Email Forensics: What to Look For, and How to Avoid Email Phishing
One of the most widely used techniques for performing a scam is phishing. It usually works by tricking a user into providing personal information or clicking a link to a fraudulent webpage.
Two very common examples:
- The one where the user supposedly won the lottery, or someone wants to donate money: the sender asks for personal information, just to play the game, and then requests a deposit for processing the payment. Once the payment is made, the scam is over.
- Using the name of a well-known company, like a bank, the scammer requests the user to provide account information, such as a password, "for security reasons". Or the request is to click a link to the allegedly valid bank site, which is actually a copy. A naive user will not notice that and will just enter the information. And with that, end of the story.
There are more complex scams, like the file attachment, which contains an exploit that provides an attacker with useful information or establishes a remote connection.
This article will show where to look to detect a scam email and how to avoid email phishing, though the latter technique is for mail server admins. First, let's see how email forensics and an ethical hacker's review of the technology infrastructure's security complement each other.
Email Forensics: Detecting phishing emails.
The most basic form of a scam email is simply when a user receives an email from an allegedly known sender. Noticing that the email is fraudulent is pretty simple: it only takes looking at the sender address. The following example is an email apparently from PayPal. But by looking at the sender address, notice that it does not contain paypal.com or mail.paypal.com, but rather firstname.lastname@example.org, which has nothing to do with a paypal domain account.
What can be tricky in this email is that the sender's display name is email@example.com, which may fool a naive user into believing that it is the address. But the real address is right next to the name, and there the scam will be detected by noticing that the address does not belong to the paypal domain.
Recommendation for a user: when receiving these types of emails, ignore and delete them and, if possible, block the sender. This is not always effective, though, because the scam email addresses change each time to keep reaching the end user.
A more advanced form of phishing is when the sender email address appears to be valid and contains a trusted domain like paypal.com or any other domain known by the user.
The difference here is that the user (or, in this case, a digital forensics investigator analyzing the context of the message with a detective-like eye) will notice something unusual. It's here that the email forensics work begins.
What to look for in a message to verify its authenticity.
The Digital Forensics Investigator has to go to the email headers (message source) and look for headers like X-Sender-IP or X-Originating-IP. Other headers that show sender and mail server information are also valid.
First of all, it is important to check other headers. One of the main headers is the "From" header.
The "From" header in the image above is the alleged sender, but this is not the main header to be analyzed. Scrolling through the message source, the important headers will appear. The two headers in the image below show X-Sender-IP. To find out more about that IP, open a terminal or the Windows cmd and run the "whois" command followed by the IP, which, in the case of the image below, shows that the IP belongs to one of the Amazon AWS servers. This can also be verified with an online service that retrieves information about an IP address; nevertheless, looking through the message source, the Amazon DNS name will likely appear there as well.
The other header, X-SID-PRA (the purported responsible address used by Sender ID), identifies the actual sender. If this header does not match the "From" header, it is a spoofing case.
The spoofing attack is more technical than phishing. The latter relies more on social engineering, while spoofing involves more technical work to send an email on behalf of an address.
The figure above shows, at the bottom, that the "From" header is from the hotmail.com domain, but at the top of the image there is a "Received" header that shows the real sending domain, which is emkei.cz. There is no single rule or precise header name to identify a spoofed email. The investigator, like a detective, will have to look at the whole message source. Similar headers will appear, and the forensics investigator will see either the same address (valid) or a different address (spoofed).
The real mail sender can be either an application or service that sends fake emails, or a compromised server that lacks proper security.
A more critical security issue is possible in phishing emails: when an account on the domain has been hacked and that account is used for a scam. Detecting this depends on the user and on whether this user has technical support available to check for any irregularities.
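The header checks described above (From domain versus the origin "Received" hop, X-Sender-IP / X-Originating-IP and X-SID-PRA), as an added example that is not part of the original article. It runs on a constructed message whose hosts and addresses are made-up documentation values; the finding strings are this example's own wording.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample (all hosts/addresses are made-up documentation values):
# From claims hotmail.com, while the origin hop, X-Sender-IP and X-SID-PRA
# all point at another domain, as in the spoofed message described above.
RAW = (
    b"Received: from relay.example.net (relay.example.net [198.51.100.7])\r\n"
    b"\tby mx.recipient.example with ESMTP id 4Fx1\r\n"
    b"Received: from webform.sender.example (webform.sender.example [203.0.113.9])\r\n"
    b"\tby relay.example.net with ESMTP\r\n"
    b"X-Sender-IP: 203.0.113.9\r\n"
    b"X-SID-PRA: noreply@sender.example\r\n"
    b'From: "Account Team" <account-team@hotmail.com>\r\n'
    b"Subject: Please confirm your account\r\n\r\nClick the link below.\r\n"
)
# "from <host> (<helo-name> [<ip>])" at the start of a Received header.
RECEIVED_RE = re.compile(r"^from\s+([\w.-]+)(?:\s+\([^)]*\[([0-9a-f.:]+)\][^)]*\))?", re.I)

def address_domain(value):
    """Domain part of an address header value, lower-cased ('' if absent)."""
    return parseaddr(str(value or ""))[1].rpartition("@")[2].lower()

def received_hops(msg):
    """(host, ip) for each Received header, earliest hop first."""
    hops = []
    for raw in msg.get_all("Received", []):
        m = RECEIVED_RE.match(" ".join(str(raw).split()))  # unfold, then match
        if m:
            hops.append((m.group(1).lower(), m.group(2)))
    return hops[::-1]  # the bottom-most Received header was added first

def analyze(raw_bytes):
    """Collect the sender-related headers and flag what needs a closer look."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    from_domain = address_domain(msg["From"])
    hops = received_hops(msg)
    origin_host, origin_ip = hops[0] if hops else (None, None)
    pra_domain = address_domain(msg["X-SID-PRA"])
    sender_ip = msg["X-Sender-IP"] or msg["X-Originating-IP"]
    findings = []
    if pra_domain and pra_domain != from_domain:
        findings.append("X-SID-PRA domain differs from the From domain")
    if origin_host and origin_host != from_domain and not origin_host.endswith("." + from_domain):
        findings.append("origin Received hop is outside the From domain")
    return {"from_domain": from_domain, "origin_host": origin_host,
            "origin_ip": origin_ip, "sender_ip": str(sender_ip) if sender_ip else None,
            "pra_domain": pra_domain, "findings": findings}
```

A legitimate message from the From domain yields an empty findings list; anything listed is a lead to follow up in the full message source, not proof on its own.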
How to avoid Email Phishing.
More generally, here are three key points that will help stop email phishing and/or spoofing.
"DMARC, which stands for "Domain-based Message Authentication, Reporting & Conformance," is an email authentication, policy, and reporting protocol. It builds on the widely deployed SPF and DKIM protocols, adding linkage to the author ("From:") domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor the protection of the domain from fraudulent email." [1]
"The Sender Policy Framework (SPF) is an email-authentication technique which is used to prevent spammers from sending messages on behalf of your domain. With SPF, an organization can publish authorized mail servers. With the DMARC related information, the receiver (or receiving systems) receive information on how trustworthy the origin of an email is. SPF is, just like DMARC, an email authentication technique that uses DNS (Domain Name Service). This gives you, as an email sender, the ability to specify which email servers are permitted to send an email on behalf of your domain." [2]
"DomainKeys Identified Mail (DKIM) lets an organization take responsibility for a message that is in transit. The organization is a handler of the message, either as its originator or as an intermediary. Their reputation is the basis for evaluating whether to trust the message for further handling, such as delivery. Technically, DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication." [3]
Remediation for email spoofing
To reduce email spoofing, it is important to configure DKIM and/or SPF correctly, although this may not be sufficient. One technique to mitigate spoofing is to create a DMARC record with the value np=reject policy. Of course, this has to be correctly validated and set up properly to avoid problems when sending legitimate email.
This is a "must-do" for Ethical Hackers or Pentesters. Check what email service the application uses, and then check the records mentioned above. An excellent tool for checking email security is MX Toolbox [4].
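The record checks a pentester would run on the SPF and DMARC records described above (in the "Domain-based Message Authentication" quote and the remediation paragraph), as an added example that is not part of the original article and not MX Toolbox's code. It evaluates constructed TXT records rather than querying DNS; the DMARC policy for the domain itself is carried by the p= tag, and a record that still ends in "+all" authorizes any sender.

```python
import ipaddress
# Constructed DNS TXT records for illustration only (example.com and .example
# are reserved documentation names); nothing here is a real published record.
RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.7 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100",
    "weak.example": "v=spf1 ip4:203.0.113.0/24 +all",
    "_dmarc.weak.example": "v=DMARC1; p=none",
}

def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def dmarc_findings(txt):
    """Weaknesses an assessor would report for a published DMARC record."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    if tags.get("p") not in ("quarantine", "reject"):
        findings.append("p=%s does not enforce; use quarantine or reject" % tags.get("p"))
    if tags.get("pct", "100") != "100":
        findings.append("pct=%s applies the policy to only part of the mail" % tags["pct"])
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports will arrive")
    return findings

def spf_check(txt, ip):
    """SPF result (pass/fail/softfail/neutral/none) for a sending IP, evaluating
    ip4:/ip6: mechanisms and the final all term; include:/a/mx need live DNS."""
    addr = ipaddress.ip_address(ip)
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    result_for = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qual = term[0] if term[0] in result_for else "+"  # default qualifier is +
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            return result_for[qual]
        if mech.startswith(("ip4:", "ip6:")) and addr in ipaddress.ip_network(mech[4:], strict=False):
            return result_for[qual]
    return "neutral"  # no all term: the default result is neutral
```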
IT professionals, and people in general, usually ask themselves why they receive strange emails that seem to come from their company, friends, etc., and wonder how they can stop receiving fake emails. If they look in the wrong direction, they will probably harden servers and implement user and password policies while overlooking the configuration of SPF, DKIM, or DMARC. Once these three records are correctly set up, spoofing is gone. Unfortunately, phishing will still be possible; its success relies more on human nature than on technical expertise, and an attacker will always be able to create a Gmail- or Outlook-like template and send it from a fake address to fool a user into visiting a link or providing sensitive information. If the user is aware of and cautious about scams, there will not be any problem. If not, bad things may happen.
[1] (2020). DMARC. Domain-based Message Authentication. Retrieved May 20, 2020 from: https
[2] (2020). SPF. Sender Policy Framework. Retrieved May 21, 2020 from: https
[3] (2020). DKIM. DomainKeys Identified Mail. Retrieved May 21, 2020 from: http
[4] (2020). MX Toolbox. Network Tools. Retrieved May 22, 2020 from: https