No Stupid Questions

2298 readers

23 users here now

There is no such thing as a Stupid Question!

Don't be embarrassed of your curiosity; everyone has questions that they may feel uncomfortable asking certain people, so this place gives you a nice area not to be judged about asking it. Everyone here is willing to help.

ex. How do I change oil
ex. How to tie shoes
ex. Can you cry underwater?

Reminder that the rules for lemmy.ca still apply!

Thanks for reading all of this, even if you didn't read all of this, and your eye started somewhere else, have a watermelon slice 🍉.

founded 2 years ago

MODERATORS

Kokomheart@lemmy.ca

otter@lemmy.ca

How does someone send a phishing email using a legitimate domain? (notification.intuit.com in this case) (lemmy.ca)

submitted 2 days ago* (last edited 2 days ago) by otter@lemmy.ca to c/nostupidquestions@lemmy.ca

7 comments fedilink hide all child comments

A friend received a spam email from quickbooks@notification.intuit.com

Intuit is a real company, and intuit.com is their real domain. Looking online, a number of people received this scam email a few months ago, and then again over the last week.

If you came across this post from Google, this is why it reeks of a scam email:

12 of other email addresses are listed in the to and cc fields
it says that a subscription is set to renew, "$399.99 will soon be taken out of your account" and that it will happen within the "next 24 hours". Classic sense of urgency
It includes an 888 phone number that does not come up as any legitimate number, and it includes a PDF which my friend did not download in case it is malicious

Does this mean that Intuit lost control of that subdomain, or is there another way that someone might be spoofing it? I can have my friend check any other metadata if it would be helpful.

If you came here from Google, welcome to the Fediverse :)

you are viewing a single comment's thread
view the rest of the comments

[–] groet@feddit.org 31 points 2 days ago* (last edited 2 days ago) (4 children)

E-Mail is old. So old that when it was invented, "hacking" and "security" was not really something anybody thought about.

To send an email you connect to the recipients mail server and type in all the data of the mail. Including recipient, subject, mail body and importantly the address displayed in the "from" and "reply to" fields. They are all defined by the sender. The Email protocol has no way to verify if this information is correct and the sender is actually part of the aledged domain.

Today, when you send a mail, most of the time you will not connect to the recipient mail server directly, but to a "sending" mail server, which then sends the mail to the recipient. For example if you log in to gmail, you write the mail on a google Mailserver which sends it to the recipient. Or you connect to your companies exchange through outlook.

There is a modern extension to the mail protocol, which allows a domain owner to define the sending mail server which is allowed to send mails on behalf of this domain. But it is in the responsibility of the receiver to check. (Its called sender policy framework SPF)

So most likely intuit didn't do anything and the scamer just send mail without a sending mail server. And your receiving mail server did not verify the SPF correctly. Or intuit did not define an SPF. Or they did but it allows sources that do actually not belong to intuit but might be controllable by the scammers. This can happen if they want to send mails from cloud hostet systems and include them in their SPF, which may include systems by other customers of the cloud hoster.

If you want to verify mail yourself, look in the mail headers (often called: view source) and look at the "received" headers. They deta the full path the mail has taken including which system initially wrote the mail. They are ordered bottom to top, so the (chronologically) first entry is the lowest. Check if the ip adress/hostnames for the first few hops belong to intuit and if they don't, its most likely spam.

TLDR: what is necessary to send mails from somebody else's domain? Nothing. You can just do that. Mail is insecure by design and should be abolished.

[–] hddsx@lemmy.ca 9 points 2 days ago (1 children)

Even if you do have DKIM, DMARC, and SPF someone can still spoof your domain and the admin will still get an email about it. After that, instructions are unclear since the receiving domain is rejecting it properly.

Ask me how I know

[–] hendrik@palaver.p3x.de 2 points 2 days ago

Yeah, it has to be both sides cooperating. You can set a recommendation what to do with mails that failed the checks. Including dropping the mail altogether. But it's open to the receiver to honor that request, or not do any checks at all.

load more comments (2 replies)