Learn how to identify spoofed emails: your email account has not always been hacked!

Identify spoofed emails
This article explains how to tell whether an email you received is spoofed. Spoofing is a common tactic in phishing or extortion spam, where the attacker forges the "From" address to make it appear as though the email is coming from your own address.
🔍 Breakdown of Key Findings:
1. Forged "From" Address
From: [email protected]
To: [email protected]
The email claims to be from you, to you. This tactic is used to intimidate the recipient or convince them that their account has been hacked.
2. Actual Source IP and Host
Received: from [sender ip address] (port=10809 helo=subdomain.spammers.domain)
This is the real origin of the email. The IP [sender ip address] is not associated with your legitimate mail server. It belongs to a spammer's network.
3. SPF Failure (Softfail)
You may see this error in your email header:
1.5 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
Your domain likely has an SPF record set up to identify which mail servers are authorized to send on its behalf. This check soft-failed, which means the sending server is not authorized to send emails on behalf of your domain.
4. DMARC Rejection Triggered
You may see this error in your email header:
3.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed ... DMARC reject policy
Your domain has a DMARC policy in place that tells receiving servers what to do when SPF or DKIM checks fail. In this case, both DKIM and SPF failed, and the email was marked as spam accordingly.
5. Spam Score: 35.0 (Very High)
You may see these lines in the email header:
X-Spam-Status: Yes, score=35.0
X-Spam-Bar: +++++++++++++++++++++++++++++++++++
This is an extremely high spam score. Normal thresholds for spam detection are around 5.0 — this hit 35.0. Some notable rules it triggered:
BITCOIN_SPAM patterns (indicative of extortion/blackmail)
KAM_CRIM (extortion/blackmail emails)
TO_EQ_FM (To == From)
RCVD_IN_XBL/PBL: IP address on spam blocklists
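The five checks above can be run over a raw message with Python's standard email module. This is an added example, not part of the original article: the sample message, its addresses, IP and HELO host are constructed placeholders, and the X-Spam-Report header name is an assumption about where the rule lines appear.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: addresses, IP and HELO host are placeholders, and the
# X-Spam-Report header name is an assumption about where the rule lines sit.
SAMPLE = (
    "Received: from [203.0.113.45] (port=10809 helo=mail.spammer.example)\n"
    "\tby mx.example.org with esmtp\n"
    "From: user@example.org\n"
    "To: user@example.org\n"
    "Subject: I have access to your account\n"
    "X-Spam-Status: Yes, score=35.0\n"
    "X-Spam-Report: 1.5 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)\n"
    "\t3.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed\n"
    "\n"
    "body\n"
)

# Rule names quoted in the article; matched as substrings of any header value.
RULES = ("SPF_SOFTFAIL", "KAM_DMARC_REJECT", "TO_EQ_FM", "BITCOIN_SPAM",
         "KAM_CRIM", "RCVD_IN_XBL", "RCVD_IN_PBL")


def spoof_indicators(raw, spam_threshold=5.0):
    """Return a dict of the spoofing signs described above for one raw message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    # The topmost Received header is the one written by the receiving server;
    # lower ones were supplied by earlier hops and can be forged by the sender.
    received = (msg.get_all("Received") or [""])[0]
    ip = re.search(r"from \[([0-9A-Fa-f.:]+)\]", received)
    helo = re.search(r"helo=([^\s)]+)", received)
    score = re.search(r"score=(-?\d+(?:\.\d+)?)", msg.get("X-Spam-Status", ""))
    score = float(score.group(1)) if score else None
    all_headers = "\n".join(str(v) for v in msg.values())
    return {
        "from_equals_to": bool(sender) and sender == rcpt,
        "source_ip": ip.group(1) if ip else None,
        "helo": helo.group(1) if helo else None,
        "spam_score": score,
        "over_threshold": score is not None and score >= spam_threshold,
        "rules_hit": [r for r in RULES if r in all_headers],
    }


if __name__ == "__main__":
    for key, value in spoof_indicators(SAMPLE).items():
        print(f"{key}: {value}")
```

To check a real message, save its full source (headers included) from your mail client and pass the text to `spoof_indicators`.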
Thank you