I received an email (text and source below) that looks socially like phishing but looks technically like it will check out. My best guess is that Unicode has been used to copy domain names.

The text of the webpage is:

Action required: Your Google Account is temporarily disabled
Hi, We’ve detected unusual activity in your Google Account jonathan.hayward@pobox.com and locked it to protect your information.

  1. Sign in to your account or to any Google service as soon as possible, to reactivate your account.
  2. Use the Security Checkup to verify and improve your account’s security.

The Google Accounts team

This email can't receive replies. For more information, visit the Google Accounts Help Center.

You received this mandatory email service announcement to update you about important changes to your Google product or account.

© 2017 Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

The source is:

Delivered-To: christos.jonathan.hayward@gmail.com
Received: by with SMTP id g10csp342702edj;
        Thu, 7 Sep 2017 09:56:54 -0700 (PDT)
X-Received: by with SMTP id w18mr4723276qkb.163.1504803414371;
        Thu, 07 Sep 2017 09:56:54 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1504803414; cv=none;
        d=google.com; s=arc-20160816;
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@accounts.google.com header.s=20161025 header.b=f6IaG5Yo;
       spf=pass (google.com: domain of srs0=jfi5=ai=gaia.bounces.google.com=3vxqxwqgtaoirs-vitpceggsyrxw.ksskpi.gsq@bounce2.pobox.com designates as permitted sender) smtp.mailfrom=SRS0=jFi5=AI=gaia.bounces.google.com=3VXqxWQgTAOIRS-VITPcEGGSYRXW.KSSKPI.GSQ@bounce2.pobox.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=accounts.google.com
Received: from pb-mx14.pobox.com (pb-mx14.pobox.com. [])
        by mx.google.com with ESMTPS id k65si103352qkf.467.2017.
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 07 Sep 2017 09:56:54 -0700 (PDT)
Received-SPF: pass (google.com: domain of srs0=jfi5=ai=gaia.bounces.google.com=3vxqxwqgtaoirs-vitpceggsyrxw.ksskpi.gsq@bounce2.pobox.com designates as permitted sender) client-ip=;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@accounts.google.com header.s=20161025 header.b=f6IaG5Yo;
       spf=pass (google.com: domain of srs0=jfi5=ai=gaia.bounces.google.com=3vxqxwqgtaoirs-vitpceggsyrxw.ksskpi.gsq@bounce2.pobox.com designates as permitted sender) smtp.mailfrom=SRS0=jFi5=AI=gaia.bounces.google.com=3VXqxWQgTAOIRS-VITPcEGGSYRXW.KSSKPI.GSQ@bounce2.pobox.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=accounts.google.com
Received: from pb-mx14.nyi.icgroup.com (localhost []) by pb-mx14.pobox.com (Postfix) with ESMTP id 0BF4F20189 for ; Thu,
  7 Sep 2017 12:56:54 -0400 (EDT)
X-Pobox-Loop-ID: 5f0919ca6722ee2ad126d239e3273c1129427ad0
Delivered-To: jonathan.hayward@pobox.com
X-Pobox-Delivery-ID: E285A2-D270B20187-1504803414-07697135!pb-mx14.pobox.com
Received: from mail-yw0-f199.google.com (mail-yw0-f199.google.com []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pb-mx14.pobox.com (Postfix) with ESMTPS id D270B20187 for ; Thu,
  7 Sep 2017 12:56:53 -0400 (EDT)
Received: by mail-yw0-f199.google.com with SMTP id x144so231194ywd.15
        for ; Thu, 07 Sep 2017 09:56:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=accounts.google.com; s=20161025;
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
X-Gm-Message-State: AHPjjUgzmSZPgCWmHX9MPzCSGSmIw4njupwzCIc0Utr0EXvA0HAYfDgd v46KxhtuxEOCF8zAr4DDITXl097WRldz
X-Google-Smtp-Source: ADKCNb4JVdIC05q1wFsStNjSNVjkYZ1onuhcEX2PMg9EGRKbX5+p6JVMW3HQmMc6Pnw9ANRxDif9hkAW4qhBGJpJG6gdqA==
MIME-Version: 1.0
X-Received: by with SMTP id y81mr2097463ywd.103.1504803413568; Thu, 07 Sep 2017 09:56:53 -0700 (PDT)
Date: Thu, 7 Sep 2017 16:56:14 +0000 (UTC)
X-Notifications: XEAAAAIxDcr8zzNnoAtSR2bobk0A
X-Account-Notification-Type: 68
Feedback-ID: 68:account-notifier
Subject: Action required: Your Google Account is temporarily disabled
From: Google 
To: jonathan.hayward@pobox.com
Content-Type: multipart/alternative; boundary="94eb2c0762b0ec2da405589c58ad"
X-Pobox-Client-Name: mail-yw0-f199.google.com
X-Pobox-Client-HELO: mail-yw0-f199.google.com
X-Pobox-Original-Sender: 3VXqxWQgTAOIRS-VITPcEGGSYRXW.KSSKPI.GSQ@gaia.bounces.google.com

Content-Type: text/plain; charset="UTF-8"; format=flowed; delsp=yes
Content-Transfer-Encoding: base64

Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

@media s=
creen and (min-width: 600px) {.v2sp {padding: 6px 34px 0px;}}=
Action required: Your Google Account is temporarily disab=
ve detected unusual activity in your Google Account jonathan.hayward@pob=
ox.com and locked it to protect your information.

1. Sign in to your account or to any Google ser= vice as soon as possible, to reactivate your account.
2. Use the Security Checkup to verify= and improve your account=E2=80=99s security.
The Google Accounts= teamThis email can't receive replies. For more in= formation, visit the Google Accounts Help Center.You received this mandatory email service announcement to= update you about important changes to your Google product or account.= © 2017 Google Inc., 1600 Amphitheatre Parkway, Mountain View= , CA 94043, USAet:68 --94eb2c0762b0ec2da405589c58ad--

How, besides basic social blunders on the attacker's end, can I recognize the phishing?


I started writing the note below as a comment to an answer, then realized I should have put this in the question from the beginning. I wrote:

One comment that I probably should have added: I have a main email address, christos.jonathan.hayward@gmail.com, which can send email through several addresses, including sending email from jonathan.hayward@pobox.com by logging into pobox servers. The second address has no separate Gmail account, just a passport to get in to pobox.com and send emails, if you will. I read the quoted email from the first address, which does not seem impaired in any way.

And more specifically, I've sent test emails to and from jonathan.hayward@pobox.com. All of them have gotten through uneventfully.

Christos Hayward
    Check here: https://myaccount.google.com what is happening with your account, and change your password as soon as possible, because your email can be found in many public dumps - check - https://haveibeenpwned.com/. – Mirsad Sep 08 '17 at 02:27

3 Answers


The first indication that this is not a phishing email is that there's no link included, nor are there instructions to navigate to a specific domain or URL. The email only directs you to log in to your account, which you'll do through a URL that you already know to be trustworthy.

Looking into the headers, the receiving server has added these:

Authentication-Results: mx.google.com; dkim=pass header.i=@accounts.google.com header.s=20161025 header.b=f6IaG5Yo; spf=pass (google.com: domain of srs0=jfi5=ai=gaia.bounces.google.com=3vxqxwqgtaoirs-vitpceggsyrxw.ksskpi.gsq@bounce2.pobox.com designates as permitted sender) smtp.mailfrom=SRS0=jFi5=AI=gaia.bounces.google.com=3VXqxWQgTAOIRS-VITPcEGGSYRXW.KSSKPI.GSQ@bounce2.pobox.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=accounts.google.com 

This indicates that the receiving server mx.google.com has validated that the sender is who they claim to be, passing SPF and DKIM checks (as indicated by spf=pass and dkim=pass).

Additionally, this header contains header.from=accounts.google.com, telling us that when Google's receiving server got this email, the From header contained an address at accounts.google.com.

For whatever reason, Gmail appears to have changed this header to simply read Google, presumably to indicate to the user that it's confirmed to be sent by Google itself.

Conclusion: the email is legitimate.

  • Thank you; could you review the update at the bottom of my email? There's something puzzling me in that jonathan.hayward@pobox.com is not a full-fledged Gmail account. – Christos Hayward Sep 09 '17 at 12:42
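
The check the first answer above performs by eye, as an added example (not part of the answer and not Google's code): parse the Authentication-Results value, trust it only if it was written by the reader's own receiving server, and report which passing mechanism is aligned with the From: domain. The function names are hypothetical, the SRS envelope address in the sample is shortened to a placeholder, and only exact-match (strict) alignment is checked; relaxed DMARC alignment needs the Public Suffix List.

```python
import re

# Constructed sample: the header quoted in the answer above, with the long
# SRS envelope address shortened to "srs0=placeholder" (an assumption).
SAMPLE = (
    "mx.google.com; dkim=pass header.i=@accounts.google.com "
    "header.s=20161025 header.b=f6IaG5Yo; "
    "spf=pass (google.com: domain of srs0=placeholder@bounce2.pobox.com "
    "designates as permitted sender) "
    "smtp.mailfrom=SRS0=placeholder@bounce2.pobox.com; "
    "dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=accounts.google.com"
)

def parse_auth_results(value):
    """Split an Authentication-Results value into (authserv_id, results)."""
    value = re.sub(r"\([^()]*\)", " ", value)      # drop parenthesised comments
    parts = [p.split() for p in value.split(";") if p.strip()]
    results = []
    for tokens in parts[1:]:
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append({"method": method.lower(), "result": result.lower(), **props})
    return parts[0][0].lower(), results

def domain_of(value):
    """Domain part of '@example.com', 'user@example.com' or 'example.com'."""
    return value.rpartition("@")[2].lower()

def evaluate(value, trusted_authserv="mx.google.com"):
    """Report which passing mechanism is aligned with the From: domain."""
    authserv_id, results = parse_auth_results(value)
    if authserv_id != trusted_authserv:
        # Any sender can put this header in a message; only the copy written
        # by the reader's own receiving server carries weight.
        return {"trusted": False, "from": None, "aligned": []}
    passed = [r for r in results if r["result"] == "pass"]
    from_domain = next((domain_of(r["header.from"]) for r in passed
                        if r["method"] == "dmarc" and "header.from" in r), None)
    aligned = []
    for r in passed:
        ident = r.get("header.i") if r["method"] == "dkim" else r.get("smtp.mailfrom")
        if r["method"] in ("dkim", "spf") and ident and domain_of(ident) == from_domain:
            aligned.append(r["method"])
    return {"trusted": True, "from": from_domain, "aligned": aligned}
```

On the sample only DKIM is aligned: SPF passed for bounce2.pobox.com, the forwarder's envelope domain, so the DMARC pass rests on the accounts.google.com DKIM signature surviving the pobox.com forward.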

It is hard to tell if the mail is fake, but there are some strange things in it - which might or might not be due to the way you provided the source code of the mail:

  • The HTML part claims to be quoted-printable UTF-8 and thus should not contain any non-ASCII characters unencoded. But, what you provided contains a clear '©' which would need to be encoded.
  • The DKIM signature does not match the body of the mail. But again, this might be a problem of how you provided the source of the mail.
  • There is no Message-ID given (i.e. empty). Again, this might be a problem with how you've provided the source code.
  • Similarly, there is no email in the 'From: ..' header but only 'Google'. Given that other headers claim to have a successful DMARC validation, this should not be possible, since DMARC requires a valid From header which must match the domain of the DKIM signature.

My guess is that you actually don't provide the full and exact source code of the mail for validation, either because you've tried to remove some information or because of the way this source was provided to you from the mail program you use. In this case the source is not of much use for further analysis.

Steffen Ullrich

From: Google looks suspicious in this one. Legitimate email will have some sort of sent address, even if it is a noreply@.

Some phishing email is particularly well crafted though, so the advice I always give people is that if you receive an email with a link that you are unsure about, either:

  1. Browse to the organization's site that the email claims to be from yourself. By initiating the communication, you know who you are talking to, rather than risking a possibly dodgy link in an email. In this instance, you'll know quickly if your Google account is locked out.

  2. Contact the vendor. Tricky when that is Google, but if it was a bank, for example, they would be able to tell you if the email was legitimate.

Hope that helps.

  • What is in the email that could be a phishing attack? Nothing. There are no links, and nothing that directs you to a website or a place that could pretend to be Google. – Keith M Sep 08 '17 at 05:13