mersenneforum.org  

Old 2020-03-20, 21:58   #1
EdH
 
EdH's Avatar
 
"Ed Hall"
Dec 2009
Adirondack Mtns

11×347 Posts
Default Security of Web Addresses

I see different prefixes on all kinds of .com addresses. Are these prefixes tied in to the xxxx.com even when at the end, or can they be spoofed in that manner?

Specific case: I often receive ads from roku@email.roku.com, but today I received one from roku@email1.roku.com with a "more info" link which I clicked on and it flashed, but did not bring up the expected info. I had not noticed the "1" originally, but did after the click failed (of course). Does the "1" within the address pose a possibility for someone to spoof emails from Roku?

Further, the link was prefaced as . . . p s : / / l .email1 . roku . com / lots of ascii. Would that be a true roku.com address or could it go somewhere else?

Thanks for any comments. . .


Edit - additional info. All links on the page appear to have the same address - good chance it's a spoof?

Last fiddled with by EdH on 2020-03-20 at 22:01
EdH is offline   Reply With Quote
Old 2020-03-20, 22:05   #2
retina
Undefined
 
retina's Avatar
 
"The unspeakable one"
Jun 2006
My evil lair

183416 Posts
Default

The "from" portion of any email is completely arbitrary. Anyone can put anything there. There is no way to verify the origin of any email from just the headers.

Anyone could send you an email from president@state.gov, or anything else they care to put there.

Last fiddled with by retina on 2020-03-20 at 22:06
retina is online now   Reply With Quote
Old 2020-03-20, 22:07   #3
EdH
 
EdH's Avatar
 
"Ed Hall"
Dec 2009
Adirondack Mtns

11×347 Posts
Default

Quote:
Originally Posted by retina View Post
The "from" portion of any email is completely arbitrary. Anyone can put anything there. There is no way to verify the origin of any email.

Anyone could send you an email from president@state.gov, or anything else they care to put there.
Thanks! I thought as much. Now I wonder how to find out what was clicked on, without clicking there again. . .


Edit: Does that hold true for the links, as well?

Last fiddled with by EdH on 2020-03-20 at 22:10
EdH is offline   Reply With Quote
Old 2020-03-20, 22:11   #4
retina
Undefined
 
retina's Avatar
 
"The unspeakable one"
Jun 2006
My evil lair

22·1,549 Posts
Default

Quote:
Originally Posted by EdH View Post
Thanks! I thought as much. Now I wonder how to find out what was clicked on, without clicking there again. . .
That depends upon your email client software.

View the message in raw mode, or some similar option, and see where the links really go.
retina is online now   Reply With Quote
Old 2020-03-20, 22:17   #5
EdH
 
EdH's Avatar
 
"Ed Hall"
Dec 2009
Adirondack Mtns

11×347 Posts
Default

Quote:
Originally Posted by retina View Post
That depends upon your email client software.

View the message in raw mode, or some similar option, and see where the links really go.
I have the full address, I think, but as mentioned it has roku.com/ r t s /go2.aspx? lots of ascii.

I'm figuring something got d/led, but nothing is in my d/l folder. Could I be lucky and the intended d/l didn't work?
EdH is offline   Reply With Quote
Old 2020-03-20, 22:23   #6
retina
Undefined
 
retina's Avatar
 
"The unspeakable one"
Jun 2006
My evil lair

22·1,549 Posts
Default

Quote:
Originally Posted by EdH View Post
I have the full address, I think, but as mentioned it has roku.com/ r t s /go2.aspx? lots of ascii.

I'm figuring something got d/led, but nothing is in my d/l folder. Could I be lucky and the intended d/l didn't work?
There are a few ways that addresses can be made to look like something else with the @ prefix. Lame example, but I hope you can see the technique:

http://legit.looking.domain.com@hackers.evil.domain.cc/virus.cgi
retina is online now   Reply With Quote
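
The two checks discussed so far (read the raw message to see where links really go, and do not be fooled by text in front of an "@"), as an added example that is not part of any post in this thread. The function names and the domains `brand.example` and `other.test` are constructed placeholders; the sample HTML is not the message from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from the HTML part of a message."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def real_host(url):
    """Host the browser will contact; anything before '@' is userinfo, not the host."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def belongs_to(host, domain):
    """True only if host is the domain itself or a subdomain (match on a label boundary)."""
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)

def audit_links(html, expected_domain):
    """Return (visible text, real host, is-under-expected-domain) for every link."""
    parser = LinkCollector()
    parser.feed(html)
    return [(text, real_host(href), belongs_to(real_host(href), expected_domain))
            for text, href in parser.links]

# Constructed sample: a subdomain, the '@' trick, a look-alike prefix, a look-alike suffix.
SAMPLE_HTML = """
<a href="https://l.email1.brand.example/go?id=1">More info</a>
<a href="http://brand.example@other.test/page">brand.example</a>
<a href="https://brand.example.other.test/login">Sign in</a>
<a href="https://notbrand.example/">Offers</a>
"""

if __name__ == "__main__":
    for text, host, ok in audit_links(SAMPLE_HTML, "brand.example"):
        print(f"{text!r:16} -> {host:26} {'under expected domain' if ok else 'DIFFERENT DOMAIN'}")
```

A host that passes this check is only a name under the expected domain's DNS; a tracking link on such a host normally redirects, so the check covers the first hop and not the final destination.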
Old 2020-03-20, 22:27   #7
ewmayer
2ω=0
 
ewmayer's Avatar
 
Sep 2002
República de California

103·113 Posts
Default

Quote:
Originally Posted by EdH View Post
I have the full address, I think, but as mentioned it has roku.com/ r t s /go2.aspx? lots of ascii.

I'm figuring something got d/led, but nothing is in my d/l folder. Could I be lucky and the intended d/l didn't work?
Using Mac mail on my laptop, I simply hover the cursor over whichever link the e-mail wants me to click, then when the underlying address shows up as hovertext, compare to whoever is alleging they sent the message. Here's a screenshot of an example from yesterday - the weird Sender address already had me convinced it was a phish-mail, did the hovertext-trick just by way of confirming. But the better-quality phishes will have a realistically spoofed Sender-field, so the link-hovertext trick is crucial. (Note: in my screenshot, I had to move the cursor to select a subregion of the screen to capture, which left the cursor not-over-the-clickable-link ... the little hovertext rectangle appeared with cursor over the link):
[Attached screenshot: Amazon_account_suspended_phish.png]

Last fiddled with by ewmayer on 2020-03-20 at 22:31
ewmayer is online now   Reply With Quote
Old 2020-03-20, 22:30   #8
EdH
 
EdH's Avatar
 
"Ed Hall"
Dec 2009
Adirondack Mtns

11·347 Posts
Default

Quote:
Originally Posted by retina View Post
There are a few ways that addresses can be made to look like something else with the @ prefix. Lame example, but I hope you can see the technique:

http://legit.looking.domain.com@hackers.evil.domain.cc/virus.cgi
The link doesn't have an "@" within. I've got a scan going right now. Hopefully all is well, or will be. (I suppose I'll see. . .) Gotta run.

Thanks for all the quick help.
EdH is offline   Reply With Quote
Old 2020-03-20, 22:35   #9
EdH
 
EdH's Avatar
 
"Ed Hall"
Dec 2009
Adirondack Mtns

11×347 Posts
Default

Quote:
Originally Posted by ewmayer View Post
Using Mac mail on my laptop, I simply hover the cursor over whichever link the e-mail wants me to click, then when the underlying address shows up as hovertext, compare to whoever is alleging they sent the message. Here's a screenshot of an example from yesterday - the weird Sender address already had me convinced it was a phish-mail, did the hovertext-trick just by way of confirming. But the better-quality phishes will have a realistically spoofed Sender-field, so the link-hovertext trick is crucial. (Note: in my screenshot, I had to move the cursor to select a subregion of the screen to capture, which left the cursor not-over-the-clickable-link ... the little hovertext rectangle appeared with cursor over the link):
Thanks! Those ones I normally catch, but this one apparently got me. The hover was super close to the roku version, even with roku.com, etc. I guess I need to look even closer. . .

I've always been somewhat suspicious of all the prefixes anyway, but everybody is going that route: mail.---.com, my.---.com, etc. --- .com.
EdH is offline   Reply With Quote
Old 2020-03-20, 22:36   #10
retina
Undefined
 
retina's Avatar
 
"The unspeakable one"
Jun 2006
My evil lair

11000001101002 Posts
Default

Quote:
Originally Posted by ewmayer View Post
Using Mac mail on my laptop, I simply hover the cursor over whichever link the e-mail wants me to click, then when the underlying address shows up as hovertext, compare to whoever is alleging they sent the message. Here's a screenshot of an example from yesterday - the weird Sender address already had me convinced it was a phish-mail, did the hovertext-trick just by way of confirming. But the better-quality phishes will have a realistically spoofed Sender-field, so the link-hovertext trick is crucial. (Note: in my screenshot, I had to move the cursor to select a subregion of the screen to capture, which left the cursor not-over-the-clickable-link ... the little hovertext rectangle appeared with cursor over the link):
IMO allowing html view is asking for trouble. Plain text only is safest.
retina is online now   Reply With Quote
Old 2020-03-20, 22:41   #11
ewmayer
2ω=0
 
ewmayer's Avatar
 
Sep 2002
República de California

103·113 Posts
Default

Quote:
Originally Posted by retina View Post
IMO allowing html view is asking for trouble. Plain text only is safest.
I happen to be quite practiced at not clicking *any* link until having first checked where it goes via the hover technique. It seems this is especially difficult on smartphones, however, since there one uses the same fingertip to navigate and then press-just-a-little-harder-to-open-link - one more reason I only use 'em for offline GIMPS crunching. :)
ewmayer is online now   Reply With Quote
All times are UTC.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.
A copy of the license is included in the FAQ.