We have recently become the unwitting victim/innocent party in an email spoofing scam therefore the email@example.com email address is no longer in use.
There are actually three addresses in an email – obtainable by opening the full header and envelope.
The genuine sender
The envelop and header contains a full list of each server to server message route, down at the bottom will be the actual originating address – this is easily machine readable but looks like complete nonsense to the average user – this is actually the address of the person (in this case the scammer) who sent the email – I have no idea who this is as I have never seen any of the scam emails!
This is the address used by anti-spam software, out of office, the “reply” button in email clients etc. It’s usually set to the same email as above by the email software (outlook etc), however can be set to anything, in this case the spammer has used my email address as the innocent party who receives all the responses – I am currently getting over 500 “replies” to emails I haven’t sent per day!
This may be set by the user and is usually a friendly-form of the user’s email – for example <Joe Smith (sales)> rather than joseph.c.Smith45@……. In this case the scammer has set this different to the “Reply-To” with something containing the names Merlin and/or Catherine based upon the responses I have seen.
The scammer has to use a genuine email address in the “Reply-To” field, hence they find some genuine email address from anywhere – it doesn’t matter to them that the email address they pick is flooded with responses, or that the business’ reputation suffers – it’s just a random email address!
All the scammer needs, is that the user opens the email – or even tries to open any attachments – as based on the automatic responses received from many anti-virus software systems the original message contains a virus ‘HEUR:Exploit.MSOffice.Generic’ – although the spammer may be using other vira so it could be others.