If you receive an email like the one below from GoDaddy saying that they are suspending your email address and that you need to verify your account, don’t click on it! It’s a scam, and likely to download malware onto your computer or device!
It really looks as if it could be from GoDaddy, including because they stole GoDaddy’s logo and put it in their fake email. All of this is intended to lull you into a false sense of security, and to believe that the email really is from GoDaddy. (Read our article here about how having your email program display senders’ images and info helps scammers.)
The text of the fraudulent email says “Verify Your GoDaddy Account! Hi (your name), We have been unable to receive/complete your email verification, it is mandatory you complete the process manually today.Complete the process below by following the instruction to confirm your (your email address) is still in use. After you click the button above, you be prompted to complete the following steps:2. Confirm your account password. 3. Hit Submit.”
|Get notified of new Internet Patrol articles for free!
Now, depending on how your email program works and is set, you may be able to notice that even though the name in the ‘From:’ address says ‘GoDaddy’, the email address itself will look something like this:
Decidedly not a GoDaddy address.
And, in fact, the full headers of this scam email look like this:
To: Support Services
Arc-Seal: i=1; a=rsa-sha256; t=1576602310; cv=none; d=google.com; s=arc-20160816; b=kCUtQP2NqSKaxr4jt2S8PpTL4/HKMbyplUa6O55BVjU/t8ei5xQkOVQzcovd1aIKx4 uvc6+OHBHL4og4jRoTcZyy952l2GLD8RyAwDXLggOvFqK/3cIjC99VymHzOgcqhWYjL2 mksG3yBBmiFEz8Y0F2rR8pclGns/OGReb5Q15wV+xXxyyT0NxHgZJrDVdSpartCKBNUs uZEyPzNF15qzwAtLQxaUge7xs5XBLt2ypjcEI7KbTPS9+vXZw7VV9uYBE/94buB1CyOQ lyU4ZWH8VQi+3lZ7An150sMNZiVDvmv2NjtXq8nMieFvEOMquj/k5z3QhfJAMmPzwOO8 XBRg==
X-Received: by 2002:a17:902:7c83:: with SMTP id y3mr24121792pll.34.1576602311148; Tue, 17 Dec 2019 09:05:11 -0800 (PST)
X-Received: by 2002:a17:902:7c83:: with SMTP id y3mr24121684pll.34.1576602310117; Tue, 17 Dec 2019 09:05:10 -0800 (PST)
Arc-Authentication-Results: i=1; mx.google.com; spf=fail (google.com: domain of firstname.lastname@example.org does not designate 126.96.36.199 as permitted sender) smtp.mailfrom=”SRS0=LV7g=2Hemail@example.com”
X-Virus-Scanned: Content scanner at isipp.com
Authentication-Results: mx.google.com; spf=fail (google.com: domain of firstname.lastname@example.org does not designate 188.8.131.52 as permitted sender) smtp.mailfrom=”SRS0=LV7g=2Hemail@example.com”
X-Priority: 1 (Highest)
Arc-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=mime-version:date:content-transfer-encoding:importance:message-id :subject:to:from:delivered-to; bh=Xjg5Xr8aVBMpY4DQoy3SZtf9hB4LZ2PJ6thbPyGRP6M=; b=nUUCf0trG+h9JbQWSfF9+jraS4cDhS6JFthZkhLY6ALtpnHSD752HY3wKlPCLkcIXj VSYdSpGfO+bTihrlReP2QjOZIWG8b/9fj6KdaZ05UTKGJFYUYBm7T7y7J07K6lMjj/3u nKpWVouPWwP/z5RLXW7Z75FIEp1Hk8MIxaDe3VfhQQS9ln4Dk2sqZhQOde5pKS4it7j+ 96lMgma2Regt7apw9ijCk7GtqcUBSPrcjXaNC8ztPZ0VNJvN69SR5Vyodat91jRmzrLD pN/wAxT0IEXD8b+ce/e2OqzieXegf7paINdCuaWWjmuUzuqENFfZSmZO/QUmkpxAgg/N 9n3g==
X-Cmae-Envelope: MS4wfHOpZKrlZWTYFrOAghBPaJAkFjrEov+wdx9EH8ii006woRa5sJoRyELp5UTH32wP55XsyT8rGyp88s0i003uoR7P10CUcrfPnrujYoCfy9NPL1e5gLC0 frLfkjJ4D8KLdM8IARHnS/IvgQgnIleC6cHrfZ6hXZskMe2GPlR55Nf9AONIEvGRxAYKMh3HuWrFmlzdJo2fxZE3M3GuaKgjl8nvMeVY46SIKmNxw4TC/Mdh 0k9wWT4X97PMubtaDVAQqg==
X-Clientproxiedby: EX2.indiv.local (172.16.6.2) To EX1.indiv.local (172.16.6.1)
Content-Type: text/html; charset=”utf-8″
Received-Spf: fail (google.com: domain of firstname.lastname@example.org does not designate 184.108.40.206 as permitted sender) client-ip=220.127.116.11;
Delivered-To: (our email address)
Received: by 2002:a05:6214:ab1:0:0:0:0 with SMTP id ew17csp2971187qvb; Tue, 17 Dec 2019 09:09:12 -0800 (PST)
([18.104.22.168]) (envelope-sender email@example.com) by p3plsmtp27-02-25.prod.phx3.secureserver.net (qmail-1.03) with SMTP for
Received: from mo1-4.mail-out.ovh.ca ([22.214.171.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 256/256 bits) (Client did not present a certificate) by CMGW with ESMTP id hGHOiYEp8H1uqhGHPiFLdI; Tue, 17 Dec 2019 10:05:03 -0700
Received: from EX1.indiv.local (gw1.ex.mail.ovh.ca [126.96.36.199]) by mo1.mail-out.ovh.ca (Postfix) with ESMTPS id E576385993 for
Received: from [127.0.0.1] (188.8.131.52) by EX1.indiv.local (172.16.6.1) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1847.3; Tue, 17 Dec 2019 12:04:55 -0500
In case you are not familiar with reading email headers, we have a plain English explanation of them in our how to report spam tutorial.
What these email headers tell us is that this email came not from GoDaddy’s email servers, but was sent by someone using a Microsoft product, sent through OVH.ca. OVH is a cloud service headquartered in France (OVH stands for On Vous Héberge, which translates to We Host You), and OVH.ca is their Canadian domain address.
So, there are many clues that this is not really from GoDaddy, and is a spoofed scam, but only if you know how and where to look.
Did you receive one of these scam emails “from” GoDaddy?
No Paywall Here!
The Internet Patrol is and always has been free. We don't hide our articles behind a paywall, or restrict the number of articles you can read in a month if you don't give us money. That said, it does cost us money to run the site, so if something you read here was helpful or useful, won't you consider donating something to help keep the Internet Patrol free? Thank you!
|Get notified of new Internet Patrol articles!