An abuse report, in person
This message appeared in my mailbox yesterday:
Hi there! I am a professional HACKER and have successfully managed to HACK your operating system. Currently I have gained full access to your account. (sent the message from inside your e-mail) In addition, I was secretly monitoring all your activities and watching you for several months. The thing is your computer was infected with harmful spyware due to the fact that you had visited a website with porn content previously.
A common extortion threat followed: they had supposedly recorded me through my webcam, and unless $2,780 in Bitcoin reached a wallet within hours, the video would go to all my contacts. Of course, there never was any spyware, nor any video (I hope).
The text was Base64-encoded and contained homoglyphs throughout, possibly to circumvent spam detection or simply to project a 'hackerman' persona. The message was addressed both From and To my own domain: •••••@bonge.rs. After a fleeting moment of self-doubt, I inspected the raw headers for more details.
What the headers (do not) say
Similar to writing a fake return address on a physical envelope, the From address in an email can easily be spoofed and provides no guarantee of identity. By looking at the surrounding headers, the actual origin was revealed:
From: •••••@bonge.rs
Return-Path: hotels@palmview.tours
X-Source-Auth: hotels@palmview.tours
Authentication-Results: dmarc.icloud.com; dmarc=fail header.from=bonge.rs
Authentication-Results: spf=pass smtp.mailfrom=hotels@palmview.tours;
dkim=pass header.d=palmview.tours
The actual envelope sender (Return-Path) turned out to be hotels@palmview.tours. SPF and DKIM both passed, simply because the message did in fact legally originate from the servers authorised by that domain. The responsible mechanism for verifying that the authenticated domain indeed matches the visible From header is DMARC alignment. Since palmview.tours != bonge.rs, it failed, as expected. The DMARC policy for my domain is set to p=quarantine, so my email provider did precisely that and put it in the spam folder.
Another useful header is X-Source-Auth. Service providers typically insert this header to record the authenticated account that was used to send the message. This confirms that the issue stemmed from an unauthorised actor successfully authenticating against a legitimate mailbox, most likely due to a weak or leaked password, rather than an open relay vulnerability.
Whenever I receive spam or phishing emails, I typically run a WHOIS lookup → locate the abuse contact → submit a quick report. Since the headers pointed to HostGator, I forwarded the raw message to them. That sorted, I checked the website out of curiosity and learned it belonged to a small travel agency in Heliopolis, Cairo. Wait a moment! That's the very neighbourhood where I'm currently staying on holiday!
Escalating the incident
Given the proximity, I thought 'Why not?' and decided to surprise them with a visit. I packed my laptop, ordered a taxi, and headed to the address listed on their website.
Once there, I found an English-speaking employee and explained the rather unusual situation: one of their mailboxes had been sending spam, and since I happened to be in the area, I figured it would be easier to inform them in person. He directed me to the owner, who did not speak English, but we managed to communicate through a few back-and-forth exchanges using a translation app.
I showed him the headers on my laptop, he took some pictures of the evidence, and I advised him to change the password straight away and have his regular IT guy scan the server for any infected files (volunteering to poke around his systems myself seemed like a great way to look like a suspicious foreigner). He was friendly and grateful for the heads-up.

Wait! Abort!
When I returned to my accommodation, I was surprised to discover that the hosting provider had already acted on my abuse report:
Thank you for bringing this matter to our attention. I'm Shrilekha, the Abuse specialist. Upon reviewing your complaint, we have notified our customer that they have 48 hours to resolve the spamming complaint in accordance with our terms of service.
Suddenly, I found myself in the slightly absurd position of writing back to advocate for this stranger. I explained that, by pure coincidence, the business behind the compromised email account happened to be around the corner from my holiday accommodation, and that I had just met the owner in person to explain the issue and help him resolve it. I assured her he was on top of it and kindly requested to please give him some time to get it sorted.
Ad hoc tech consulting for a random Egyptian travel agency after an extortion threat, followed by an appeal to their hosting provider for leniency: not quite the kind of activity I had imagined ending up on my holiday itinerary, but a memorable experience nonetheless.