Analyzing Email Headers for Indications of Spoofing
Image by Pete Linforth (TheDigitalArtist) from Pixabay (www.pixabay.com)

Introduction:

Email communication is a fundamental aspect of our personal and professional lives. Every day, billions of emails are sent and received worldwide, with individuals and organizations relying on them for a myriad of purposes. However, the widespread usage of emails also makes them a common target for malicious activities, including email spoofing. Email spoofing is a deceptive tactic where an attacker sends an email appearing to come from a trusted source. This strategy is often used in phishing attacks, where the aim is to trick recipients into revealing sensitive information. Therefore, it becomes imperative for us to learn how to identify such potentially harmful emails.

Understanding Email Headers:

Email headers are often overlooked due to their complexity and because they are usually hidden from view in most email clients. However, these headers contain valuable information about the email's origin and its journey from the sender's server to the recipient's inbox. Analyzing email headers can provide crucial insights into identifying email spoofing. By demystifying email headers and understanding how to interpret them, we equip ourselves with an important tool to safeguard our online communication.

Step-by-Step Guide to Analyzing Email Headers

Disclaimer:

While the information and tools recommended in this guide can be highly effective for identifying email spoofing, it's crucial to exercise due diligence and caution at all times. Always handle sensitive information with care, especially when using online tools and/or tools which are not under your or your organization's direct control. Never input sensitive or confidential information into online tools unless you're sure they're secure and trustworthy. This is particularly crucial when analyzing a potential phishing or spam source. It's essential to respect privacy and abide by all relevant laws and regulations while conducting any kind of security analysis. Be aware that misusing information or tools can have legal consequences. Lastly, remember that while email header analysis is a valuable tool, it should be used as part of a broader strategy for combating and preventing email spoofing, phishing, and spam.

Step 1: Accessing the Email Header

To effectively analyze an email for indications of spoofing, the first critical step is to access the email header. The process to do this can vary depending on the email client or service you're using. Here are steps for a few common email clients:

Apple Mail:

  1. Open the suspicious email.
  2. Click on "View" in the menu bar at the top of the screen.
  3. Hover over "Message" in the drop-down menu.
  4. Click on "All Headers" from the side menu.

Gmail (Browser):

  1. Open the email you want to investigate.
  2. Locate the three vertical dots (More Options) next to the reply button on the top right of the email pane.
  3. Click on "Show Original" from the drop-down menu.

Microsoft Outlook:

  1. Double-click on the email to open it in a new window.
  2. Click on the "File" tab.
  3. Select "Properties" from the drop-down menu.
  4. The email header can be found in the "Internet headers" box in the Properties dialog box.

Thunderbird:

  1. Open the email you want to investigate.
  2. Click on "View" in the menu bar at the top of the screen.
  3. In the drop-down menu, hover over "Headers".
  4. In the side menu, click on "All".

Yahoo Mail:

  1. Open the email in question.
  2. Click on the "More" button (three horizontal dots) near the top right of the email.
  3. In the drop-down menu, select "View Full Header".

After following these steps, you should have a block of text starting with something like "Delivered-To:" or "Return-Path:". This is the email header, which contains all the details about the email's journey from the sender to your inbox. We'll break down how to read this information in the next steps.

If you're using an email client or service not listed here, you may need to search specifically for how to view email headers on that platform. Most modern email clients, however, do provide a way to access this information.

Step 2: Understanding the Email Header

Email headers are packed with information, but not all email headers are the same. They can contain different fields, and not all listed fields will be present in every email header. This is due to factors such as varying email clients, servers, and transit paths. So while understanding each field is beneficial, don't be concerned if some fields are missing in the header you are analyzing.

Authentication-Results

This field contains the results of authentication checks such as SPF, DKIM, and DMARC.

Content-Type

Specifies the type of content in the email, such as text or HTML.

Date

The date and time when the email was sent.

Delivered-To

The final recipient of the email.

DKIM-Signature

This field contains the DKIM signature of the email, which is used for email authentication.

DKIM Alignment

DKIM Alignment involves comparing the signing domain in the DKIM-Signature field (d=domain.com) with the domain in the "From" field. If they don't match, it suggests potential spoofing.

DKIM Authentication

DKIM Authentication verifies the DKIM Signature field (b= .......) to ensure that the email has not been tampered with.

From

The sender of the email. Be aware that this can easily be spoofed.

Message-ID

A unique identifier for the email.

Received

Tracks the path an email took. There can be multiple entries as the email traverses multiple servers.

Received-SPF

Shows the result of SPF checks.

Reply-To

Indicates the address that should receive replies to the email.

Return-Path

The bounce address, which indicates where non-delivery receipts (or bounce messages) should be sent.

Subject

The subject line of the email.

X-Priority

This is an optional field indicating the priority of the email. Values can range from 1 (Highest) to 5 (Lowest), with 3 being the default.

Step 3: Understanding ARC Headers

Authenticated Received Chain (ARC) is a crucial email authentication system that provides an encrypted standard for tracing the path of an email message from its origin to its destination. It enables a sequence of trusted intermediaries to share information about message authentication assessments.

Understanding ARC is fundamental as it helps preserve the email authentication results across all the intermediaries in the email delivery chain. This is particularly valuable when a message goes through multiple "hops" where the DKIM signature may be broken, but the ARC chain remains unbroken, helping to verify the message's authenticity.

Each component of the email header serves a unique purpose in preventing email spoofing, and ARC headers play a crucial role in this process. In this step, we will discuss the structure of ARC headers and their importance in analyzing email headers.

ARC-Authentication-Results

The ARC-Authentication-Results header contains the email authentication results, including SPF, DKIM, and DMARC, as seen by that intermediary.

ARC-Message-Signature

The ARC-Message-Signature is a DKIM-like signature that encapsulates a snapshot of the message header information.

ARC-Seal

The ARC-Seal contains a signature over the ARC-Message-Signature and ARC-Authentication-Results headers of that instance and of all earlier instances, which is what binds the chain together.
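As an added example (not code from the original article), the following Python groups the three ARC headers by instance number and applies the structural rules a receiver checks before trusting the chain: instances must be contiguous from i=1, every instance needs all three headers, the first seal carries cv=none and every later seal cv=pass. It does not verify the signatures themselves; the sample header block and its domain names are constructed for illustration.

```python
import email
import re

# Constructed sample (not a real message): forwarded twice. Hop 1 saw SPF, DKIM
# and DMARC pass; hop 2 (a mailing list) broke them but sealed hop 1's results.
SAMPLE = """\
ARC-Seal: i=2; a=rsa-sha256; t=1704106800; cv=pass; d=list.example.org; s=arc;
 b=c2VhbDI=
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=list.example.org;
 s=arc; h=from:to:subject; bh=aGVsbG8=; b=bXNnMg==
ARC-Authentication-Results: i=2; list.example.org; spf=fail smtp.mailfrom=sender.example.com;
 dkim=fail header.d=sender.example.com; dmarc=fail
ARC-Seal: i=1; a=rsa-sha256; t=1704103200; cv=none; d=forwarder.example.net; s=arc;
 b=c2VhbDE=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=forwarder.example.net;
 s=arc; h=from:to:subject; bh=aGVsbG8=; b=bXNnMQ==
ARC-Authentication-Results: i=1; forwarder.example.net; spf=pass smtp.mailfrom=sender.example.com;
 dkim=pass header.d=sender.example.com; dmarc=pass
From: news@sender.example.com
Subject: Weekly digest
"""

ARC_HEADERS = ("ARC-Seal", "ARC-Message-Signature", "ARC-Authentication-Results")

def parse_tags(value):
    """Split a 'k=v; k=v' header value into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        key, sep, val = part.strip().partition("=")
        if sep and " " not in key:          # skips tokens such as the authserv-id
            tags[key] = "".join(val.split())
    return tags

def auth_results(value):
    """Extract the spf/dkim/dmarc verdicts from an Authentication-Results value."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value))

def arc_chain(raw):
    """Group the ARC headers of a raw header block by their instance number i."""
    msg = email.message_from_string(raw)
    chain = {}
    for name in ARC_HEADERS:
        for value in msg.get_all(name, []):
            inst = int(parse_tags(value).get("i", 0))
            chain.setdefault(inst, {})[name] = value
    return chain

def validate_arc(raw):
    """Return (status, detail); status is 'none', 'pass' or 'fail'."""
    chain = arc_chain(raw)
    if not chain:
        return "none", {"reason": "no ARC headers"}
    instances = sorted(chain)
    if instances != list(range(1, len(instances) + 1)):
        return "fail", {"reason": f"non-contiguous instances {instances}"}
    for i in instances:
        missing = [h for h in ARC_HEADERS if h not in chain[i]]
        if missing:
            return "fail", {"reason": f"i={i} missing {missing}"}
        cv = parse_tags(chain[i]["ARC-Seal"]).get("cv")
        if cv != ("none" if i == 1 else "pass"):
            return "fail", {"reason": f"i={i} has cv={cv}"}
    # With the chain intact, the i=1 results are what the first hop observed.
    return "pass", {"hops": len(instances),
                    "original_auth": auth_results(chain[1]["ARC-Authentication-Results"])}
```

A real receiver only relies on the i=1 results after the seals' signatures verify against the sealers' DNS keys; this check is the structural pre-screen that precedes that step.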

Step 4: Understanding SPF, DKIM, and DMARC

Email security hinges on the effective implementation of SPF, DKIM, and DMARC - three key elements in the fight against spoofing and phishing.

Before delving into these, it's crucial to understand SMTP (Simple Mail Transfer Protocol), the main protocol used for sending emails. SMTP defines how mail servers connect, communicate, and ultimately move email data from one point to another. During the SMTP transaction, one critical command is 'MAIL FROM', which defines the envelope sender or return path. This is used for sending bounce messages and is often the target of spoofing attacks.

Now, back to SPF, DKIM, and DMARC. These are essential email authentication mechanisms, and understanding them is crucial for identifying email spoofing.

SPF

SPF (Sender Policy Framework) is a method used by receiving mail servers to verify that incoming email from a domain was sent by a host authorized by that domain's administrators.

DKIM

DKIM (DomainKeys Identified Mail) is a method for validating the authenticity of an email message. It uses a digital signature linked back to a domain name to verify that the message was not modified in transit.

DMARC

DMARC (Domain-based Message Authentication, Reporting and Conformance) is a protocol that uses SPF and DKIM to determine the authenticity of an email message. DMARC requires both SPF and DKIM to fail before it acts on a message.

Step 5: Analyzing Key Header Fields

This step involves the careful examination of the key fields in the email header, to detect email spoofing. Each field carries unique information about the email and its journey. Here are some of the key fields and what they represent.

Authentication-Results

This field contains the results of SPF, DKIM, and DMARC checks. It provides information on how well the email conforms to domain-based security policies.

Content-Type

The Content-Type specifies the MIME type of the content in the email, such as text/plain, text/html, etc. This information may be useful in cases where malicious content types are utilized.

Date

The date and time when the email was sent. Large discrepancies between this and the Received fields' timestamps may indicate suspicious activity.

Delivered-To

Delivered-To specifies the final recipient of the email. Anomalies in this field might suggest BCCing or indirect delivery paths.

DKIM-Signature

This field holds the DKIM signature of the email. It is a means of verifying if an email was indeed sent by the listed sender and that it wasn't modified in transit. An invalid DKIM signature could be a sign of tampering or spoofing.

DKIM Alignment

Compare the signing domain in the DKIM-Signature field (d=domain.com) with the domain in the "From" field. If they don't match, it suggests potential spoofing.

DKIM Authentication

If the DKIM Signature field (b= .......) isn't verified, it may mean that the email has been tampered with.

From

This header displays the name and email address the message claims to be sent from.

Note that spoofed emails often manipulate this field to appear to come from a known source.

Message-ID

The Message-ID is a globally unique identifier for the email, which is set by the server sending the message. A mismatch between the domain in the Message-ID and the rest of the header may suggest spoofing. Check the "Message-ID:" field for any discrepancy with the "From" field.

Received

This field is added by each mail server in the delivery chain, and it traces the path an email took. You can read them in reverse order to trace the email's journey. A suspicious Received field could suggest the email was rerouted maliciously. Check for multiple "Received from:" fields.

Received-SPF

Received-SPF shows the result of the SPF check, i.e., if the sending server is authorized by the domain of the sender's email address. A 'fail' result here may indicate spoofing.

Reply-To

This is the email address that will be used when the recipient clicks 'reply'. If it is different from the From field, it could be a sign of a scam.

Return-Path

This is the email address where bounces are sent. If it differs from the From address, it could be a sign of spoofing, but there are legitimate reasons for this discrepancy. Check for mismatched "Return-Path:" and "From:" fields.

SPF Alignment

If the "Return-Path" and "From" domains aren't the same, the SPF alignment may be flagged as FAIL, indicating potential spoofing.

SPF Authentication

If SPF authentication fails, it suggests that the sender's IP isn't authorized to send emails on behalf of the claimed domain.

Subject

The subject line of the email. It's not often used for analysis, but drastic differences between the subject and the email's content could indicate phishing or other malicious emails.

X-Priority

This is an optional field indicating the priority of the email. Values can range from 1 (Highest) to 5 (Lowest), with 3 being the default. This field

Additionally, pay close attention to the "From" field. The visible name might be someone you know, but the associated email address may be different, suggesting potential spoofing.
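As an added example (not code from the original article), the Python below applies the Step 4 and Step 5 checks to a raw header block: it reads the Authentication-Results verdicts, tests SPF alignment (Return-Path domain against From domain), DKIM alignment (d= tag against From domain), Reply-To and Message-ID domain mismatches, a display name that is itself an address at a different domain, and derives a DMARC-style verdict that passes only if an aligned SPF or aligned DKIM check passed. The header block, addresses and domains are constructed placeholders.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample (not a real message): the visible From domain differs from
# the bounce address, the DKIM d= domain, the Reply-To address and the Message-ID.
SAMPLE_HEADER = """\
Delivered-To: victim@example.org
Return-Path: <bounce@mailer.example.net>
Received: from mx.mailer.example.net (mx.mailer.example.net [203.0.113.5])
 by mail.example.org with ESMTPS; Mon, 01 Jan 2024 10:00:00 +0000
Authentication-Results: mail.example.org; spf=pass smtp.mailfrom=mailer.example.net;
 dkim=pass header.d=mailer.example.net; dmarc=fail header.from=bank.example.com
DKIM-Signature: v=1; a=rsa-sha256; d=mailer.example.net; s=sel; h=from:to;
 bh=aGVsbG8=; b=c2lnbmF0dXJl
From: "Trusted Bank" <alerts@bank.example.com>
Reply-To: support@mailer.example.net
Message-ID: <20240101100000.123@mailer.example.net>
Subject: Urgent: verify your account
"""

def domain_of(value):
    """Lower-cased domain of an address (or Message-ID) header value, or ''."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def dkim_tag(signature, tag):
    """Value of one tag (for example d=) in a DKIM-Signature header value."""
    match = re.search(rf"(?:^|;)\s*{tag}=([^;\s]+)", signature or "")
    return match.group(1) if match else ""

def analyze_header(raw):
    """Run the alignment checks over a raw header block and return the findings."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rpartition("@")[2].lower()
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                           msg.get("Authentication-Results", "")))
    f = {
        "from_domain": from_dom,
        "auth": auth,
        # SPF alignment: bounce address (MAIL FROM) domain vs visible From domain
        "spf_aligned": domain_of(msg.get("Return-Path")) == from_dom,
        # DKIM alignment: signing domain d= vs visible From domain
        "dkim_aligned": dkim_tag(msg.get("DKIM-Signature"), "d").lower() == from_dom,
        "reply_to_mismatch": bool(msg.get("Reply-To"))
                             and domain_of(msg.get("Reply-To")) != from_dom,
        "message_id_mismatch": domain_of(msg.get("Message-ID")) != from_dom,
        # Display name that is itself an address at another domain
        "display_name_foreign": "@" in name
                                and name.rpartition("@")[2].lower() != from_dom,
    }
    # DMARC-style verdict: at least one aligned mechanism must have passed
    f["dmarc_pass"] = ((auth.get("spf") == "pass" and f["spf_aligned"])
                       or (auth.get("dkim") == "pass" and f["dkim_aligned"]))
    return f
```

Every finding here is a signal to weigh, not a verdict: a marketing platform legitimately produces a Return-Path mismatch, so the aligned-DKIM result and the Received chain decide the case.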

Step 6: Understanding SCL and BCL Scores

SCL (Spam Confidence Level) and BCL (Bulk Complaint Level) scores can indicate the likelihood that an email is spam or grey mail. Emails with higher SCL or BCL values are more likely to be spam and are more likely to be automatically filtered into Junk or Quarantine folders.

Spam Confidence Level (SCL)

The SCL is a score that Exchange Online assigns to a message as part of the processing of mail. This score is stored in the SCL property of a message and is used to determine what to do with the message. The SCL score determines if a message should be marked as spam or not.

The SCL score is a number from -1 to 9. A high value (e.g. 9) suggests that the message is very likely to be spam. A lower value (e.g. 0 or 1) suggests that the message is unlikely to be spam. A special value of -1 is used for messages that are considered absolutely safe, such as those from internal senders in an organization.

Bulk Complaint Level (BCL)

The BCL is a measure of the probability that the recipient will complain about the email. It is similar to the SCL but is specifically geared towards bulk mail. The BCL is calculated using several data points, including the reputation of the sender and the feedback from recipients about previous emails from that sender.

The BCL score ranges from 0 to 9, similar to the SCL. A low BCL score (e.g., 0 or 1) suggests the recipient is unlikely to complain about the email, whereas a high BCL score (e.g., 9) suggests the recipient is very likely to complain.

Both of these scores are calculated based on a variety of factors, including the sender's IP reputation, the content of the email, the subject line, the presence of attachments, and more. Depending on these scores, messages might be directed to the recipient's inbox, the spam folder, or may be blocked entirely.

It's important to mention that these scores are part of a more complex filtering process that also considers many other factors to determine the final disposition of a message. For instance, users can set up custom filtering rules that could override the default behavior based on the SCL and BCL scores.

As email systems continue to evolve, these scores and their calculations may also evolve to improve spam and bulk email detection accuracy.

Step 7: Email Body Analysis

This step involves looking beyond the email header and analyzing the content of the email itself — specifically, the sender, the subject, the body of the email, and any embedded URLs or attachments.

Sender and Subject

Check the subject of the email to understand what it is about. Compare this to the sender information — is it a match, or is it suspicious?

You can check the sender domain with tools like:

DomainTools

The DomainTools Iris Investigate product provides comprehensive data about a domain, including current and historical domain registration records, server information, and a risk score.

MX Toolbox

MX Toolbox is a free tool that provides a comprehensive analysis of domains including a DNS check, blacklist check, SMTP diagnostics, and more.

Urlscan.io

Urlscan.io is a free service to scan and analyze web pages and their associated domains. It provides insights on various aspects like associated IPs, web technologies in use, the webpage's behavior, and more.

VirusTotal

VirusTotal provides a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware. It includes a feature to analyze URLs, which can give you information about the domain in question.

WHOIS Lookup

Several online services provide free WHOIS lookup. This service provides information about who registered a domain, their contact information, when it was registered, when it expires, where the DNS is hosted, and more.

Examples include ICANN WHOIS and Whois.net.

Analyzing the email content

Analyze the tone and content of the email body. Phishing emails often create a sense of urgency or use fear tactics to encourage the recipient to act without thinking.

Handling embedded URLs or attachments

If there are any links (URLs) or attachments embedded in the email, be very careful not to interact with them directly. Instead, extract the URL or attachment by copying it (Right-click -> Copy Hyperlink / Copy) and paste it to test in a sandbox environment like:

Any.Run

An interactive online malware analysis sandbox, Any.Run lets you investigate suspicious files or URLs in a secure and isolated environment. You can observe malicious behaviors, network interactions, and changes made to a system in real time.

Hybrid Analysis

Hybrid Analysis is a powerful, free-to-use sandbox service provided by CrowdStrike. This service uses Falcon, CrowdStrike's proprietary, AI-powered platform, to generate detailed reports about a submitted file's behavior.

Joe Sandbox

Offers a free tier of their deep malware analysis tool. Joe Sandbox detects and analyzes potential malicious files and URLs, providing comprehensive and detailed analysis reports.

Windows Sandbox

If you're running Windows 10 Pro, Enterprise, or Education, you can use Windows Sandbox. It's a lightweight virtual machine built into Windows that lets you run potentially unsafe software in isolation from your main system.

Or a dedicated online URL scanner such as:

Sucuri SiteCheck

Sucuri SiteCheck is a free website security scanner. While primarily focused on scanning websites for malware and vulnerabilities, it also offers a URL scanning feature. You can use it to check the reputation of a URL and identify potential threats.

URL Risk Analyzer

URL Risk Analyzer is a free tool provided by Zscaler. It analyzes URLs and provides insights into potential security risks associated with the website. It checks for indicators of phishing, malware, and other malicious activities.

URLVoid

URLVoid is a free online service that allows you to scan a URL and check its reputation across multiple security databases. It provides information about potential threats, blacklisting status, and other security-related details associated with the URL.

Urlscan.io

Urlscan.io is a free service to scan and analyze web pages and their associated domains. It provides insights on various aspects like associated IPs, web technologies in use, the webpage's behavior, and more.

VirusTotal

VirusTotal provides a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware. It includes a feature to analyze URLs, which can give you information about the domain in question.

Remember, always perform these actions in a secure environment, and never on a live production network or on your main computer system.

In addition, you can use the "Inspect Element -> Network" option in your web browser to examine any redirected URL activity and understand the real intent of the Base/original URL.

Step 8: Utilizing Online Tools

While manual analysis of email headers can be insightful, there are also various online tools available that can simplify and automate this process. These tools can parse the headers and provide a human-readable form of the information, which can be especially useful when dealing with complex or multiple headers. Here are a few recommended tools:

MXToolBox

This is a popular tool that provides a free header analyzer. It interprets the email headers and returns an easy-to-read report, making it simpler to identify potential issues.

Google Admin Toolbox Messageheader

This tool by Google is also effective at analyzing email headers. It provides a simple user interface where you can paste your header for analysis.

WhatIsMyIP.com Email Header Analyzer

This tool parses the email header and displays the hops an email takes as it traverses the internet.

Remember, each of these tools can offer different insights, so it might be beneficial to use more than one when analyzing suspicious emails.

More articles by Marcus Burkert