Hi, I have been getting the following email from Purism, and I believe this to be a phishing email. Is this legitimate? It requires you to enter your Purism password to update your email password because it is claimed to be expiring:
Look at the full headers of the email; probably you will see that there is no valid DKIM signature, and in that way you can tell it is not really sent by the email server/provider it claims to come from.
It’s one of the simplest things to change when an email is sent.
So I would bet that your email server is not compromised, but that your email address has been retrieved by bots from somewhere.
As Skalman said, you could check the complete source of the email to confirm this.
Recently I also received an email coming from my personal email to my personal email, and the exact same email from my professional email to my professional email, but those were more obvious than yours.
Thank you for the analysis! It took me a bit to find the source data; once I got that pointer, everything you describe makes a lot more sense. I don’t have an account with Open Joint Stock Company - Guarantee Fund. I am just worried it makes Purism itself look bad. I am not sure if passwords can expire, maybe a Purism question - I am not aware they do?
The only reason I bring it up is that I have never seen such a phishing attempt; I guess I have been lucky the last 30 years! Alternatively, some sites, like ProtonMail, have a neat feature to report phishing attempts, and every time I have done that I have never seen a similar message again, so they are actively fighting that - maybe domain or IP blocking. It is a question of who is responsible for email safety on a server, or who wants to take any responsibility, or whether to leave it solely up to the user.
I sent him an email to stop phishing, see what he says.
Probably not possible. Personally, I’ve never had any qualms about reporting these to the government. It’s more important to me to try and stop or catch them than to worry about if some agency in some corner of government gets my email address.
That’s not completely right because not all mail domains use DKIM.
If there is a valid DKIM signature then that is a solid sign that the email is legitimately from where it is claiming to be from (but be careful with what is being claimed).
If there is no valid DKIM signature then that adds evidence that the email might not be legit.
Since there are three different technologies in use for mail legitimacy, you need to look at all three.
DMARC and SPF are the other two.
I mostly look at SPF … and you can see that Purism received the email from 126.96.36.199 (some IP address on a random scam-for-rent Amazon server) but this was an SPF “softfail” because the owner of the relevant domain does not advertise that IP address as a legitimate origination IP address for mail claiming to be from that domain - but the owner of the domain does not say to reject all other IP addresses.
For clarity, the domain here is gf.kg, and this illustrates a deficiency in the user interface of most mail clients: that is the domain that got validated (as a softfail), but it is not shown to you (unless you go fishing through the mail headers).
For my own domains, I explicitly enumerate in the SPF advertised information all valid IP addresses that may originate email and then say to reject all other IP addresses i.e. “hardfail”. For some domain owners that may be impractical or impossible. (So if the scammer had sent the same email but claiming to be from one of my domains then Purism would have been more strident, either rejecting the email outright or at least marking it as probable scam/spam.)
Scammers have lists of domains that are permissive i.e. that can safely be forged without triggering an SPF hardfail.
However, a correctly configured mail server (generally speaking) does not accept email originating outside the company’s infrastructure but claiming to be from an internal email address. Maybe Purism should look at that.
Also one of your friends may have been compromised. That doesn’t yield much for the attacker (compared with a data breach at a company) but in the early days of net nasties this was a very common occurrence i.e. enumerating your “Outlook” contact list.
And, for completeness, you yourself may have been compromised.
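As an added illustration (not code from any poster in this thread), here is a simplified SPF evaluation plus a check of whether the domain SPF actually validated (Return-Path / MAIL FROM) matches the From: domain the mail client shows, which is the softfail-vs-hardfail and hidden-domain point made above. The SPF records, domain names and headers are constructed for the example; only the sending IP is the one quoted in the thread.

```python
import ipaddress
from email import message_from_string, utils

# Simplified SPF evaluation: ip4/ip6 mechanisms plus the final "all" term only
# (no include:, a, mx or redirect=). An illustration, not a full RFC 7208 checker.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(record: str, sender_ip: str) -> str:
    """Return the SPF result for sender_ip against a v=spf1 TXT record."""
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:            # skip the "v=spf1" version tag
        qualifier, mech = "+", term
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        if mech == "all":                       # catch-all decides unmatched IPs
            return QUALIFIERS[qualifier]
        if mech.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"                            # nothing matched and no "all" term

def domain_of(addr_header: str) -> str:
    """Lower-cased domain part of an address header such as From: or Return-Path:."""
    return utils.parseaddr(addr_header)[1].rsplit("@", 1)[-1].lower()

def spf_alignment(raw_headers: str) -> dict:
    """Compare the domain SPF checked (Return-Path, i.e. MAIL FROM) with the From:
    domain the user sees; a mismatch means SPF gives no DMARC alignment for From:."""
    msg = message_from_string(raw_headers)
    from_dom, spf_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    return {"from_domain": from_dom, "spf_domain": spf_dom,
            "aligned": from_dom == spf_dom}

# Constructed records: a permissive domain (~all) and a strict one (-all).
PERMISSIVE_SPF = "v=spf1 ip4:198.51.100.0/24 ~all"
STRICT_SPF = "v=spf1 ip4:198.51.100.0/24 -all"

# Constructed headers: SPF validated the Return-Path domain, not the displayed From:.
SAMPLE_HEADERS = """\
Return-Path: <bounce@permissive.example>
From: "Account Security" <support@victim-brand.example>
Subject: Your password is expiring

"""

if __name__ == "__main__":
    print(evaluate_spf(PERMISSIVE_SPF, "126.96.36.199"))  # softfail
    print(evaluate_spf(STRICT_SPF, "126.96.36.199"))      # fail
    print(spf_alignment(SAMPLE_HEADERS))
```

The same unlisted IP yields only "softfail" against the ~all record but "fail" against the -all record, and the alignment check exposes the Return-Path domain that the mail client never displays.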