I got a spam email (it’s certainly been going around, I’ve had dozens of these from different senders) where the header information appears to be:
From: CVSPharmacy <tesswheatley@ seacoastrealty. com>
To: taylorcody55@ comcast. net
Date: 11/29/2023 1:26 PM PST
Subject: Fw: Acknowledging Your Loyalty with an Oral B iO Series9
Note that my email address does not appear anywhere here, but that’s not my main question. Did this email really come from “tesswheatley@ seacoastrealty. com” (which is a real URL) or from “taylorcody55@ comcast. net” or from someone else? (I put a space in these so they wouldn’t be clickable.)
The reason is that I am wondering if it would be fair to forward the email to the realty company email address complaining about someone there (as named in the header information) sending out spam? It’s not something I would usually do, but if it is “Tess”, this seems unusually stupid, and I thought she should get some blowback from one of her victims.
Highly unlikely. Email spoofing is a relatively simple method scammers use to add layers of anonymity between them and you.
Not that different from getting a ton of spam calls from a single number then calling that number back and the person who answers legitimately has no idea what you are talking about.
Probably not. Hit the reply button and see what shows up in your client’s “To:” field, which still probably isn’t the same address it came from, but at least you’d know where it’s going to (not that it makes a difference).
So how many levels down does the spoofing go? There’s the ostensible sender (CVS) and the “sender address” inside the pointy things. Those are both spoofed? Would they normally pick a real URL to include as the spoofed sender? And why are so many from .edu addresses?
These scams rely on people not understanding things like URLs and email addresses. What is obviously a scam to you and me is not obvious to shockingly vast numbers of people.
When you hit the reply button? “CVSPharmacy” isn’t an email address. I assume, then, that there’s a link they want you to click on.
In that case, the only way to find out where it came from is to have someone decode the headers, and even that may well be useless if they bounced it off a few other email servers before it got to you.
Sorry, that’s all that shows, but when I hover over it, it’s the same as the “From” email address.
Of course, there is at least one link they want me to click on, that’s pretty much the point of the thing. It’s a “take a survey to win a prize” scam. They aren’t expecting or hoping for a reply email.
.edu addresses are quite readily available on the school’s website and often, in an open address directory. One compromised email that wasn’t in BCC format can give you hundreds of addresses. My students would frequently forward emails with all of those addresses (say, everyone in their major) to people outside the school, forgetting that they were sending not just content but prior recipients.
If you want the email address for the main contact at any business in the city I work in or two neighboring cities, I have them. One of our government people, a few times a year, sends something out and CCs (not BCC) all of us.
Not that it really matters in that case, but still, it always seemed unprofessional. Plus there’s always a handful of people that will hit Reply All.
What email provider are you using? In Gmail, there’s an option to see the raw message. You click the three dot menu in the upper right and then click “Show Original”. That will let you see the full header, instead of just the basic info.
Said headers are quite hard to read, but if you look for the lines that start with “Received:” and scroll down to the last one, it will (purportedly) show the first address that the email actually hit–which should be the mail server of the webpage in question.
Granted, this is probably overkill. But if it shows a site that isn’t related to the email address, it’s probably not from them.
All of that said, there’s nothing wrong with forwarding the email to the actual official email of the company, to let them know about a scam. I’ve seen sites that will put out warnings about these.
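An added example (not code from any poster in this thread) of the header check described above: it lists the "Received:" hops oldest-first and compares the oldest hop's host with the "From:" domain. The message is constructed, with made-up hosts and addresses, and the two-label domain comparison is a simplifying assumption. "Received:" lines below the ones added by your own provider's servers can themselves be forged, so a mismatch is a hint rather than proof.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: every host, address and IP below is made up.
RAW = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.7])
\tby inbox.recipient.example with ESMTP; Wed, 29 Nov 2023 13:26:40 -0800
Received: from bulk-relay.sender.example (bulk-relay.sender.example [203.0.113.45])
\tby mx.recipient.example with ESMTP; Wed, 29 Nov 2023 13:26:31 -0800
Return-Path: <bounce-7731@bulk-relay.sender.example>
From: Pharmacy Rewards <someone@realty.example>
To: other.person@recipient.example
Subject: Fw: Acknowledging Your Loyalty

Take our survey.
"""

# The host a hop claims to have received the message from.
FROM_HOST = re.compile(r"from\s+([\w.-]+)", re.I)

def domain(addr):
    """Domain part of an address header such as 'Name <user@host>'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def org_domain(host):
    # Assumption: the last two labels identify the organisation.
    # A real check would consult the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def analyze(raw):
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = FROM_HOST.match(value.strip())
        hops.append(m.group(1).lower() if m else None)
    hops.reverse()  # headers are prepended, so the last one is the oldest hop
    origin = hops[0] if hops else None
    from_dom = domain(msg.get("From", ""))
    return {
        "from_domain": from_dom,
        "return_path_domain": domain(msg.get("Return-Path", "")),
        "hops_oldest_first": hops,
        "origin_matches_from": bool(origin)
        and org_domain(origin) == org_domain(from_dom),
    }
```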
Why don’t all scammers fake their address? Comcast threatening to terminate my web access unless I send them my credit card info is from something like dumbass1234567891011121314@gmail.com
My email is comcast.net, and I use their native email application. They have something similar, they call it “view source.” Here is the last “Received: from” in that resulting page of stuff.