Sunday, 4 June 2017

Spam and Phishing Analysis

Email Header Analysis

X-Originating-IP: [IP address the mail was submitted from]
This is a non-standard header that some webmail and mail services add to record the IP address of the client that submitted the message. Because it is just a header line, the sender can forge it or leave it out, so cross-check it against the bottom-most Received: line, which is written by the receiving server rather than by the sender. If the message carries more than one X-Originating-IP header, the lowest one in the header block was added first and is closest to the origin; the ones above it were added as the mail passed through further servers.

Date: The date and time the message was composed, as set by the sender's mail client. It is supplied by the sender and can be wrong or forged, so compare it with the timestamps in the Received: lines.

From: The address the message claims to come from. This header is written by the sender and is trivially forged, so on its own it is the least reliable field.

Reply-To: The address to which replies are sent when the recipient presses Reply. When present it takes precedence over the From: address for replies.

To: The address(es) the message was addressed to. It may not contain your own address at all, for example when you were Bcc'd or when a bulk mailer sends to "undisclosed recipients".

Subject: The topic the sender gave the message.

X-Spam-Flag: YES ----- The spam filter flagged the message and it will normally be routed to the spam folder. Depending on the filter, the verdict may instead be Phish or another category.

X-SpamInfo: spam detected heuristically. ----- The filter's reason for its verdict; here a heuristic content score rather than a blocklist hit.

Return-Path: The envelope sender address (the SMTP MAIL FROM), recorded by the receiving server; bounces go to this address. It is not the same thing as Reply-To:, which the sender sets for human replies. It often differs from the From: address: bulk mailers use a dedicated bounce address, and on a spoofed message it is where the gap between the claimed sender and the real sending infrastructure shows up.

If the From: address is spoofed, Reply-To: usually points somewhere else, because the attacker needs replies to land in a mailbox they control. A mismatch between From: and Reply-To: is therefore a strong signal, but not proof either way: legitimate mail (mailing lists, no-reply senders) also sets a different Reply-To:, and a phisher who only wants a link clicked need not set one at all.

Because From: can be spoofed, always check the Reply-To: field as well, so you know where a reply would actually go.

Message-ID: A unique identifier assigned when the message was created. Search for it in your email protection tool to find out how many users received the same message and to pull the other copies for analysis.

Envelope-To: The mailbox the message was actually delivered to (the SMTP envelope recipient). It can differ from the To: header, which is why a message that does not list your address in To: still reaches you.

Delivery Date: The date and time the message was received by your mail service or email client.

Received: The Received: lines are the most important part of the header and usually the most reliable. Each server that handles the message adds one at the top, so together they list the servers the message passed through on its way to you. Read them from bottom to top: the topmost line was added by your own mail server, the bottommost by the server closest to the origin. Each mail system has its own style, but a Received: line typically names the machine that received the mail ("by") and the machine it received it from ("from"), usually with that machine's IP address and a timestamp. Only the lines added by servers you trust are reliable; a sender can insert fake Received: lines below them to make the message look as if it came from somewhere else.

If the mail contains links, a mail security gateway that rewrites URLs (click protection) may keep the original URL in a header or inside the rewritten link, while the body shows only the rewritten one. Check the original URL's reputation in VirusTotal or urlquery. Whether and where the original URL is preserved depends on how you or your email security provider have configured the service.

Check this script for easy analysis of the above details from an email header:
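As an added example (this is not the script the post refers to, nor the author's code), here is a small Python parser for the headers described above. It uses only the standard library and runs on a constructed sample message embedded in the code; the message, addresses and IP addresses are made up for illustration. It reports the From/Reply-To/Return-Path domains, the Received: chain read bottom-up to find the origin IP, the URLs in the body, and the inconsistencies a triager would look at first.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample message for the example (not a real capture): a spoofed "helpdesk"
# mail with a Reply-To on another domain, a bare-IP link, and a spam verdict.
RAW_MESSAGE = b"""Return-Path: <bounce@mailer-example.net>
Received: from mx1.corp.example ([10.0.0.5]) by mailstore.corp.example with ESMTP id 1; Sun, 4 Jun 2017 10:02:11 +0000
Received: from mail.mailer-example.net ([203.0.113.7]) by mx1.corp.example with ESMTPS id 2; Sun, 4 Jun 2017 10:02:09 +0000
Received: from [192.0.2.44] (unknown [192.0.2.44]) by mail.mailer-example.net with ESMTPA id 3; Sun, 4 Jun 2017 10:02:05 +0000
X-Originating-IP: [192.0.2.44]
Message-ID: <abc123@mailer-example.net>
Date: Sun, 4 Jun 2017 10:02:00 +0000
From: "IT Helpdesk" <helpdesk@corp.example>
Reply-To: <helpdesk-reset@mailer-example.net>
To: undisclosed-recipients:;
Envelope-To: alice@corp.example
Subject: Password expires today
X-Spam-Flag: YES
Content-Type: text/plain; charset=utf-8

Your password expires today. Reset it here: http://203.0.113.9/reset
or at https://corp-example.password-portal.net/login
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def domain_of(header_value):
    """Lower-cased domain of the first address in a From/Reply-To/Return-Path value."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def parse_received(msg):
    """Return the Received: hops top-down (newest first) as from/by hosts plus the IP the hop came from."""
    hops = []
    for hdr in msg.get_all("Received", []):
        hdr = " ".join(hdr.split())  # unfold continuation lines
        m = re.search(r"\bfrom\s+(\S+)(.*?)\bby\s+(\S+)", hdr)
        if not m:
            continue
        ip = re.search(IPV4, m.group(1) + m.group(2))
        hops.append({"from": m.group(1), "by": m.group(3), "ip": ip.group(0) if ip else None})
    return hops


def analyse(raw):
    """Pull out the fields discussed above and list the inconsistencies worth a closer look."""
    msg = email.message_from_bytes(raw)
    hops = parse_received(msg)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    return_dom = domain_of(msg.get("Return-Path"))
    origin_ip = hops[-1]["ip"] if hops else None  # bottom-most Received: line is closest to the origin
    x_oip = re.sub(r"[\[\]\s]", "", msg.get("X-Originating-IP", "")) or None
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    urls = re.findall(r"https?://[^\s<>\"']+", body)

    flags = []
    # A mismatch is a signal, not proof: mailing lists and no-reply senders also set a different Reply-To.
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if return_dom and return_dom != from_dom:
        flags.append(f"Return-Path domain {return_dom} differs from From domain {from_dom}")
    if x_oip and origin_ip and x_oip != origin_ip:
        flags.append(f"X-Originating-IP {x_oip} disagrees with the origin Received hop {origin_ip}")
    if msg.get("X-Spam-Flag", "").strip().upper() == "YES":
        flags.append("X-Spam-Flag is YES: the filter already flagged this message")
    for url in urls:
        host = re.match(r"https?://([^/:?#]+)", url).group(1)
        if re.fullmatch(IPV4, host):
            flags.append(f"URL uses a bare IP address instead of a hostname: {url}")

    return {
        "message_id": msg.get("Message-ID"),
        "from_domain": from_dom,
        "reply_to_domain": reply_dom,
        "return_path_domain": return_dom,
        "origin_ip": origin_ip,
        "x_originating_ip": x_oip,
        "hops": hops,
        "urls": urls,
        "flags": flags,
    }


if __name__ == "__main__":
    report = analyse(RAW_MESSAGE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it on a real message by replacing RAW_MESSAGE with the bytes of a saved .eml file. The Received: regex is deliberately loose because every mail system formats that line differently; check the parsed hops against the raw header before trusting the origin IP, and remember that only the hops added by your own servers are guaranteed genuine.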

How you can check against Spam and Phishing attacks

Email Address: Confirm the sender's e-mail address
    • Do you know the person or entity?
    • Are there any misspellings or unusual domains in the address?
Links: Confirm the links point to reputable or known websites
    • Is the host name recognizable, not a bare IP address?
    • Does it use "https"? That only means the connection is encrypted, not that the site is legitimate; phishing sites obtain valid certificates too.
Even when the link is an https:// URL, check which domain name the certificate was issued to. A certificate authority issues a certificate for one specific domain, so the certificate tells you which site you are really talking to, but not whether that site can be trusted. Watch for certificates issued to look-alike domains.


Attachments: Think carefully before opening an attachment from an unknown sender. Is it safe to open? Office files with macros (extensions ending in "m", such as .docm or .xlsm) can run code when opened and infect your device with malware that compromises sensitive information.

Content: Closely review the content
    • Does it include unusual requests for sensitive information or unrealistic offers?
    • Does it have spelling and grammatical errors?
    • Does it include inconsistent formatting and images?
    • Does the message instruct you to break protocol or follow a different process or procedure than you are used to?
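To turn the address and link items of this checklist into something you can run, here is an added Python example (my own illustration, not the post's). TRUSTED_DOMAINS is an assumed allow-list of domains the organisation treats as its own or well known, and the registrable-domain helper is a deliberate simplification that should be replaced with a Public Suffix List lookup in real use. It classifies a sender domain or link host as trusted, a bare IP, a punycode (internationalised) name, a look-alike of a trusted domain, or unknown, and it reports "https" separately so that TLS never upgrades the verdict.

```python
import re
from urllib.parse import urlsplit

# Assumed allow-list of domains the organisation considers its own or well known (constructed for the example).
TRUSTED_DOMAINS = ["corp.example", "bank.example"]
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def levenshtein(a, b):
    """Edit distance; one or two edits between a domain and a trusted one is the classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Simplified registrable domain (last two labels). Real code should use the Public Suffix List,
    otherwise hosts such as example.co.uk are cut in the wrong place."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_domain(host):
    """Verdict for a sender or link host: trusted, bare-ip, punycode, lookalike:<trusted>, or unknown."""
    host = host.lower()
    if re.fullmatch(IPV4, host):
        return "bare-ip"
    if "xn--" in host:
        return "punycode"  # internationalised label; may render as a look-alike of a Latin name
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # typosquat (c0rp.example) or the brand name embedded in an unrelated domain
        # (corp-example.password-portal.net); a substring match is a heuristic and will
        # produce some false positives, which is acceptable for a triage hint
        if levenshtein(reg, trusted) <= 2 or brand in host:
            return "lookalike:" + trusted
    return "unknown"


def check_sender(address):
    """Checklist item 'Confirm the sender's e-mail address': classify the domain after the @."""
    return classify_domain(address.rsplit("@", 1)[-1])


def check_link(url):
    """Checklist item 'Confirm the links': classify the host and report, separately, whether it is https.
    The verdict does not depend on https, because TLS only proves the connection is encrypted."""
    parts = urlsplit(url)
    return {"host": parts.hostname, "https": parts.scheme == "https",
            "verdict": classify_domain(parts.hostname or "")}


if __name__ == "__main__":
    for addr in ["helpdesk@corp.example", "helpdesk@c0rp.example", "it-support@corp.example.com"]:
        print(addr, "->", check_sender(addr))
    for link in ["http://203.0.113.9/reset", "https://corp-example.password-portal.net/login"]:
        print(link, "->", check_link(link))
```

The point of returning "https" as a separate field is the one made in the checklist: a phishing page at a look-alike domain with a valid certificate still gets a lookalike verdict, and the certificate only tells you which domain you are talking to.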


Report Phishing: Use the Report Phishing button to report suspicious e-mails to the responsible security team, or send the mail to that team as an attachment (forwarding as an attachment preserves the original headers, which plain forwarding does not).
