Email Header Analysis and Using Open Source Tools to Detect Spoofing E-Mails
Both email spoofing and phishing are commonly used in
fraudulent activities, often involving requests for sensitive information or
unauthorized payment instructions. Such attacks can lead to significant
financial losses or reputational damage for organizations. In this section, we
will explore key indicators for identifying fraudulent emails, along with
effective methods for detecting them.
Part 1 - Indicators of a fraudulent e-mail:
1- Suspicious company domain
Look out for slight misspellings (a digit 1 in place of a lowercase l, rn in place of m, an extra or missing letter) or unfamiliar domain names that mimic real companies, and compare the domain shown in the From field with the domains in Reply-To and Return-Path.
Fraudulent emails often come from domains that look legitimate at first glance.
2-An unusual request (whether about a payment or your credentials)
Be cautious if you are asked to provide sensitive information or to make an urgent payment, particularly when the request changes existing payment details or is framed as urgent and confidential.
Legitimate organizations rarely ask for credentials or payments by email unexpectedly; verify such a request through a contact channel you already know rather than by replying to the message.
Part 2 - Analyzing the e-mail header:
To decide whether a received e-mail is suspicious, conduct the following analysis of its full header (most mail clients expose it under an option such as "Show original" or "View message source").
1-Detecting whether spoofing is in place:
SMTP is the protocol mail servers use to hand messages to one another, and it remains the primary method for sending e-mail. It was designed without sender authentication: the envelope sender (MAIL FROM) and the visible From: header are supplied by the sending side and accepted as given, which is what makes spoofing possible.
When spoofing is used, the displayed sender alone cannot tell you whether the message is genuine. Some mail servers generate a spoofing warning (typically by evaluating SPF, DKIM and DMARC when the message is received), while others do not. If your mail server has no such alert mechanism, analyze the header yourself to establish whether the sender is genuine: compare the From: domain with the Return-Path domain and with the servers named in the Received lines.
2-Analyzing the sender IP:
The sender IP, taken from the Received headers, shows which server handed the message to your mail server; the earliest (bottom-most) Received line shows where the message entered the mail system.
However, because most mail is sent through large centralized providers today, the IP usually identifies the provider's server and its physical location rather than the individual sender. Its value lies in checking whether that server is one the claimed sender domain would legitimately use (for example, one permitted by the domain's SPF record) and whether it has a proper DNS name rather than appearing as a bare IP address marked "unknown".
3-Investigating whether the received e-mail came through a relay server:
A relay server is a mail server that accepts a message and forwards it on toward its final destination.
Relaying is a normal function of most mail servers in use today, but it is legitimate only when the relay forwards mail for its own domains or for authenticated users. An open relay forwards mail from anyone without requiring a username or password, and spoofers use such relays to put distance between the message and their own machine, masking the IP address of the sender's original server.
Each relay adds its own Received header, so the chain of Received lines (read from the bottom, the oldest hop, to the top, the newest) shows the path the message took.
An indicator of relay server usage would look similar to the following:
4-Checking whether the received e-mail passes the domain authentication checks (SPF, DKIM and DMARC):
DMARC, DKIM, and SPF are three email authentication methods. Together, they help prevent spammers, phishers, and other unauthorized parties from sending emails on behalf of a domain* they do not own. (*https://www.cloudflare.com/learning/email-security/dmarc-dkim-spf/)
SPF is a DNS record listing the servers allowed to send mail for a domain, DKIM is a signature the sending domain places on the message, and DMARC tells receivers how to treat a message when neither check passes for the From: domain. The receiving server records the outcome in an Authentication-Results header; a fail, none or missing result for SPF, DKIM or DMARC, or a From: domain that differs from the domain that passed SPF or signed the message with DKIM, can indicate a fraudulent e-mail.
MX checking toolboxes are also useful for checking whether the claimed sender domain publishes an SPF record at all. An unproblematic e-mail server would look like the following screenshot or similar:
SPF and the other indicators can also be read from the e-mail header itself, as follows:
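The checks in steps 1 to 4 above, carried out programmatically over a raw message, as an added example that is not part of the original post. The two messages are constructed for the demonstration (the domains example.com and the look-alike examp1e.com, and addresses from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges); `analyze` and its helpers are written here and are not a tool the post refers to. The code walks the Received chain bottom-up to find the originating IP and the number of relays, parses the Authentication-Results header added by the receiving server, and compares the From, Return-Path and Reply-To domains.

```python
import re
from email import message_from_string

# Constructed sample messages (not real captures). SPOOFED_MESSAGE mimics a
# payment-fraud attempt: From claims example.com, but Return-Path and Reply-To
# use the look-alike examp1e.com, the message entered the mail system from a
# host without a DNS name, SPF failed and there is no DKIM signature.
SPOOFED_MESSAGE = """\
Received: from mail.relay.example.net (mail.relay.example.net [203.0.113.7])
    by mx.victim.example (Postfix) with ESMTPS id ABC123
    for <cfo@victim.example>; Mon, 3 Jun 2024 10:15:22 +0000
Received: from [198.51.100.23] (unknown [198.51.100.23])
    by mail.relay.example.net (Postfix) with ESMTPA id DEF456;
    Mon, 3 Jun 2024 10:15:20 +0000
Authentication-Results: mx.victim.example;
    spf=fail smtp.mailfrom=accounts@examp1e.com;
    dkim=none;
    dmarc=fail header.from=example.com
Return-Path: <accounts@examp1e.com>
From: "Example Accounts" <accounts@example.com>
Reply-To: accounts@examp1e.com
To: cfo@victim.example
Subject: Urgent: updated bank details for invoice 4471

Please update the beneficiary account before today's payment run.
"""

# CLEAN_MESSAGE: a single hop from the domain's own server, all checks passed.
CLEAN_MESSAGE = """\
Received: from mail.example.com (mail.example.com [203.0.113.20])
    by mx.victim.example (Postfix) with ESMTPS id XYZ789
    for <cfo@victim.example>; Mon, 3 Jun 2024 11:02:05 +0000
Authentication-Results: mx.victim.example;
    spf=pass smtp.mailfrom=accounts@example.com;
    dkim=pass header.d=example.com;
    dmarc=pass header.from=example.com
Return-Path: <accounts@example.com>
From: "Example Accounts" <accounts@example.com>
Subject: Invoice 4471

Attached is the invoice.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _unfold(value):
    """Collapse the folding whitespace of a multi-line header into single spaces."""
    return " ".join(value.split())


def domain_of(header_value):
    """Domain part of the first address in a From/Return-Path/Reply-To header."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header_value or "")
    return m.group(1).lower() if m else None


def received_chain(msg):
    """Received hops oldest-first as (from_host, from_ip, by_host). Every server
    prepends its own Received line, so the top of the message is the last hop."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        value = _unfold(raw)
        from_m = re.search(r"\bfrom\s+(\S+)", value)
        by_m = re.search(r"\bby\s+(\S+)", value)
        ip_m = IP_RE.search(value)
        hops.append((from_m.group(1) if from_m else None,
                     ip_m.group(1) if ip_m else None,
                     by_m.group(1) if by_m else None))
    return hops


def auth_results(msg):
    """Verdicts recorded by the receiving server, e.g. {'spf': 'fail', 'dkim': 'none'}."""
    results = {}
    for raw in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", _unfold(raw)):
            results[m.group(1)] = m.group(2).lower()
    return results


def analyze(raw_message):
    """Run the header checks of Part 2 over one raw message and return the evidence."""
    msg = message_from_string(raw_message)
    from_dom, rp_dom = domain_of(msg.get("From")), domain_of(msg.get("Return-Path"))
    reply_dom, auth, hops = domain_of(msg.get("Reply-To")), auth_results(msg), received_chain(msg)
    findings = []
    # Step 1: the visible From should agree with the envelope sender and Reply-To.
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # Step 2: the originating host should have a DNS name, not a bare IP literal.
    if hops and (hops[0][0] or "").startswith("["):
        findings.append(f"originating host {hops[0][1]} has no DNS name")
    # Step 4: SPF, DKIM and DMARC should all have passed at the receiving server.
    for mech in ("spf", "dkim", "dmarc"):
        verdict = auth.get(mech, "missing")
        if verdict != "pass":
            findings.append(f"{mech} did not pass ({verdict})")
    return {"from_domain": from_dom, "return_path_domain": rp_dom,
            "origin_ip": hops[0][1] if hops else None, "hops": hops,
            "relay_hops": max(len(hops) - 1, 0),  # Step 3: intermediate servers
            "auth": auth, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("clean", CLEAN_MESSAGE)):
        result = analyze(raw)
        print(label, "suspicious" if result["suspicious"] else "ok", result["findings"])
```

Two caveats apply when running this over real mail: only trust the Authentication-Results header that your own receiving server added (a sender can forge one further down, so match the authserv-id against your MX), and the bottom-most Received line can itself be forged by the originator; the first line added by a server you trust is the earliest reliable hop.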
5-Blacklist Checks:
Some e-mail domains or server IP addresses may already have been reported as sources of fraudulent mail by other users or institutions. Such addresses are published in DNS-based blocklists (DNSBLs, commonly called blacklists), so it is worth checking whether the sending domain or IP of a suspicious e-mail appears in one of these databases.
The MXToolbox website is a helpful site for checking whether a domain or IP is blacklisted, and it can also be used to analyze other indicators such as missing SPF records or signatures. Website link: https://mxtoolbox.com/blacklists.aspx
A problematic sender would fail one or more of the blacklist checks, as follows:
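What a blacklist lookup does behind a site such as MXToolbox, as an added example that is not part of the original post: a DNSBL is queried by reversing the address and appending the list's zone, and any A record answer in 127.0.0.0/8 means the address is listed. The code below builds the query name for IPv4 and IPv6 addresses, performs the lookup, and interprets the answer. The IP 203.0.113.5 and the zone dnsbl.example are placeholders; zen.spamhaus.org and bl.spamcop.net are real public lists, and the return-code meanings in ZEN_CODES are the ones Spamhaus publishes for its ZEN list (other lists use their own codes). The `resolve` parameter is a hook added here so the logic can be exercised offline with a fake resolver.

```python
import ipaddress
import socket

# Spamhaus ZEN return codes as published by Spamhaus; other lists differ.
# Spamhaus uses 127.255.255.x for query errors (blocked resolver, query limit),
# so only 127.0.0.0/24 answers are treated as a listing below.
ZEN_CODES = {
    "127.0.0.2": "SBL - known spam source",
    "127.0.0.3": "CSS - low-reputation / snowshoe sender",
    "127.0.0.4": "XBL - exploited host (malware, open proxy)",
    "127.0.0.10": "PBL - ISP end-user range, should not send mail directly",
    "127.0.0.11": "PBL - Spamhaus-maintained end-user range",
}
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/24")


def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: reversed octets for IPv4, reversed nibbles
    for IPv6, followed by the list zone, e.g. 5.113.0.203.zen.spamhaus.org."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def _dns_lookup(name):
    """Default resolver: every A record for name, or [] when it does not exist
    (NXDOMAIN is the normal 'not listed' answer from a DNSBL)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_dnsbl(ip, zone="zen.spamhaus.org", resolve=_dns_lookup):
    """Query one list for one address and explain any listing."""
    name = dnsbl_query_name(ip, zone)
    answers = resolve(name)
    listed = [a for a in answers if ipaddress.ip_address(a) in LISTED_RANGE]
    errors = [a for a in answers if a not in listed]
    return {
        "query": name,
        "listed": bool(listed),
        "reasons": [ZEN_CODES.get(a, f"listed with code {a}") for a in listed],
        "errors": errors,   # e.g. 127.255.255.254: answer is not a verdict
    }


def check_sender(ip, zones=("zen.spamhaus.org", "bl.spamcop.net"), resolve=_dns_lookup):
    """Check one address against several lists; returns only the lists that flag it."""
    hits = {}
    for zone in zones:
        result = check_dnsbl(ip, zone, resolve)
        if result["listed"]:
            hits[zone] = result
    return hits


if __name__ == "__main__":
    # Placeholder address from the 203.0.113.0/24 documentation range; a real
    # run needs network access and a resolver that the lists accept queries from.
    for zone, result in check_sender("203.0.113.5").items():
        print(zone, result["reasons"])
```

Run it against the IP taken from the earliest trustworthy Received line of the message, not against the IP of your own provider's server, which is what the last hop usually shows; and keep in mind that a listing proves the server has sent abuse before, while an absent listing proves nothing on its own.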
Author: Ilter Lofcali