Phishing – How often do spammers, phishers, etc. change e-mail addresses?

Their only goal is to deliver the selected text block to the victim. Whether and how often they change a (fake) e-mail address is unclear, as individuals or marketing groups all work independently.

If an e-mail address is blacklisted, it usually helps to change the e-mail address, because in that case the message is not delivered to the victim (spammers are stupid).

Spam – Are you preventing spammers from forging e-mails that you send to another person or yourself?

I have received the following email with the following headers. How do spammers use this method to trick users into hacking their account?

How can you stop spammers with our e-mail? For non-techies like my grandma, it can be scary to receive an e-mail like this one that says her account is hacked.

What is the spammer doing right in the headers below? Does it show which application you are using for it?

Return-Path:
X-Original-To:
Delivered-To:
Received: from ( [])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client
certificate requested) by (Postfix) with ESMTPS id 420623000080
for ; Wed,
6 Mar 2019 19:25:57 +0000 (UTC)
Received: from (unknown []) by (Postfix) with ESMTP id AF51A20196C14 for ;
6 Mar 2019 13:25:55 -0600 (CST)
Received: from ([]) by cmsmtp with
ESMTP id 1cAth7PiS5rNM1cAthzAVL; Wed, 06 Mar 2019 13:25:55 -0600
Received: from [] (port=51959 helo=[]) by with esmtpsa (TLSv1:ECDHE-RSA-AES256-SHA:256) (Exim
4.91) (envelope-from ) id 1h1cAr-0024QG-EJ for ;
Wed, 06 Mar 2019 14:25:55 -0500
Authentication-Results: ; dmarc=none (p=none dis=none)
header.from=
Authentication-Results: ; spf=none
Authentication-Results: ; dkim=fail reason="Key not found in DNS"
(0-bit key) header.d= header.b="kBI6UFVj"
X-Authority-Reason: nr=8
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=;
s=default; h=From:MIME-Version:Content-Type:Message-ID:
List-ID:Date:Subject:To:Sender:Reply-To:Cc:Content-Transfer-Encoding:
Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Help:
List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
bh = oj1E + Py8RM4SW8xpzCQWMyx9GodmBpw8HrVQgEtGCkw =; b = kBI6UFVjOJ6gguimz80GscFl2T
OLPs8fsRExWixOejYw4T4 + itDQNQPEy7NT + RBH + D055aCgf2clk8w44DauK2Lye1uw9ZFP6tlwQ3F
2kKxi3ea3Vaeo1ojR3yshBjGaj2Yit / 5mas9dAQLKOlXfd7dVSthXl2hiza9XbMbP6WSUw2g / zdek
/ jnxnN410aiy7vES / sbKi4v5PyDPTe8kYSkcHVZrFIP9XpNLjrzXiw18lo97osS1pl3Oe9ySv3DVF
WXOfdIxAhvZCqq0o4329IO3oT + O8GGwiY2BAvH1L4JCrRK0y8An6I2ZAhii6XTEaoViKt3FVhESz 1PvGPDMA ==;
X-Abuse-Reports-To:
X-Mailer: Microsoft Outlook Express 6.00.2900.5843
Subject: pat
X-Aid: 3931138227
Date: Wed, 6 Mar 2019 20:25:52 +0100
List-ID: y2znb9cxhdkkp12r9ojihcp70vn50etc23e368dl
Message-ID: <>
X-Complaints-To:
Content-Type: text/html
MIME-Version: 1.0
X-Anti-Abuse: This header has been added to track abuse. Please attach it to the abuse report
X-Anti-Abuse: Primary Host Name -
X-Anti-Abuse: Original Domain -
X-Anti-Abuse: Sender/Caller UID/GID - [47 12] / [47 12]
X-Anti-Abuse: Sender Address Domain -
X-Bwhitelist: no
X-Source-IP: 87.252.183.184
X-Source-L: No
X-Exim-Id: 1h1cAr-0024QG-EJ
X-Source-Sender: ([]) []51959
X-Source-Auth:
X-Email-Count: 244
X-Source-Cap: emVyb3BsdXM7aW1wbG9kZWk7dXNjZW50cmFsNDI3LmFjY291bnRzZXJ2ZXJncm91cC5jb20 =
X-Local-Domain: yes
X-Spam-Flag: YES
X-Spam-Status: Yes, score=11.7 required=4.0 tests=BAYES_50,DKIM_INVALID,
autolearn_force=no version=3.4.2
X-Spam-Report:
* 4.0 BAYES_50 BODY: The Bayesian spam probability is 40 to 60%
*     [score: 0.4999]
* 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
*     mail domains differ
* 1.1 LOCALPART_IN_SUBJECT Local part of To: address appears in
*     Subject
* 0.4 MIME_HTML_MOSTLY BODY: Multi-part message, mostly text/html MIME
* 0.0 HTML_MESSAGE BODY: HTML in the message
* 0.8 MPART_ALT_DIFF BODY: HTML and text parts differ
* 1.2 HTML_IMAGE_ONLY_04 BODY: HTML: images with 0-400 bytes of words
* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
*     valid
* 2.0 RCVD_IN_BRBL Received is listed in Barracuda RBL
* 0.1 FORGED_OUTLOOK_TAGS Outlook cannot send HTML in this format.
* 0.1 DKIM_INVALID DKIM or DK signature is present but invalid
* 1.9 FORGED_MUA_OUTLOOK Fake mail purporting to be from MS Outlook
X-Spam-Level: ***********
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
X-Attached: 1551903952102.jpg
X-Pm-Origin: external
X-Pm-Content-Encryption: on-delivery
X-Pm-Transfer-Encryption: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
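
An added example, not part of the original post: a small triage function that reads the fields that matter in headers like the ones above (the SPF, DKIM and DMARC verdicts, and whether the visible From domain matches the envelope sender). The sample message is constructed with placeholder domains because the page's values are redacted, and the From-equals-To check assumes the "sent from yourself" scenario in the question.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: same verdicts as the headers above, placeholder domains.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; dmarc=none (p=none dis=none) header.from=example.com
Authentication-Results: mx.example.org; spf=none smtp.mailfrom=mailer.example.net
Authentication-Results: mx.example.org; dkim=fail reason="key not found in DNS" header.d=example.net
From: "Support" <grandma@example.com>
To: grandma@example.com
Subject: grandma

body
"""

def org_domain(header_value):
    """Naive organisational domain: last two labels (no public-suffix list)."""
    domain = parseaddr(header_value)[1].rpartition("@")[2].lower()
    return ".".join(domain.split(".")[-2:])

def triage(raw):
    """Return a list of findings a receiver should treat as forgery signals."""
    msg = message_from_string(raw)
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        # The authserv-id precedes the first ';'; method=result pairs follow.
        for method, result in re.findall(r";\s*(spf|dkim|dmarc)\s*=\s*(\w+)", value):
            verdicts[method] = result.lower()
    findings = []
    for method in ("spf", "dkim", "dmarc"):
        if verdicts.get(method) != "pass":
            findings.append(f"{method}={verdicts.get(method, 'missing')}")
    from_dom = org_domain(msg.get("From", ""))
    env_dom = org_domain(msg.get("Return-Path", ""))
    if from_dom != env_dom:
        findings.append(f"From domain {from_dom} differs from envelope domain {env_dom}")
    if parseaddr(msg.get("From", ""))[1] == parseaddr(msg.get("To", ""))[1]:
        findings.append("From address equals To address")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

With no SPF record and a DMARC policy of none on the From domain, a receiver has nothing to enforce, which is why a message with these verdicts is scored as spam rather than rejected outright.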


Dealing with repeated spammers / accounts

How do you deal with repeated account compromises that send spam?

We have a huge problem with the passwords of users' e-mail accounts, which are vulnerable to IP addresses around the world and used to send spam.

Usually we just change the password on the email account and write to the user. Recently, however, there have been multiple email accounts for these accounts that are at risk or the same email account has been compromised time and again.

Mostly the problem is an extremely weak or insecure password. In other cases, I suspect that the user has malware installed on their computer (and does not know what else is going on with their computer) or checks the account over insecure networks.

If it happens over and over again, sometimes we will proactively change the passwords of all of the account's email accounts or lock the account at other times. But apparently people do not like it – and they would as well outsource their hosting to a company that either knows no compromise issues or to a web hosting company that does not care about sending spam repeatedly.

I am beginning to believe that I am losing a hard battle. I think it might be easier to let the spammers run rampant. And then, when people complain that they cannot send mail because of blacklisting, I simply tell them "hard%? $ #!".

I mean, is that what everyone else is doing?

Sorry, I did too much over the weekend and this week and had to get on my soapbox a bit.
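
An added example, not part of the original post: one way to catch the pattern described above (a mailbox being logged into from addresses around the world) before the spam run gets an IP blacklisted. The log format, the account names and the thresholds are assumptions, and distinct /24 networks stand in for geography because no GeoIP database is used.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in a hypothetical "timestamp account source-ip" format;
# adapt the parsing to whatever your MTA writes for successful SMTP AUTH.
SAMPLE_LOG = """\
2019-03-06T19:00:00 alice@example.com 198.51.100.10
2019-03-06T19:05:00 bob@example.com 203.0.113.7
2019-03-06T19:06:00 bob@example.com 198.51.100.99
2019-03-06T19:07:00 bob@example.com 192.0.2.45
2019-03-06T19:30:00 alice@example.com 198.51.100.11
2019-03-06T21:30:00 carol@example.com 203.0.113.8
2019-03-06T23:45:00 carol@example.com 192.0.2.9
""".splitlines()

def network(ip):
    """Group IPv4 addresses by /24 so one roaming client is not counted as many."""
    return ip.rsplit(".", 1)[0]

def flag_accounts(lines, window=timedelta(hours=1), max_networks=2):
    """Return {account: networks} for accounts that authenticated from more than
    max_networks distinct networks inside any sliding window.
    Lines must be in chronological order."""
    recent = defaultdict(deque)          # account -> deque of (time, network)
    flagged = {}
    for line in lines:
        stamp, account, ip = line.split()
        now = datetime.fromisoformat(stamp)
        events = recent[account]
        events.append((now, network(ip)))
        while now - events[0][0] > window:
            events.popleft()             # drop logins older than the window
        seen = {net for _, net in events}
        if len(seen) > max_networks:
            flagged[account] = sorted(seen)
    return flagged

if __name__ == "__main__":
    for account, nets in flag_accounts(SAMPLE_LOG).items():
        print(account, "logged in from", ", ".join(nets))
```

A flagged account is a candidate for an automatic outbound rate limit or a forced password reset, which acts on the one mailbox instead of locking the whole hosting account.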