Your browser is obsolete!

The page may not load correctly.

  • add to favourites
    Add to Bookmarks

Hoax exposed

Read: 7482 Comments: 9 Rating: 14

Thursday, July 25, 2019

It seems that unsolicited emails never cease to deliver some unpleasantness: in the example below, the author threatens to reveal our alleged passion for adult content to the general public.


The impostor blackmails recipients and demands a ransom in exchange for withholding the materials that may ruin their reputation.


The attacker claims that the recipients have no choice because he cannot be caught and, according to his statement, he sent the message using the reader's own compromised account.


Не At first glance, nothing invites suspicion—the Sender field shows *** But, as we’ve already mentioned many times before, in reality the information in this field means next to nothing. This sender’s information may have nothing to do with their real email address. To find out where the message actually comes from, you will need to view the message headers. We’ve already written about how this can be done. See the issueFrom grandpa in the village.


So this is how the elusive hacker's cover is blown.


And from this we can easily deduce that the message is a hoax.

Is there something else worth mentioning about this email? Well, the scammer makes use of the Feedback ID header:


The header may help to determine how efficient a mailing actually is.

If you're a large volume sender, you can use the FeedBack Loop (FBL) to identify campaigns in your traffic that are getting the most complaints from Gmail users. The FBL is particularly useful to ESPs; they can use it to see who is abusing their services.

Senders will need to embed a new header called the Feedback-ID, which consists of parameters (called identifiers) that uniquely identify their individual campaigns. Any identifiers with an unusual spam rate and that might cause deliverability issues will be reported in the Postmaster Tools FBL dashboard.


As described above, the header can be used to determine whether a message has been marked as spam. This is handy for scammers who can use the statistics to modify their emails and bypass spam filters.

The message is signed:


So an anti-spam filter, which validates sender signatures, would probably let this in (which is not the case with Dr.Web!)

The message is delivered as an image rather than text. There are two ways to discern this. First, right-clicking on the message text will bring up a save image option in the drop-down menu.


Second, choosing to forward the message will reveal the image border.


And the deception doesn’t end there!

The message supposedly features a special spot that helps determine when the email was opened (we wrote about theseh pixels in the issue «Hotspot»).


But let's right-click once more and view the email in HTML format:


Here we can clearly see that the entire message is the image we've just mentioned.

The Anti-virus Times recommends

The scammer did the following:

  1. Faked the sender information.
  2. Used an image instead of text.
  3. Signed the email.

And none of that helped them get past Dr.Web Anti-spam! Which is nice.

If you receive a message of this kind, never panic and perform the simple steps we mentioned above.


Tell us what you think

To leave a comment, you need to log in under your Doctor Web site account. If you don't have an account yet, you can create one.