Thanks Phil. Yes, I'm not sure how it was done but the settings are correct in my PC. AT&T has helped me to assign a new password to my account to shut this down. They say it appears to have been hacked on the AT&T web mail site. We too noticed the Reply To address change. I suspected something when I had no incoming mail. It appears that any, not just replies to me, were going to that hacked address.
The only thing I can think of is that AT&T net mail was changing to a new setup. We were all notified that by June 30, all accounts would have to migrate to the new ATT.net/mail arrangement. Subsequently I received a message offering the opportunity to proceed with my migration. I did that and was surprised when they asked me to log in again. Right there I gave someone my login info. They were then able to log in to my web mail site and access the address book there.
I am going to delete the address book there since I am not on the road much anymore. With the changed password, the hacker can no longer log in to my account. My apologies to all who got that message. I have seen it before, coming from other people over the months.
73, Roy -- W0SL
R/D/Gd/Ggd
On 6/26/2013 11:05 PM, Phil Karn wrote:
Today I got a scam email purporting to be from Roy Welch, W0SL, asking for an emergency loan. If I got it, I suspect many others on amsat-bb got it too.
The originating IP address is in Nigeria. Where else?
I've seen this exact scam before. In those cases someone had stolen the password of the person they were pretending to be.
I don't think that happened here. The "From" address was his correct email account 'rdwelch@swbell.net' but the Reply-To: address was 'rdwelclh@yahoo.com'. Note the extra 'l'.
I think the scammers created this second account on Yahoo and used it to send the scam email, forging Roy's address in the from field. Any reply would, of course, go to the scammer's address on Yahoo and many people might not notice the subtle change.
swbell.net has no SPF (Sender Policy Framework) records in the Domain Name System to indicate to the rest of the Internet which IP addresses may legitimately originate email from that domain, so recipient systems cannot easily detect forgeries.
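
The From/Reply-To mismatch discussed in this thread can be checked mechanically on the receiving side. The following is an added example, not part of either message: the function names, the distance threshold and the sample message (built from the two addresses quoted above, with a placeholder To address) are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: only the two addresses come from the thread above.
SAMPLE = """\
From: Roy Welch <rdwelch@swbell.net>
Reply-To: rdwelclh@yahoo.com
To: amsat-bb@example.org
Subject: constructed sample

(body omitted)
"""


def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def reply_to_findings(raw, max_distance=2):
    """Return a list of findings about how Reply-To relates to From."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1].lower()
    findings = []
    if not reply_addr or reply_addr == from_addr:
        return findings  # replies go to the visible sender
    from_local, _, from_dom = from_addr.rpartition("@")
    reply_local, _, reply_dom = reply_addr.rpartition("@")
    if from_dom != reply_dom:
        findings.append("reply-to-domain-differs")
    # A near-identical mailbox name is the part a reader tends to miss.
    if 0 < edit_distance(from_local, reply_local) <= max_distance:
        findings.append("reply-to-lookalike-local-part")
    return findings


if __name__ == "__main__":
    print(reply_to_findings(SAMPLE))
```

A differing Reply-To domain alone is common for mailing lists, so the lookalike finding is the stronger signal of the two.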