domain. If they don't match, then that is a red flag that the message may be a spoof, and you might see "spf=fail" in the notes added in the header.

Many mail systems will also automatically cryptographically sign the message and place the resulting signature hash in the message as a DKIM field. The receiving message handler can then do a similar trick by looking up the public part of the DKIM key from the DNS records (they use public key crypto, so separate keys for encoding and decoding messages). With some maths they can verify that the message must have been signed by the sender's private DKIM key. (They can't work out what the private key was, but they can verify it is the one that goes with the public key that they got from the DNS.) So the receiver knows if any fiddling took place between when the originator sent it and when you got it. So seeing a DKIM=fail would also be a cause of suspicion.

So for example, a message I received from Amazon includes:

Authentication-Results: [redacted].net; iprev=pass policy.iprev="54.240.1.40"; spf=pass smtp.mailfrom=" snipped-for-privacy@bounces.amazon.co.uk" smtp.helo="a1-40.smtp-out.eu-west-1.amazonses.com"; dkim=pass header.d=amazon.co.uk; dkim=pass header.d=amazonses.com; dmarc=pass (p=quarantine; dis=none)

So that basically says the message came from Amazon's mail server, and it was not altered before I got it.

The DMARC (Domain-based Message Authentication, Reporting & Conformance) record includes instructions to the receiver with what the sender recommends that it does with the message if it looks suspect. In this case it suggests the receiver should lob it in the spam folder (i.e. "quarantine").

Reply to
John Rumm
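The header reading described in the post above, as an added example (this is not code from the post or from any mail software): it walks the Received chain in the order John describes and pulls the spf/dkim/dmarc verdicts out of an Authentication-Results header. The message is constructed for the example (the hosts imap.example.net and mx.example.net are made up); only the Authentication-Results line is the Amazon one quoted in the post, with its whitespace tidied.

```python
"""Added example (not code from the post): read the verdicts out of an
Authentication-Results header and list the Received hops in the order the post
describes. The message below is constructed; its Authentication-Results line is
the Amazon one quoted in the post (whitespace tidied)."""
import email
import re

# Constructed sample: two Received hops (imap.example.net, mx.example.net are made up)
# followed by the Authentication-Results line quoted in the post.
RAW_MESSAGE = b"""\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby imap.example.net with ESMTP id abc123; Mon, 1 Jan 2024 10:00:05 +0000
Received: from a1-40.smtp-out.eu-west-1.amazonses.com (a1-40.smtp-out.eu-west-1.amazonses.com [54.240.1.40])
\tby mx.example.net with ESMTPS id def456; Mon, 1 Jan 2024 10:00:01 +0000
Authentication-Results: [redacted].net; iprev=pass policy.iprev="54.240.1.40"; spf=pass smtp.mailfrom="snipped-for-privacy@bounces.amazon.co.uk" smtp.helo="a1-40.smtp-out.eu-west-1.amazonses.com"; dkim=pass header.d=amazon.co.uk; dkim=pass header.d=amazonses.com; dmarc=pass (p=quarantine; dis=none)
From: Amazon <snipped-for-privacy@amazon.co.uk>
To: you@example.net
Subject: Your order
Date: Mon, 1 Jan 2024 09:59:58 +0000

Body text.
"""

METHOD_RE = re.compile(r"^([A-Za-z0-9_-]+)=([A-Za-z0-9_-]+)")
PROP_RE = re.compile(r'([A-Za-z0-9_.-]+)=(?:"([^"]*)"|([^\s;()]+))')


def split_stanzas(value):
    """Split on ';' but not inside quotes or (comments), so that
    'dmarc=pass (p=quarantine; dis=none)' stays in one piece."""
    stanzas, cur, depth, in_quote = [], [], 0, False
    for ch in value:
        if ch == '"' and depth == 0:
            in_quote = not in_quote
        elif ch == "(" and not in_quote:
            depth += 1
        elif ch == ")" and not in_quote:
            depth -= 1
        if ch == ";" and depth == 0 and not in_quote:
            stanzas.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        stanzas.append("".join(cur).strip())
    return stanzas


def parse_auth_results(value):
    """Return (authserv-id, [verdict, ...]). Each verdict holds the method, its result,
    its properties (smtp.mailfrom, header.d, ...) and key=value pairs from the comment."""
    stanzas = split_stanzas(" ".join(value.split()))
    if not stanzas:
        return "", []
    verdicts = []
    for stanza in stanzas[1:]:
        m = METHOD_RE.match(stanza)
        if not m:
            continue
        rest = stanza[m.end():]
        comment = re.search(r"\(([^)]*)\)", rest)
        comment_text = comment.group(1) if comment else ""
        if comment:
            rest = rest[:comment.start()] + rest[comment.end():]
        verdicts.append({
            "method": m.group(1).lower(),
            "result": m.group(2).lower(),
            "props": {k: q or u for k, q, u in PROP_RE.findall(rest)},
            "policy": {k: q or u for k, q, u in PROP_RE.findall(comment_text)},
        })
    return stanzas[0], verdicts


def red_flags(verdicts):
    """The post's rule of thumb: spf=fail or dkim=fail is a cause for suspicion.
    A missing verdict is flagged too, since it means that check was never recorded."""
    by_method = {}
    for v in verdicts:
        by_method.setdefault(v["method"], []).append(v["result"])
    flags = []
    for method in ("spf", "dkim", "dmarc"):
        results = by_method.get(method)
        if not results:
            flags.append(f"{method}: no result recorded")
        elif any(r != "pass" for r in results):
            flags.append(f"{method}: {','.join(results)}")
    return flags


def analyse(raw):
    msg = email.message_from_bytes(raw)
    # Each hop prepends its Received header, so the list is newest-first; reverse it
    # to read from the sender's side up to the server you collected the mail from.
    hops = [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))]
    authserv_id, verdicts = parse_auth_results(msg.get("Authentication-Results", ""))
    return {"authserv_id": authserv_id, "hops": hops,
            "verdicts": verdicts, "flags": red_flags(verdicts)}


if __name__ == "__main__":
    report = analyse(RAW_MESSAGE)
    for i, hop in enumerate(report["hops"], 1):
        print(f"hop {i}: {hop}")
    for v in report["verdicts"]:
        print(f'{v["method"]}={v["result"]} {v["props"]} {v["policy"]}')
    print("red flags:", report["flags"] or "none")
```

Note that the authserv-id (the part before the first ";") names the server that performed the checks; a verdict is only worth trusting when that is your own provider's server, since anything earlier in the chain could have been written by the sender.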

No, I think you are missing the thrust of my suggestion... Tim said the message was from:

snipped-for-privacy@emailnsandi.com

Which, as others have pointed out, is not a recognised domain name.

I was suggesting (but concede I did not spell out!) that could be a misread of:

snipped-for-privacy@email.nsandi.com

Hence the comment about the common practice of sending bulk email from a subdomain. That subdomain of nsandi.com *does* exist.

Indeed, I covered that elsewhere.

Again there will potentially be multiple "received from" entries, so knowing the order to read them in helps. Also taking advantage of the spoofing protection mechanisms that may already be in place, like SPF and DKIM, is another good way to learn more about how trustworthy a message is likely to be.

Looking at text record info from their domain:

C:\Users\John>nslookup
Default Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
email.nsandi.com        canonical name = maxemail.emailcenteruk.com
maxemail.emailcenteruk.com      text =

        "spf2.0/mfrom ip4:109.68.65.0/24 ip4:109.68.66.0/24 ip4:109.68.71.0/24 ~all"
maxemail.emailcenteruk.com      text =

        "v=spf1 ip4:109.68.65.0/24 ip4:109.68.66.0/24 ip4:109.68.71.0/24 ~all"
> nsandi.com
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
nsandi.com      text =

        "v=spf1 a:learning.nsandi.com ip4:82.199.69.59 ip4:212.250.135.14 ip4:212.250.135.13 ip4:212.250.135.44 ip4:212.250.135.43 ip4:212.250.135.40 ip4:212.250.135.41 ip4:212.250.135.1 ip4:109.68.65.89 ip4:134.213.63.222 ip4:157.203.60.42 ip4:157.203.60.43 ip4:7" "8.31.110.246 ip6:2a00:1a48:7808:101:be76:4eff:fe08:cdea ~all"
nsandi.com      text =

        "globalsign-domain-verification=xoi3Yt9gNPsZ3yL1IJjeGsoWjOApOSfyuEqbwDNXzc"
nsandi.com      text =

        "MS=890C6C7BC37BC3A82D045E6D9D92E0ABC7AACB4C"

Suggests they have an account with maxemail (xtremepush.com) for bulk and marketing email on the email subdomain, and then their main mail setup on what looks like some Virgin Media hosted servers as well as some of their own.

Did Tim miss the . in the domain?

Reply to
John Rumm
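What a receiving server does with those TXT records, as an added example (not code from the post, and not a real SPF library): it evaluates a sender IP against the SPF records shown in the nslookup session above, offline. The CNAME and TXT data are a stub copied from the post's output; the A record for learning.nsandi.com and the sender IPs tried are constructed placeholders from the TEST-NET ranges, since the post does not show them. It also handles the point the nslookup output illustrates without comment: the long nsandi.com record comes back as two quoted strings ("...ip4:7" "8.31.110.246...") that have to be joined before parsing.

```python
"""Added example (not from the post): evaluate SPF offline against the records shown in
the post's nslookup session. DNS data is a constructed stub; learning.nsandi.com's
address is a made-up placeholder."""
import ipaddress

# Constructed stub of the DNS answers in the post. A TXT record is a list of strings;
# the long nsandi.com one is split into chunks that must be joined before use.
ZONE = {
    "cname": {"email.nsandi.com": "maxemail.emailcenteruk.com"},
    "txt": {
        "maxemail.emailcenteruk.com": [
            ["spf2.0/mfrom ip4:109.68.65.0/24 ip4:109.68.66.0/24 ip4:109.68.71.0/24 ~all"],
            ["v=spf1 ip4:109.68.65.0/24 ip4:109.68.66.0/24 ip4:109.68.71.0/24 ~all"],
        ],
        "nsandi.com": [
            ["v=spf1 a:learning.nsandi.com ip4:82.199.69.59 ip4:212.250.135.14 "
             "ip4:212.250.135.13 ip4:212.250.135.44 ip4:212.250.135.43 ip4:212.250.135.40 "
             "ip4:212.250.135.41 ip4:212.250.135.1 ip4:109.68.65.89 ip4:134.213.63.222 "
             "ip4:157.203.60.42 ip4:157.203.60.43 ip4:7",
             "8.31.110.246 ip6:2a00:1a48:7808:101:be76:4eff:fe08:cdea ~all"],
            ["globalsign-domain-verification=xoi3Yt9gNPsZ3yL1IJjeGsoWjOApOSfyuEqbwDNXzc"],
            ["MS=890C6C7BC37BC3A82D045E6D9D92E0ABC7AACB4C"],
        ],
    },
    # Placeholder (TEST-NET-1): the post does not show what learning.nsandi.com resolves to.
    "a": {"learning.nsandi.com": ["192.0.2.50"]},
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def resolve_txt(name):
    """Follow CNAMEs, then return (canonical name, [joined TXT record, ...])."""
    seen = set()
    while name in ZONE["cname"] and name not in seen:
        seen.add(name)
        name = ZONE["cname"][name]
    return name, ["".join(chunks) for chunks in ZONE["txt"].get(name, [])]


def spf_records(domain):
    """Only records starting 'v=spf1' count; the spf2.0/mfrom (Sender ID) string and
    verification tokens such as the globalsign and MS= strings are ignored."""
    _, txts = resolve_txt(domain)
    return [t for t in txts if t.split(" ", 1)[0].lower() == "v=spf1"]


def check_host(ip, domain, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for sender IP `ip` and the
    domain of the envelope sender. Handles ip4, ip6, a, include and all; the mx, ptr,
    exists and redirect terms are not modelled here."""
    if depth > 10:
        return "permerror"  # RFC 7208 caps the number of DNS-querying terms at 10
    records = spf_records(domain)
    if not records:
        return "none"  # no SPF record published: the receiver learns nothing
    if len(records) > 1:
        return "permerror"  # two v=spf1 records is a configuration error
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif mech == "a":
            targets = ZONE["a"].get(arg or domain, [])
            matched = any(addr == ipaddress.ip_address(t) for t in targets)
        elif mech == "include":
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            continue
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # ran out of terms without a match (record has no 'all')


if __name__ == "__main__":
    # Sample sender IPs: the first two appear in the records above, the rest are TEST-NET.
    for ip, domain in [("109.68.65.89", "email.nsandi.com"), ("78.31.110.246", "nsandi.com"),
                       ("203.0.113.1", "nsandi.com"), ("203.0.113.1", "emailnsandi.com")]:
        print(f"{ip:>16} as {domain}: spf={check_host(ip, domain)}")
```

Both records end in "~all", so a sender outside the listed ranges gets "softfail" rather than a hard "fail"; that is why the header note on such a message typically reads spf=softfail and the DMARC policy, not SPF alone, decides whether it is quarantined.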

But if you give out a unique email address per recipient, if/when they do get compromised you can just kill that one address ...

Reply to
Andy Burns

Snip totally confusing mathematical/alphabetic diarrhoea

Yes. Humble apologies:-)

I was anxious to get started hand harvesting 4.5 acres of Ragwort before the ground dries any more.

Reply to
Tim Lamb

OK John. I have scribbled that down somewhere readily available. And thanks for the full explanation.

Reply to
Tim Lamb

I have been online since 1993. Not happened yet... as far as I know!

Reply to
Tim Lamb

Multiple times here, from one-man outfits to trillion-yen companies

Reply to
Andy Burns

I'd have expected NSandI to use a .gov suffix not a .com one

Reply to
charles

Should be .co.uk really, rather than .com, and for a non-commercial outfit .org.uk makes the most sense.

Reply to
Tim Streater

In message <snipped-for-privacy@marfordfarm.demon.co.uk>, Tim Lamb <snipped-for-privacy@marfordfarm.demon.co.uk> writes

Lucky you. It has happened several times here.

Adrian

Reply to
Adrian

Happened many times to me. Addresses that I hardly ever use receive spam. It's no big deal.

Dealing with spam 10 - 20 times my wanted email is simply routine.

I think I lose about 70% of uk.d-i-y postings too, as the posters are killfiled.

Reply to
The Natural Philosopher

Normally they ask you where you live, I guess you could move, but where would they say the billing address was then?

I never respond to any emails that look like they are going to ask for details through a web site, as the real company would already know them. Also, they often address you as your email address. I know Virgin and others will address you by whatever name you agree with them to be; nobody else would know your name, though in my case they could guess it.

Brian

Reply to
Brian Gaff

Prevents the scammers from using the .com URL, whereas they cannot use the org.uk or gov.uk ones.

Reply to
Andrew

I too would have expected a different suffix from NS&I. However I would also have expected them to register the .com synonyms.

No reason why they can't do both.

Andy

Reply to
Vir Campestris

I will pass your appreciation of the output from their nslookup tool to Microsoft's developers :-)

(To be fair, I did not need to include the full log of the command line session, but thought it worth doing since it demonstrates how to query other types of information from the public DNS records.)

That makes the likelihood that the email was legit stronger, since it was from an actual domain associated with the organisation the message purported to come from, rather than a non-existent one.

(And getting mail delivered reliably from a non-existent domain is much harder these days; most mail systems will just drop it.)

And to be fair, more fun than wading through email headers!

Reply to
John Rumm

This might tell you:

formatting link

Reply to
John Rumm

Indeed. No PWNAGE found.

Reply to
Tim Lamb

Presumably *not* for your Demon address?

Reply to
Andy Burns

Indeed. I did enter my current mail address:-)

Reply to
Tim Lamb
