Librem one Phishing Email?

Hi, I have been getting the following email from Purism, and I believe this to be a phishing email. Is this legitimate? It requires you to enter your Purism password to update your email password because it claims to be expiring:

Link Sent:

Cloudflare IPFS

If it is a phishing email, it is pretty convincing! Also since it seems to have been sent from my own email, does that mean the email server is compromised?

1 Like

Look at the full headers of the email, probably you will see that there is no valid DKIM signature, in that way you can then tell it is not really sent by the email server/provider it claims to come from.

You believe right, it’s clearly a phishing email.

It’s one of the simplest things to change when an email is sent.
So I would bet that your email server is not compromised, but that your email address has been retrieved by bots from somewhere.

As Skalman said, you could check the complete source of the email to confirm this.

Recently I also received an email coming from my personal email to my personal email, and the exact same email from my professional email to my professional email, but those were more obvious than yours:

Return-Path: <jusupov@gf.kg>
X-Original-To: youremail@librem.one
Delivered-To: youremail@librem.one
Received: from mx1.librem.one (mx1.librem.one [138.201.176.93])
	by smtp.librem.one (Postfix) with ESMTPS id D6A68835D1
	for <youremail@librem.one>; Mon, 16 Oct 2023 18:27:10 +0000 (UTC)
Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=18.140.6.250; helo=frosty-moser.18-140-6-250.plesk.page; envelope-from=jusupov@gf.kg; receiver=<UNKNOWN> 
Authentication-Results: name mx1.librem.one; dmarc=fail (p=reject dis=none) header.from=librem.one
Received: from frosty-moser.18-140-6-250.plesk.page (ec2-18-140-6-250.ap-southeast-1.compute.amazonaws.com [18.140.6.250])
	by mx1.librem.one (Postfix) with ESMTPS id 406A981ED5
	for <youremail@librem.one>; Mon, 16 Oct 2023 11:27:08 -0700 (PDT)
Authentication-Results: frosty-moser.18-140-6-250.plesk.page;
	spf=pass (sender IP is 45.138.16.85) smtp.mailfrom=jusupov@gf.kg smtp.helo=45.138.16.85.powered.by.rdp.sh
Received-SPF: pass (frosty-moser.18-140-6-250.plesk.page: connection is authenticated)
From: librem.one <youremail@librem.one>
To: youremail@librem.one
Subject: youremail@librem.one Password expires today
Date: 16 Oct 2023 20:27:05 +0200
Message-ID: <20231016202705.4651035CEAF1BCA0@librem.one>
Content-Type: text/html;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.=
w3.org/TR/html4/loose.dtd">

<html><head>
<meta http-equiv=3D"X-UA-Compatible" content=3D"IE=3Dedge">
</head>
<body style=3D"margin: 0.5em;">
<p>

ID: youremail@librem.one<br><br>

Your youremail@librem.one password expires today  10/16/2023=
 8:27:05 p.m.  <br><br>

Use the button below to continue with same password<br><br>

<p> <a style=3D"background: 0% 50% rgb(11, 102, 35); padding: 15px; width: =
10%; text-align: center; color: white; font-size: 15px; text-decoration: no=
ne; display: block; -moz-background-clip: -moz-initial; -moz-background-ori=
gin: -moz-initial; -moz-background-inline-policy: -moz-initial;" href=3D"ht=
tps://cloudflare-ipfs.com/ipfs/QmSEk4YKG4SZqiy6Jnv3ufHHhXcdDWKYy2Bqh5Z9fSir=
TB/index2cha0210.html#youremail@librem.one" target=3D"_blank=
"> Continue </a></p>

<p>Note: Your mails may not be delivered until you verify your account.</p>=

<p>Sincerely,</p>
<p>librem.one Support Team.</p>
<p></p>


</body></html>
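Skalman's advice above (look at the full headers) and the raw source quoted in this post can be turned into a small triage routine. The following is an added example, not code from the thread or from Purism; it embeds the headers quoted above as a constructed sample (body omitted) and reads only the Authentication-Results line written by the receiver's own MX, since any such line added by the sending host is under the sender's control. The function name `triage_headers` and the `trusted_authserv` parameter are this example's own.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: the header block quoted earlier in this thread, body omitted.
# Continuation lines start with a tab, as in the original folded headers.
RAW_HEADERS = """\
Return-Path: <jusupov@gf.kg>
X-Original-To: youremail@librem.one
Delivered-To: youremail@librem.one
Received: from mx1.librem.one (mx1.librem.one [138.201.176.93])
\tby smtp.librem.one (Postfix) with ESMTPS id D6A68835D1
\tfor <youremail@librem.one>; Mon, 16 Oct 2023 18:27:10 +0000 (UTC)
Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=18.140.6.250; helo=frosty-moser.18-140-6-250.plesk.page; envelope-from=jusupov@gf.kg; receiver=<UNKNOWN>
Authentication-Results: name mx1.librem.one; dmarc=fail (p=reject dis=none) header.from=librem.one
Received: from frosty-moser.18-140-6-250.plesk.page (ec2-18-140-6-250.ap-southeast-1.compute.amazonaws.com [18.140.6.250])
\tby mx1.librem.one (Postfix) with ESMTPS id 406A981ED5
\tfor <youremail@librem.one>; Mon, 16 Oct 2023 11:27:08 -0700 (PDT)
Authentication-Results: frosty-moser.18-140-6-250.plesk.page;
\tspf=pass (sender IP is 45.138.16.85) smtp.mailfrom=jusupov@gf.kg smtp.helo=45.138.16.85.powered.by.rdp.sh
Received-SPF: pass (frosty-moser.18-140-6-250.plesk.page: connection is authenticated)
From: librem.one <youremail@librem.one>
To: youremail@librem.one
Subject: youremail@librem.one Password expires today
"""


def _domain(addr_header):
    """Lower-cased domain part of an address header, or '' if none."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


def triage_headers(raw, trusted_authserv):
    """Summarise the authentication state of a message from its raw headers.

    trusted_authserv is the authserv-id of the receiver's own MX (here
    mx1.librem.one). Only its Authentication-Results line is consulted for
    DMARC. Received-SPF is read from the topmost occurrence because each hop
    prepends its headers, so the topmost one comes from the last (our) hop,
    and the sender's own "pass" further down is ignored.
    """
    msg = email.message_from_string(raw)
    findings = []

    from_domain = _domain(msg.get("From"))
    return_path_domain = _domain(msg.get("Return-Path"))
    if from_domain and return_path_domain and from_domain != return_path_domain:
        findings.append(f"From domain {from_domain} != Return-Path domain {return_path_domain}")

    spf = None
    received_spf = msg.get_all("Received-SPF") or []
    if received_spf:
        spf = received_spf[0].split()[0].lower()
        if spf != "pass":
            findings.append(f"SPF result at our MX is {spf}")

    dmarc = None
    for value in msg.get_all("Authentication-Results") or []:
        authserv = value.split(";", 1)[0]
        if trusted_authserv not in authserv:
            continue  # written by some other, possibly hostile, host
        m = re.search(r"\bdmarc=(\w+)", value)
        if m:
            dmarc = m.group(1).lower()
    if dmarc is None:
        findings.append("no DMARC evaluation from our MX")
    elif dmarc != "pass":
        findings.append(f"DMARC {dmarc} for header.from={from_domain}")

    has_dkim = "DKIM-Signature" in msg
    if not has_dkim:
        findings.append("no DKIM-Signature header")

    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "spf": spf,
        "dmarc": dmarc,
        "has_dkim": has_dkim,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for line in triage_headers(RAW_HEADERS, "mx1.librem.one")["findings"]:
        print("-", line)
```

Run against the quoted headers this reports four findings: the From domain (librem.one) does not match the Return-Path domain (gf.kg), SPF at the receiving MX is softfail, DMARC failed for header.from=librem.one, and there is no DKIM-Signature at all. The second Authentication-Results and Received-SPF lines, which say "pass", were added by the sender's own host and are deliberately not trusted.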

I do not see the DKIM signature, but there is a dmarc=fail, maybe I should click on the link and enter the wrong authentication password just to keep the scammers busy :stuck_out_tongue:

What if that was their plan all along, to have you see it as phishing and play with it and as a result inadvertently leak the source IP that you submitted the fake information from?

Clues:

  1. Non-standard use of capitalization, punctuation (lack thereof), the definite article “the” (lack thereof), and spaces (unless the extra spaces are just an artifact of the message source view)

Subject: youremail@librem.one Password expires today 10/16/2023 8:27:05 p.m.

Use the button below to continue with same password

  2. Button to click leads to… somewhere odd

https://cloudflare-ipfs.com/ipfs/QmSEk4YKG4SZqiy6Jnv3ufHHhXcdDWKYy2Bqh5Z9fSir= TB/index2cha0210.html#youremail@librem.one

  3. Return email is to… someone named “J Usupov” in Kyrgyzstan…?!

Return-Path: <jusupov@gf.kg>

  4. And finally, do librem.one passwords have expiration dates? And does your password expire today?

Also:

  5. Website not related to Purism at all

gf.kg is apparently a Russian site (or site in Russian language) for something called “Open Joint Stock Company - Guarantee Fund.” (I used Startpage’s Anonymous View option to see the page.)

2 Likes

Thank you for the analysis! It took me a bit to find the source data, once I got that pointer everything you describe makes a lot more sense. I don’t have an account with Open Joint Stock Company - Guarantee Fund. I am just worried it makes Purism itself look bad. I am not sure if passwords can expire, maybe a Purism question- I am not aware they do?

The only reason I bring it up is that I have never seen such a phishing attempt; I guess I have been lucky the last 30 years! Alternatively, some sites, like protonmail, have a neat feature to report phishing attempts, and every time I have done that I have never seen a similar message again, so they actively are fighting that - maybe domain/or IP blocking. It is a question who is responsible for email safety on a server, or who wants to take any responsibility, or leave it solely up to the user.

I sent him an email to stop phishing, see what he says.

Other forum members who use librem.one can probably answer this question, too.

It may be that the J Usupov email address itself was hijacked by some miscreant without Usupov’s (if he/she exists) awareness, in order to target others.

You could report it to Purism. Always forward suspected phishing emails as an attachment, not quoted inline in your composed email.

You can also report to: phishing-report@us-cert.gov if you don’t mind sending to “the government.” :wink:

You should never respond to phishing attempts or spammers, especially spammers, as they will just then sell your now-confirmed-as-valid email address on.

Responding to a phisher could be fun, but only if you have your wits about you when and if they respond. But again, Usupov may not have even sent that email.

1 Like

Hmm if I can send it anonymously I would send it to the government, without any header information about my IP or even my email address!

Probably not possible. Personally, I’ve never had any qualms about reporting these to the government. It’s more important to me to try and stop or catch them than to worry about whether some agency in some corner of government gets my email address.

And anyway, the goal seemed to be to get you to click on the button, which would do who-knows-what, and not to your benefit, of course.

(i.e. Not to get you to respond to the probably-spoofed/hijacked email account.)

That’s not completely right because not all mail domains use DKIM.

If there is a valid DKIM signature then that is a solid sign that the email is legitimately from where it is claiming to be from (but be careful with what is being claimed).

If there is no valid DKIM signature then that adds evidence that the email might not be legit.

Since there are three different technologies in use for mail legitimacy, you need to look at all three.

DMARC and SPF are the other two.

I mostly look at SPF … and you can see that Purism received the email from 18.140.6.250 (some IP address on a random scam-for-rent Amazon server) but this was an SPF “softfail” because the owner of the relevant domain does not advertise that IP address as a legitimate origination IP address for mail claiming to be from that domain - but the owner of the domain does not say to reject all other IP addresses.

For clarity, the domain here is gf.kg and this illustrates a deficiency in the user interface for most mail clients - since that is what got validated (as a softfail) but that is not shown to you (unless you go fishing through the mail headers).

For my own domains, I explicitly enumerate in the SPF advertised information all valid IP addresses that may originate email and then say to reject all other IP addresses i.e. “hardfail”. For some domain owners that may be impractical or impossible. (So if the scammer had sent the same email but claiming to be from one of my domains then Purism would have been more strident, either rejecting the email outright or at least marking it as probable scam/spam.)

Scammers have lists of domains that are permissive i.e. that can safely be forged without triggering an SPF hardfail.

However a correctly configured mail server (generally speaking) does not accept email originating outside the company’s infrastructure but claiming to be from an internal email address. Maybe Purism should look at that.
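The softfail/hardfail distinction described in this post comes down to the qualifier on the trailing `all` mechanism of a domain's SPF record (`~all` softfail versus `-all` hardfail). The following is an added example, not code from the thread or from any mail server; it evaluates only the `ip4`, `ip6` and `all` mechanisms (no `include`, `a`, `mx` or DNS lookups) against constructed records for hypothetical domains, which is enough to show what a forged sender from 18.140.6.250 (the originating address in the quoted headers) gets under each policy. The domain names, records and function names are this example's own.

```python
import ipaddress

# Constructed SPF records for hypothetical domains (not real DNS data).
# permissive.example ends in ~all (softfail), strict.example in -all (hardfail),
# open.example in ?all (neutral), i.e. the most forgeable of the three.
SPF_RECORDS = {
    "permissive.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "strict.example": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
    "open.example": "v=spf1 ip4:203.0.113.0/24 ?all",
}

# SPF qualifier prefixes and the result they produce when a mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate the ip4/ip6/all mechanisms of an SPF record for client_ip.

    Reduced evaluator: mechanisms other than ip4, ip6 and all are skipped
    (a real evaluator resolves them). Returns one of pass, fail, softfail,
    neutral, or none when the record is not an SPF record.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"  # mechanisms without a prefix mean "pass on match"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            # The trailing all decides what every unlisted sender gets.
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    # Record exhausted without a match and without an all mechanism.
    return "neutral"


def check_forged_sender(domain, client_ip):
    """Look up the constructed record for domain and evaluate client_ip."""
    return evaluate_spf(SPF_RECORDS[domain], client_ip)


if __name__ == "__main__":
    forged_origin = "18.140.6.250"  # the source IP from the quoted headers
    for domain in SPF_RECORDS:
        print(f"{domain:20} {forged_origin} -> {check_forged_sender(domain, forged_origin)}")
```

With a forged origin of 18.140.6.250, permissive.example yields softfail (the receiver accepts but can flag, which is what happened to the mail in this thread), strict.example yields fail (a receiver that honours it rejects outright), and open.example yields neutral (treated much like having no record). The same IP inside 203.0.113.0/24, or an IPv6 address inside 2001:db8::/32, passes for strict.example, which is the "explicitly enumerate all valid addresses, then reject everything else" policy described above.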

I recommend AGAINST that. As @amarok said.

Ignore. Delete. Move on.

1 Like

FWIW - I get them also every once in a while. Without analysis it was obvious to me as a phishing attack.

Where do they get my email from? Probably public list-servers where I also post.

2 Likes

Also just iteration. If your email address is firstname@somedomain.com then spammers try all common first names (as well as other common mailbox names).

Also data breaches. If your email address was held by a company that you legitimately deal with but that company then got breached, your email address is then public for the scammers and spammers.

1 Like

Speaking of data breaches, check out security expert Troy Hunt’s massive database of data breaches: https://haveibeenpwned.com/

(But if one has posted one’s email addresses publicly on one or more websites, no data breach is required to turn one into a phishing target, of course.)

1 Like

Also one of your friends may have been compromised. That doesn’t yield much for the attacker (compared with a data breach at a company) but in the early days of net nasties this was a very common occurrence i.e. enumerating your “Outlook” contact list.

And, for completeness, you yourself may have been compromised. :wink:

1 Like

Nice looks like there was some leakage from Robinhood, somewhat unexpected since they are supposed to have security at least as good as a bank.

Unlikely since the circle of friends I use this email with is small, but certainly a possibility.

1 Like

I just copied that in as an example, don’t really use that.