This is some information on email scams run by spoofing the identity of
the sender. You might occasionally receive email pretending to be from
CMI faculty members / people from the office / other you know; the
information below should help you determine if the message is genuine.
There are two `from' addresses typically associated to an email message.
Visible From (sometimes called the
Header From) is the From
addresss line that is ordinarily displayed by Mail User Agents (MUA)
(i.e., mutt / alpine / CMI webmail / other mail apps). Spoofing this is
one of the easiest methods to trick unsuspecting recipients, and one
that is also easy to catch.
from address is the
Envelope_from line, which is what the mail servers communicate with
each other; it is not difficult to spoof this either, but there are
server-level catches for this, and examining the raw message should help
you determine whether a message is genuine or not.
Usually the person sending such email would want you to disclose some
private information or pay some money in some form. This is done by
asking you to reply to them by email or by clicking on some link
embedded in the message itself.
- Reply to their email: If the
From address or
address does not appear to be the actual address of the purported
sender, do not reply to it. E.g., in the recent past, we have
received email purportedly from the CMI Director, but with an email
address from a domain in South America.
- Click on a link: Quite often, the visible text of the link shown
to you in the message is not the actual URL. In HTML, a link
is given by writing something like this
Therefore it is easy to trick a receipient to click some malicious
URL masqueraded as a friendly one. Therefore the safest option is to
copy and paste the link you see in a browser.
These steps will help you decide if a message is genuine:
- Open the full headers (sometimes called the `raw message').
In CMI webmail, open the message, and click on the three dots
("More") that you see in the top line. You will see an option
called "Show source". Clicking that will display the full
- Look at the
Envelope From (sometimes called
Return-Path) header line. This is different from the
From, which is what is typically displayed
by a Mail User Agent.
- Read the
Received lines from the bottom upwards. This is
the order of the servers through which message passed. Each line will
give hostnames or IP addresses or both of the corresponding server.
There is a service called WHOIS which lists various pieces of
information about machines on the internet. You can do a web search
to find websites offering this service; if you give the IP address
of a machine found in a
Received line, you should be able to
get some information about its location, the network it belongs to etc.
- Each domain (e.g. cmi.ac.in) has a few authorised servers from
which outgoing messages can go, and the domains publish this
information. Some of the mechanisms to check this are Sender Policy
Framework (SPF), Domain Key, etc. If the sender's domain has
published this information, and the messages passes these tests,
appropriate headers are typically added by the recipient's mail
server, before delivering it to the recipient's mailbox.
- Sometimes, the sender's mail server will require the sender to
authenticate before sending the message. In that case, the server
will add a header line that the user has been authenticated.
- a message sent from CMI's webmail
Received: from webmail.cmi.ac.in (localhost [127.0.0.1])
(Authenticated sender: REDACTED)
by mail.cmi.ac.in (Postfix) with ESMTPA id REDACTED
for REDACTED_RECIPIENT_ADDRESS; Tue, 24 Nov 2020 02:36:37 +0530 (IST)
- a message sent by a CMI user from an IMAP client on a
phone/laptop/home PC etc.
Received: from IP_ADDR_REDACTED (unknown IP_ADDR_REDACTED)
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
... (Authenticated sender: REDACTED)
by mail.cmi.ac.in (Postfix) with ESMTPSA id REDACTED; ...
- CMI sysadm will not ask you to confirm your password by email or
by clicking any link.
- If you get some phishing email pretending to be from someone from
CMI, please try to verify its veracity
- first by checking its full headers (this will typically give
- then by checking with your friends, the purported sender
(using his/her CMI email address) or with sysadm
before acting on them.
If you have any questions, please feel free to write to sysadm