- By monitoring the e-mail delivery and inspecting the e-mail headers
- Information that can be collected includes:
  - IP address of the recipient
  - Geolocation of the recipient
  - Delivery information
  - Visited links
  - Browser and OS information
  - Reading time
- E-mails can be tracked using various e-mail tracking tools
  - E.g. a tool notifies the sender when the e-mail has been delivered to and opened by the recipient
  - Used by marketers, sellers etc.
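The tracking techniques listed above all depend on the mail client fetching a remote image or following an instrumented link. As an added example (not part of the original notes), the following Python script scans an HTML e-mail body for open-tracking beacons (1x1 or CSS-hidden images, identifier query parameters) and for click-tracking redirectors, the way a mail gateway or a privacy add-on would flag them before the client loads remote content. The HTML body, the domains and the parameter names in `TRACKING_PARAMS` are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed HTML body of a marketing-style e-mail (not taken from any real message).
SAMPLE_HTML = """
<html><body>
<p>Hi Bob, here is the report you asked for.</p>
<img src="https://cdn.example.com/logo.png" width="200" height="60" alt="logo">
<img src="https://track.example.net/open?uid=7f3a&amp;cid=42" width="1" height="1" style="display:none">
<a href="https://track.example.net/click?uid=7f3a&amp;url=https%3A%2F%2Fexample.com">Open report</a>
</body></html>
"""

# Query parameter names commonly used to identify the recipient (assumed list, extend as needed).
TRACKING_PARAMS = {"uid", "cid", "mid", "rid", "utm_source", "utm_campaign"}


class _ImgLinkCollector(HTMLParser):
    """Collects <img> attribute dicts and <a href> values from an HTML document."""

    def __init__(self):
        super().__init__()
        self.images = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img":
            self.images.append(attrs)
        elif tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])


def _is_tiny(value):
    """True for width/height attributes of 1px or less (classic tracking-pixel size)."""
    try:
        return int(str(value).strip().rstrip("px")) <= 1
    except ValueError:
        return False


def find_tracking_images(html):
    """Return a list of (src, reasons) for <img> tags that look like open-tracking beacons."""
    parser = _ImgLinkCollector()
    parser.feed(html)
    hits = []
    for img in parser.images:
        src = img.get("src", "")
        reasons = []
        if _is_tiny(img.get("width")) and _is_tiny(img.get("height")):
            reasons.append("1x1 pixel")
        style = img.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        # Recipient identifiers in the image URL tie the fetch to one particular message.
        ids = TRACKING_PARAMS.intersection(parse_qs(urlparse(src).query))
        if ids:
            reasons.append("identifier params: " + ",".join(sorted(ids)))
        if reasons:
            hits.append((src, reasons))
    return hits


def find_redirect_links(html):
    """Return (href, destination) pairs for links whose query carries the real target URL."""
    parser = _ImgLinkCollector()
    parser.feed(html)
    out = []
    for href in parser.links:
        query = parse_qs(urlparse(href).query)
        for dest in query.get("url", []) + query.get("u", []) + query.get("redirect", []):
            if dest.startswith(("http://", "https://")):
                out.append((href, dest))
    return out


if __name__ == "__main__":
    for src, reasons in find_tracking_images(SAMPLE_HTML):
        print("tracking image:", src, "->", "; ".join(reasons))
    for href, dest in find_redirect_links(SAMPLE_HTML):
        print("click tracker:", href, "-> really goes to", dest)
```

On the constructed body the logo passes (normal size, no identifiers), while the second image is flagged on all three signals and the link is reported as a redirector whose real destination is hidden in the `url` parameter. In practice the same checks run before remote content is fetched; blocking the fetch is what stops the sender from learning the IP, client and read time listed above.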
## Email header analysis

- Helps determine whether an e-mail contains something malicious
- E-mail headers include:
  - Sender's name
  - IP/e-mail address of the sender
  - Mail server
  - Mail server authentication system
  - Send and delivery time stamps
  - Unique number of the message
- Authentication protocol headers
  - Allow you to detect forged sender addresses.
  - The goal is for the sender to identify itself to the receiver.
  - E-mail headers include information about the pass status of each protocol:
  - SPF: Sender Policy Framework
    - E.g. `PASS` with IP 209.85.220.69, or `NEUTRAL` ...
    - Verifies whether the sending server is authorized to send e-mail for the e-mail's domain.
    - If the check is not passed, many e-mail providers simply block the message.
    - Based on e-mail domains publishing records that say "here are the IP addresses we will send e-mails from".
  - DKIM: DomainKeys Identified Mail
    - E.g. `PASS` with domain accounts.google.com
    - Allows the receiver to verify that an e-mail claimed to have come from a specific domain was authorized by the owner of that domain, using a digital signature tied to the domain.
  - DMARC: Domain-based Message Authentication, Reporting and Conformance
    - E.g. `PASS` or `FAIL`
    - Combination of two protocols: SPF + DKIM
    - It builds on them and adds policy on top.
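To make the header fields above concrete, here is an added Python example (not from the original notes) that parses the `Authentication-Results`, `Received` and `From` headers of a raw message, extracts the SPF/DKIM/DMARC verdicts, finds the first external hop in the `Received` chain, and checks whether the SPF and DKIM domains align with the `From` domain, which is the check DMARC performs. The message, its addresses and IPs are constructed; 203.0.113.25 is from the RFC 5737 documentation range and stands in for a public address, and the `method=result` regex covers the common RFC 8601 layout, though real providers vary in how they format this header.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed raw message (headers only). Domains, IPs and IDs are illustrative.
# Note the mismatch: SPF and DKIM pass for example-sender.com, but From claims example-bank.com.
RAW_MESSAGE = """Return-Path: <bounce@mail.example-sender.com>
Received: from mx-in.example.org ([10.0.0.5]) by inbox.example.org with ESMTPS; Tue, 4 Jun 2024 09:12:01 +0000
Received: from smtp.example-sender.com (smtp.example-sender.com [203.0.113.25]) by mx-in.example.org with ESMTPS id abc123; Tue, 4 Jun 2024 09:12:00 +0000
Authentication-Results: mx-in.example.org; spf=pass (sender IP is 203.0.113.25) smtp.mailfrom=example-sender.com; dkim=pass header.d=example-sender.com; dmarc=fail (p=reject) header.from=example-bank.com
From: "Example Bank" <alerts@example-bank.com>
To: bob@example.org
Subject: Your statement
Message-ID: <20240604091200.1234@smtp.example-sender.com>
Date: Tue, 4 Jun 2024 09:11:58 +0000

Body here.
"""

# Address ranges treated as the receiving organisation's own infrastructure when walking hops.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def _is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_authentication_results(msg):
    """Map spf/dkim/dmarc to their verdict and to the domain each method was evaluated against."""
    header = msg.get("Authentication-Results", "")
    results = {m: v.lower() for m, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header)}
    for method, pattern in (("spf", r"smtp\.mailfrom=([\w.@-]+)"),
                            ("dkim", r"header\.d=([\w.-]+)"),
                            ("dmarc", r"header\.from=([\w.-]+)")):
        m = re.search(pattern, header)
        if m:
            # smtp.mailfrom may be a full address on some gateways; keep only the domain part.
            results[method + "_domain"] = m.group(1).rpartition("@")[2].lower()
    return results


def originating_ip(msg):
    """Walk Received headers from the earliest hop upward; return the first non-internal IP."""
    received = msg.get_all("Received") or []
    for hop in reversed(received):  # the last Received header in the message is the first hop
        for ip in re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hop):
            if not _is_internal(ip):
                return ip
    return None


def from_domain(msg):
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def analyze_headers(raw):
    """Build a small report: verdicts, origin IP and DMARC-style alignment against From."""
    msg = message_from_string(raw)
    auth = parse_authentication_results(msg)
    fd = from_domain(msg)

    def aligned(domain):  # relaxed alignment: same domain or a subdomain of the From domain
        return bool(domain) and (domain == fd or domain.endswith("." + fd))

    report = {
        "from_domain": fd,
        "origin_ip": originating_ip(msg),
        "spf": auth.get("spf"),
        "spf_aligned": aligned(auth.get("spf_domain", "")),
        "dkim": auth.get("dkim"),
        "dkim_aligned": aligned(auth.get("dkim_domain", "")),
        "dmarc": auth.get("dmarc"),
    }
    passed_and_aligned = (report["spf"] == "pass" and report["spf_aligned"]) or \
                         (report["dkim"] == "pass" and report["dkim_aligned"])
    report["verdict"] = "ok" if report["dmarc"] == "pass" and passed_and_aligned else "suspicious"
    return report


if __name__ == "__main__":
    for key, value in analyze_headers(RAW_MESSAGE).items():
        print(f"{key:13} {value}")
```

The constructed message shows why a bare `spf=pass` is not enough: SPF and DKIM both pass, but for `example-sender.com`, not for the `From` domain `example-bank.com`, so neither is aligned and DMARC fails. That is exactly the pattern of a message sent through a legitimate third-party server with a forged display domain, and it is what the DMARC line in a header is summarising.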
## Verifying email legitimacy

- Double-check `FROM`
  - Check the spelling of the domain name so you know it is coming from the company's domain.
  - If it is a random e-mail address, check whether it is from one of the biggest domain providers or something legitimate.
- Check the IP of the domain
  - It can be someone's computer (home router IP) or a private server.
  - Major mail service providers check whether the domain of the e-mail is tied to the source IP of the e-mail (e.g. has a record).
  - 🤗 You can tie a public Wi-Fi (e.g. coffee shop) IP to a domain and send the e-mails from there.
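"Check the spelling of the domain name" is easy to say and easy to get wrong by eye, so here is an added Python example (not from the original notes) of the check done programmatically: a sender domain is compared against a list of trusted domains and classified as trusted, a genuine subdomain, a homoglyph look-alike (`1` for `l`, `rn` for `m`), a trusted domain embedded in a longer hostname, or a typosquat within two edits. The trusted list and the `CONFUSABLES` map are assumptions for the example; the map is a small hand-picked subset, not the full Unicode confusables table.

```python
import unicodedata

# Assumed allow-list of domains the organisation expects mail from (constructed for the example).
TRUSTED_DOMAINS = ["example-bank.com", "google.com"]

# Hand-picked look-alike substitutions; order matters only in that multi-char ones come last.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s",
               "rn": "m", "vv": "w"}


def normalize(domain):
    """Lower-case, strip accents and collapse common confusables so look-alikes compare equal."""
    d = unicodedata.normalize("NFKC", domain.strip().lower().rstrip("."))
    d = "".join(c for c in unicodedata.normalize("NFKD", d) if not unicodedata.combining(c))
    for src, dst in CONFUSABLES.items():
        d = d.replace(src, dst)
    return d


def levenshtein(a, b):
    """Edit distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(domain, trusted):
    """Return (category, matched_trusted_domain_or_None)."""
    raw = domain.strip().lower().rstrip(".")
    # Exact or genuine-subdomain matches are decided on the raw string, never the normalized one,
    # otherwise a homoglyph that normalizes to the trusted name would be waved through.
    for t in trusted:
        t_raw = t.lower()
        if raw == t_raw:
            return ("trusted", t)
        if raw.endswith("." + t_raw):
            return ("trusted-subdomain", t)
    norm = normalize(raw)
    for t in trusted:
        tn = normalize(t)
        if norm == tn or norm.endswith("." + tn):
            return ("homoglyph-lookalike", t)
        # e.g. example-bank.com.evil-login.net: the trusted name is a prefix, the real domain differs
        if norm.startswith(tn + ".") or ("." + tn + ".") in norm:
            return ("embedded-lookalike", t)
        if levenshtein(norm, tn) <= 2:
            return ("typosquat-lookalike", t)
    return ("unrelated", None)


if __name__ == "__main__":
    for candidate in ("example-bank.com", "mail.example-bank.com", "examp1e-bank.com",
                      "exarnple-bank.com", "example-bank.com.evil-login.net",
                      "exampel-bank.com", "unrelated-shop.org"):
        print(f"{candidate:35} {classify_sender_domain(candidate, TRUSTED_DOMAINS)}")
```

The domain to feed in is the one from the `From` header (and, separately, the `Return-Path`); a result other than `trusted` or `trusted-subdomain` for a domain that claims to be the company is the signal the note above is asking you to spot by eye. The edit-distance threshold of 2 is a tuning choice: short trusted names will produce more near-misses and may need a threshold of 1.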
## E-mail policies

- Different e-mail service providers have different policies regarding their SMTP.
  - 💡 Once a hacker recognizes the e-mail servers, he/she can create accounts there and send e-mails back and forth to figure out what the rules are.
  - E.g. Google does not allow you to see the IP address of the sender.
    - They proxy it behind one of their servers.
    - Workarounds are not so efficient.
- Each has its own rule list
  - Determines e.g. what kind of files can be sent
## Getting an IP address from an e-mail

- You can then get the IP and a lot more from browser headers, including
  - browser information, OS info, device types
- Revealing your IP is not safe, as even home routers have pretty static IP addresses
  - Leases usually last 30 days, up to 3 months
  - 💡 You can still release the DHCP lease in your home router settings to get a new IP from the ISP.
- You can send an image served from a back-end server that you own
  - Some e-mail providers fetch it on the user's behalf and hide the user's IP
- You can send a direct link
  - No e-mail provider can protect you from that
  - 🤗 Can be done through social engineering, e.g.
    - You know from social media that Bob was celebrating yesterday. You send an e-mail stating "Hi Bob, crew and I had a great time last night, you're never going to guess what Sam did in the toilet, threw himself up, check out his pictures"
  - E.g.
    - Install Apache: `yum install httpd`
    - Start Apache: `systemctl start httpd`
    - Create a file: `cd /var/www/html/` then `touch <RESOURCE_NAME>`