This morning Boadicea received two e-mails, one of which purported to come from Janus, and the other from me. They didn’t, of course. The other recipients (addressees) of these two spoof e-mails were people who blog on The Chariot or on MyT, so you may have received them too.
I did a little research – e-mail protocols were not one of my specialist fields when I was still working, but the old brain hasn’t quite rusted yet.
Unfortunately I discovered that there is nothing you can do about this type of spoof, but rest assured it doesn’t mean that anyone’s machine has been hacked or is virus-ridden. However, you can – with a bit of effort – reassure yourselves that a message is a spoof, providing you and the purported sender are both members of WordPress. All e-mail clients have a facility for showing you the contents of the “Message Header”. You may have to search around a bit on various menus, depending which client you’re using, but you’ll find it in the end. Message headers look quite daunting, so just search for a phrase that looks something like this –
google.com: domain of sipuxxxab@hotmail.com designates 65.55.116.18 as permitted sender
I’ve used as an example an e-mail that I’ve just this minute received from Sipu – though naturally it doesn’t really come from him, he’s just another of us that is being spoofed.
Now, the important bit is the IP (65.55.116.18 in the example above), which will always sit between ‘designates’ and ‘as permitted sender’. If you bother to do a search on this particular one, you’ll find it’s a Hotmail account on an ARIN server, but don’t worry about that. Now nip across to the WordPress comments page in the dashboard and find a comment by the guy you suspect of being spoofed. Notice that his originating IP will be shown on the left. Question time – is it the same as the IP in the message header?
If it’s not, it’s a spoof; if it is the same, it’s a genuine message from the apparent sender. Simples. 🙂
Sipu’s real IP is currently 198.54.202.xxx so there’s no way this example was really from him.
I admit I’m not being entirely technically rigorous, but it’s good enough for a reassuring check.
This particular IP appears in all of today’s spoofs, so I have reported it to the appropriate ISP.
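As an added illustration (not part of the original post), here is a small Python check that automates the header step described above: it pulls the IP sitting between ‘designates’ and ‘as permitted sender’ out of the Received-SPF header and compares it with the IP shown beside a WordPress comment. The header block and the commenter IP below are constructed sample values modelled on the post’s example, not real mail.

```python
import re
from email import message_from_string

# Constructed sample header block, modelled on the Received-SPF line quoted in
# the post. The addresses are the post's example values, not a real message.
SAMPLE_HEADERS = """\
Received: from BAY0-MC1-F2.Bay0.hotmail.com (65.55.116.18)
        by mx.google.com with ESMTP id example123; Mon, 1 Jan 2010 10:00:00 -0800
Received-SPF: pass (google.com: domain of sipuxxxab@hotmail.com designates 65.55.116.18 as permitted sender) client-ip=65.55.116.18;
From: Sipu <sipuxxxab@hotmail.com>
To: bearsy@example.com
Subject: hello

body
"""

# The phrase the post tells you to search for, with the IPv4 address captured.
SPF_DESIGNATES = re.compile(
    r"designates\s+(\d{1,3}(?:\.\d{1,3}){3})\s+as permitted sender"
)


def spf_permitted_sender_ip(raw_message: str):
    """Return the IP between 'designates' and 'as permitted sender' in the
    Received-SPF header, or None if no such header or phrase is present."""
    msg = message_from_string(raw_message)
    for value in msg.get_all("Received-SPF", []):
        match = SPF_DESIGNATES.search(value)
        if match:
            return match.group(1)
    return None


def matches_commenter_ip(raw_message: str, commenter_ip: str) -> bool:
    """The post's check: does the SPF-designated IP equal the IP WordPress
    shows next to the person's comment? A different IP is treated as a spoof."""
    ip = spf_permitted_sender_ip(raw_message)
    return ip is not None and ip == commenter_ip


if __name__ == "__main__":
    # 203.0.113.7 is a constructed stand-in for a commenter's dashboard IP.
    print(spf_permitted_sender_ip(SAMPLE_HEADERS))
    print(matches_commenter_ip(SAMPLE_HEADERS, "203.0.113.7"))
```

Note that the Received-SPF line names the mail provider’s outbound server, so a genuine message sent through webmail will normally carry the provider’s IP rather than the sender’s own connection; as the post itself allows, this is a reassuring check rather than a rigorous one.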
Thank you Bearsy. I would hate people to think I was a stalker. I would try and be more subtle than that!
Yes, Bearsy, I’ve had two purporting to be from you and one from a copy of my own address. Thanks for instituting proceedings!
Thanks for the info Bearsy. I had two more this morning purporting to be from Toc, again. These idiots are flogging the same old dead horse each time, Canadian clinic selling Viagra, which of course, as we know, is the cure for dead horses. Sorry, that’s not funny. But, they are bloody annoying.
I should have added that G-mail (Google mail) suddenly decided that there was something dodgy with my aussiebearsy e-mail account (they called it “suspicious activity”) and refused to log me in until I had been verified by a code sent to my mobile as a text, and had then changed my password.
Interesting.
“Now nip across to the WordPress comments page in the dashboard and find a comment by the guy you suspect of being spoofed. Notice that his originating IP will be shown on the left. Question time – is it the same as the IP in the message header?”
I can see no originating IP or email address. All I see is his/my avatar next to the comment. Am I going to the wrong page or is it because I do not have the right privileges? On my own blog, I can see all the info. Not that it matters.
Gmail keeps asking for my cell number so that it can text me if my account gets hijacked. But I am unwilling to give it. If that happens they must send info to another email account. Hopefully both will not be hijacked at the same time.
Sipu – authors can see the details of Charioteers who have, at some time, posted a comment on a post published by that author. Or that’s the way it worked last time I checked.
Owners can see everything all the time. 😀
I haven’t given them my mobile number either – when they paused my account, a web page explained what had happened and asked me for a one-off mobile number.
Ah yes. Thank you.
I remember the good old days before firewalls, strong encryption etc. It used to be possible to spoof emails very easily by just telnetting to port 25 and then typing in the SMTP commands and data by hand. Oh what jolly japes we had!
Things have come on a bit since then, I do not think it would be quite so well received these days!
I see from my Mail Box that I have many returned emails. These Bastards seem to do this about every two weeks.
Simple, just don’t open them, the ultimate low tech option, works a charm.