Email Header Analysis

If we go to the Spam mails, we will find an email for instance the email that sent by banks. Then it required us to update user credentials such as username and password. That email usually was contained a link so that once the user clicked, it directed to the update page. It was a phishing or fraudulent email that sent by attacker to steal the credentials. 

 There are several types of phishing attacks but for this entry, I would like to talk about how to analyze the email header. If you are using Gmail, we can get the email header by click Show Original. An email consists of 3 elements: the envelope, the header(s), and the body of the message. Sample fraud email:


Email Header
---------------
The header contains the "name" and "address" of the sender, recipient and anyone who is being copied, the "date" and "time" the mail is sent and the "subject" of the mail. The header exists mainly for the computer to route mail to you. The "received:" item indicates the mailers. It shows what mailers the mail is routed through before it goes to the recipient. Usually, over the internet, the mail will go through several mailers before it finally reaches the recipient. This information will help in tracing the source IP address of the sender.

 How to read an email header?
---------------------------------
Email headers should be read from bottom to top. Sample header as follows:

Line by line analysis
----------------------------

 The Return-Path line mean the address in which the reply for this mail will be sent to. This is the same as "Reply-To:”. Attackers use the different real address to deceived the target.  


The preceding lines were the routing information which told where the mail went and the time it arrived to the respective mailer. In order to follow the flow, they had to be read backwards. So, the particular mail originated from gs-press.com.au and mailed to mx.gmail.com. Further, it went to xxx@gmail.com which was the recipient's Internet host. So, if your mail bounced, this part
in the header showed how far the mail went and which machine rejected it.


The message-Id line was intended mainly for tracing mail routing and uniquely identified each mail.

The 'From' line showed who sent the mail and his/her email. 'From' information can be easily be faked/forged.


 The 'To' line listed the email address/es of the recipients of the mail. There might be also a Cc line which listed all the people who received copies of this mail. This address could also be a hidden list of emails; thus your email may not appear in here even though you received the mail.

The subject line gave some idea of what the mail is about.

The Date line lists the date and time this mail was originally sent. It was sent on the sender's local time zone.

 That's all for now. Chow!

Comments

Post a Comment

Popular posts from this blog

Port Scanning, Intrusion Detections, and Packet Analysis by Using Nmap, Snort and Wireshark

Image
Motivated from the following article, http://faculty.scf.edu/bodeJ/CIS2352/NMAP%20Detection%20and%20Countermeasures.pdf Then, I’ve setup Virtual Lab to see how to analyze the different type of scanning on packet and IDS perspectives. Kali Linux as an attacker machine that will running Nmap for scanning activities and capturing traffics by using Wireshark. I’ve installed Snort on Ubuntu 12 LTS Server as IDS and enable portscan configurations and store log in /var/log/snort/portscan.log.   Metasploitable Linux as a victim machine. Portscan detection.   For more information, see README.sfportscan preprocessor sfportscan: proto   { all } memcap { 10000000 } sense_level { medium } logfile { /var/log/snort/portscan.log } Configurations of my Virtual Lab:    Kali Linux                  Snort IDS               Metasploitable Linux [192.168.197.209] --->   [192.168.197.217]  --->     [192.168.197.216]             
Read more

Penetration Testing on Windows XP SP2/ SP3 by Exploiting a Vulnerability in Windows Samba Service {ms08-67}.

{Requirements:} ———————— All Machines Running on VM 1. Kali Linux (172.16.66.193) 2. Windows XP SP2 (172.16.66.193) 3. IDS - Suricata {Scan for open ports:} ———————————- root@fikri:~# nmap -n -sV 172.16.66.199 Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-12-17 10:25 MYT Nmap scan report for 172.16.66.199 Host is up (0.11s latency). Not shown: 918 closed ports, 79 filtered ports PORT    STATE SERVICE      VERSION 135/tcp open  msrpc        Microsoft Windows RPC 139/tcp open  netbios-ssn  Microsoft Windows 98 netbios-ssn 445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds MAC Address: 00:0C:29:D1:55:23 (VMware) Service Info: OSs: Windows, Windows 98, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_98, cpe:/o:microsoft:windows_xp Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 48.51 seconds {Exploit:} ————— msf > use exploit/win
Read more

Malware Analysis Part 2: Using RemNux

Malware Analysis  Part 2 - By Using Multiple Tools on Remnux Machine {Peframe, Pyew, Upx, Pescanner, ExeScan} ———————————————————————————————————————————————————— remnux@remnux:~/Desktop/Labs/Chapter_1L$ peframe Lab01-02.exe  Short information ------------------------------------------------------------ File Name          Lab01-02.exe File Size          3072 byte Compile Time       2011-01-19 11:10:41 DLL                False Sections           3 Hash MD5           8363436878404da0ae3e46991e355b83 Hash SHA-1         5a016facbcb77e2009a01ea5c67b39af209c3fcb Imphash            096aa05b8a2e1f2dc66fc73a1a978a7b Detected           Packer Directory          Import Packer matched [1] ------------------------------------------------------------ Packer             UPX -> www.upx.sourceforge.net Suspicious API discovered [8] ------------------------------------------------------------ Function           CreateServiceA Function           ExitP
Read more