How Scammers Fake Emails: Understanding Email Spoofing & Sextortion Scams
When I recently received an email that appeared to come from my own email address, I was intrigued rather than alarmed. The email claimed that my devices had been hacked, that a hacker had full access to my data, and that they would expose me unless I paid a ransom. Of course, this was a scam, but it led me to investigate how these fraudsters manage to make an email look like it came from my own account. The answer? Email spoofing.
In this post, I’ll break down how scammers fake emails, explain the security mechanisms designed to prevent it, and show you how to analyse an email’s headers to spot a spoofed email.
What is Email Spoofing?
Email spoofing is a technique where attackers forge the “From” field of an email to make it appear as if it was sent from someone else, sometimes even from your own email address. This technique is commonly used in phishing attacks, spam campaigns, and sextortion scams like the one I received.
At a high level, email spoofing exploits the Simple Mail Transfer Protocol (SMTP), which lacks built-in authentication for verifying senders. Without proper security measures, a malicious sender can specify any email address they want in the “From” field.
How Spoofed Emails Are Sent
To understand how spoofed emails work, we need to look at how email transmission happens:
- SMTP Communication: When an email is sent, it passes through multiple mail servers before reaching the recipient, and each server prepends a “Received” header recording that hop.
- Forging the ‘From’ Field: A spammer uses an external mail server to send an email with a forged sender address.
- Bypassing Authentication: If the recipient’s email service does not strictly enforce SPF, DKIM, or DMARC policies, the email is delivered even though it is forged.
Example of a Spoofed Email Header:
Received: from theluckydogsaloonx.com (23.230.215.106)
by outlook.office365.com with Microsoft SMTP Server;
From: "your-email@example.com" <your-email@example.com>
Return-Path: your-email@example.com
SPF: SoftFail
DMARC: Fail
Here’s what’s happening:
- The actual sending server is theluckydogsaloonx.com (23.230.215.106), not Hotmail.
- The “Return-Path” and “From” headers are forged to appear as my own email.
- SPF (Sender Policy Framework) shows a soft fail, meaning the sending IP is not listed as an authorised sender in the domain’s SPF record (the record’s ~all qualifier asks receivers to mark rather than reject such mail), so this sender is not authorized by Hotmail.
- DMARC fails, because neither SPF nor DKIM produced a pass aligned with the “From” domain, indicating a spoof attempt.
Investigating the Sender’s IP Address
Upon further investigation, I found that the IP address 23.230.215.106 is associated with Stark Industries Solutions Ltd, a VPN provider based in Ashburn, Virginia, USA. According to reports, this provider has been linked to cybercriminal activities, including:
- Hosting infrastructure used for ransomware operations and phishing campaigns.
- Allegedly supporting Russian-affiliated cybercriminal groups, such as FIN7.
- Providing servers used for email spoofing, cyberattacks, and malware distribution.
This suggests that the scam email originated from a VPN or a cybercriminal server, allowing the attacker to remain anonymous. It highlights how bad actors use shady VPNs and hosting providers to send spoofed emails without detection.
Additionally, when I attempted to verify the domain and IP using NSLOOKUP, I found that:
- The domain theluckydogsaloonx.com no longer exists, meaning it was likely a temporary burner domain used by the attacker and later deleted.
- The IP address 23.230.215.106 has no associated reverse DNS (PTR) record, which is unusual for legitimate email servers like Microsoft’s.
This further confirms that the sender was using a disposable infrastructure to evade detection, a common tactic among cybercriminals.
For more details on Stark Industries Solutions Ltd and their role in cybercrime, check out this investigation by Krebs on Security:
Stark Industries Solutions: An Iron Hammer in the Cloud
How to Detect Email Spoofing
If you receive an email claiming to be from yourself, here’s how to check if it’s a spoof:
- Check Email Headers: In Gmail, Outlook, or any mail client, look at the “Received” headers.
- Analyse SPF, DKIM, and DMARC:
  - SPF (Sender Policy Framework): Checks whether the email was sent from an IP address the domain’s SPF record authorises.
  - DKIM (DomainKeys Identified Mail): Checks that the email carries a valid cryptographic signature from the sending domain, so the message has not been altered in transit.
  - DMARC (Domain-based Message Authentication, Reporting & Conformance): Tells receivers what to do (none, quarantine, or reject) when neither SPF nor DKIM passes for the “From” domain, and where to send reports.
- Look for Suspicious Return-Path Domains: If the return path differs from the sender’s email domain, it’s likely spoofed (legitimate bulk senders and mailing lists also do this, so treat it as a warning sign rather than proof).
- Pay Attention to Urgency & Threats: Scammers use fear tactics (“You have 48 hours to pay”).
- Check for Cryptocurrency Demands: No legitimate company will ask for payment in Bitcoin or Litecoin (at least for the time being).
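To show the checks above applied to the header quoted earlier, here is an added example (not code from the original post) that parses a raw message, finds the originating hop, compares the From and Return-Path domains, reads the SPF/DKIM/DMARC verdicts and flags the urgency and cryptocurrency cues. The sample email is constructed; its Authentication-Results line is an assumption about what the receiving server would record.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the post; the
# Authentication-Results line is an assumption about how the receiving
# server records SPF/DKIM/DMARC, not a header copied from the real email.
RAW_EMAIL = """\
Received: from theluckydogsaloonx.com (23.230.215.106)
 by outlook.office365.com with Microsoft SMTP Server
Authentication-Results: spf=softfail (sender IP is 23.230.215.106)
 smtp.mailfrom=example.com; dkim=none; dmarc=fail action=none
 header.from=example.com
Return-Path: <your-email@example.com>
From: "your-email@example.com" <your-email@example.com>
Subject: Your devices have been hacked

You have 48 hours to pay 0.5 Bitcoin or your data will be exposed.
"""

RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)")
THREAT_RE = re.compile(r"\b(\d+\s*hours?|bitcoin|btc|litecoin|ltc)\b", re.I)

def domain_of(header_value: str) -> str:
    # Lower-cased domain part of an address header such as From or Return-Path.
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def analyse_headers(raw: str) -> dict:
    msg = message_from_string(raw)
    # Each hop prepends a Received header, so the last one is the real origin.
    received = msg.get_all("Received") or []
    hop = RECEIVED_RE.search(received[-1]) if received else None
    host = hop.group(1).lower() if hop else ""
    auth = " ".join(msg.get_all("Authentication-Results") or []).lower()
    verdicts = {m: (re.search(rf"\b{m}=(\w+)", auth) or [None, "missing"])[1]
                for m in ("spf", "dkim", "dmarc")}
    from_dom, rp_dom = domain_of(msg.get("From", "")), domain_of(msg.get("Return-Path", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    reasons = []
    if host and from_dom and host != from_dom and not host.endswith("." + from_dom):
        reasons.append(f"origin {host} ({hop.group(2)}) is not a {from_dom} server")
    if verdicts["spf"] in ("fail", "softfail"):
        reasons.append(f"SPF {verdicts['spf']}: sending IP not authorised for {from_dom}")
    if verdicts["dmarc"] == "fail":
        reasons.append("DMARC fail: no aligned SPF or DKIM pass for the From domain")
    if rp_dom and rp_dom != from_dom:
        reasons.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    cues = sorted({c.lower() for c in THREAT_RE.findall(body)})
    return {"origin": hop.groups() if hop else None, "from_domain": from_dom,
            "return_path_domain": rp_dom, "auth": verdicts, "threat_cues": cues,
            "spoof_reasons": reasons, "likely_spoofed": bool(reasons)}
```

Feed `analyse_headers` the raw source of a message (“Show original” in Gmail, “View message source” in Outlook) and `spoof_reasons` lists exactly the points the post walks through by hand.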
How to Protect Yourself from Email Spoofing
While you can’t prevent someone from spoofing your email address, you can protect your accounts and ensure these emails are flagged as spam.
- Enable 2FA on Your Email Accounts: Even though spoofing doesn’t require access to your email, securing your account prevents actual hacks.
- Check Your Email Provider’s SPF, DKIM, and DMARC Policies: If you own a domain, enforce strict email authentication rules.
- Use Email Filtering & Spam Reporting: Mark spoofed emails as spam to improve detection for others.
- Never Respond or Pay Scammers: These scams are automated and mass-sent. If you ignore them, they move on.
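For the “if you own a domain” step, an added example (not from the post) of the DNS records involved, with the lax settings beside the strict ones. It assumes a domain example.com that sends through Microsoft 365, so the include: target is Microsoft’s published SPF host; the report address is a placeholder.

```zone
; Lax: ~all marks an unlisted sending IP as a soft fail and p=none tells
; receivers to take no action, so a spoofed message is delivered and merely
; tagged, exactly what the header in the post shows.
example.com.        IN TXT "v=spf1 include:spf.protection.outlook.com ~all"
_dmarc.example.com. IN TXT "v=DMARC1; p=none"

; Strict: -all makes an unlisted IP a hard fail, p=reject tells receivers to
; refuse mail whose From domain fails DMARC, adkim/aspf=s require exact domain
; alignment, and rua= requests aggregate reports so you can see who is
; spoofing your domain.
example.com.        IN TXT "v=spf1 include:spf.protection.outlook.com -all"
_dmarc.example.com. IN TXT "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com"
```

Roll out p=reject only after the aggregate reports confirm that every legitimate sender for the domain passes SPF or DKIM, otherwise your own mail will be refused.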
Final Thoughts
Scam emails that appear to come from your own address can be alarming, but they are not evidence of hacking, just a sign that a spammer is spoofing your address. By understanding email headers and security mechanisms, you can recognize these scams and avoid falling for them.
Investigating the source of spoofed emails can reveal shady VPNs, cybercrime networks, and compromised infrastructure that attackers rely on.
Additionally, the discovery that the attacker’s domain was deleted shortly after use and the lack of a reverse DNS record for the sender’s IP reinforce how cybercriminals frequently change infrastructure to avoid detection.
If you’ve received a spoofed email, take a few minutes to analyse the headers and see how it was faked; it’s a fascinating look into how scammers operate.