I got one of these in late October also; mine didn’t give the password they supposedly had. Some things about the mail that signaled “fake” to me were how it carefully avoided including any specific information at all that might have shown they knew “anything” about me. It says we hacked your “operating system”, not mentioning if it is Windows, Mac, or other. It says we accessed your “social accounts”, not mentioning any specific social accounts like Facebook etc. It says we hacked your email, browsing history, contacts, photos and videos, files from your computer, porn sites, etc, etc, yet of all that stuff they supposedly hacked, the email includes no reference to any actual information from any of my contacts, photos, history, or files. It seems to me if they had all that information, I would have expected at least one bit of all that information to have made it into their message to me, even if inadvertently. It would seem to me that the fact that there isn’t one bit of actual information about me in the email is most likely not due to them just not mentioning it; the most likely explanation is that in fact they have no actual information about me. I would expect, since a blackmailer wants to get someone to pay them blackmail, that they would make at least a minimal effort to demonstrate that they actually had some blackmail information on you, and if they don’t do that, it’s most likely because they have no such information.
Hi all (long time)
Just a quick data point. I’ve gotten a half dozen of these over the last month or so. They were sent to (and from) an address of one of my own domains.
Rather than blocking the address, I revisited my DMARC records and upped the policy from “none” to “quarantine” (DMARC records are instructions mail services may follow if someone spoofs the from address, among other failures; Adam wrote about it here in 2014). Even if set to “reject”, my provider does not actually reject mail; it just ups the spam handling signals.
What I found interesting is that I received another one today, virtually identical, but not from my address this time. (Some of the previous examples bragged that they were using my account to send the mail as “proof” my account was compromised.)
Anyway, I’m left wondering if the attack might be sophisticated enough to actually check the DMARC policy and adjust to avoid possible rejection or quarantine. I’ll keep monitoring for now and eventually block the address.
I seriously doubt that any of them actually came from your domain. What appears as the "From: " address is almost always faked, is ignored, and isn’t relevant. You have to look at the header information to determine exactly where it originated and the intermediate locations it passed through. I use https://www.spamcop.net to assist me in this.
If you find that it actually did originate from your domain, then your e-mail has been hacked.
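An added example, not part of any commenter's post, tying together the two points above: the DMARC policy levels the earlier commenter changed (p=none versus p=quarantine), and this commenter's advice to read the Received chain rather than trusting the From: line. It is plain Python using only the standard library. The two DMARC records, the raw message, and every host name and IP address in it are constructed for illustration; none of it is real data.

```python
import email
import email.utils
import re

# Constructed DMARC TXT records, as they would be published at _dmarc.<domain>.
# p=none only asks receivers to report failures; p=quarantine asks them to treat
# mail that fails DMARC as suspicious (spam folder); p=reject asks them to refuse
# it. Receivers are free to ignore the policy, as the earlier commenter saw.
DMARC_WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
DMARC_HARDENED = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"


def parse_dmarc(record):
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


# Constructed raw message (not a real one). From: is spoofed to the victim's own
# domain, but the bottom-most Received header, written by the victim's MX when it
# accepted the connection, records an unrelated IP.
RAW = b"""Received: from mx.example.com (mx.example.com [203.0.113.5])
\tby inbox.example.com with ESMTP id abc123
\tfor <victim@example.com>; Tue, 30 Oct 2018 10:00:00 +0000
Received: from [198.51.100.77] (unknown [198.51.100.77])
\tby mx.example.com with SMTP id xyz789;
\tTue, 30 Oct 2018 09:59:58 +0000
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com;
\tdmarc=fail (p=none) header.from=example.com
From: victim@example.com
To: victim@example.com
Subject: Your account has been hacked

I have your password.
"""

RECEIVED_RE = re.compile(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def received_chain(msg):
    """Return (claimed_host, recorded_ip) per hop, oldest hop first.

    Each relay prepends its own Received header, so the last one in the message
    is the first hop. The host name is whatever the connecting client claimed
    (forgeable); the bracketed IP was recorded by the server that accepted the
    connection and is the part worth trusting.
    """
    hops = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(hdr.split()))
        if m:
            hops.append((m.group(1), m.group(2)))
    hops.reverse()
    return hops


def auth_results(msg):
    """Parse spf/dkim/dmarc verdicts from Authentication-Results, if present."""
    hdr = msg.get("Authentication-Results", "")
    return dict(AUTH_RE.findall(" ".join(hdr.split())))


def analyze(raw):
    """Summarize where the mail entered the system versus what From: claims."""
    msg = email.message_from_bytes(raw)
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    hops = received_chain(msg)
    first_host = hops[0][0].strip("[]").lower() if hops else ""
    # Mail genuinely sent from the victim's account would normally enter via a
    # host in the From: domain (or its provider); a bare foreign IP does not.
    origin_in_from_domain = (
        first_host == from_domain or first_host.endswith("." + from_domain)
    )
    return {
        "from_domain": from_domain,
        "first_hop": hops[0] if hops else None,
        "origin_in_from_domain": origin_in_from_domain,
        "auth": auth_results(msg),
    }


if __name__ == "__main__":
    result = analyze(RAW)
    print("From: domain          :", result["from_domain"])
    print("First hop (host, ip)  :", result["first_hop"])
    print("Origin in From domain?:", result["origin_in_from_domain"])
    print("Authentication-Results:", result["auth"])
    for label, rec in (("weak", DMARC_WEAK), ("hardened", DMARC_HARDENED)):
        print(f"DMARC {label}: p={parse_dmarc(rec)['p']}")
```

Run it as a script and it reports that the From: domain is example.com while the first hop is a bare 198.51.100.77 with SPF and DMARC both failing, which is exactly the picture a service like spamcop.net summarizes for you. Note that only the last Received header (the one added by your own receiving server) is guaranteed honest; a sender can forge any earlier ones, so start reading from the bottom and stop trusting the chain once it leaves servers you know.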
The easiest way by far to do this is using spamgourmet.com (cc @mpainesyd). As others have said, I would never go back to running a mail server; the pain is not worth it with all the options out there today. The nice thing about SpamGourmet is that you can create email addresses on the fly as you are filling out a registration form. No need to go to the site or a server to create a new alias or mailbox. It’s a straightforward service, well designed. I highly recommend people check it out. And, @cwilcox, it has a mechanism to allow sending from one of your addresses, too. I’ve been using it for years, and it’s really excellent.
Unfortunately, it’s not accepting new users.