How email phishing works

Spam folder

This is a little bit off-topic from my usual beaches-and-travel-and-food, but email infrastructure is a hobby of mine so bear with me while I try to explain things for the layman.

You’ve gotten a phishing email before, unless your provider is super good at filtering them (more on that in a moment). They claim that someone accessed your account and you should change your password, or someone made a purchase and you should log in to cancel it, or whatever. Hopefully you’ve never clicked. If you think an email might really be from your bank or whatever, go use your usual bookmark to visit the site instead.

If your email client is any good, it showed you that no matter how legit the email looked, the link you’re about to click is really http-some-super-sketchy-site-dot-something. Or maybe That’s the thing phishers try to target - figuring out how to conceal the destination from you. Sometimes they use url shorteners like, or close-but-not-quite domains, and that often works because legit sites use them too (which there’s really no excuse for, in email, and if your bank does that you should close your account because chances are they’re doing other security wrong too).

Here’s where it gets interesting: to do bulk url-shortening, you have to set up an account. is public by default - if you know how to ask, you can get the list of every link a particular account has made a shortener for. Individualized links make the page look legit when you get there by customizing them with your email and as much profile info as they’ve collected from the public web, so you can look at the other links and find out similar things about other people. (You can pause reading now to go lock down your Facebook account, I won’t mind.)

Now let’s look at a specific, ripped-from-the-headlines example: the Podesta hack. The phishing email is included in the archive it was used to steal, so it’s publicly available. The link’s no longer valid, but it’s reconstructable. You can see that they used the public Google profile to pre-populate the landing page with the email and public profile pic, so it looks super-legit at a glance. The list of other links is also no longer available, but plenty of security firms routinely download that sort of thing (that’s how your provider gets so good at filtering them) and many of them publish their findings (time-delayed - providers pay for real-time access).

Here’s a June 2016(!) analysis of that group of phishing links. Again, security firms publish these things basically to show off: “hire us, and you could have this information AS IT HAPPENS.” GMail, for instance, will see a batch of phishing emails come in and be analyzing the first few so fast the rest of the batch will never even make it to your Spam folder anymore because GMail essentially hangs up on the call before any more get delivered.

That SecureWorks analysis is interesting, incidentally, because it means that while a 14-year-old could have done it, it was definitely, publicly, not a 14-year-old who did do it. Podesta was part of a list of a couple thousand emails of very stereotypical spying targets - political journalists, aerospace researchers, military personnel, and so on. If it wasn’t Russia, it was somebody very interested in making it look like it was Russia. Pretty significant either way.

Anyway, this is, or was, my weird hobby: back in the pre-web days, group email lists were our Facebook, our web forum. I ran some, and when spam started to become a thing, I started customizing my software to filter it. As spam got more sophisticated, so did my customization; it was a continual arms race (though back then it was about selling snake oil, no literal armaments involved). In hindsight, guess I should have made it my career path, then I’d be the one doing these reconstructions. Or the one doing the phishing - I often mused that trying to keep one step ahead of spammers meant constantly thinking of better way to spam, and I’m sure a lot of people in my shoes crossed over to the side with the money.

But that isn’t how I roll, so rather than keep fighting an increasingly well-funded opponent I just shut down the server. I still watch from the sidelines, and it’s been interesting to see a piece of my hobby-of-several-decades find its way into world news.

Anyway, back to beach news soon. Or rather, forest news: we’re due for our first real snowfall tomorrow night, so hopefully it’ll be photogenic.