Scamwatch Reporting

I do a lot of Scamwatch reports, and want to make my reporting more effective.

What’s the best way to copy an email for them? I hit the “i” which gives me the header information and copy that, but it does not do much more than give the spam filter eg Client Atmail 7.2.0.14467 and reveal the Reply email (which is usually some random email address - they want you to click the link). I remember doing some “forwarding” that gave more information for my ISP.

I hover over the link and write where it goes, so I can put that into the Website box. I can’t find a way to just copy it.

There are days I wish I had an “account” with the boxes all filled in, so I could just fly through, as sometimes the reporting takes longer than the scam.

2 Likes

For Scamwatch and other needs I often use a screen capture. On iOS it defaults to a picture which will appear briefly requesting you save or edit. You can always open it from pics to edit later and move or save it to a different file/folder. I’ve an App to resize (reduce the resolution) if required to produce a more compact pic to attach and send.

For a PC I simply open Paint or Word and paste the image directly. Most often Paint as it’s easy to edit (crop and resize to a lesser resolution).

Hence any detail I can reveal on the screen can be saved without too great a difficulty. It still leaves one to manually type in some of the responses to Scamwatch.

2 Likes

People investigating email scams want the “raw” email in its entirety, which retains all the information they need to investigate the scam. How you get that depends entirely on the mail client you are using; look for an “export” or “save message” option.

In Gmail the option is “Download message”, which saves the message as a file in “.eml” format, which you can then upload to Scamwatch with your report. In ProtonMail the option is “Export”, which also saves the file in “.eml” format. Other message file formats investigators might be able to use are “.msg” and “.html”.

If exporting the message in its entirety isn’t an option, people investigating email scams will generally find the “message headers” useful as well; this is information usually invisible to you (the message recipient), but it is information which is tacked onto the message by each server the message passes through on its trip from the sender to you. It provides information on where the message came from, how it made its way to you, and other information such as the validation checks that were applied in transit.

Again, how you get the message headers depends entirely on the mail client you are using; in Gmail the option is “Show original”, and in ProtonMail it is “View headers”. These options display text which you can copy-and-paste into your Scamwatch report.

Note that the message headers really aren’t human-readable (unless supporting email systems is your job!), but they are very helpful to an investigator.

Note also that, if you forward an existing email, all the message headers on the email are lost and the recipient will only see the message headers generated on the forwarded email’s trip from you to them. That’s one of the reasons why an investigator really wants to obtain the “raw” email in its entirety, and receive it from you as a “.eml” or other file.

8 Likes
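An added example (not from the thread, and not ScamWatch’s or any mail provider’s code) showing, in Python with only the standard library, how the facts a reporter otherwise copies by hand can be pulled out of a saved “.eml” file: the Received chain in origin-to-recipient order, the SPF/DKIM/DMARC results, whether the Reply-To differs from the From address, and every link target in the HTML body. The message below is a constructed sample; for a real report, `SAMPLE_EML` would be the bytes of the downloaded .eml.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# Constructed sample .eml (not a real message). Each relay prepends its own
# Received: line, so the newest hop is on top and the origin is at the bottom.
SAMPLE_EML = b"""\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbox.example.org with ESMTPS; Tue, 01 Jan 2024 10:00:02 +0000
Received: from unknown (HELO bank-secure.example) ([198.51.100.77])
\tby mx.example.net with SMTP; Tue, 01 Jan 2024 10:00:00 +0000
Authentication-Results: mx.example.net; spf=fail; dkim=none; dmarc=fail
From: "Your Bank" <alerts@bank.example>
Reply-To: <random123@free-mail.example>
Content-Type: text/html; charset=utf-8

<p>Please <a href="http://198.51.100.77/login">verify</a> now.</p>
"""

class _LinkCollector(HTMLParser):
    # Collects every <a href="..."> target so it can be copied, not hovered.
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]

def _addr(msg, name):
    hdr = msg.get(name)
    return hdr.addresses[0].addr_spec.lower() if hdr and hdr.addresses else ""

def summarise(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Reverse so the chain reads from the claimed origin toward the recipient.
    hops = [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))]
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                           str(msg.get("Authentication-Results", ""))))
    links = []
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None and body.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(body.get_content())
        links = collector.links
    sender, reply_to = _addr(msg, "From"), _addr(msg, "Reply-To")
    return {"hops": hops, "auth": auth, "from": sender, "reply_to": reply_to,
            "reply_to_differs": bool(reply_to) and reply_to != sender,
            "links": links}
```

Note that only the bottom-most Received line was written by a server you can trust (your own provider’s); everything below it in the chain is whatever the sending host claimed, which is exactly why the raw file, not a forward, is what an investigator wants.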

Welcome to the community @Fred26
Are there any risks to a personal device in taking the suggested steps? One might expect ScamWatch would offer similar examples and advice to those reporting. But then again ScamWatch is a Govt service.

2 Likes

Are there any risks to a personal device in taking the suggested steps?

If by “personal device” you mean a mobile phone or tablet, the email apps on most such devices have fewer features than the equivalent email client application on a desktop or laptop computer, so the steps I listed may not be possible on a personal device, and you would need to either save the file or extract the message headers using the email client on your desktop or laptop.

As to the “risk”, the only risk to you is that of information exposure; if you take a genuine confidential email message, save it in its entirety and then provide it to a third party, you are providing them with the confidential information. If it is a government body like ScamWatch, you can reasonably assume they will treat it appropriately, but there is of course no guarantee. If it’s a scam message, it is very unlikely to contain confidential information, so this isn’t a risk.

Providing just the message headers supplies much less information, but the information may still be confidential from your perspective if it is a genuine email message eg details about the sender such as their email address, IP address and email client. Again, if it is a scam message, this is unlikely to be an issue unless you consider your own email address and IP address to be confidential, because these are also included in the message headers.

In summary, taking the steps I described previously will generally not be possible on a mobile phone or tablet, but if done on a desktop or laptop, carries no risk to yourself or your devices if you are doing so to provide scam email messages to ScamWatch.

One might expect ScamWatch would offer similar examples and advice to those reporting

Each mail client has its own method of saving raw messages and extracting message headers, so ScamWatch can only provide general guidance, just as I have done.

However, if ScamWatch can see that you are the first reporter of what appears to be a major new attack (not just the hundredth person today to report a Nigerian Prince email), they will probably want to investigate promptly and in detail, and may reach out to you personally and have you assist them, which may well involve them giving you specific instructions related to your email client for you to provide them with further information.

To be fair to ScamWatch, any criminal with the time, inclination and some computer skills can attempt to scam thousands or millions of people around the world and there is little if anything ScamWatch can do to prevent this. Their role is more around educating businesses and the general public, monitoring trends and liaising with other organisations (Microsoft/Apple/Google as operating system suppliers, web site hosting services, mobile carriers, ISPs etc) to have them fix security bugs, block illegitimate traffic, evict illegitimate users of their services and so on.

4 Likes

Forwarding the email also saves the sending data as it encapsulates the previous message in a new header without removing the old information… Most scam reporting portals advise the user to forward the email to the scam reporting address as the email is then treated as dangerous and handled appropriately.

2 Likes

Forwarding the email also saves the sending data as it encapsulates the previous message in a new header without removing the old information

Ummm…no.

I suspect you are confusing the “From:”, “To:”, “Subject:” and “Date:” information (which you can see at the top of a message you have received and are plainly readable) with Internet mail message headers (which you cannot normally see and which are fairly cryptic).

This blog article describes the differences between them: What are email headers? | Proton

Yes, the “From:”, “To:”, “Subject:” and “Date:” which you (as the recipient of the original message) can see at the top of the message are going to be visible to the person you forward the message to (quoted in the body of the forwarded message), but most of this information can (and often is) forged by the scammer sending the message, so it is of limited use to ScamWatch.

But no, message headers, which are actually useful to ScamWatch in tracking the source of the original message, are discarded when you forward the message to them.

You don’t need to take my word for it; look at the message headers of a message that a friend or family member has sent you, then forward the message back to them, ask them to forward it back to you again, and look at the message headers of the resulting message; they will be different.

Most scam reporting portals advise the user to forward the email to the scam reporting address as the email is then treated as dangerous and handled appropriately.

Yes, but that’s usually because it is far easier for you to forward a suspect email to their scam reporting mailbox than it is for you to go to their scam reporting web page, fill in your contact details, extract the contents of the suspect email and then upload it.

The fact that this thread started with someone asking how they can submit ScamWatch reports with less effort demonstrates that the more difficult they make it to submit a report, the less inclined people are to do so.

As noted in my previous post, if you submit a suspect email and ScamWatch are really keen to investigate further, they will reach out to you and guide you through how to provide all the information they need.

2 Likes

Then just create a new message and include the scam message as an attachment to preserve everything. No need to go to the extent usually of saving the suspect email as another offline email format such as .eml.

Proton may do it differently but most instructions are usually when people want to see the headers themselves, such as with Google the way to read the headers is to follow these steps (courtesy of Google)

Analyze an email header

  1. On your computer, open Gmail.
  2. Open the email that you want to analyze.
  3. Next to Reply, click More and then Show original.
     • In a new window, the full header shows.
  4. Click Copy to clipboard.
  5. Open Google Admin Toolbox Messageheader.
  6. In the box, paste your header.
  7. Click Analyze the header above.

5 Likes

Then just create a new message and include the scam message as an attachment to preserve everything. No need to go to the extent usually of saving the suspect email as another offline email format such as .eml.

If your mail client has that capability, great, you’ve saved yourself a step and avoided having to delete the file afterwards.

Unfortunately, not all mail clients provide that capability, and I was attempting to make my instructions as generic as possible.

1 Like