How do I recognize a fake email?

Although it seems that everyone should easily recognize a fake email from its content, doing so is sometimes quite difficult. Evidence of this is a new phishing email sent to the info and office addresses of .rs domain owners, which appears to come from SBB. Even though it is marked as spam (and it may not always be), it is quite convincing.

Recognizing a fake email on Gmail

First, open the email normally like any other email (warning: do not click anything in that email).

[Screenshot]

Here Google immediately marked the email as dangerous; if that is not the case for you, the procedure is still the same. Click the three dots on the right.

[Screenshot]

When we choose the Show original option, the complete email with its technical details opens in a new tab, as in the picture below.

[Screenshot]

Here we already see more technical data, which looks like too much information for non-experts and not worth reading. However, we only need to pay attention to these three squares, which tell us enough, and we can freely ignore the rest.

The first square is right at the beginning. Google, like all email servers, checks SPF, DKIM and DMARC. Here the SPF check did not pass; it says SOFTFAIL (more about what that means in the article on setting the SPF record).

The second square immediately says that the domain eunet.co.rs has not authorized this IP address as its own for sending emails.

The third square concerns the sender; here you can immediately see that it is not transparent. That the first item is an IPv6 address is not strange, but compare the rest with the regular email below.

The fourth square shows who actually sent the email, which here is mta.k9grasscrufts.com and not eunet.co.rs as presented at the beginning. This can differ if, for example, you use Google, Outlook or some other mail server such as your hosting provider's; the sending server does not have to be in the domain itself.

Here's what a regular email looks like.

[Screenshot]

Now you can compare the fake email above and the regular one below.

Checking if an email is fake from WebMail RoundCube

We open the email but do not click anything inside the email.

Then we go to the three dots in the upper right corner, then to "More" and then to "Show Source".

[Screenshot]

When we click there, a new tab will open with all the technical data as in the picture below.

[Screenshot]

We see here, just as in Gmail, that SPF is the problem: the check did not pass, and the email was received from a totally different server that is not connected to this email server. Although the sender successfully faked eunet.co.rs everywhere in the message, it is not possible to fake records such as SPF, DKIM and DMARC, because they are set exclusively on the server where the domain is.
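The same reading of "Show original" / "Show Source" can be done on the saved message source. This is an added example, not part of the original article: the sample headers are constructed from the values described above, and the receiving host mx.example.net, the IPv6 address and the recipient are assumptions. It also assumes the topmost Authentication-Results header is the one written by your own mail server.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers described above. The IPv6 address
# (documentation range), receiving host and recipient are made up.
SAMPLE = """\
Received: from mta.k9grasscrufts.com (mta.k9grasscrufts.com. [2001:db8::25])
        by mx.example.net with ESMTPS; Mon, 01 Jan 2024 10:00:00 +0000
Authentication-Results: mx.example.net;
        spf=softfail (domain of transitioning info@eunet.co.rs does not
        designate 2001:db8::25 as permitted sender)
        smtp.mailfrom=info@eunet.co.rs
From: SBB <info@eunet.co.rs>
To: office@example.rs
Subject: Constructed subject

Constructed body.
"""

FAILED = {"fail", "softfail", "permerror", "temperror"}

def check_headers(raw):
    """Summarise what the receiving server recorded about the sender."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

    # Topmost Authentication-Results is the one our own server added;
    # collapse the folded header onto one line before matching.
    auth = " ".join((msg.get("Authentication-Results") or "").split())
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I):
        results[method.lower()] = verdict.lower()

    # Topmost Received header names the server that handed the mail to ours.
    hops = msg.get_all("Received") or []
    m = re.match(r"\s*from\s+(\S+)", hops[0]) if hops else None
    host = m.group(1).lower().rstrip(".") if m else ""
    mismatch = bool(host) and host != from_domain \
        and not host.endswith("." + from_domain)

    failed = sorted(k for k, v in results.items() if v in FAILED)
    # A foreign sending host alone is normal (Google, Outlook, hosting);
    # it only matters together with a failed check.
    return {"from_domain": from_domain, "results": results, "sending_host": host,
            "host_mismatch": mismatch, "failed": failed, "suspicious": bool(failed)}

if __name__ == "__main__":
    print(check_headers(SAMPLE))
```

A message that passes SPF but still shows `host_mismatch` is the ordinary case of a domain sending through an external mail service, which is why only the failed checks set `suspicious`.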

Checking links within emails

[Screenshot]

In this picture, we placed the mouse on "Restore service now", and it showed us that the link is a totally different one and is not from SBB. Do not click the link to check it, because it could be a virus, or it could verify that your email address is active, and you will then receive even more spam. Just place your mouse over a link and you will see in the lower right corner where the link leads, without clicking on it. Alternatively, right-click and copy the link address, and you will also see where it leads without opening it.
