Trying to understand the point of this scam email

I was reviewing my spam folder and spotted this: “Finally! My AdultSexMeet confirmation is here!”

People are going to have one of two reactions:

  • Hooray! Free porn! Confirm, confirm, confirm! OR
  • OMG! I didn’t sign up for porn! Now everyone can see my profile! I’m so embarrassed! Close, close, close!

I inspected the buttons and links in the email and they are all <a> with mailto in the href, with multiple addresses in the mailto. Many, many addresses. All different, like backpackersworld.com and tasmaniatours.com.au and yandex.ru.

[Screenshot of HTML structure of link]

I have seen this methodology in a few emails now that I’m looking for it.

I’m trying to understand the point of this attack. Are they trying to harvest email address confirmations? My email address has been in countless breaches because “the internet”. It’s not a state secret. Seems a lot of effort to go to for something that is public knowledge.

I’m not sure what to warn my users about. “Don’t click suspicious links ever. If you click this type it will expose your email address… er… some more.”

What am I missing?
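One way to spot this pattern mechanically, as an added example that is not part of the original post: walk the anchors of an HTML email, collect every address a mailto: href carries (in the path and in its to/cc/bcc query parameters) and report links whose recipient count exceeds a threshold. The threshold, the function names and the sample email HTML are my own constructions.

```php
<?php
// Added example (not from the post): scan an HTML email for anchors whose
// mailto: href fans out to many recipients, via the path and the to/cc/bcc
// query parameters. The sample HTML at the bottom is constructed.

function mailto_recipients(string $href): array {
    $rest  = substr($href, strlen('mailto:'));
    $parts = explode('?', $rest, 2);
    $addrs = explode(',', urldecode($parts[0]));
    if (isset($parts[1])) {
        parse_str($parts[1], $query);
        foreach (['to', 'cc', 'bcc'] as $field) {
            if (!empty($query[$field])) {
                $addrs = array_merge($addrs, explode(',', $query[$field]));
            }
        }
    }
    // Keep only well-formed, distinct addresses.
    $addrs = array_filter(array_map('trim', $addrs), fn($a) => filter_var($a, FILTER_VALIDATE_EMAIL));
    return array_values(array_unique($addrs));
}

// One entry per link that reaches $threshold or more recipients.
function find_mass_mailto_links(string $html, int $threshold = 3): array {
    libxml_use_internal_errors(true); // sloppy marketing HTML is expected
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $hits = [];
    foreach ($doc->getElementsByTagName('a') as $a) {
        $href = $a->getAttribute('href');
        if (stripos($href, 'mailto:') !== 0) {
            continue;
        }
        $addrs = mailto_recipients($href);
        if (count($addrs) >= $threshold) {
            $domains = array_unique(array_map(fn($e) => strtolower(explode('@', $e)[1]), $addrs));
            $hits[] = ['text' => trim($a->textContent), 'recipients' => count($addrs), 'domains' => array_values($domains)];
        }
    }
    return $hits;
}

// Constructed sample: both buttons hide a long recipient list; the contact link does not.
$sample = '<p>Finally! Your confirmation is here!</p>'
    . '<a href="mailto:a@example.com,b@example.net,c@example.org?cc=d@example.com&amp;subject=Confirm">Confirm</a>'
    . '<a href="mailto:x@example.com?bcc=y@example.net,z@example.org">Close</a>'
    . '<a href="mailto:support@example.com">Contact us</a>';

foreach (find_mass_mailto_links($sample) as $hit) {
    printf("%-10s -> %d recipients across %s\n", $hit['text'], $hit['recipients'], implode(', ', $hit['domains']));
}
```

The same check can run in a mail filter before delivery, where a link that addresses many unrelated domains is a cheap signal for quarantining or tagging the message.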

Is it possible to hijack specific e-mail with remote access?

I don’t know exactly how to ask this but I was recently presented with e-mails that look like they came from my e-mail and IP address but I didn’t send them and never saw them. It is a back and forth correspondence with another gmail account. Is it possible someone was able to set up a forwarding without my knowing and make it look like it was coming to and from me? I did find that someone had snuck in AnyDesk and had remote access to my laptop during this time, so they had access to everything.

Changing password: Verify with old password, verify by email, or don’t verify?

Scenario

I want to change my password.

I have access to my account, this is not a forgotten password journey.

I’ve seen three approaches to this.

Method 1: Re-verify with old password

  1. Log on
  2. Navigate to my account panel
  3. Choose “Change password” option
  4. Enter my current password (verifying I know the account details)
  5. Enter my new password
  6. Submit, password is changed

This is probably the most common, and the most secure, as you have to verify immediately before changing the password.

If you gain access to someone else’s account when they’re already signed in (perhaps because they opted to save their log in details) you can’t change their password.

Method 2: Re-verify by email

  1. Log on
  2. Navigate to my account panel
  3. Choose “Change password” option, the system emails me a password reset link
  4. Open email client and locate the message
  5. Follow the link (verifying I have access to the email account)
  6. Enter my new password
  7. Submit, password is changed

This is easiest for users who have quick access to their email on their device. Presuming you have email set up in a local email client, you open the client, open the most recent email, and follow the link, skipping the “enter current password” step. You might even get a push notification, which would make this even faster.

However this is probably slowest for users who don’t have quick access to their email.

Method 3: Don’t re-verify

  1. Log on (verifying I know the account details)
  2. Navigate to my account panel
  3. Choose “Change password” option
  4. Enter my new password
  5. Submit, password is changed

This is the quickest method, with the lowest interaction cost.

Arguably the user is already logged in, and therefore verified, so shouldn’t need to re-verify.

This assumes scenarios where an unauthorised user has gained access to the account panel are too rare to justify complicating the process.

Weighing up the options

Is there anything I’ve not considered?

I’d like to go with option 3, but the fact it’s so rarely seen makes me think there’s something I’m missing.

If it was only between options 1 and 2, I suppose I’d go with option 1, since we can’t know if the email is readily accessible.
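Method 1 written out as a server-side handler, as an added example that is not part of the original post: step 4 (re-verifying the current password) is the check that stops a session left signed in on someone else’s machine from being turned into a password change, which is the scenario Method 3 gives up. The in-memory user store, the policy check and the session-version counter are my own constructions.

```php
<?php
// Added example (not from the post): Method 1 as a server-side handler. Step 4,
// re-verifying the current password, is what stops a session left signed in
// on someone else's machine from being turned into a password change.
// The user store is an in-memory array constructed for this example.

$users = [
    'alice' => [
        'hash'            => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
        'session_version' => 1, // compared against the value stored in each session cookie
    ],
];

function change_password(array &$users, string $user, string $current, string $new): array {
    if (!isset($users[$user])) {
        return ['ok' => false, 'reason' => 'no such account'];
    }
    // Step 4: prove knowledge of the current password before anything is modified.
    if (!password_verify($current, $users[$user]['hash'])) {
        return ['ok' => false, 'reason' => 'current password incorrect'];
    }
    if (strlen($new) < 12 || $new === $current) {
        return ['ok' => false, 'reason' => 'new password rejected by policy'];
    }
    $users[$user]['hash'] = password_hash($new, PASSWORD_DEFAULT);
    // Invalidate every other signed-in session, including one a bystander is using.
    $users[$user]['session_version']++;
    return ['ok' => true, 'reason' => 'password changed'];
}

// Someone at an already-signed-in session who does not know the current password.
$bystander = change_password($users, 'alice', 'not the real one', 'a-brand-new-passphrase');
// The account owner.
$owner = change_password($users, 'alice', 'correct horse battery staple', 'a-brand-new-passphrase');

printf("bystander: %s\nowner: %s\nsession_version now %d\n",
    $bystander['reason'], $owner['reason'], $users['alice']['session_version']);
```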

How to prompt existing customers to change their email

I’m looking for some UX examples of how other companies have handled this situation:

Scenario: Devs are using an old password encrypting method (SHA1, I believe) and need to change it to a more secure encryption.

What they did: When users logged in they just encrypted their password with the new encryption and the users didn’t know a thing.

The only problem is we have a number of users who aren’t frequent users who will only login periodically.

Devs want to clear all the passwords and require users to reset their passwords.

Problem: We don’t want to alert them to the fact that there are security issues, as we hold a lot of important data of users’ customers in their accounts.

When that happens users would attempt to login and just get hit with a message saying their login details are incorrect.

The initial approach was... users will eventually just click on forgotten password after being told ‘invalid credentials’.

However, this just feels wrong and we’ve tried to think of various flows, but due to dev constraints we have to stick with them having to click on the forgotten password. (Not the best solution, but we need to make the most out of this.)

My question is… what message would make sense in asking them to reset their password that doesn’t alert to security issues?

Additionally are there any existing companies that have handled randomly asking users to reset their passwords?
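The transparent upgrade the devs already did for active users, written out as an added example that is not part of the original post: a record still carrying the legacy SHA1 hash is verified with SHA1 once and rewritten with password_hash() on that same login, and a second function lists the accounts that never logged in after the cut-over, which are the infrequent users the post is deciding how to prompt. The “sha1$” prefix, the in-memory user array and the function names are my own constructions (PHP 8 for str_starts_with).

```php
<?php
// Added example (not from the post): the transparent upgrade the devs already did,
// written out. A record still carrying the legacy SHA1 hash is verified with SHA1
// once and rewritten with password_hash() on that same login. The "sha1$" prefix
// and the in-memory user array are constructed for this example.

const LEGACY_PREFIX = 'sha1$';

$users = [
    'frequent' => ['hash' => LEGACY_PREFIX . sha1('Tr0ub4dor&3'),    'last_login' => strtotime('-2 days')],
    'dormant'  => ['hash' => LEGACY_PREFIX . sha1('another-secret'), 'last_login' => strtotime('-14 months')],
];

function login(array &$users, string $name, string $password): bool {
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name]['hash'];
    if (str_starts_with($stored, LEGACY_PREFIX)) {
        // Legacy record: compare against SHA1 in constant time, then upgrade in place.
        if (!hash_equals(substr($stored, strlen(LEGACY_PREFIX)), sha1($password))) {
            return false;
        }
        $users[$name]['hash'] = password_hash($password, PASSWORD_DEFAULT);
    } elseif (!password_verify($password, $stored)) {
        return false;
    } elseif (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        // The same trick covers later cost or algorithm changes.
        $users[$name]['hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    $users[$name]['last_login'] = time();
    return true;
}

// Accounts that have not logged in since the cut-over still hold a legacy hash.
// These are the infrequent users the post is deciding how to prompt.
function accounts_still_on_legacy(array $users): array {
    return array_keys(array_filter($users, fn($u) => str_starts_with($u['hash'], LEGACY_PREFIX)));
}

login($users, 'frequent', 'Tr0ub4dor&3');
print_r(accounts_still_on_legacy($users));
```

Because the legacy hashes are still verifiable, the dormant accounts can be told “please choose a new password” at their next successful login rather than being shown “invalid credentials”.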

Sending mails with wp_mail() to multiple recipients using wp_cron and dynamic email body data

I have a frontend submission form, where users can add events to a custom post type. I want to send an email to each user 1 week before this event takes place.

The emails are sent via wp_cron. The function is called with a hook. It’s working correctly, but I want to add custom values to the email body.

With my code it’s not possible to add dynamic values to the body template of my email.

With this function below, I loop through the events post type and get the required data:

    function leweb_get_events_detail() {

        // Arguments: fetch every event, not only the first page of ten
        $args = array(
            'post_type'      => 'events',
            'posts_per_page' => -1,
        );

        // Start the Query
        $query   = new WP_Query( $args );
        $results = array();

        // The Loop
        if ( $query->have_posts() ) {

            while ( $query->have_posts() ) {

                $query->the_post();

                $event_date_timestamp = (int) get_post_meta( get_the_ID(), 'event_date_timestamp', true );
                $future_timestamp     = strtotime( '+1 week' );

                // This checks whether this email has already been sent once
                $notification = get_post_meta( get_the_ID(), 'event_creator_notification' );

                if ( ! in_array( '1week', $notification, true ) && $event_date_timestamp < $future_timestamp ) {

                    $event_id    = get_the_ID();
                    $event_email = get_post_meta( get_the_ID(), 'event_email', true );

                    $results[] = array(
                        'event_id'             => $event_id,
                        'event_date_timestamp' => $event_date_timestamp,
                        'event_email'          => $event_email,
                    );
                }
            }
        }

        // Restore the global post data after a secondary query; the original returned
        // from inside the loop and never reached this, and returned null when no post matched
        wp_reset_postdata();

        return $results;
    }

The function below lets me fetch data from the post_meta array:

    function leweb_get_values_from_post_meta( $meta = '' ) {

        $results = leweb_get_events_detail();
        $values  = array();

        foreach ( $results as $key => $value ) {
            $values[] = $value[ $meta ];
        }

        return $values;
    }

The function below is called from wp_cron. The email is sent to all recipients who match the above conditions, and a value is added to the post meta to prevent multiple sends of this email:

    function leweb_send_mail_to_author() {

        // Read all emails from the array and prepare them for the BCC field of the email header;
        // drop anything that is not a well-formed address, since it was typed into a frontend form
        $emails = array_filter( leweb_get_values_from_post_meta( 'event_email' ), 'is_email' );

        if ( ! empty( $emails ) ) {

            $emails = 'BCC: ' . implode( ',', $emails );

            // Send the email
            $to      = '';
            $subject = 'Dein Event findet bald statt!';
            $body    = file_get_contents( get_stylesheet_directory() . '/templates/email/event-creator-notification.php' );
            $headers = array(
                'Content-Type: text/html; charset=UTF-8',
                'From: Example <office@example.com>',
                $emails,
            );

            wp_mail( $to, $subject, $body, $headers );

            // Store a value in post_meta to prevent sending more than once
            $post_id = leweb_get_values_from_post_meta( 'event_id' );

            foreach ( $post_id as $id ) {
                add_post_meta( $id, 'event_creator_notification', '1week' );
            }
        }
    }

After I coded this I figured out it’s not possible to send dynamic content in the body of my email. The only way to achieve this is to call wp_mail() in a foreach. But this would be heavy, I think? It’s possible that this job sends up to a hundred emails per run in the future…

So I was wondering if there is another way to do this cleanly?

Thanks for your opinions. I know it’s a bit complex, but I don’t have any other ideas…
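One wp_mail() per event creator, with the body rendered for that event, as an added example that is not the poster’s code: it reuses leweb_get_events_detail() from the post, validates each address with is_email() before sending, addresses each message only to its own creator, and marks the event as notified right after each successful send. The {{placeholder}} convention in the template, the render function and the cron hook name are my assumptions.

```php
<?php
// Added example, not the poster's code: one wp_mail() per event creator so the
// body can carry that event's data. Reuses leweb_get_events_detail() from the post.
// The {{placeholder}} convention and the cron hook name are my assumptions.

function leweb_render_event_mail( $template, array $event ) {
    $vars = array(
        '{{event_title}}' => esc_html( get_the_title( $event['event_id'] ) ),
        '{{event_date}}'  => esc_html( date_i18n( get_option( 'date_format' ), $event['event_date_timestamp'] ) ),
        '{{event_link}}'  => esc_url( get_permalink( $event['event_id'] ) ),
    );
    return strtr( $template, $vars );
}

function leweb_send_mail_to_author() {
    $template = file_get_contents( get_stylesheet_directory() . '/templates/email/event-creator-notification.php' );
    $subject  = 'Dein Event findet bald statt!';
    $headers  = array(
        'Content-Type: text/html; charset=UTF-8',
        'From: Example <office@example.com>',
    );

    foreach ( leweb_get_events_detail() as $event ) {
        // The address was typed into a frontend form: validate it rather than trust it.
        $to = is_email( $event['event_email'] );
        if ( ! $to ) {
            continue;
        }

        // One message per creator: the To: field holds only that creator's address,
        // so no recipient sees anyone else's, and each body is rendered for its own event.
        $body = leweb_render_event_mail( $template, $event );

        if ( wp_mail( $to, $subject, $body, $headers ) ) {
            // Mark the event right away, so an error later in the loop cannot cause a resend.
            add_post_meta( $event['event_id'], 'event_creator_notification', '1week' );
        }
    }
}
add_action( 'leweb_event_creator_notification', 'leweb_send_mail_to_author' );
```

A hundred wp_mail() calls in one cron run is modest; if the list grows, cap the query with posts_per_page and let the next run pick up the rest, since the post meta already records which events were sent.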