Phishing?

<E9AdOeohckukFwZp@marfordfarm.demon.co.uk>

 by: Tim Lamb - Fri, 21 Jul 2023 08:51 UTC

Curious about an e-mail from NS&I questioning my contact details. Looks
authentic but when I logged in normally all my details are correct.
The only recent event is a temporary number on my mobile while O2/ Vfone
organised the transfer.

The other unrelated event is a call back from emergency services (pocket
dialling) where they wished me to confirm my address details! Clearly
they would have my mobile phone number but how is that linked to my
residential address?
--
Tim Lamb

Re: Phishing?

<u9dkc8$36kct$2@dont-email.me>

 by: Ottavio Caruso - Fri, 21 Jul 2023 09:50 UTC

On 21/07/2023 at 08:51, Tim Lamb wrote:
> Curious about an e-mail from NS&I questioning my contact details. Looks
> authentic but when I logged in normally all my details are correct.
> The only recent event is a temporary number on my mobile while O2/ Vfone
> organised the transfer.
>
> The other unrelated event is a call back from emergency services (pocket
> dialling) where they wished me to confirm my address details! Clearly
> they would have my mobile phone number but how is that linked to my
> residential address?

Check the sending SMTP server IP address in the headers (the one with
"received : from ").

--
Ottavio Caruso

Re: Phishing?

<R8eIuprZ0lukFwLP@marfordfarm.demon.co.uk>

 by: Tim Lamb - Fri, 21 Jul 2023 10:25 UTC

In message <u9dkc8$36kct$2@dont-email.me>, Ottavio Caruso
<ottavio2006-usenet2012@yahoo.com> writes
>On 21/07/2023 at 08:51, Tim Lamb wrote:
>> Curious about an e-mail from NS&I questioning my contact details.
>>Looks authentic but when I logged in normally all my details are
>>correct.
>> The only recent event is a temporary number on my mobile while O2/
>>Vfone organised the transfer.
>> The other unrelated event is a call back from emergency services
>>(pocket dialling) where they wished me to confirm my address details!
>>Clearly they would have my mobile phone number but how is that linked
>>to my residential address?
>
>Check the sending SMTP server IP address in the headers (the one with
>"received : from ").

Hmm. outgoing@emailnsandi.com looks correct.
>

--
Tim Lamb

Re: Phishing?

<87o7k5tulg.fsf@wylie.me.uk>

 by: Alan J. Wylie - Fri, 21 Jul 2023 10:41 UTC

Tim Lamb <tim@marfordfarm.demon.co.uk> writes:

> Hmm. outgoing@emailnsandi.com looks correct.

Hardly. That domain doesn't even exist.

$ whois emailnsandi.com
No match for domain "EMAILNSANDI.COM".

$ dig -t ns emailnsandi.com

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 28478

(NXDOMAIN is Non eXistent DOMAIN)

--
Alan J. Wylie https://www.wylie.me.uk/

Dance like no-one's watching. / Encrypt like everyone is.
Security is inversely proportional to convenience

Re: Phishing?

<NtGcnXAJe_0S_Cf5nZ2dnZeNn_hi4p2d@giganews.com>

 by: Colin Bignell - Fri, 21 Jul 2023 10:49 UTC

On 21/07/2023 11:41, Alan J. Wylie wrote:
> Tim Lamb <tim@marfordfarm.demon.co.uk> writes:
>
>> Hmm. outgoing@emailnsandi.com looks correct.
>
> Hardly. That domain doesn't even exist.
>
> $ whois emailnsandi.com
> No match for domain "EMAILNSANDI.COM".
>
> $ dig -t ns emailnsandi.com
>
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 28478
>
> (NXDOMAIN is Non eXistent DOMAIN)
>

All communications I have had from NS&I customer services come from
outgoing@nsandi.com without the word email in it.

--
Colin Bignell

Re: Phishing?

<u9dpb9$37gjf$1@dont-email.me>

 by: Ottavio Caruso - Fri, 21 Jul 2023 11:14 UTC

On 21/07/2023 at 10:25, Tim Lamb wrote:
> In message <u9dkc8$36kct$2@dont-email.me>, Ottavio Caruso
> <ottavio2006-usenet2012@yahoo.com> writes
>> On 21/07/2023 at 08:51, Tim Lamb wrote:
>>> Curious about an e-mail from NS&I questioning my contact details.
>>> Looks  authentic but when I logged in normally all my details are
>>> correct.
>>> The only recent event is a temporary number on my mobile while O2/
>>> Vfone  organised the transfer.
>>>  The other unrelated event is a call back from emergency services
>>> (pocket  dialling) where they wished me to confirm my address
>>> details! Clearly  they would have my mobile phone number but how is
>>> that linked to my  residential address?
>>
>> Check the sending SMTP server IP address in the headers (the one with
>> "received : from ").
>
> Hmm. outgoing@emailnsandi.com looks correct.
>>
>

That's an email address, not an IP address.

Post the full headers here (not the message)

Or even better paste it to pastebin or similar.

--
Ottavio Caruso

Re: Phishing?

<u9dvlh$38l84$1@dont-email.me>

 by: mm0fmf - Fri, 21 Jul 2023 13:02 UTC

On 21/07/2023 09:51, Tim Lamb wrote:
> Curious about an e-mail from NS&I questioning my contact details.

If you have to ask then it will be dodgy.

Re: Phishing?

<OwvP9ttdKoukFwZD@marfordfarm.demon.co.uk>

 by: Tim Lamb - Fri, 21 Jul 2023 13:05 UTC

In message <u9dpb9$37gjf$1@dont-email.me>, Ottavio Caruso
<ottavio2006-usenet2012@yahoo.com> writes
>On 21/07/2023 at 10:25, Tim Lamb wrote:
>> In message <u9dkc8$36kct$2@dont-email.me>, Ottavio Caruso
>><ottavio2006-usenet2012@yahoo.com> writes
>>> On 21/07/2023 at 08:51, Tim Lamb wrote:
>>>> Curious about an e-mail from NS&I questioning my contact details.
>>>>Looks  authentic but when I logged in normally all my details are
>>>>correct.
>>>> The only recent event is a temporary number on my mobile while O2/
>>>>Vfone  organised the transfer.
>>>>  The other unrelated event is a call back from emergency services
>>>>(pocket  dialling) where they wished me to confirm my address
>>>>details! Clearly  they would have my mobile phone number but how is
>>>>that linked to my  residential address?
>>>
>>> Check the sending SMTP server IP address in the headers (the one
>>>with "received : from ").
>> Hmm. outgoing@emailnsandi.com looks correct.
>>>
>>
>
>That's an email address, not an IP address.
>
>Post the full headers here (not the message)
>
>Or even better paste it to pastebin or similar.

Er. You are dealing with the agricultural dept. here.

T'bird *all headers selected* offers this:-

<0.0.22.2F1.1D9BBA9665E2760.0@mta6589.mxmfb.com>

and MXM-v5-MailEngine

None of which means anything to me:-)
>
>

--
Tim Lamb

Re: Phishing?

<zgzA5GusNoukFw$L@marfordfarm.demon.co.uk>

 by: Tim Lamb - Fri, 21 Jul 2023 13:09 UTC

In message <u9dvlh$38l84$1@dont-email.me>, mm0fmf <none@invalid.com>
writes
>On 21/07/2023 09:51, Tim Lamb wrote:
>> Curious about an e-mail from NS&I questioning my contact details.
>
>If you have to ask then it will be dodgy.
Hence my interest but I do try to be careful who has my mail address.

--
Tim Lamb

Re: Phishing?

<khveraFp20nU1@mid.individual.net>

 by: Tim Streater - Fri, 21 Jul 2023 13:17 UTC

On 21 Jul 2023 at 14:05:33 BST, "Tim Lamb" <tim@marfordfarm.demon.co.uk>
wrote:

> In message <u9dpb9$37gjf$1@dont-email.me>, Ottavio Caruso
> <ottavio2006-usenet2012@yahoo.com> writes
>> On 21/07/2023 at 10:25, Tim Lamb wrote:
>>> In message <u9dkc8$36kct$2@dont-email.me>, Ottavio Caruso
>>> <ottavio2006-usenet2012@yahoo.com> writes
>>>> On 21/07/2023 at 08:51, Tim Lamb wrote:
>>>>> Curious about an e-mail from NS&I questioning my contact details.
>>>>> Looks authentic but when I logged in normally all my details are
>>>>> correct.
>>>>> The only recent event is a temporary number on my mobile while O2/
>>>>> Vfone organised the transfer.
>>>>> The other unrelated event is a call back from emergency services
>>>>> (pocket dialling) where they wished me to confirm my address
>>>>> details! Clearly they would have my mobile phone number but how is
>>>>> that linked to my residential address?
>>>>
>>>> Check the sending SMTP server IP address in the headers (the one
>>>> with "received : from ").
>>> Hmm. outgoing@emailnsandi.com looks correct.
>>>>
>>>
>>
>> That's an email address, not an IP address.
>>
>> Post the full headers here (not the message)
>>
>> Or even better paste it to pastebin or similar.
>
> Er. You are dealing with the agricultural dept. here.
>
> T'bird *all headers selected* offers this:-
>
> <0.0.22.2F1.1D9BBA9665E2760.0@mta6589.mxmfb.com>
>
> and MXM-v5-MailEngine
>
> None of which means anything to me:-)

We're not talking about the T'Bird headers, but those of the email you got
from NS&I. Should be 20-30 lines of text.

--
"If you're not able to ask questions and deal with the answers without feeling that someone has called your intelligence or competence into question, don't ask questions on Usenet where the answers won't be carefully tailored to avoid tripping your hair-trigger insecurities."

D M Procida, UCSM

Re: Phishing?

<u9e0kn$38nfn$1@dont-email.me>

 by: Ottavio Caruso - Fri, 21 Jul 2023 13:19 UTC

On 21/07/2023 at 13:05, Tim Lamb wrote:
> In message <u9dpb9$37gjf$1@dont-email.me>, Ottavio Caruso
> <ottavio2006-usenet2012@yahoo.com> writes
>> On 21/07/2023 at 10:25, Tim Lamb wrote:
>>> In message <u9dkc8$36kct$2@dont-email.me>, Ottavio Caruso
>>> <ottavio2006-usenet2012@yahoo.com> writes
>>>> On 21/07/2023 at 08:51, Tim Lamb wrote:
>>>>> Curious about an e-mail from NS&I questioning my contact details.
>>>>> Looks  authentic but when I logged in normally all my details are
>>>>> correct.
>>>>> The only recent event is a temporary number on my mobile while O2/
>>>>> Vfone  organised the transfer.
>>>>>  The other unrelated event is a call back from emergency services
>>>>> (pocket  dialling) where they wished me to confirm my address
>>>>> details! Clearly  they would have my mobile phone number but how is
>>>>> that linked to my  residential address?
>>>>
>>>> Check the sending SMTP server IP address in the headers (the one
>>>> with  "received : from ").
>>>  Hmm. outgoing@emailnsandi.com looks correct.
>>>>
>>>
>>
>> That's an email address, not an IP address.
>>
>> Post the full headers here (not the message)
>>
>> Or even better paste it to pastebin or similar.
>
> Er. You are dealing with the agricultural dept. here.
>
> T'bird *all headers selected* offers this:-
>
> <0.0.22.2F1.1D9BBA9665E2760.0@mta6589.mxmfb.com>
>
> and MXM-v5-MailEngine
>
> None of which means anything to me:-)

That can't be right. Headers are usually tens and tens of lines long.

--
Ottavio Caruso

Re: Phishing?

<u9e0p4$38qdv$1@dont-email.me>

 by: mm0fmf - Fri, 21 Jul 2023 13:21 UTC

On 21/07/2023 14:09, Tim Lamb wrote:
> but I do try to be careful who has my mail address.

A waste of your time TBH. You can be very careful about who you mail and
who therefore has your address. But you cannot make those recipients be
careful. So when they get compromised in some way then your mail
address, which is in their address books etc. still gets out to bad actors.

Re: Phishing?

<sAAHB6uidoukFw$t@marfordfarm.demon.co.uk>

 by: Tim Lamb - Fri, 21 Jul 2023 13:25 UTC

In message <khveraFp20nU1@mid.individual.net>, Tim Streater
<tim@streater.me.uk> writes
>On 21 Jul 2023 at 14:05:33 BST, "Tim Lamb" <tim@marfordfarm.demon.co.uk>
>wrote:
>
>> In message <u9dpb9$37gjf$1@dont-email.me>, Ottavio Caruso
>> <ottavio2006-usenet2012@yahoo.com> writes
>>> On 21/07/2023 at 10:25, Tim Lamb wrote:
>>>> In message <u9dkc8$36kct$2@dont-email.me>, Ottavio Caruso
>>>> <ottavio2006-usenet2012@yahoo.com> writes
>>>>> On 21/07/2023 at 08:51, Tim Lamb wrote:
>>>>>> Curious about an e-mail from NS&I questioning my contact details.
>>>>>> Looks authentic but when I logged in normally all my details are
>>>>>> correct.
>>>>>> The only recent event is a temporary number on my mobile while O2/
>>>>>> Vfone organised the transfer.
>>>>>> The other unrelated event is a call back from emergency services
>>>>>> (pocket dialling) where they wished me to confirm my address
>>>>>> details! Clearly they would have my mobile phone number but how is
>>>>>> that linked to my residential address?
>>>>>
>>>>> Check the sending SMTP server IP address in the headers (the one
>>>>> with "received : from ").
>>>> Hmm. outgoing@emailnsandi.com looks correct.
>>>>>
>>>>
>>>
>>> That's an email address, not an IP address.
>>>
>>> Post the full headers here (not the message)
>>>
>>> Or even better paste it to pastebin or similar.
>>
>> Er. You are dealing with the agricultural dept. here.
>>
>> T'bird *all headers selected* offers this:-
>>
>> <0.0.22.2F1.1D9BBA9665E2760.0@mta6589.mxmfb.com>
>>
>> and MXM-v5-MailEngine
>>
>> None of which means anything to me:-)
>
>We're not talking about the T'Bird headers, but those of the email you got
>from NS&I. Should be 20-30 lines of text.

I'm beginning to regret asking:-)

My mail is collected by Namesco. I read it using Thunderbird.
>

--
Tim Lamb

Re: Phishing?

<WgpJZ8vE2oukFwbE@marfordfarm.demon.co.uk>

 by: Tim Lamb - Fri, 21 Jul 2023 13:52 UTC

In message <u9e0kn$38nfn$1@dont-email.me>, Ottavio Caruso
<ottavio2006-usenet2012@yahoo.com> writes
>On 21/07/2023 at 13:05, Tim Lamb wrote:
>> In message <u9dpb9$37gjf$1@dont-email.me>, Ottavio Caruso
>><ottavio2006-usenet2012@yahoo.com> writes
>>> On 21/07/2023 at 10:25, Tim Lamb wrote:
>>>> In message <u9dkc8$36kct$2@dont-email.me>, Ottavio Caruso
>>>><ottavio2006-usenet2012@yahoo.com> writes
>>>>> On 21/07/2023 at 08:51, Tim Lamb wrote:
>>>>>> Curious about an e-mail from NS&I questioning my contact details.
>>>>>>Looks  authentic but when I logged in normally all my details are
>>>>>>
>>>>>> The only recent event is a temporary number on my mobile while
>>>>>>O2/ Vfone  organised the transfer.
>>>>>>  The other unrelated event is a call back from emergency services
>>>>>>(pocket  dialling) where they wished me to confirm my address
>>>>>>details! Clearly  they would have my mobile phone number but how
>>>>>>is that linked to my  residential address?
>>>>>
>>>>> Check the sending SMTP server IP address in the headers (the one
>>>>>with  "received : from ").
>>>>  Hmm. outgoing@emailnsandi.com looks correct.
>>>>>
>>>>
>>>
>>> That's an email address, not an IP address.
>>>
>>> Post the full headers here (not the message)
>>>
>>> Or even better paste it to pastebin or similar.
>> Er. You are dealing with the agricultural dept. here.
>> T'bird *all headers selected* offers this:-
>> <0.0.22.2F1.1D9BBA9665E2760.0@mta6589.mxmfb.com>
>> and MXM-v5-MailEngine
>> None of which means anything to me:-)
>
>That can't be right. Headers are usually tens and tens of lines long.

I can look at the source on the Namesco site and get pages of
gobbledegook.

Is that what is requested?
>

--
Tim Lamb

Re: Phishing?

<JrpU0YJ31oukFw4S@ffoil.org.uk>

 by: Adrian - Fri, 21 Jul 2023 13:51 UTC

In message <sAAHB6uidoukFw$t@marfordfarm.demon.co.uk>, Tim Lamb
<tim@marfordfarm.demon.co.uk> writes
>I'm beginning to regret asking:-)
>
>My mail is collected by Namesco. I read it using Thunderbird.
>>
>

Where you collect from doesn't matter. In Thunderbird, do you have a
"More" button amongst the options with your email (e.g. Reply, Forward
etc) ? If so, select "View Source" which will show you all the headers.

Adrian
--
To Reply :
replace "diy" with "news" and reverse the domain

If you are reading this from a web interface eg DIY Banter,
DIY Forum or Google Groups, please be aware this is NOT a forum, and
you are merely using a web portal to a USENET group. Many people block
posters coming from web portals due to perceived SPAM or inaneness.
For a better method of access, please see:

http://wiki.diyfaq.org.uk/index.php?title=Usenet

Re: Phishing?

<u9e2ru$393dj$1@dont-email.me>

https://www.novabbs.com/aus+uk/article-flat.php?id=98928&group=uk.d-i-y#98928
Path: i2pn2.org!i2pn.org!eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: see.my.s...@nowhere.null (John Rumm)
Newsgroups: uk.d-i-y
Subject: Re: Phishing?
Date: Fri, 21 Jul 2023 14:57:18 +0100
Organization: Internode Ltd
Lines: 51
Message-ID: <u9e2ru$393dj$1@dont-email.me>
References: <E9AdOeohckukFwZp@marfordfarm.demon.co.uk>
<u9dkc8$36kct$2@dont-email.me> <R8eIuprZ0lukFwLP@marfordfarm.demon.co.uk>
<87o7k5tulg.fsf@wylie.me.uk> <NtGcnXAJe_0S_Cf5nZ2dnZeNn_hi4p2d@giganews.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Fri, 21 Jul 2023 13:57:18 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="05a47f4814442469cd3e18135e71ec5b";
logging-data="3444147"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18NmUQTooBRCmLfdvngnYOOEDDDvED0L/Y="
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101
Thunderbird/102.13.0
Cancel-Lock: sha1:5ObOcbxQdcpNar65gz+emAUzvQk=
In-Reply-To: <NtGcnXAJe_0S_Cf5nZ2dnZeNn_hi4p2d@giganews.com>
Content-Language: en-GB
 by: John Rumm - Fri, 21 Jul 2023 13:57 UTC

On 21/07/2023 11:49, Colin Bignell wrote:
> On 21/07/2023 11:41, Alan J. Wylie wrote:
>> Tim Lamb <tim@marfordfarm.demon.co.uk> writes:
>>
>>> Hmm. outgoing@emailnsandi.com looks correct.
>>
>> Hardly. That domain doesn't even exist.
>>
>> $ whois emailnsandi.com
>> No match for domain "EMAILNSANDI.COM".
>>
>> $ dig -t ns  emailnsandi.com
>>
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 28478
>>
>> (NXDOMAIN is Non eXistent DOMAIN)
>>
>
> All communications I have had from NS&I customer services come from
> outgoing@nsandi.com without the word email in it.

If you do a lookup with the email bit as a sub domain:

C:\Users\John>nslookup email.nsandi.com
Server: dns.google
Address: 8.8.8.8

Non-authoritative answer:
Name: maxemail.emailcenteruk.com
Address: 109.68.64.40
Aliases: email.nsandi.com

Then it does resolve....

It is quite common for companies to create a sub domain for bulk email -
saves their main domain getting blacklisted when some muppet clicks
"spam" because they can't be bothered to unsubscribe.

--
Cheers,

John.

/=================================================================\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\=================================================================/

Re: Phishing?

<u9e3a6$3941u$2@dont-email.me>

https://www.novabbs.com/aus+uk/article-flat.php?id=98931&group=uk.d-i-y#98931
Path: i2pn2.org!i2pn.org!eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: ste...@walker-family.me.uk (SteveW)
Newsgroups: uk.d-i-y
Subject: Re: Phishing?
Date: Fri, 21 Jul 2023 15:04:53 +0100
Organization: A noiseless patient Spider
Lines: 50
Message-ID: <u9e3a6$3941u$2@dont-email.me>
References: <E9AdOeohckukFwZp@marfordfarm.demon.co.uk>
<u9dkc8$36kct$2@dont-email.me> <R8eIuprZ0lukFwLP@marfordfarm.demon.co.uk>
<u9dpb9$37gjf$1@dont-email.me> <OwvP9ttdKoukFwZD@marfordfarm.demon.co.uk>
<u9e0kn$38nfn$1@dont-email.me> <WgpJZ8vE2oukFwbE@marfordfarm.demon.co.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Fri, 21 Jul 2023 14:04:54 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="c594a048685ad221ce72cca664a7c39f";
logging-data="3444798"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1+c8zrhW5vzpbWRF7f2KLRA66G34S3GFKw="
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101
Thunderbird/102.13.0
Cancel-Lock: sha1:cFuM2yQXN77ZF3BhjXcmEaqzOpU=
In-Reply-To: <WgpJZ8vE2oukFwbE@marfordfarm.demon.co.uk>
Content-Language: en-GB
 by: SteveW - Fri, 21 Jul 2023 14:04 UTC

On 21/07/2023 14:52, Tim Lamb wrote:
> In message <u9e0kn$38nfn$1@dont-email.me>, Ottavio Caruso
> <ottavio2006-usenet2012@yahoo.com> writes
>> Am 21/07/2023 um 13:05 schrieb Tim Lamb:
>>> In message <u9dpb9$37gjf$1@dont-email.me>, Ottavio Caruso
>>> <ottavio2006-usenet2012@yahoo.com> writes
>>>> Am 21/07/2023 um 10:25 schrieb Tim Lamb:
>>>>> In message <u9dkc8$36kct$2@dont-email.me>, Ottavio Caruso
>>>>> <ottavio2006-usenet2012@yahoo.com> writes
>>>>>> Am 21/07/2023 um 08:51 schrieb Tim Lamb:
>>>>>>> Curious about an e-mail from NS&I questioning my contact details.
>>>>>>> Looks  authentic but when I logged in normally all my details are
>>>>>>> The only recent event is a temporary number on my mobile while
>>>>>>> O2/  Vfone  organised the transfer.
>>>>>>>  The other unrelated event is a call back from emergency services
>>>>>>> (pocket  dialling) where they wished me to confirm my address
>>>>>>> details! Clearly  they would have my mobile phone number but how
>>>>>>> is  that linked to my  residential address?
>>>>>>
>>>>>> Check the sending SMTP server IP address in the headers (the one
>>>>>> with  "received : from ").
>>>>>  Hmm. outgoing@emailnsandi.com looks correct.
>>>>>>
>>>>>
>>>>
>>>> That's an email address, not an IP address.
>>>>
>>>> Post the full headers here (not the message)
>>>>
>>>> Or even better paste it to pastebin or similar.
>>>  Er. You are dealing with the agricultural dept. here.
>>>  T'bird *all headers selected* offers this:-
>>>  <0.0.22.2F1.1D9BBA9665E2760.0@mta6589.mxmfb.com>
>>>  and MXM-v5-MailEngine
>>>  None of which means anything to me:-)
>>
>> That can't be right. Headers are usually tens and tens of lines long.
>
> I can look at the source on the Namesco site and get pages of gobbledegook.
>
> Is that what is requested?

It may be.

In Thunderbird, with the message selected, open the View tab and click
Message Source (or just press Ctrl-u) and you'll see the raw message
with all its headers.

Re: Phishing?

<u9e3fv$3985n$1@dont-email.me>

https://www.novabbs.com/aus+uk/article-flat.php?id=98932&group=uk.d-i-y#98932
Path: i2pn2.org!i2pn.org!eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: ottavio2...@yahoo.com (Ottavio Caruso)
Newsgroups: uk.d-i-y
Subject: Re: Phishing?
Date: Fri, 21 Jul 2023 14:07:59 +0000
Organization: A noiseless patient Spider
Lines: 51
Message-ID: <u9e3fv$3985n$1@dont-email.me>
References: <E9AdOeohckukFwZp@marfordfarm.demon.co.uk>
<u9dkc8$36kct$2@dont-email.me> <R8eIuprZ0lukFwLP@marfordfarm.demon.co.uk>
<87o7k5tulg.fsf@wylie.me.uk> <NtGcnXAJe_0S_Cf5nZ2dnZeNn_hi4p2d@giganews.com>
<u9e2ru$393dj$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Fri, 21 Jul 2023 14:07:59 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="c9f3b65b4d4052157575c038b434caa8";
logging-data="3449015"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18FlLtUxZI+Giz3Yp1O8U/YTPSLeDQ3Tz8="
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101
Firefox/102.0
Cancel-Lock: sha1:9lx3EAlbHuA+aJRxKoPXeTQVJZ4=
X-No-Archive: Yes
In-Reply-To: <u9e2ru$393dj$1@dont-email.me>
Content-Language: en-GB
 by: Ottavio Caruso - Fri, 21 Jul 2023 14:07 UTC

Am 21/07/2023 um 13:57 schrieb John Rumm:
> On 21/07/2023 11:49, Colin Bignell wrote:
>> On 21/07/2023 11:41, Alan J. Wylie wrote:
>>> Tim Lamb <tim@marfordfarm.demon.co.uk> writes:
>>>
>>>> Hmm. outgoing@emailnsandi.com looks correct.
>>>
>>> Hardly. That domain doesn't even exist.
>>>
>>> $ whois emailnsandi.com
>>> No match for domain "EMAILNSANDI.COM".
>>>
>>> $ dig -t ns  emailnsandi.com
>>>
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 28478
>>>
>>> (NXDOMAIN is Non eXistent DOMAIN)
>>>
>>
>> All communications I have had from NS&I customer services come from
>> outgoing@nsandi.com without the word email in it.
>
> If you do a lookup with the email bit as a sub domain:
>
> C:\Users\John>nslookup email.nsandi.com
> Server:  dns.google
> Address:  8.8.8.8
>
> Non-authoritative answer:
> Name:    maxemail.emailcenteruk.com
> Address:  109.68.64.40
> Aliases:  email.nsandi.com
>
>
> Then it does resolve....
>
> It is quite common for companies to create a sub domain for bulk email -
> saves their main domain getting blacklisted when some muppet clicks
> "spam" because they can't be bothered to unsubscribe.
>

You're looking in the wrong place. The OP should understand how to look
for the headers in his mail client.

The SMTP fingerprint is in the "Received from:" header, which the OP is
confusing with the "From:" header.

--
Ottavio Caruso

Re: Phishing?

<cGPrwpweJpukFwpD@marfordfarm.demon.co.uk>

https://www.novabbs.com/aus+uk/article-flat.php?id=98936&group=uk.d-i-y#98936
Path: i2pn2.org!i2pn.org!usenet.goja.nl.eu.org!3.eu.feeder.erje.net!feeder.erje.net!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: tim...@marfordfarm.demon.co.uk (Tim Lamb)
Newsgroups: uk.d-i-y
Subject: Re: Phishing?
Date: Fri, 21 Jul 2023 15:12:46 +0100
Lines: 49
Message-ID: <cGPrwpweJpukFwpD@marfordfarm.demon.co.uk>
References: <E9AdOeohckukFwZp@marfordfarm.demon.co.uk>
<u9dkc8$36kct$2@dont-email.me> <R8eIuprZ0lukFwLP@marfordfarm.demon.co.uk>
<87o7k5tulg.fsf@wylie.me.uk> <NtGcnXAJe_0S_Cf5nZ2dnZeNn_hi4p2d@giganews.com>
<u9e2ru$393dj$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1;format=flowed
Content-Transfer-Encoding: 8bit
X-Trace: individual.net 4eGoCLM/gsQbjjIZ+YEQxA2bbsFLVcu8JaUT01F1o8AprIYr7k
X-Orig-Path: marfordfarm.demon.co.uk!tim
Cancel-Lock: sha1:j6nS0Yon7TikTAye2tDuZMFuwhk= sha256:odU4pF7UAO7j7xpD0aypD+6f8+oWV0lc/pyvuYK2ODQ=
User-Agent: Turnpike/6.07-M (<2J2j1iM6W9rQiCXJH0YhQzOcvx>)
 by: Tim Lamb - Fri, 21 Jul 2023 14:12 UTC

In message <u9e2ru$393dj$1@dont-email.me>, John Rumm
<see.my.signature@nowhere.null> writes
>On 21/07/2023 11:49, Colin Bignell wrote:
>> On 21/07/2023 11:41, Alan J. Wylie wrote:
>>> Tim Lamb <tim@marfordfarm.demon.co.uk> writes:
>>>
>>>> Hmm. outgoing@emailnsandi.com looks correct.
>>>
>>> Hardly. That domain doesn't even exist.
>>>
>>> $ whois emailnsandi.com
>>> No match for domain "EMAILNSANDI.COM".
>>>
>>> $ dig -t ns  emailnsandi.com
>>>
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 28478
>>>
>>> (NXDOMAIN is Non eXistent DOMAIN)
>>>
>> All communications I have had from NS&I customer services come from
>>outgoing@nsandi.com without the word email in it.
>
>If you do a lookup with the email bit as a sub domain:
>
>C:\Users\John>nslookup email.nsandi.com
>Server: dns.google
>Address: 8.8.8.8
>
>Non-authoritative answer:
>Name: maxemail.emailcenteruk.com
>Address: 109.68.64.40
>Aliases: email.nsandi.com
>
>
>Then it does resolve....
>
>It is quite common for companies to create a sub domain for bulk email
>- saves their main domain getting blacklisted when some muppet clicks
>"spam" because they can't be bothered to unsubscribe.

OK John and thanks all interested.

I was slightly twitchy because I didn't get a win this month despite
their raised prize rates.
>

--
Tim Lamb

Re: Phishing?

<AmHs4Dx8PpukFwo4@marfordfarm.demon.co.uk>

https://www.novabbs.com/aus+uk/article-flat.php?id=98937&group=uk.d-i-y#98937
Path: i2pn2.org!i2pn.org!eternal-september.org!news.eternal-september.org!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: tim...@marfordfarm.demon.co.uk (Tim Lamb)
Newsgroups: uk.d-i-y
Subject: Re: Phishing?
Date: Fri, 21 Jul 2023 15:19:40 +0100
Lines: 22
Message-ID: <AmHs4Dx8PpukFwo4@marfordfarm.demon.co.uk>
References: <E9AdOeohckukFwZp@marfordfarm.demon.co.uk>
<u9dkc8$36kct$2@dont-email.me> <R8eIuprZ0lukFwLP@marfordfarm.demon.co.uk>
<u9dpb9$37gjf$1@dont-email.me> <OwvP9ttdKoukFwZD@marfordfarm.demon.co.uk>
<khveraFp20nU1@mid.individual.net> <sAAHB6uidoukFw$t@marfordfarm.demon.co.uk>
<JrpU0YJ31oukFw4S@ffoil.org.uk>
Mime-Version: 1.0
Content-Type: text/plain;charset=us-ascii;format=flowed
X-Trace: individual.net hQAdtlsyCkOu4X5Yt3Yl2QC1vKy2LJMxCO/s2ZrlFRc6rj4kUD
X-Orig-Path: marfordfarm.demon.co.uk!tim
Cancel-Lock: sha1:CDrZfSAnIDhdDqTQTMVC3irWdHs= sha256:x3L5Pwh0XfDvb4EuZNkRSIiUnaoBEmxGeYNPs5PBKfQ=
User-Agent: Turnpike/6.07-M (<2u9j1+qaW972sCXJtkfhQzSylU>)
 by: Tim Lamb - Fri, 21 Jul 2023 14:19 UTC

In message <JrpU0YJ31oukFw4S@ffoil.org.uk>, Adrian <diy@ku.gro.lioff>
writes
>In message <sAAHB6uidoukFw$t@marfordfarm.demon.co.uk>, Tim Lamb
><tim@marfordfarm.demon.co.uk> writes
>>I'm beginning to regret asking:-)
>>
>>My mail is collected by Namesco. I read it using Thunderbird.
>>>
>>
>
>Where you collect from doesn't matter. In Thunderbird, do you have a
>"More" button amongst the options with your email (e.g. Reply, Forward
>etc) ? If so, select "View Source" which will show you all the headers.

Ah! *message source* seems to do it. No *more* button found.

John has kindly resolved the issue.

Now, who got my prize money this month?

--
Tim Lamb

Re: Phishing?

<Wmvp4hxcRpukFwrP@marfordfarm.demon.co.uk>

https://www.novabbs.com/aus+uk/article-flat.php?id=98938&group=uk.d-i-y#98938
Path: i2pn2.org!i2pn.org!usenet.goja.nl.eu.org!3.eu.feeder.erje.net!feeder.erje.net!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: tim...@marfordfarm.demon.co.uk (Tim Lamb)
Newsgroups: uk.d-i-y
Subject: Re: Phishing?
Date: Fri, 21 Jul 2023 15:21:16 +0100
Lines: 54
Message-ID: <Wmvp4hxcRpukFwrP@marfordfarm.demon.co.uk>
References: <E9AdOeohckukFwZp@marfordfarm.demon.co.uk>
<u9dkc8$36kct$2@dont-email.me> <R8eIuprZ0lukFwLP@marfordfarm.demon.co.uk>
<u9dpb9$37gjf$1@dont-email.me> <OwvP9ttdKoukFwZD@marfordfarm.demon.co.uk>
<u9e0kn$38nfn$1@dont-email.me> <WgpJZ8vE2oukFwbE@marfordfarm.demon.co.uk>
<u9e3a6$3941u$2@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1;format=flowed
Content-Transfer-Encoding: 8bit
X-Trace: individual.net N12AaZ77TcRa5hRBcwpBjwO4GV9Ev7KZsuaa5Ll0PuBBzZEVhD
X-Orig-Path: marfordfarm.demon.co.uk!tim
Cancel-Lock: sha1:xy6B2wzgsDpgyjA72G+dQptErno= sha256:RgwBm4A1RE+1bNgKIpv7B54jJB1l7L9sH8clPbpfN4I=
User-Agent: Turnpike/6.07-M (<Wozj1mS6W9bxmCXJVEZhQzIKdG>)
 by: Tim Lamb - Fri, 21 Jul 2023 14:21 UTC

In message <u9e3a6$3941u$2@dont-email.me>, SteveW
<steve@walker-family.me.uk> writes
>On 21/07/2023 14:52, Tim Lamb wrote:
>> In message <u9e0kn$38nfn$1@dont-email.me>, Ottavio Caruso
>><ottavio2006-usenet2012@yahoo.com> writes
>>> Am 21/07/2023 um 13:05 schrieb Tim Lamb:
>>>> In message <u9dpb9$37gjf$1@dont-email.me>, Ottavio Caruso
>>>><ottavio2006-usenet2012@yahoo.com> writes
>>>>> Am 21/07/2023 um 10:25 schrieb Tim Lamb:
>>>>>> In message <u9dkc8$36kct$2@dont-email.me>, Ottavio Caruso
>>>>>><ottavio2006-usenet2012@yahoo.com> writes
>>>>>>> Am 21/07/2023 um 08:51 schrieb Tim Lamb:
>>>>>>>> Curious about an e-mail from NS&I questioning my contact
>>>>>>>>details. Looks  authentic but when I logged in normally all my
>>>>>>>>
>>>>>>>> The only recent event is a temporary number on my mobile while
>>>>>>>>O2/  Vfone  organised the transfer.
>>>>>>>>  The other unrelated event is a call back from emergency
>>>>>>>>services (pocket  dialling) where they wished me to confirm my
>>>>>>>>address details! Clearly  they would have my mobile phone
>>>>>>>>number but how is  that linked to my  residential address?
>>>>>>>
>>>>>>> Check the sending SMTP server IP address in the headers (the one
>>>>>>>with  "received : from ").
>>>>>>  Hmm. outgoing@emailnsandi.com looks correct.
>>>>>>>
>>>>>>
>>>>>
>>>>> That's an email address, not an IP address.
>>>>>
>>>>> Post the full headers here (not the message)
>>>>>
>>>>> Or even better paste it to pastebin or similar.
>>>>  Er. You are dealing with the agricultural dept. here.
>>>>  T'bird *all headers selected* offers this:-
>>>>  <0.0.22.2F1.1D9BBA9665E2760.0@mta6589.mxmfb.com>
>>>>  and MXM-v5-MailEngine
>>>>  None of which means anything to me:-)
>>>
>>> That can't be right. Headers are usually tens and tens of lines long.
>> I can look at the source on the Namesco site and get pages of
>>gobbledegook.
>> Is that what is requested?
>
>It may be.
>
>In Thunderbird, with the message selected, open the View tab and click
>Message Source (or just press Ctrl-u) and you'll see the raw message
>with all its headers.

OK Steve problem resolved. Ta.

--
Tim Lamb

Re: Phishing?

<u9e531$39kn8$1@dont-email.me>

https://www.novabbs.com/aus+uk/article-flat.php?id=98939&group=uk.d-i-y#98939
Path: i2pn2.org!i2pn.org!eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: see.my.s...@nowhere.null (John Rumm)
Newsgroups: uk.d-i-y
Subject: Re: Phishing?
Date: Fri, 21 Jul 2023 15:35:12 +0100
Organization: Internode Ltd
Lines: 129
Message-ID: <u9e531$39kn8$1@dont-email.me>
References: <E9AdOeohckukFwZp@marfordfarm.demon.co.uk>
<u9dkc8$36kct$2@dont-email.me> <R8eIuprZ0lukFwLP@marfordfarm.demon.co.uk>
<u9dpb9$37gjf$1@dont-email.me> <OwvP9ttdKoukFwZD@marfordfarm.demon.co.uk>
<khveraFp20nU1@mid.individual.net> <sAAHB6uidoukFw$t@marfordfarm.demon.co.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Fri, 21 Jul 2023 14:35:13 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="05a47f4814442469cd3e18135e71ec5b";
logging-data="3461864"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1991VnNJCS5mQwUxFEAJ0RaHU5POFNL9II="
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101
Thunderbird/102.13.0
Cancel-Lock: sha1:mL9to98mOx+KcZxG4djw+LE6ChU=
In-Reply-To: <sAAHB6uidoukFw$t@marfordfarm.demon.co.uk>
Content-Language: en-GB
 by: John Rumm - Fri, 21 Jul 2023 14:35 UTC

On 21/07/2023 14:25, Tim Lamb wrote:
> In message <khveraFp20nU1@mid.individual.net>, Tim Streater
> <tim@streater.me.uk> writes
>> On 21 Jul 2023 at 14:05:33 BST, "Tim Lamb" <tim@marfordfarm.demon.co.uk>
>> wrote:
>>
>>> In message <u9dpb9$37gjf$1@dont-email.me>, Ottavio Caruso
>>> <ottavio2006-usenet2012@yahoo.com> writes
>>>> Am 21/07/2023 um 10:25 schrieb Tim Lamb:
>>>>> In message <u9dkc8$36kct$2@dont-email.me>, Ottavio Caruso
>>>>> <ottavio2006-usenet2012@yahoo.com> writes
>>>>>> Am 21/07/2023 um 08:51 schrieb Tim Lamb:
>>>>>>> Curious about an e-mail from NS&I questioning my contact details.
>>>>>>> Looks  authentic but when I logged in normally all my details are
>>>>>>> correct.
>>>>>>> The only recent event is a temporary number on my mobile while O2/
>>>>>>> Vfone  organised the transfer.
>>>>>>>  The other unrelated event is a call back from emergency services
>>>>>>> (pocket  dialling) where they wished me to confirm my address
>>>>>>> details! Clearly  they would have my mobile phone number but how is
>>>>>>> that linked to my  residential address?
>>>>>>
>>>>>> Check the sending SMTP server IP address in the headers (the one
>>>>>> with  "received : from ").
>>>>>  Hmm. outgoing@emailnsandi.com looks correct.
>>>>>>
>>>>>
>>>>
>>>> That's an email address, not an IP address.
>>>>
>>>> Post the full headers here (not the message)
>>>>
>>>> Or even better paste it to pastebin or similar.
>>>
>>> Er. You are dealing with the agricultural dept. here.
>>>
>>> T'bird *all headers selected* offers this:-
>>>
>>> <0.0.22.2F1.1D9BBA9665E2760.0@mta6589.mxmfb.com>
>>>
>>> and MXM-v5-MailEngine
>>>
>>> None of which means anything to me:-)
>>
>> We're not talking about the T'Bird headers, but those of the email you
>> got
>> from NS&I. Should be 20-30 lines of text.
>
> I'm beginning to regret asking:-)
>
> My mail is collected by Namesco. I read it using Thunderbird.

In Thunderbird, do CTRL+U while reading a message - it will then show
the entire email in its raw text format without any interpretation. That
will let you see all the original mail headers.

Each time an email gets handled by a node processing the email on its
way to you, that node will add a few new lines of header to the *top* of
the email - giving you the date and time and the details of the node
that handled the message. So the topmost entry will be from the mail
server that you actually collected the message from (typically by IMAP
or POP3).

Below that will be the one before and so on.

The last one before you get to the message itself will be the one
created by the sender's mail software and will show the date and time,
the subject, who it is to, who it is from, and possibly give a reply to
address.

It is also worth looking for the results of any authentication tests
done on the message. These often get added to the header with an
"Authentication" heading...

Searching for the text SPF or DKIM can be handy.

Many mail setups will include a SPF (Sender Policy Framework) text
record stored in the domain name system. That way when a node picks up
an email it can look at the domain part of the email address that
claims to be the one sending the message. It will then look for a text
record in the domain name system called "SPF" on that domain. That
should include a list of all the servers that are allowed to
legitimately send a message for the domain. If they don't match, then
that is a red flag that the message may be a spoof - and you might see
"spf=fail" in the notes added in the header.

Many mail systems will also automatically cryptographically sign the
message and place the resulting signature hash in the message as a DKIM
field. The receiving message handler can then do a similar trick by
looking up the public part of the DKIM key from the DNS records (they
use public key crypto - so separate keys for encoding and decoding
messages). With some maths they can verify that the message must have
been signed by the sender's private DKIM key. (They can't work out what
the private key was, but they can verify it is the one that goes with the
public key that they got from the DNS.) So the receiver knows if any
fiddling took place between when the originator sent it, and you got it.
So seeing a DKIM=fail would also be a cause of suspicion.

So for example, a message I received from Amazon includes:

Authentication-Results: [redacted].net; iprev=pass
policy.iprev="54.240.1.40"; spf=pass
smtp.mailfrom="202307201523068ce691987e0e4dae8f6f3a221960p0eu-C560YXP5U5H65@bounces.amazon.co.uk"
smtp.helo="a1-40.smtp-out.eu-west-1.amazonses.com"; dkim=pass
header.d=amazon.co.uk; dkim=pass header.d=amazonses.com; dmarc=pass
(p=quarantine; dis=none)

So that basically says the message came from amazon's mail server, and
it was not altered before I got it.

The DMARC (Domain-based Message Authentication, Reporting & Conformance)
record includes instructions to the receiver with what the sender
recommends that it does with the message if it looks suspect. In this
case it suggests the receiver should lob it in the spam folder (i.e.
"quarantine").

--
Cheers,

John.

/=================================================================\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\=================================================================/
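
The header reading described in the post above, as an added Python example (not part of the original post): it walks the `Received:` chain oldest-first, reads the SPF/DKIM/DMARC verdicts out of `Authentication-Results:`, and checks whether a passing DKIM domain is related to the `From:` domain. The sample message, the `*.example` hostnames and the function names are constructed for illustration; the subdomain test in `related()` is a simplification of DMARC relaxed alignment.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not the e-mail from the thread): reserved example
# domains and documentation IP ranges throughout.
RAW = """\
Received: from mx.mailhost.example (mx.mailhost.example [192.0.2.10])
\tby imap.mailhost.example with LMTP; Fri, 21 Jul 2023 09:00:05 +0100
Authentication-Results: mx.mailhost.example; iprev=pass
\tpolicy.iprev="198.51.100.25"; spf=pass
\tsmtp.mailfrom="bounce-123@email.bank.example"
\tsmtp.helo="out1.bulkmail.example"; dkim=pass
\theader.d=bank.example; dmarc=pass (p=quarantine; dis=none)
Received: from out1.bulkmail.example (out1.bulkmail.example [198.51.100.25])
\tby mx.mailhost.example with ESMTPS; Fri, 21 Jul 2023 09:00:03 +0100
Received: from app7.bulkmail.example ([10.1.2.3])
\tby out1.bulkmail.example with ESMTP; Fri, 21 Jul 2023 09:00:01 +0100
From: "Bank Example" <outgoing@email.bank.example>
To: reader@mailhost.example
Subject: Please check your contact details

Body text.
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<peer>[^)]*)\))?.*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE | re.DOTALL,
)


def load(raw):
    return message_from_string(raw)


def received_chain(msg):
    """Hops oldest-first. Every relay prepends its own Received: line, so the
    header order in the message is newest-first and is reversed here."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(str(value).split())          # unfold continuation lines
        m = RECEIVED_RE.search(text)
        hops.append({
            "from": m.group("helo") if m else None,  # name the client claimed
            "peer": m.group("peer") if m else None,  # what the receiver saw
            "by": m.group("by") if m else None,
            "date": text.rpartition(";")[2].strip() if ";" in text else "",
        })
    return hops


def auth_results(msg, trusted_authserv):
    """Verdicts from Authentication-Results lines stamped by our own receiver.
    Lines naming any other server are skipped: a sender can put whatever
    Authentication-Results text it likes into the message it submits."""
    results = []
    for value in msg.get_all("Authentication-Results", []):
        text = re.sub(r"\([^)]*\)", "", " ".join(str(value).split()))
        authserv, _, rest = text.partition(";")
        ident = authserv.split()[0].lower() if authserv.split() else ""
        if ident != trusted_authserv.lower():
            continue
        for clause in rest.split(";"):
            tokens = clause.split()
            if not tokens or "=" not in tokens[0]:
                continue
            method, _, result = tokens[0].partition("=")
            props = {k.lower(): v.strip('"') for k, v in
                     (t.split("=", 1) for t in tokens[1:] if "=" in t)}
            results.append({"method": method.lower(),
                            "result": result.lower(), "props": props})
    return results


def related(a, b):
    """True if the domains are equal or one is a subdomain of the other.
    email.nsandi.com relates to nsandi.com; emailnsandi.com does not."""
    a, b = a.lower().rstrip("."), b.lower().rstrip(".")
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def summarise(msg, trusted_authserv):
    results = auth_results(msg, trusted_authserv)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    dkim_ok = [r["props"].get("header.d", "") for r in results
               if r["method"] == "dkim" and r["result"] == "pass"]
    return {
        "from_domain": from_domain,
        "first_hop": (received_chain(msg) or [None])[0],
        "failed": sorted({r["method"] for r in results
                          if r["result"] not in ("pass", "none")}),
        "dkim_matches_from": any(related(from_domain, d) for d in dkim_ok),
        "no_trusted_results": not results,
    }


if __name__ == "__main__":
    for hop in received_chain(load(RAW)):
        print(hop)
    print(summarise(load(RAW), "mx.mailhost.example"))
```
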

Re: Phishing?

<u9ea6q$3antn$1@dont-email.me>

https://www.novabbs.com/aus+uk/article-flat.php?id=98946&group=uk.d-i-y#98946
Path: i2pn2.org!i2pn.org!eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: see.my.s...@nowhere.null (John Rumm)
Newsgroups: uk.d-i-y
Subject: Re: Phishing?
Date: Fri, 21 Jul 2023 17:02:33 +0100
Organization: Internode Ltd
Lines: 135
Message-ID: <u9ea6q$3antn$1@dont-email.me>
References: <E9AdOeohckukFwZp@marfordfarm.demon.co.uk>
<u9dkc8$36kct$2@dont-email.me> <R8eIuprZ0lukFwLP@marfordfarm.demon.co.uk>
<87o7k5tulg.fsf@wylie.me.uk> <NtGcnXAJe_0S_Cf5nZ2dnZeNn_hi4p2d@giganews.com>
<u9e2ru$393dj$1@dont-email.me> <u9e3fv$3985n$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Fri, 21 Jul 2023 16:02:34 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="05a47f4814442469cd3e18135e71ec5b";
logging-data="3497911"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18BVUgQXa/f8kyxUgvpPtrMCG/t8Xa0gdM="
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101
Thunderbird/102.13.0
Cancel-Lock: sha1:2TC7s8Cr0HWvo6ooMAZMtOiXizw=
Content-Language: en-GB
In-Reply-To: <u9e3fv$3985n$1@dont-email.me>
 by: John Rumm - Fri, 21 Jul 2023 16:02 UTC

On 21/07/2023 15:07, Ottavio Caruso wrote:
> Am 21/07/2023 um 13:57 schrieb John Rumm:
>> On 21/07/2023 11:49, Colin Bignell wrote:
>>> On 21/07/2023 11:41, Alan J. Wylie wrote:
>>>> Tim Lamb <tim@marfordfarm.demon.co.uk> writes:
>>>>
>>>>> Hmm. outgoing@emailnsandi.com looks correct.
>>>>
>>>> Hardly. That domain doesn't even exist.
>>>>
>>>> $ whois emailnsandi.com
>>>> No match for domain "EMAILNSANDI.COM".
>>>>
>>>> $ dig -t ns  emailnsandi.com
>>>>
>>>> ;; Got answer:
>>>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 28478
>>>>
>>>> (NXDOMAIN is Non eXistent DOMAIN)
>>>>
>>>
>>> All communications I have had from NS&I customer services come from
>>> outgoing@nsandi.com without the word email in it.
>>
>> If you do a lookup with the email bit as a sub domain:
>>
>> C:\Users\John>nslookup email.nsandi.com
>> Server:  dns.google
>> Address:  8.8.8.8
>>
>> Non-authoritative answer:
>> Name:    maxemail.emailcenteruk.com
>> Address:  109.68.64.40
>> Aliases:  email.nsandi.com
>>
>>
>> Then it does resolve....
>>
>> It is quite common for companies to create a sub domain for bulk email
>> - saves their main domain getting blacklisted when some muppet clicks
>> "spam" because they can't be bothered to unsubscribe.
>>
>
> You're looking in the wrong place.

No, I think you are missing the thrust of my suggestion... Tim said the
message was from:

outgoing@emailnsandi.com

Which as others have pointed out is not a recognised domain name.

I was suggesting (but concede I did not spell out!) that could be a
misread of:

outgoing@email.nsandi.com

Hence the comment about common practice of sending bulk email from a sub
domain. That sub domain of nsandi.com *does* exist.

> The OP should understand how to look
> for the headers in his mail client.

Indeed, I covered that elsewhere.

> The SMTP fingerprint is in the "Received from:" header, which the OP is
> confusing with the "From:" header.

Again there will potentially be multiple received from, so knowing the
order to read them in helps. Also taking advantage of the spoofing
protection mechanisms that may already be in place like SPF and DKIM is
another good way to learn more about how trustworthy a message is likely
to be.

Looking at text record info from their domain:

C:\Users\John>nslookup
Default Server: dns.google
Address: 8.8.8.8

> set type=txt
> email.nsandi.com
Server: dns.google
Address: 8.8.8.8

Non-authoritative answer:
email.nsandi.com canonical name = maxemail.emailcenteruk.com
maxemail.emailcenteruk.com text =

"spf2.0/mfrom ip4:109.68.65.0/24 ip4:109.68.66.0/24
ip4:109.68.71.0/24 ~all"
maxemail.emailcenteruk.com text =

"v=spf1 ip4:109.68.65.0/24 ip4:109.68.66.0/24
ip4:109.68.71.0/24 ~all"
> nsandi.com
Server: dns.google
Address: 8.8.8.8

Non-authoritative answer:
nsandi.com text =

"v=spf1 a:learning.nsandi.com ip4:82.199.69.59
ip4:212.250.135.14 ip4:212.250.135.13 ip4:212.250.135.44
ip4:212.250.135.43 ip4:212.250.135.40 ip4:212.250.135.41
ip4:212.250.135.1 ip4:109.68.65.89 ip4:134.213.63.222 ip4:157.203.60.42
ip4:157.203.60.43 ip4:7"
"8.31.110.246 ip6:2a00:1a48:7808:101:be76:4eff:fe08:cdea ~all"
nsandi.com text =


"globalsign-domain-verification=xoi3Yt9gNPsZ3yL1IJjeGsoWjOApOSfyuEqbwDNXzc"
nsandi.com text =

"MS=890C6C7BC37BC3A82D045E6D9D92E0ABC7AACB4C"

Suggests they have an account with maxemail (xtremepush.com) for bulk
and marketing email on the email subdomain, and then their main mail
setup on what looks like some virgin media hosted servers as well as
some of their own.

Did Tim miss the . in the domain?

--
Cheers,

John.

/=================================================================\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\=================================================================/
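
How a receiver applies SPF TXT records like the ones in the nslookup output above, as an added Python example (not part of the original post). The record strings are copied from that output; the client addresses tested and the function names are constructed, and mechanisms that need a DNS lookup (`a:`, `mx`, `include:` and so on) are reported as unresolved rather than looked up, so the block runs offline.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Records as shown in the nslookup output in the post above.
BULK_SPF = "v=spf1 ip4:109.68.65.0/24 ip4:109.68.66.0/24 ip4:109.68.71.0/24 ~all"
SENDER_ID = "spf2.0/mfrom ip4:109.68.65.0/24 ip4:109.68.66.0/24 ip4:109.68.71.0/24 ~all"
MAIN_CHUNKS = [
    "v=spf1 a:learning.nsandi.com ip4:82.199.69.59 ip4:212.250.135.14 "
    "ip4:212.250.135.13 ip4:212.250.135.44 ip4:212.250.135.43 "
    "ip4:212.250.135.40 ip4:212.250.135.41 ip4:212.250.135.1 "
    "ip4:109.68.65.89 ip4:134.213.63.222 ip4:157.203.60.42 "
    "ip4:157.203.60.43 ip4:7",
    "8.31.110.246 ip6:2a00:1a48:7808:101:be76:4eff:fe08:cdea ~all",
]


def join_txt(chunks):
    """A TXT record longer than 255 bytes is stored as several strings, which
    is why nslookup prints the nsandi.com record in two quoted pieces. The
    pieces are concatenated with nothing in between, so 'ip4:7' followed by
    '8.31.110.246' is the single term ip4:78.31.110.246."""
    return "".join(chunks)


def check_spf(record, client_ip):
    """Return (result, matched_term) for the connecting client's address.

    Only ip4/ip6/all are evaluated. A term that needs DNS is remembered, and
    if evaluation reaches 'all' with such terms outstanding the answer is
    'unresolved', because one of them might have matched first."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ("none", "")      # e.g. the spf2.0/mfrom Sender ID record
    needs_dns = []
    for term in terms[1:]:
        qualifier = "+"          # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return ("permerror", term)   # malformed record
            if ip.version == net.version and ip in net:
                return (QUALIFIERS[qualifier], term)
        elif name == "all":
            if needs_dns:
                return ("unresolved", " ".join(needs_dns))
            return (QUALIFIERS[qualifier], "all")
        else:
            needs_dns.append(term)
    return ("neutral", "")       # ran off the end with no match and no 'all'


if __name__ == "__main__":
    main_spf = join_txt(MAIN_CHUNKS)
    # Constructed client addresses: one inside a published range, one
    # documentation address that no record lists.
    for rec, addr in [(BULK_SPF, "109.68.66.17"), (BULK_SPF, "192.0.2.1"),
                      (main_spf, "78.31.110.246"), (main_spf, "192.0.2.1"),
                      (SENDER_ID, "109.68.66.17")]:
        print(addr, check_spf(rec, addr))
```

The `~all` at the end of both records means an unlisted sender gets `softfail` rather than a hard `fail`, which is why a receiver may still deliver such a message and leave the decision to DMARC or the spam filter.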

Re: Phishing?

<khvu2uFrdvdU1@mid.individual.net>

https://www.novabbs.com/aus+uk/article-flat.php?id=98953&group=uk.d-i-y#98953
Path: i2pn2.org!i2pn.org!usenet.goja.nl.eu.org!3.eu.feeder.erje.net!feeder.erje.net!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: use...@andyburns.uk (Andy Burns)
Newsgroups: uk.d-i-y
Subject: Re: Phishing?
Date: Fri, 21 Jul 2023 18:37:35 +0100
Lines: 10
Message-ID: <khvu2uFrdvdU1@mid.individual.net>
References: <E9AdOeohckukFwZp@marfordfarm.demon.co.uk>
<u9dvlh$38l84$1@dont-email.me> <zgzA5GusNoukFw$L@marfordfarm.demon.co.uk>
<u9e0p4$38qdv$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Trace: individual.net jB6NrYTqOqCH3RXCFT7+wAXVtQB0lQoEJ9nnHlluI+dlag2VlK
Cancel-Lock: sha1:ZBwhD5jZj/lzNbqGx5X71oBEw2s= sha256:JCCSAILYwLGLhlVH81VNGUWZxPB3fcMKQTOdMyijIAY=
User-Agent: Mozilla Thunderbird
Content-Language: en-GB
In-Reply-To: <u9e0p4$38qdv$1@dont-email.me>
 by: Andy Burns - Fri, 21 Jul 2023 17:37 UTC

mm0fmf wrote:

> You can be very careful about who you mail and who therefore has your
> address. But you cannot make those recipients be careful. So when they
> get compromised in some way then your mail address, which is in their
> address books etc. still gets out to bad actors.

But if you give out a unique email address per recipient, if/when they
do get compromised you can just kill that one address ...

Re: Phishing?

<Cirs5YzMrtukFwp7@marfordfarm.demon.co.uk>

https://www.novabbs.com/aus+uk/article-flat.php?id=98964&group=uk.d-i-y#98964
Path: i2pn2.org!i2pn.org!usenet.goja.nl.eu.org!3.eu.feeder.erje.net!feeder.erje.net!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: tim...@marfordfarm.demon.co.uk (Tim Lamb)
Newsgroups: uk.d-i-y
Subject: Re: Phishing?
Date: Fri, 21 Jul 2023 20:21:48 +0100
Lines: 104
Message-ID: <Cirs5YzMrtukFwp7@marfordfarm.demon.co.uk>
References: <E9AdOeohckukFwZp@marfordfarm.demon.co.uk>
<u9dkc8$36kct$2@dont-email.me> <R8eIuprZ0lukFwLP@marfordfarm.demon.co.uk>
<87o7k5tulg.fsf@wylie.me.uk> <NtGcnXAJe_0S_Cf5nZ2dnZeNn_hi4p2d@giganews.com>
<u9e2ru$393dj$1@dont-email.me> <u9e3fv$3985n$1@dont-email.me>
<u9ea6q$3antn$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1;format=flowed
Content-Transfer-Encoding: 8bit
X-Trace: individual.net FlicK/oAHUFo05xmt0Mp0grTbdefOI/pjTo+1Bd0TwSc9Mplk+
X-Orig-Path: marfordfarm.demon.co.uk!tim
Cancel-Lock: sha1:K/74zooO+ZTK0lbXF39C1/cgo5g= sha256:9hoox7UZ/LwYYAvQ9iROXe7SWjRp9qKSW4xYwtkC9x0=
User-Agent: Turnpike/6.07-M (<yr1j1qLaW97woDXJtgYhQjGSfL>)
 by: Tim Lamb - Fri, 21 Jul 2023 19:21 UTC

In message <u9ea6q$3antn$1@dont-email.me>, John Rumm
<see.my.signature@nowhere.null> writes
>On 21/07/2023 15:07, Ottavio Caruso wrote:
>> On 21/07/2023 at 13:57, John Rumm wrote:
>>> On 21/07/2023 11:49, Colin Bignell wrote:
>>>> On 21/07/2023 11:41, Alan J. Wylie wrote:
>>>>> Tim Lamb <tim@marfordfarm.demon.co.uk> writes:
>>>>>
>>>>>> Hmm. outgoing@emailnsandi.com looks correct.
>>>>>
>>>>> Hardly. That domain doesn't even exist.
>>>>>
>>>>> $ whois emailnsandi.com
>>>>> No match for domain "EMAILNSANDI.COM".
>>>>>
>>>>> $ dig -t ns  emailnsandi.com
>>>>>
>>>>> ;; Got answer:
>>>>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 28478
>>>>>
>>>>> (NXDOMAIN is Non eXistent DOMAIN)
>>>>>
>>>>
>>>> All communications I have had from NS&I customer services come from
>>>>outgoing@nsandi.com without the word email in it.
>>>
>>> If you do a lookup with the email bit as a sub domain:
>>>
>>> C:\Users\John>nslookup email.nsandi.com
>>> Server:  dns.google
>>> Address:  8.8.8.8
>>>
>>> Non-authoritative answer:
>>> Name:    maxemail.emailcenteruk.com
>>> Address:  109.68.64.40
>>> Aliases:  email.nsandi.com
>>>
>>>
>>> Then it does resolve....
>>>
>>> It is quite common for companies to create a sub domain for bulk
>>>email - saves their main domain getting blacklisted when some muppet
>>>clicks "spam" because they can't be bothered to unsubscribe.
>>>
>> You're looking in the wrong place.
>
>No, I think you are missing the thrust of my suggestion... Tim said the
>message was from:
>
>outgoing@emailnsandi.com
>
>Which as others have pointed out is not a recognised domain name
>
>I was suggesting (but concede I did not spell out!) that could be a
>misread of:
>
>outgoing@email.nsandi.com
>
>Hence the comment about common practice of sending bulk email from a
>sub domain. That sub domain of nsandi.com *does* exist.
>
>> The OP should understand how to look for the headers in his mail
>>client.
>
>Indeed, I covered that elsewhere.
>
>> The SMTP fingerprint is in the "Received from:" header, which the OP
>>is confusing with the "From:" header.
>
>Again there will potentially be multiple received from, so knowing the
>order to read them in helps. Also taking advantage of the spoofing
>protection mechanisms that may already be in place like SPF and DKIM is
>another good way to learn more about how trustworthy a message is
>likely to be.
>
>Looking at text record info from their domain:
>
>C:\Users\John>nslookup
>Default Server: dns.google
>Address: 8.8.8.8
>
>> set type=txt
>> email.nsandi.com
>Server: dns.google
>Address: 8.8.8.8
>
>Non-authoritative answer:
>email.nsandi.com canonical name = maxemail.emailcenteruk.com
>maxemail.emailcenteruk.com text =

Snip totally confusing mathematical/alphabetic diarrhoea
>
>Did Tim miss the . in the domain?

Yes. Humble apologies:-)

I was anxious to get started hand harvesting 4.5 acres of Ragwort before
the ground dries anymore.

--
Tim Lamb
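
An added example, not part of any post in this thread: a Python sketch of the header checks discussed above, covering whether the From domain is really inside the expected organisation's domain (`email.nsandi.com` versus `emailnsandi.com`), the order in which to read the Received hops, and the SPF/DKIM verdicts. The sample message, its host names and the helper names `analyse` and `is_same_or_subdomain` are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: every host name, address and verdict is illustrative.
SAMPLE = '''\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
 by mailstore.recipient.example; Fri, 21 Jul 2023 09:40:03 +0100
Received: from bulk.sender.example (bulk.sender.example [198.51.100.7])
 by mx.recipient.example; Fri, 21 Jul 2023 09:40:01 +0100
Authentication-Results: mx.recipient.example;
 spf=pass smtp.mailfrom=bounce.email.nsandi.com;
 dkim=pass header.d=email.nsandi.com
From: "NS&I" <outgoing@email.nsandi.com>
Subject: Constructed example

body
'''

def is_same_or_subdomain(domain, org):
    """True only for org itself or a dot-separated subdomain of it."""
    domain, org = domain.lower().rstrip("."), org.lower()
    return domain == org or domain.endswith("." + org)

def analyse(raw, expected_org):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    # Each relay prepends its Received header, so reverse to read oldest hop first.
    hops = [re.sub(r"\s+", " ", h).split(";")[0]
            for h in reversed(msg.get_all("Received", []))]
    # Only trust Authentication-Results stamped by your own receiving server.
    auth = re.sub(r"\s+", " ", " ".join(msg.get_all("Authentication-Results", [])))
    verdicts = dict(re.findall(r"\b(spf|dkim)=(\w+)", auth))
    dkim_d = re.search(r"header\.d=([\w.-]+)", auth)
    return {
        "from_domain": from_domain,
        "from_in_org": is_same_or_subdomain(from_domain, expected_org),
        "hops_oldest_first": hops,
        "spf": verdicts.get("spf"),
        "dkim": verdicts.get("dkim"),
        "dkim_in_org": bool(dkim_d) and is_same_or_subdomain(dkim_d.group(1), expected_org),
    }

if __name__ == "__main__":
    for sender in ("outgoing@email.nsandi.com", "outgoing@emailnsandi.com"):
        raw = SAMPLE.replace("outgoing@email.nsandi.com", sender)
        print(sender, analyse(raw, "nsandi.com"))
```

The suffix test requires a leading dot, so `emailnsandi.com` is rejected even though it ends in the characters `nsandi.com`.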
