| Both sides previous revision Previous revision Next revision | Previous revision Next revisionBoth sides next revision |
| public:emai:malware [2023-03-09 09:41] – vesely | public:emai:malware [2023-03-09 09:42] – [Monitoring and filtering agenda] vesely |
|---|
| |
| * [[:public:emai:malware#spf_hard_fail|SPF hard fail]] - sending server __is not on the allowed list__ provided by domain's owner and the domain owner asks for message blocking. | * [[:public:emai:malware#spf_hard_fail|SPF hard fail]] - sending server __is not on the allowed list__ provided by domain's owner and the domain owner asks for message blocking. |
| * [[:public:emai:malware#spf_soft_fail|SPF soft fail]] - | * [[:public:emai:malware#spf_soft_fail|SPF soft fail]] - <font inherit/inherit;;#f39c12;;inherit>[Suspicious - SPF - soft fail]</font> - sending server is not listed among allowed ones, but the domain owner allow message passing with warning. |
| <font inherit/inherit;;#f39c12;;inherit>[Suspicious - SPF - soft fail]</font> - sending server is not listed among allowed ones, but the domain owner allow message passing with warning. | * [[:public:emai:malware#spf_bad_alignment|SPF bad alignment]] - <font inherit/inherit;;#f39c12;;inherit>[Covert sender]</font> - verify the authenticity of the domain sending the email by using two diffrenent header signatures in the message. |
| * [[:public:emai:malware#spf_bad_alignment|SPF bad alignment]] - | * [[:public:emai:malware#bad_dmarc|Bad DMARC]] - <font inherit/inherit;;#f39c12;;inherit>[Bad DMARC]</font> - the sender's domain does not have DMARC record and SPF set properly. |
| <font inherit/inherit;;#f39c12;;inherit>[Covert sender]</font> - verify the authenticity of the domain sending the email by using two diffrenent header signatures in the message. | * [[:public:emai:malware#bad_dmarc|Bad ARC]] - <font inherit/inherit;;#f39c12;;inherit>[Suspicious - bad ARC]</font> - the sender's email has ARC Seal but it's validation did not succed (e.g. invalid calculated email hash). |
| * [[:public:emai:malware#bad_dmarc|Bad DMARC]] - | |
| <font inherit/inherit;;#f39c12;;inherit>[Bad DMARC]</font> - the sender's domain does not have DMARC record and SPF set properly. | |
| * [[:public:emai:malware#bad_dmarc|Bad ARC]] - | |
| <font inherit/inherit;;#f39c12;;inherit>[Suspicious - bad ARC]</font> - the sender's email has ARC Seal but it's validation did not succed (e.g. invalid calculated email hash). | |
| * [[:public:emai:malware#ip_reputation_database_-_dnsbl|DNSBL listed]] - | * [[:public:emai:malware#ip_reputation_database_-_dnsbl|DNSBL listed]] - |
| <font inherit/inherit;;#f39c12;;inherit>[IP reputation - DNSBL listed]</font> - the sender's IP is listed in SPAM database. | <font inherit/inherit;;#f39c12;;inherit>[IP reputation - DNSBL listed]</font> - the sender's IP is listed in SPAM database. |
| **Example of spoof email:** | **Example of spoof email:** |
| |
| MAIL FROM: **johndoe2 <font inherit/inherit;;#2980b9;;inherit>@gmail.com</font> ** \\ | MAIL FROM: **johndoe2 |
| From: **john.doe <font inherit/inherit;;#d35400;;inherit>@cerge-ei.cz</font> ** \\ | <font inherit/inherit;;#2980b9;;inherit>@gmail.com</font> ** \\ |
| To: **jane.dow <font inherit/inherit;;#d35400;;inherit>@cerge-ei.cz</font> ** | From: **john.doe |
| | <font inherit/inherit;;#d35400;;inherit>@cerge-ei.cz</font> ** \\ |
| | To: **jane.dow |
| | <font inherit/inherit;;#d35400;;inherit>@cerge-ei.cz</font> ** |
| |
| Such email is suspicious. Some user with an account at Gmail (johndoe2@gmail.com) set his profile to use institutional email address (john.doe@cerge-ei.cz). \\ | Such email is suspicious. Some user with an account at Gmail (johndoe2@gmail.com) set his profile to use institutional email address (john.doe@cerge-ei.cz). \\ |
| </code> | </code> |
| |
| https://en.wikipedia.org/wiki/Authenticated_Received_Chain | [[https://en.wikipedia.org/wiki/Authenticated_Received_Chain|https://en.wikipedia.org/wiki/Authenticated_Received_Chain]] |
| |
| https://dmarc.org/presentations/ARC-Overview-2016Q3-v01.pdf | [[https://dmarc.org/presentations/ARC-Overview-2016Q3-v01.pdf|https://dmarc.org/presentations/ARC-Overview-2016Q3-v01.pdf]] |
| |
| ===== Reputation databases - Blacklists ===== | ===== Reputation databases - Blacklists ===== |
| Certain sort of newsletter senders wants to track recipients clicks (to monetize and/or monitor recipient behavior) so they conceal the target URL behind their own hash. It is then undecidable whether the redirected URL is OK or not (phishing). | Certain sort of newsletter senders wants to track recipients clicks (to monetize and/or monitor recipient behavior) so they conceal the target URL behind their own hash. It is then undecidable whether the redirected URL is OK or not (phishing). |
| |
| **Example** | **Example** <font inherit/inherit;;#c0392b;;inherit>**Obfuscated/unresolvable link**:</font> If you get the newsletter from **bostonglobe.com** with links in the form [[https://bostonglobe.us11|https://bostonglobe.us11]].**list-manage.com/track/click?u=90f9e490a86&id=0c98f5&e=e8fef** , it cannot be said what is the targeting URL. Hence the ** <font inherit/inherit;;#c0392b;;inherit>warning about uncertain content is added</font> **. |
| <font inherit/inherit;;#c0392b;;inherit>**Obfuscated/unresolvable link**:</font> If you get the newsletter from **bostonglobe.com** with links in the form [[https://bostonglobe.us11|https://bostonglobe.us11]].**list-manage.com/track/click?u=90f9e490a86&id=0c98f5&e=e8fef** , it cannot be said what is the targeting URL. Hence the ** <font inherit/inherit;;#c0392b;;inherit>warning about uncertain content is added</font> **. | |
| |
| ** <font inherit/inherit;;#27ae60;;inherit>Regular/direct link</font> **: If the newsletter from **newyorker.com** contains links in the form [[https://link|https://link]].**newyorker.com/view/5dc1b3fc91f4/03075c2d** , it may be tracked down to the target URL and **is considered safe**. | ** <font inherit/inherit;;#27ae60;;inherit>Regular/direct link</font> **: If the newsletter from **newyorker.com** contains links in the form [[https://link|https://link]].**newyorker.com/view/5dc1b3fc91f4/03075c2d** , it may be tracked down to the target URL and **is considered safe**. |
| //Added subject tag: [Suspicious - header analysis]// | //Added subject tag: [Suspicious - header analysis]// |
| |
| //Added warning text: "Deepheader analysis examines header for spam characteristics. Don't click any link unless you are certain it's legitimate.////"// | //Added warning text: "Deepheader analysis examines header for spam characteristics. Don't click any link unless you are certain it's legitimate.////"// <font inherit/inherit;;#c0392b;;inherit>Tool to examine message header (displays human-readable content):</font> [[https://mha.azurewebsites.net/|https://mha.azurewebsites.net/]] |
| <font inherit/inherit;;#c0392b;;inherit>Tool to examine message header (displays human-readable content):</font> [[https://mha.azurewebsites.net/|https://mha.azurewebsites.net/]] | |
| |
| Deepheader analysis examines the entire message header for spam characteristics. | Deepheader analysis examines the entire message header for spam characteristics. |