Chennai Mathematical Institute

Email Safety

This is some information on email scams that work by spoofing the identity of the sender. You might occasionally receive email pretending to be from CMI faculty members / people from the office / others you know; the information below should help you determine whether the message is genuine.

There are two `from' addresses typically associated with an email message. The Visible From (sometimes called the Header From) is the From address line that is ordinarily displayed by Mail User Agents (MUA) (i.e., mutt / alpine / CMI webmail / other mail apps). Spoofing this is one of the easiest methods to trick unsuspecting recipients, and one that is also easy to catch. The other from address is the Envelope From, which is what the mail servers exchange with each other; it is not difficult to spoof this either, but there are server-level catches for it, and examining the raw message should help you determine whether a message is genuine or not.

Usually the person sending such email would want you to disclose some private information or pay some money in some form. This is done by asking you to reply to them by email or by clicking on some link embedded in the message itself.

  1. Reply to their email: If the From address or the Reply-To address does not appear to be the actual address of the purported sender, do not reply to it. E.g., in the recent past, we have received email purportedly from the CMI Director, but with an email address from a domain in South America.
  2. Click on a link: Quite often, the visible text of the link shown to you in the message is not the actual URL. In HTML, a link is given by writing something like this
        <a href=ACTUAL_URL>TEXT_YOU_SEE</a>
        
    Therefore it is easy to trick a recipient into clicking a malicious URL masquerading as a friendly one, so the safest option is to copy the link text you see and paste it into a browser instead of clicking it.

These steps will help you decide if a message is genuine:

  1. Open the full headers (sometimes called the `raw message'). In CMI webmail, open the message, and click on the three dots ("More") that you see in the top line. You will see an option called "Show source". Clicking that will display the full headers.
  2. Look at the Envelope From (sometimes called Return-Path) header line. This is different from the `visible' From, which is what is typically displayed by a Mail User Agent.
  3. Read the Received lines from the bottom upwards. This is the order of the servers through which the message passed. Each line will give the hostname or IP address (or both) of the corresponding server. There is a service called WHOIS which lists various pieces of information about machines on the internet. You can do a web search to find websites offering this service; if you give the IP address of a machine found in a Received line, you should be able to get some information about its location, the network it belongs to, etc.
  4. Each domain (e.g. cmi.ac.in) has a few authorised servers from which outgoing messages can go, and the domains publish this information. Some of the mechanisms to check this are Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), etc. If the sender's domain has published this information, and the message passes these tests, appropriate headers (typically Authentication-Results) are added by the recipient's mail server before it delivers the message to the recipient's mailbox.
  5. Sometimes, the sender's mail server will require the sender to authenticate before sending the message. In that case, the server will add a header line recording that the user was authenticated. Two examples:
    1. a message sent from CMI's webmail
          Received: from webmail.cmi.ac.in (localhost [127.0.0.1])
              (Authenticated sender: REDACTED)
              by mail.cmi.ac.in (Postfix) with ESMTPA id REDACTED
              for REDACTED_RECIPIENT_ADDRESS; Tue, 24 Nov 2020 02:36:37 +0530 (IST)
      	
    2. a message sent by a CMI user from an IMAP client on a phone/laptop/home PC etc.
          Received: from IP_ADDR_REDACTED (unknown IP_ADDR_REDACTED)
              (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
              ... (Authenticated sender: REDACTED)
              by mail.cmi.ac.in (Postfix) with ESMTPSA id REDACTED; ...
      	

Please remember:

  1. CMI sysadm will not ask you to confirm your password by email or by clicking any link.
  2. If you get a phishing email pretending to be from someone at CMI, please try to verify it
    1. first by checking its full headers (this will typically give the spoof away),
    2. then by checking with your friends, with the purported sender (using his/her CMI email address) or with sysadm before acting on it.

If you have any questions, please feel free to write to sysadm.