Spam, scam, phishing!

Spamming, phishing, junk. It can sometimes feel like your email address is constantly under attack. So what to do? This is my experience, and hopefully other members more experienced than moi will add pointers, advice and suggestions.

For starters, get a Google (or whichever you prefer – Hotmail, etc.) email account. Always use this account if you need to provide an email address to access a website. I use Google all the time because they have good anti-spam and anti-phishing filters. I back up these emails into Outlook AFTER they have been through Google. I also use Google to fetch emails from my other accounts, as I have several email accounts through my own two websites. Hopefully, those of you who use other providers such as Yahoo, Hotmail, etc. can add to this.

If you run a website for your business, DO NOT put a link to your email address on the page. You can easily use a “contact” form (available free if using Wordpress). If this option is unavailable, you can edit the HTML so it looks like this: sheila.walshe [at] If you think it’s necessary, you can also post in smaller text “please copy and manually insert the “@”.

GOLDEN RULE 1: Never, ever click on a link in the email message. If you think the email might possibly be genuine, open a new browser page and manually type in the URL and investigate further.

GOLDEN RULE 2: Never, ever respond to emails seeking any personal information. A recent Facebook scam directed people to a page to “verify” their accounts. It looked good, looked like a genuine FB page – the giveaway was a box to fill in your credit card details. Always log into Facebook via secure log-in, i.e., https.

So, as happened to an SFN member this morning, you’ve received an email from EDF saying your bank refused the latest request for payment. Is this genuine? NO, it’s not. Most reputable companies (and I use this term advisedly when referring to EDF!) will not contact you in this way. Perhaps you’re still concerned and think the email might just be genuine. Ok, then follow these authentication steps (taken from Google this morning):

Recipients can use authentication to verify the source of an incoming message and avoid phishing scams. For example, if you see messages claiming to be from, but are not properly authenticated as coming from, these are phishing messages. You should not enter or send any personal information. Remember, Google will never ask you to send personal information.

You can view the authentication information by opening a message and clicking on the 'show details' icon below the sender's name .

  • If a message was correctly DKIM3 signed, a 'signed-by' header with the sending domain will appear.

  • If a message was SPF authenticated, a 'mailed-by' header with the domain name will appear.

  • If no authentication information exists, there will be no signed-by or mailed-by headers.

If you would like to know more, here is the Google link:

Many of us run hotels, gites, B&Bs, and we will all have received those emails enquiring about availability for “X” number of people for “X” weeks (insert your own figures here). Here’s a classic example I received a few weeks ago:


Adresse : Place de la république, Boulevard Mitterrand

11 bp 475 Bamako 11

Téléphone : 0022 566 832 361


Je suis Mr THIERRY VIGNON je vous contacte afin de vous faire part de

mon intéressement pour votre location de votre bien pour une période

de 3 semaines à compter du 07 juillet 2012 pour mes petites vacances

étant donné que ma mission de travail prend fin bientôt .

Je désire avoir plus d'informations sur votre location a savoir une

bonne description des lieux et le tarif pour la période demandée.

N'hésitez pas à me contacter par si vous êtes intéressé par ma

proposition 0022 566 832 361 ou sur mon adresse e-mail:

Most of us will spot this as a scam straight way. For starters, he says: votre location de votre bien. The genuine enquirer would at least have made mention of the area. Also, full details of the house, and the charges are set out on the websites. A useful exercise to perform is to do a Google search on the sender’s name, and/or copy a line or two of the text and paste into Google search.

I hope this helps, and please add your knowledge and advice here.

1 Like

Be aware that these details merely tell you that the message originates from a server authorised to send mail from the domain in the envelope “From:” field.

However it does NOT veryify that domain is anything to do with where the message is portrayed as coming from.

I can easily set up a domain - lets say, and send messages from it which purport to come from mybank - BUT no domain registrar is going to check that I have anything to do with “mybank”. I can get my messages all SPFed and DKIMed so that they look nice and legit, but they are not.

Reading headers is a useful skill, but don’t over-trust domain validation without looking at and thinking about the domain being validated.

so billy, still as relevant today as it was when the OP posted it in Sept 2012…

Yeah totally. I guess the OP will have moved on but email is still stuffed full of spam and phishing.

Anyway - you were the first one to post on a 9 year old thread :stuck_out_tongue_winking_eye:

1 Like