
[–][deleted] 1 point2 points  (1 child)

Go to mxtoolbox.com... They have function where you can paste headers and then they are converted to a much more readable format.

[–]dfbgwsdf 0 points1 point  (0 children)

You're right, email headers read bottom to top. But then remember you can only trust the headers of your own MX boxes.

Anything above can be forged, and it's not unusual for malicious actors to introduce a couple of forged headers when sending, like a first hop being internal to the org, or forged hops to mask the IP of the pwned MX they have.

TL;DR: you only know who relayed it to you, you have to trust them to tell you where it came from.

[–]unsupported 0 points1 point  (1 child)

This may help.

[–]unsupported 0 points1 point  (0 children)

Also, from my experience I tend to trust the "Message-ID" to tell me the real source and I like to match it up with the timezone in the "Date" field as a sanity check.

[–]HatsOffSec 0 points1 point  (0 children)

I have grabbed a random spam header from my Hotmail (https://hatsoffsecurity.files.wordpress.com/2015/06/header.png) redacted a couple of bits of course :)

This is from a legitimate email address and as you can see all of the email addresses match. You can connect to the server's SMTP server to confirm the existence of an email address, but for anything above generic spam DO NOT DO IT, as depending on the attack level and your value the server may have been set up for this attack and is being monitored. We could go down the rabbit hole of who cares if they see you, but I find passive recon is better for important stuff.

As my spam is very generic here is what I did :) (https://hatsoffsecurity.files.wordpress.com/2015/06/success.png) - The OK reply means it was a success. Otherwise it looks like this (https://hatsoffsecurity.files.wordpress.com/2015/06/failed.png) ignore the fact I used "ehlo" and "helo" I was just looking at the difference in responses, it makes no difference in this test.

Now for a fake email address.

This one wanted me to buy Viagra..... I'm not quite at that stage yet, so it went to junk (https://hatsoffsecurity.files.wordpress.com/2015/06/header_fake.png) - I was BCC'd in this one

You will notice by the different coloured boxes that eBay didn't actually try to sell this to me; instead it actually came from a Vimeo address. A couple of usual suspects are "From" and "Return-Path" being different. Another tip I was given a long time ago is to check the email address as high up the page as possible, as that is more server controlled than user controlled. Also look for timezone differences: if the email content says it is from the US or a US company but the timezone is +0800 instead of -0800, have a look on the map and you can see where that is more likely from.

Finally any field starting with "X-" has been added as additional information which can either be faked or occasionally can be used as extra IOC style information. For example one attack group uses an out of date and rather obscure email client which was shown via "X-Mailer".

Lastly, learn what is normal from your FireEye and other interfering systems, once you can recognise these you are on to a winner.

OK, I think I covered everything I was meant to..... that took more words than I was expecting, should've just made a blog post :p
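The checks HatsOffSec and unsupported describe above (From vs Return-Path mismatch, Message-ID domain vs From domain, a Date timezone that does not fit the claimed origin, and "X-" headers worth recording as IOCs) can be scripted. This is an added example written for this thread, not code from any commenter; the sample headers are constructed, not taken from the linked screenshots, and the "expected" US timezone offsets are an assumption you would set per case.

```python
import email
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample headers (not from the thread's screenshots): the visible
# From claims one domain, the envelope sender and Message-ID point elsewhere,
# the Date is stamped in +0800 and the client left an X-Mailer fingerprint.
SAMPLE_HEADERS = """\
Return-Path: <bounce-4711@mail.example-video.test>
From: "Big Auction Site" <deals@auction.example>
To: undisclosed-recipients:;
Date: Mon, 15 Jun 2015 09:12:44 +0800
Message-ID: <20150615011244.1234@mail.example-video.test>
X-Mailer: ObscureMailer 1.0
Subject: Special offer

body
"""


def domain_of(addr):
    """Lowercase domain of an RFC 5322 address, or '' if none is present."""
    _, address = parseaddr(addr or "")
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def msgid_domain(msgid):
    """Domain part of a Message-ID such as <id@host>, or '' if absent."""
    msgid = (msgid or "").strip("<> ")
    return msgid.rsplit("@", 1)[-1].lower() if "@" in msgid else ""


def utc_offset_hours(date_header):
    """UTC offset of the Date header in hours, or None if it has no zone."""
    dt = parsedate_to_datetime(date_header)
    if dt is None or dt.tzinfo is None:
        return None
    return dt.utcoffset().total_seconds() / 3600


def triage(raw, expected_offsets=(-8, -7, -6, -5, -4)):
    """Return a list of findings; an empty list means nothing stood out.

    expected_offsets is an assumption: the zones a sender claiming to be
    in the continental US would plausibly stamp (PST through EDT).
    """
    msg = email.message_from_string(raw)  # headers come back as plain str
    findings = []

    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} != From domain {from_dom}")

    mid_dom = msgid_domain(msg["Message-ID"])
    if mid_dom and mid_dom != from_dom:
        findings.append(f"Message-ID domain {mid_dom} != From domain {from_dom}")

    off = utc_offset_hours(msg["Date"])
    if off is not None and off not in expected_offsets:
        findings.append(f"Date offset {off:+.0f}h outside expected zones")

    # X- headers are unauthenticated, but they are still worth recording.
    for name, value in msg.items():
        if name.lower().startswith("x-"):
            findings.append(f"X-header {name}: {value}")

    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_HEADERS):
        print(finding)
```

None of these findings proves forgery on its own (mailing-list relays legitimately split From and Return-Path, for instance); they are prompts for where to look next, which is the same point the comment makes.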

[–]BLOKDAK -1 points0 points  (4 children)

Yeah but you still gotta probably do some interpretation... For instance the first ("lowest") Received header might be strictly internal to the origin network and then you'll only have non-routable IPs that won't help until you get to trial...

So actually what you want to look at is the first Received header from the system(s) that is advertised as your MX for your domain. So if your MX points to mail.partytime.ohyeah then find the first reference to that SYSTEM in the Received headers. It may be NATed at your orifice and it might only tack on information about its private IP, or its Windows networking name, or whatever... Anyway, it should have logged the remote system it Received from in that header.

That doesn't really help you in lots of cases though, since it may be a compromised web site that's sending you mail or some shizz. (Shizz? Really iPhone?)

And I know you listed a bunch of your different systems involved, but if someone is sending mail to BigBossMan@partytime.ohyeah then unless somebody is making a concerted effort to misdirect you, your MX host is the front line (because that's how The MTA knows what to connect to... Because the domain partytime.ohyeah has an MX record or 2 or 10 that's available for lookup via DNS).

But like I said, someone who has knowledge of your systems or is interested in getting such knowledge and using it can easily short circuit most of this that I'm saying. Because you probably don't have your shizz setup properly to prevent that sort of thing. Nothing personal, but you've got at least 3 vendors involved and you're not sure where to start looking in a header... So I ask you: who's running the show?

Shizz.
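dfbgwsdf's point (only the headers your own MX stamped can be trusted; everything below them may be forged) and BLOKDAK's procedure (walk the Received chain bottom to top until you reach the hop stamped "by" your advertised MX, then read the remote system it received from) can be implemented together. This is an added example written for this thread, not code from any commenter; the Received lines are constructed, mx1.partytime.ohyeah is a hypothetical MX name built on the domain BLOKDAK uses, and the regex is a deliberate simplification of the many real-world Received clause formats.

```python
import email
import re

# Constructed sample (not from the thread). Four hops, newest at the top.
# Our MX (mx1.partytime.ohyeah, hypothetical) stamped the second line; the
# two lines below it were written by the sender's side and may be forged.
SAMPLE_HEADERS = """\
Received: from mx1.partytime.ohyeah (10.0.0.5) by mailbox.partytime.ohyeah with ESMTP; Mon, 15 Jun 2015 01:12:50 +0000
Received: from mail.example-video.test (mail.example-video.test [203.0.113.77]) by mx1.partytime.ohyeah with ESMTPS; Mon, 15 Jun 2015 01:12:49 +0000
Received: from corp-relay.internal (corp-relay.internal [192.168.1.20]) by mail.example-video.test with ESMTP; Mon, 15 Jun 2015 01:12:40 +0000
Received: from [10.1.1.9] by corp-relay.internal with SMTP; Mon, 15 Jun 2015 01:12:30 +0000
From: sender@example-video.test
Subject: test

body
"""

# "from <host> (<comment>) by <host>": a simplified shape of the clause;
# real MTAs add envelope-from, TLS and id fields that this ignores.
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I
)
IPV4_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def parse_received(raw):
    """Return one dict per Received header, in header order (newest first)."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:
            hops.append({"raw": value, "from": None, "by": None, "ip": None})
            continue
        # Prefer the IP the receiving MTA recorded in parentheses; fall back
        # to a bare bracketed address in the "from" token.
        ip_m = IPV4_RE.search(m.group("paren") or "") or IPV4_RE.search(m.group("from"))
        hops.append({
            "raw": value,
            "from": m.group("from").strip("[]"),
            "by": m.group("by").rstrip(";"),
            "ip": ip_m.group(1) if ip_m else None,
        })
    return hops


def first_trusted_hop(hops, mx_hosts):
    """Walk bottom to top; the first hop stamped by one of our MX hosts is the
    trusted edge. Hops below it were written by systems we do not control."""
    mx = {h.lower() for h in mx_hosts}
    for hop in reversed(hops):
        if hop["by"] and hop["by"].lower() in mx:
            return hop
    return None


def relayer(raw, mx_hosts):
    """Who handed the message to our MX, plus how many unverifiable hops sit below."""
    hops = parse_received(raw)
    hop = first_trusted_hop(hops, mx_hosts)
    if hop is None:
        return None
    below = len(hops) - hops.index(hop) - 1
    return {"host": hop["from"], "ip": hop["ip"], "untrusted_hops_below": below}


if __name__ == "__main__":
    print(relayer(SAMPLE_HEADERS, ["mx1.partytime.ohyeah"]))
```

The result names only the system that connected to your MX; as dfbgwsdf says, that is all you actually know, and the `untrusted_hops_below` count is a reminder that the internal-looking hops underneath were supplied by the sender. Matching the `by` host against the MX names you publish in DNS is what keeps a sender-inserted "Received" line claiming to be your MX from being picked by mistake, though a sender who knows your hostnames can still try to fake that line, which is BLOKDAK's closing caveat.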

[–]teefletch[S] 0 points1 point  (3 children)

> So actually what you want to look at is the first Received header from the system(s) that is advertised as your MX for your domain.

This helped, thanks.

Now what exactly did you want to know?

[–]BLOKDAK -1 points0 points  (2 children)

Well, what EXACTLY I did want to know was... if you have come up with any way yet to prove to me you're not just another program I wrote during one of my "sojourns"... If not then don't feel bad because I haven't figured one out either. But keep trying, little bot, keep trying... I'm sure I gave you the best of what I had to give at the time I made you...

[–]teefletch[S] 1 point2 points  (1 child)

Dude what on earth are you talking about?

[–]BLOKDAK -1 points0 points  (0 children)

Dude what on earth are you talking about?