I personally have witnessed live, in-transit, email interception. It was at a technical conference and the session was all about sniffing networks. The instructor just fired her sniffer up on the conference wireless network and within 15 minutes had several POP3/SMTP authentication pairs complete with the retrieved and sent messages. These were laptops out in the conference halls polling their email over unencrypted protocols. Then in the 15-30 minutes after the session the session attendees were doing the same thing once they downloaded the right tools.
I would be very, very surprised if the same kinds of things are not ever done on our Campus WLAN.
As a side note, the instructor also admitted to sniffing her cable-neighbor's traffic. For educational purposes only.
In terms of SMTP processing email is vastly more likely to be intercepted close to the end points. The interested parties are on either end of that conversation. In the middle where the SMTP traffic is flowing over the greater Internet, the interested party is much more likely to be a government than evil hackers.
That said, the biggest interception cases are not grabbing the SMTP transaction in flight, it's grabbing the POP3/IMAP/SMTP/WebMail login which ensures complete interception ability in perpetuity (or at least until the password is changed). This is attempted daily on my network via Phishing. Once credentials are leaked email can be read willy nilly, or more commonly used to send spam by way of our trusted email servers.
To answer your questions, though,
1: Yes, this is a real problem. The biggest exposure is over untrusted (or trusted but unencrypted) wireless networks. And governments.
2: They're out there, but I'd have to google and I'm lazy this Saturday morning. Intercepting actual SMTP transactions not at the endpoint is generally the purview of Governments and corporate security. Hackers generally target mailboxes not the transactions, as they're a much richer target.
3: Sniffing wireless networks for unencrypted email transactions is by FAR the easiest method. Think coffee-shop type setups. Lesser methods like suborning mail servers to grab messages are more theoretical than actual, though much more harmful when they do occur.
Stepping back one step to the topic of password reset emails, hackers who have compromised a mailbox can leverage such emails to compromise other sites. They compromise a gmail account and by looking at messages realize that this person does a lot of business with a certain ecommerce site known to store credit-card information. They go to that site and go through the forgotten-password process (since a LOT of sites now use the email address as the account-name these days) and get the password reset email. They reset the password, which starts the timer on when the account-owner will notice. Evil commences, especially if the ecommerce site is one that displays whole credit-card numbers in the profile.
The sad thing here is that it is entirely possible that the account-owner won't even see the inability to log in as a certain sign that evil has occurred. If they're not using a password-remembering program they could just chalk it up to creeping old age and just reset the password to one they know.
Mailchimp have an excellent article on How To Avoid Spam Filters
Update: Ok, seeing as I got slammed for just giving this link (to be fair its contents probably wouldn't solve your problem here), I've added more specific to what you're sending.
- I suspect its the text you're using. 'Please confirm your email address by clicking the link' - I think you should replace the text with 'Subscribe to this list:'. It may even be as simple as switching from 'please confirm your email' to 'please confirm your subscription' - to indicate you're not trying to get any personal information.
- I've no idea why you're adding the HTML as an attachment - if you send a client a normal email from your email client you wouldn't attach it as HTML you just send it as normal HTML (or text) - so why would you do things differently when you're trying not to appear like a spammer?
- Given how short your email is you could probably just send it as text - in fact you are sending it as text and as base64 encoded - either send the message as html or as text you don't need both.
- When trying to send an email to Gmail they will strip off all the html headers (I found Gmail to be the biggest pain for accepting HTML emails in a correct format)
- If you're still getting problems I'd recommend you start sending emails through something like MailChimp - they'll end up looking nicer and you'll have happier customers
- What you're being accused of is phishing style emails. Here's an example of one from my junk filter:
Dear online service customer,
Access to your account logged in successfully.
To ensure your protection, we've now blocked access to your accounts.
You now need to restore your security details. You won't be able to
gain access to your accounts until you've done this.
To restore Please click the link below to restore your account access.
RESTORE YOUR ACCOUNT ACCESS (in the email this is a link to a dodgy site)
© Shop Direct Limited. All Rights Reserved.
Here's an example of a nice please confirm your email from CopyHackers:
Subject: CopyHackers Newsletter: Please Confirm Subscription
Body:
Best Answer
Hah, 5 minutes after posting the question I found the answer myself. Ever had that happen to you? :-)
https://security.stackexchange.com/questions/48684/help-investigating-potential-website-attack-url-rewriting-and-rot-13-obfuscatio
Essentially: