Email Header Analysis – Received Email is Genuine or Spoofed (GBHackers)

Email is a business-critical asset. Altering an email's headers so that the message appears to come from somewhere other than its actual source is email spoofing, a form of fraud.

If the spam filter is bypassed and such a message reaches the inbox, the impact on the organisation can be critical: it opens the door to social engineering and to the delivery of malicious payloads that compromise internal assets.

Analyzing message headers:

  • Message headers are the fields people normally see: From, To, Cc and Subject.
  • They travel inside the message data. The SMTP envelope (MAIL FROM and RCPT TO) is separate from them, and servers use the envelope, not the From header, to route and bounce the message.



Envelope Headers

  • Are used by the Simple Mail Transfer Protocol (SMTP) to route and deliver the message.
  • Investigating these headers reveals the route the message took from the sender to your mailbox.
  • You can view the raw message in your mailbox: in Gmail it is More > Show original; other clients call it View Raw Message or View Source.


Before we start investigating the envelope header, let's break down the process for better understanding.

Email Header Breakdown

The envelope header (email header) contains many fields, but these are the most important to investigate when you think something is suspicious.

Return-Path

  • Delivery status notifications (bounces) are sent to this address.
  • It is the address validated by Sender Policy Framework (SPF).
  • The receiver looks up the domain in the Return-Path (the SMTP envelope sender, MAIL FROM) and checks that the connecting IP is authorized to send email for that domain.
  • SPF does not prevent attackers from spoofing the "From" address: it validates the envelope sender, and nothing forces the From header to match it.

Reply-To

  • Email address used in message replies.
  • Overrides the "From" address when the recipient replies, so an attacker can spoof From and still receive the answers.

Received

  • A single email usually has several "Received" entries, one added by each server that handled it; every server prepends its own line at the top.
  • The bottom "Received" entry therefore shows the first server to handle the message (closest to the sender); the top entry is your own server.

Lines beginning with X

  • X- headers are added by email servers and security tools (for example X-Mailer, X-Spam-Status, X-Originating-IP). The Received and X- fields created by your own email service are the completely trustworthy entries; anything below them in the header chain could have been forged by the sender.
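The fields above can be pulled out and cross-checked automatically. The following is an added example, not code from the article: it parses a raw message with Python's standard `email` module, reads Return-Path, From, Reply-To and the Received chain, and flags the two mismatches a spoofed message usually shows (envelope sender and Reply-To domains differing from the From domain). The sample message is constructed for the example; its first-hop line reuses the "from 127.0.0.1 (EHLO emkei.cz) (46.167.245.116)" pattern from the article's screenshot, while every other name and address is made up. The hop parser only handles IPv4 literals.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

# Constructed sample of a spoofed message, not a real capture. The bottom
# Received line mirrors the article's screenshot; everything else is made up.
RAW_MESSAGE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.example.net (mx.example.net [203.0.113.10])
  by inbound.example.com with ESMTP id 4cV8k2; Thu, 1 Jan 2015 10:00:00 +0000
Received: from 127.0.0.1 (EHLO emkei.cz) (46.167.245.116)
  by mx.example.net with SMTP; Thu, 1 Jan 2015 09:59:58 +0000
X-Mailer: PHPMailer 5.2
X-Spam-Status: No
From: "Finance Team" <finance@example.com>
Reply-To: pay-now@attacker.example
To: victim@example.com
Subject: Invoice due

Please pay the attached invoice today.
"""

IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def domain_of(addr):
    """Domain part of an address, lower-cased; empty string if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def originating_ip(received):
    """Received headers are prepended, so the bottom entry is the first hop.
    Return the first IPv4 literal in it that is neither loopback nor private."""
    if not received:
        return None
    for ip in IPV4.findall(received[-1]):
        addr = ipaddress.ip_address(ip)
        if not (addr.is_loopback or addr.is_private):
            return ip
    return None


def analyze(raw):
    """Extract the fields worth checking and list the mismatches found."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    received = [str(h) for h in msg.get_all("Received", [])]

    findings = []
    # SPF validates the Return-Path domain; if it differs from the From domain,
    # a passing SPF says nothing about the address the user actually sees.
    if return_path and domain_of(return_path) != domain_of(from_addr):
        findings.append("RETURN_PATH_MISMATCH")
    # Replies go to Reply-To, so a foreign Reply-To domain is a classic lure.
    if reply_to and domain_of(reply_to) != domain_of(from_addr):
        findings.append("REPLY_TO_MISMATCH")

    return {
        "from": from_addr,
        "return_path": return_path,
        "reply_to": reply_to,
        "hops": len(received),
        "origin_ip": originating_ip(received),
        "x_headers": sorted(k for k in msg.keys() if k.lower().startswith("x-")),
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in analyze(RAW_MESSAGE).items():
        print(f"{key:12} {value}")
```

The originating IP is the value to feed into the reputation lookup later in the article; the X- headers list is only informative, since anything below your own server's lines could have been written by the sender.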

Header Drill Down

  • In the example screenshot the bottom Received line reads "from 127.0.0.1 (EHLO emkei.cz) (46.167.245.116)": the message was handed in through emkei.cz, an online fake-mailer service, from the IP 46.167.245.116, rather than from a mail server belonging to the sender's apparent domain.

Malformed SPF

  • Received-SPF shows permerror, a permanent error during validation: the receiver could not evaluate the sender domain's SPF record (for example because it is malformed or requires too many DNS lookups), so SPF gave no assurance that the sending IP was authorized.
  • Together with the Received chain, this is good evidence that the mail is spoofed and that the Sender Policy Framework check failed.
  • As discussed earlier, SPF by itself does not prevent attackers from spoofing the "From" address.
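To make the pass/fail/softfail/permerror outcomes concrete, here is an added example (not the article's code) of a minimal SPF evaluator in the style of RFC 7208. It reads records from a constructed in-memory table instead of live DNS, so the domains and records are assumptions for illustration; it supports the ip4, ip6, include and all mechanisms, counts DNS-querying mechanisms so that more than ten (for instance the include loop in the table) yields permerror, and treats a, mx, ptr, exists and redirect= as unsupported. It also formats the Received-SPF line that a receiving server prepends.

```python
import ipaddress

# Constructed records for the example; not the real DNS data of these domains.
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:198.51.100.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 ~all",
    # Two records that include each other: evaluation never terminates on its
    # own, and the lookup limit turns that into a permerror.
    "broken.example": "v=spf1 ip4:10.0.0.0/8 include:loop.example -all",
    "loop.example": "v=spf1 include:broken.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4


def check_spf(domain, client_ip, counter=None):
    """Return pass/fail/softfail/neutral/none/permerror for client_ip
    claiming to send mail on behalf of `domain` (the Return-Path domain)."""
    counter = counter if counter is not None else {"lookups": 0}
    ip = ipaddress.ip_address(client_ip)
    record = TXT_RECORDS.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"

    for term in record.split()[1:]:           # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")

        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            counter["lookups"] += 1
            if counter["lookups"] > MAX_DNS_LOOKUPS:
                return "permerror"
            inner = check_spf(arg, client_ip, counter)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("permerror", "none"):
                return "permerror"        # a missing included record is fatal
        else:
            # a, mx, ptr, exists and redirect= need live DNS; this offline
            # evaluator does not implement them.
            return "permerror"
    return "neutral"                           # no term matched and no "all"


def received_spf(result, domain, client_ip, receiver="mx.example.com"):
    """Format the Received-SPF header a receiving MTA adds (RFC 7208 section 9.1)."""
    return (f"Received-SPF: {result} ({receiver}: SPF record of {domain} "
            f"evaluated for {client_ip}) client-ip={client_ip}")


if __name__ == "__main__":
    for dom, ip in [("example.com", "198.51.100.7"), ("example.com", "192.0.2.1"),
                    ("broken.example", "192.0.2.1"), ("nospf.example", "192.0.2.1")]:
        print(received_spf(check_spf(dom, ip), dom, ip))
```

Note what the evaluator takes as input: the Return-Path domain and the connecting IP. The From header never enters the computation, which is exactly why a passing SPF result is compatible with a spoofed From address.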

DomainKeys Identified Mail

  • The sending server digitally signs selected headers and the body; the receiver runs a DNS query for <selector>._domainkey.<domain> to fetch the sender domain's public key and verifies the signature.
  • Does not prevent attackers from spoofing the "From" address: a valid signature only proves which domain signed the message, and a spoofed message can simply be sent unsigned.
  • Can validate message integrity: a valid signature proves the signed headers and body were not altered in transit.
  • In this case the result is dkim=neutral (no sig), which shows the message carries no DKIM signature at all.
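The integrity part of DKIM is easy to see in code. The block below is an added example, not the article's code or any DKIM library: it implements the relaxed body canonicalization of RFC 6376 section 3.4.4, computes the bh= body hash, builds a constructed message carrying a DKIM-Signature header, and checks the hash, reporting "neutral (no sig)" when the header is absent as in the article's case. It does not verify the b= signature itself (that requires fetching the public key from <selector>._domainkey.<domain> and an RSA verification over the canonicalized headers), so the b= value in the constructed message is a placeholder and the domain, selector and addresses are assumptions.

```python
import base64
import hashlib
import re


def relaxed_body(body):
    """RFC 6376 relaxed body canonicalization: collapse runs of spaces/tabs
    to one space, drop trailing whitespace on each line, drop empty lines
    at the end, and make a non-empty body end with exactly one CRLF."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""


def body_hash(body):
    """The bh= tag: base64(sha256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body).encode()).digest()).decode()


def parse_tags(signature):
    """Split 'k=v; k=v' into a dict, removing folding whitespace from values."""
    tags = {}
    for item in signature.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def make_message(body, domain="example.com", selector="s1"):
    """Constructed message with a DKIM-Signature whose bh= matches `body`.
    b= is a placeholder: producing it needs the signer's private key."""
    signature = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
                 f"h=from:to:subject; bh={body_hash(body)}; b=PLACEHOLDER")
    return ("From: finance@example.com\r\nTo: victim@example.com\r\n"
            f"Subject: Invoice\r\nDKIM-Signature: {signature}\r\n\r\n{body}")


def check_body_hash(message):
    """Return 'neutral (no sig)', 'permerror', 'bh-ok' or 'bh-mismatch'."""
    headers, _, body = message.partition("\r\n\r\n")
    signature = next((h.split(":", 1)[1] for h in headers.split("\r\n")
                      if h.lower().startswith("dkim-signature:")), None)
    if signature is None:
        return "neutral (no sig)"          # what the article's header shows
    tags = parse_tags(signature)
    # c=header/body; a missing body part means simple, which this toy lacks.
    body_canon = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    if tags.get("a") != "rsa-sha256" or body_canon != "relaxed" or "bh" not in tags:
        return "permerror"
    return "bh-ok" if body_hash(body) == tags["bh"] else "bh-mismatch"


if __name__ == "__main__":
    signed = make_message("Please pay the attached invoice today.\r\n")
    print(check_body_hash(signed))
    print(check_body_hash(signed.replace("attached", "new")))
    print(check_body_hash("From: a@example.com\r\n\r\nhi\r\n"))
```

Two points worth noticing: trailing blank lines and repeated spaces do not change the hash under relaxed canonicalization, so a mail relay that rewraps whitespace does not break the signature, while any change to the words does; and an absent signature is reported as neutral rather than fail, which is why "no sig" alone never proves anything about the sender.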

Open Relay Test

  • An open relay is an SMTP server configured so that it allows a third party to relay mail: to send or receive messages that are neither from nor for local users.
  • Therefore, such servers are the usual targets of spam senders.

  • In this test the server passed: it answered the relay attempt with the error message "Relay access denied", so the sending server is not an open relay.
  • The message itself targets the victim by trying to get them to click the link and pay money.
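An open relay test is a short SMTP conversation: connect, claim a sender from one foreign domain, name a recipient in another foreign domain, and see whether the server accepts the RCPT TO. The following added example (not the article's tool) does this with Python's standard `smtplib` and never sends DATA, so nothing is delivered; alongside it, `relay_decision` shows the rule a correctly configured server applies, producing the "554 5.7.1 ... Relay access denied" reply that Postfix gives and that the article's test reported. The host, domains and network ranges are assumptions for illustration.

```python
import ipaddress
import smtplib
import sys


def probe_open_relay(host, port=25, mail_from="probe@example.net",
                     rcpt_to="probe@example.org", timeout=10):
    """Ask `host` to accept mail from one foreign domain to another.
    Only MAIL FROM / RCPT TO are issued, followed by RSET, so no message is
    ever delivered. Returns (is_open_relay, smtp_code, reply_text)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        code, reply = smtp.mail(mail_from)
        if code != 250:
            return False, code, reply.decode(errors="replace")
        code, reply = smtp.rcpt(rcpt_to)
        smtp.rset()
        return code == 250, code, reply.decode(errors="replace")


def relay_decision(local_domains, my_networks, client_ip, authenticated, rcpt_to):
    """The rule a properly configured MTA applies at RCPT TO: relay only when
    the recipient is local, the client is on a trusted network, or the client
    has authenticated. Anything else is refused with 554 5.7.1."""
    rcpt_domain = rcpt_to.rsplit("@", 1)[-1].lower()
    if rcpt_domain in local_domains:
        return 250, "2.1.5 Ok"
    client = ipaddress.ip_address(client_ip)
    trusted = any(client in ipaddress.ip_network(net) for net in my_networks)
    if authenticated or trusted:
        return 250, "2.1.5 Ok"
    return 554, f"5.7.1 <{rcpt_to}>: Relay access denied"


if __name__ == "__main__":
    # Usage: python open_relay.py mail.example.com  (probes a real server)
    if len(sys.argv) > 1:
        is_open, code, text = probe_open_relay(sys.argv[1])
        print("OPEN RELAY" if is_open else "not an open relay", code, text)
    # Offline illustration of the server-side rule with constructed inputs.
    for ip, auth, rcpt in [("203.0.113.5", False, "probe@example.org"),
                           ("203.0.113.5", False, "bob@example.com"),
                           ("192.0.2.9", False, "probe@example.org")]:
        print(ip, auth, rcpt, relay_decision({"example.com"}, ["192.0.2.0/24"], ip, auth, rcpt))
```

Only probe servers you are authorised to test. A 250 to the RCPT TO for a foreign recipient means the server would relay for anyone, which is what makes it attractive to spammers; the 554 reply is the "test passed" outcome the article describes.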


  • The screenshot shows that the attacker's goal is to make the victim click and pay an amount, using a legitimate-looking source email address.

Threat Intelligence Report

  • Check the reputation of the suspicious IP (here 46.167.245.116).
  • You can use online tools to search the reputation, for example VirusTotal or IBM X-Force Exchange.

  • So here we can conclude that the attacker tried to communicate with the victim using spoofing techniques to appear as a legitimate user.
  • Be aware of social engineering attacks delivered through technology.
  • Never click and pay when the communicating IP is not trustworthy.
