Phishing Email Analysis

Most cyber attacks are carried out through email; about 60% of attacks use email as the delivery medium. In cyber defense, the most important step in preventing phishing is to analyze a suspicious email properly, either manually or with available third-party automation tools.

To understand email analysis, we first have to learn about DNS records.

DNS Records – A database that maps domain names to IP addresses. A lookup is sent to the Internet Service Provider (ISP), forwarded to a DNS server, and finally resolved to the corresponding web server.

  • A records – map a domain name to an IPv4 address
  • AAAA records – map a domain name to an IPv6 host address
  • TXT records – hold general information about the domain, such as who is hosting it; one common use is SPF
  • CNAME – Canonical Name records map a subdomain (alias) to the parent domain
  • PTR – Pointer records map an IP address back to a domain name (reverse lookup)
  • MX – Mail Exchanger records are necessary to deliver email to your address

Architecture of Mail Services

Mail User Agent (MUA):

  • allows you to send and retrieve email
  • e.g. Gmail, Outlook

Mail Transfer Agent (MTA):

  • responsible for sending and receiving email between mail servers
  • e.g. the Mail Exchanger (MX) server of a domain

Sender Policy Framework (SPF):

  • SPF is published as a TXT record in DNS.
  • Sender Policy Framework is an email authentication technique to prevent email spoofing, such as phishing or spam sent on behalf of your domain.
  • The SPF check is performed by the Mail User Agent (MUA).
  • The mail receiver looks at the Return-Path of the email header. When the sending mail server isn't listed in the SPF record, the message is tagged as suspicious by marking the SPF status Fail.
  • The architecture below explains SPF in more detail.

Sender Policy Framework Architecture

Drawbacks:

  • SPF checks only the "Return-Path" of the header, not the "From" header (the address the user sees as the origin of the email).
  • SPF doesn't provide reporting, which makes it difficult to maintain.

Create SPF Record:

  • Specify the SPF version (v).
  • Specify the IP addresses (IPv4, IPv6 or both) that are authorized to send email (ip4 or ip6 mechanisms).
  • Authorize a third-party domain by including its SPF record (include).
  • Specify the policy:
    • -all (Hard Fail) => servers not listed in the SPF record are not authorized to send mail
    • ~all (Soft Fail) => mail from unauthorized servers is accepted but marked as spam
    • +all => allows any server to send email

v=spf1 ip4:<ip> ip6:<ip> include:<thirdpartydomain> <policy: -all, ~all or +all>
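
The following added example (not from the original post) evaluates a sender IP against SPF records of the shape shown above, including the include mechanism and the three all policies. The TXT records are constructed inline so the code runs offline; a real checker would resolve them over DNS.

```python
import ipaddress

# Constructed TXT data standing in for live DNS lookups (assumption: this example
# runs offline; a real checker queries the TXT record of each domain it visits).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
}

# Qualifier prefixes: the one on the trailing "all" term is the domain's policy.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Return the mechanism terms of an SPF TXT record, or None if it is not SPF."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    return terms[1:]


def check_spf(domain, sender_ip, records=SPF_RECORDS, depth=0):
    """Evaluate sender_ip against domain's SPF record: pass/fail/softfail/neutral/none."""
    if depth > 10:                      # RFC 7208 limits DNS-querying mechanisms to 10
        return "permerror"
    record = records.get(domain)
    terms = parse_spf(record) if record else None
    if terms is None:
        return "none"                   # no SPF record published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in terms:
        qualifier = "+"                 # an unprefixed mechanism means "pass" on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            # ip_network accepts a bare address or a CIDR range; an IPv4 sender never
            # matches an ip6 term (and vice versa), so the check simply moves on
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "include":
            # include: matches only when the included domain's record yields "pass"
            if check_spf(value, sender_ip, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif mech == "all":
            return QUALIFIERS[qualifier]
        # a, mx, exists and ptr need DNS and are not evaluated in this offline example
    return "neutral"                    # record ended without an "all" term
```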

DKIM (DomainKeys Identified Mail):

  • DKIM is published as a TXT record in DNS.
  • DomainKeys Identified Mail is an authentication technique to verify the integrity of the sender's mail.
  • The DKIM signature is generated by the Mail Transfer Agent (MTA).
  • The entire body content is converted to a single hash value, and this hash value is encrypted asymmetrically with the sender's private key using the RSA algorithm.
  • Once the receiving MTA gets the mail, it decrypts the DKIM signature using the public key published in the sender's DNS records.
  • After decryption it compares the hash values; if they match, the mail content has not been altered, so the message is valid and not spoofed.
  • DKIM is built on top of SPF.

The combination of DKIM and SPF helps prevent email spoofing and achieve data Confidentiality, Integrity and Availability.

DKIM Architecture

DKIM Record Parameters:

  • Version of DKIM (v).
  • Algorithm used to generate the signature (a).
  • Selector name (s).
  • Domain name owned by the sender (d).
  • List of headers used by the signing algorithm to create the hash (h).
  • Hash of the listed headers (b); this value is also called the DKIM signature and is encoded in Base64.

DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=news;
c=relaxed/relaxed; q=dns/txt; t=1126524832; x=1149015927;
h=from:to:subject:date:keywords:keywords;
bh=MHIzKDU2Nzf3MDEyNzR1Njc5OTAyMjM0MUY3ODlqBLP=;
b=hyjCnOfAKDdLZdKIc9G1q7LoDWlEniSbzc+yuU2zGrtruF00ldcF
VoG4WTHNiYwG
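
As an added example (not part of the original post), the code below parses a DKIM-Signature tag list like the one above and recomputes the body hash (bh=) with relaxed canonicalization, which is the integrity check the receiving MTA performs on the body. The message body and the signature header are constructed here; the b= tag is a placeholder because verifying it needs the public key from DNS.

```python
import base64
import hashlib
import re

# Constructed message body (assumption); the DKIM-Signature further down is built over it.
BODY = "Hello   team,\r\n\r\nQuarterly   report attached.  \r\n\r\n\r\n"


def parse_dkim_signature(header_value):
    """Parse the tag=value list of a DKIM-Signature header (RFC 6376) into a dict."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)   # folding whitespace is ignored
    return tags


def relaxed_body(body):
    """'relaxed' canonicalization: trim trailing WSP, collapse WSP runs to one space,
    drop trailing empty lines and end with exactly one CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""


def body_hash(body, canon="relaxed"):
    """Base64 SHA-256 over the canonicalized body: the value the signer puts in bh=."""
    data = relaxed_body(body) if canon == "relaxed" else body.rstrip("\r\n") + "\r\n"
    return base64.b64encode(hashlib.sha256(data.encode()).digest()).decode()


def body_hash_matches(header_value, body):
    """Receiver side: recompute bh= from the body as received and compare with the header."""
    tags = parse_dkim_signature(header_value)
    if tags.get("v") != "1" or not tags.get("a", "").endswith("sha256"):
        return False
    canon = tags.get("c", "simple/simple")
    body_canon = canon.split("/")[1] if "/" in canon else "simple"   # c=header/body
    return tags.get("bh") == body_hash(body, body_canon)


# Signer side, constructed for this example: b= (the RSA signature over the h= headers
# and bh=) is a placeholder; checking it needs the public key at <s>._domainkey.<d>.
SIGNATURE = ("v=1; a=rsa-sha256; d=example.com; s=news; c=relaxed/relaxed; "
             "h=from:to:subject:date; bh=" + body_hash(BODY) + "; b=PLACEHOLDER")
```

Under relaxed canonicalization a change in whitespace alone still verifies, while any change to the words of the body produces a different bh= and the check fails.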

DMARC (Domain Based Message Authentication Reporting and Conformance):

  • Domain-based Message Authentication, Reporting and Conformance is an email validation system designed to protect a company's email domain from being spoofed.
  • DMARC depends on SPF and DKIM for authentication and integrity, but adds an extra feature: reporting.
  • With the report information, the domain owner gains control over email sent in the domain's name and can prevent spoofing.
  • DMARC prevents others from sending email using your domain.
  • DMARC policies help organizations protect against:
    • Phishing campaigns
    • Brand abuse and scams
    • Malware and ransomware attacks

DMARC Architecture

DMARC Reports:

  • DMARC sends reports of domain activity on a daily basis.
  • It provides a traffic overview, including the sending IP addresses.
  • DMARC reports include the original message headers, the original message, failed messages and so on.

DMARC Policies:

  • Monitoring policy (p=none) => only reports who is sending email on behalf of the domain.
  • Quarantine policy (p=quarantine) => if the DMARC check passes, the mail is delivered to the user's inbox; if it fails, it is delivered to the spam folder.
  • Reject policy (p=reject) => if the DMARC check passes, the mail is delivered to the user's inbox; if it fails, it is rejected.
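
The added example below (not from the original post) parses a constructed DMARC TXT record and applies the three policies to a message, given the SPF and DKIM results. It also shows identifier alignment, the part of DMARC that closes the SPF gap noted earlier: the Return-Path (SPF) or d= (DKIM) domain must match the visible From domain, strictly or at the organizational level, for a pass to count. The organizational-domain helper is a simplification and is labelled as such.

```python
# Constructed DMARC TXT record (assumption), as it would be published at _dmarc.example.com.
DMARC_RECORD = "v=DMARC1; p=quarantine; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=...; ...' into a dict; None if the TXT record is not DMARC."""
    tags = dict(part.strip().split("=", 1) for part in record.split(";") if "=" in part)
    return tags if tags.get("v") == "DMARC1" and "p" in tags else None


def org_domain(domain):
    """Organizational domain, approximated as the last two labels (assumption; real
    implementations consult the Public Suffix List so that e.g. co.uk is handled)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed) the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Receiver decision for one message: 'pass', or the published p= action on failure.
    spf_domain is the Return-Path domain SPF was checked against, dkim_domain the d= tag."""
    tags = parse_dmarc(record)
    if tags is None:
        return "none"                          # no policy published: nothing to enforce
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:                      # one aligned, passing mechanism is enough
        return "pass"
    return tags["p"] if tags["p"] in ("none", "quarantine", "reject") else "none"
```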
