Guide to Spam/Spoofed Email Analysis

Spam email is unsolicited, unwanted junk email sent in bulk to an indiscriminate recipient list. Typically, spam is sent for commercial purposes. However, it can also be sent in massive volume by botnets (networks of infected computers) to overwhelm a mail server or lock a user out of their mailbox.

Spam email can be dangerous. It can carry malicious links or attachments that infect your computer with malware. Dangerous spam emails often sound urgent, so you feel the need to act. Phishing spam tries to get you to give up your bank details so that fraudsters can withdraw money or steal your identity. Spam emails can also lead to the unintentional installation of spyware or ransomware on your PC!

However, you can check for yourself whether an email is spam or spoofed. Below are the signs and clues in the message headers that help you ascertain whether an email is legitimate or not.

The Checks

Check the email header for these signs (in Gmail, open the message menu and choose ‘Show original’ to see the raw headers together with the SPF/DKIM/DMARC summary used below):

1. SPF, DKIM, DMARC Status

Look for “PASS” in all three fields, and check that the domain shown in the DKIM line is the same domain as the visible From: address of the email. SPF validates the bounce (Return-Path) address, which can legitimately belong to a mailing provider rather than the From: domain, so DMARC is the result that ties the two back to the From: domain. Any FAIL, SOFTFAIL or error in any of these three fields should raise doubt. A legitimate email header summary should look like the one shown below:

Subject: Transaction alert for your ICICI Bank credit card
SPF: PASS with IP 203.27.235.122
DKIM: ‘PASS’ with domain icicibank.com
DMARC: ‘PASS’

Further, check that the IP shown in the SPF line belongs to the domain shown in DKIM. In the above case, IP 203.27.235.122 should be a mail server of icicibank.com. A reverse DNS lookup (for example `host 203.27.235.122` or `dig -x 203.27.235.122`) shows that 203.27.235.122 resolves to mlxmail4.icicibank.com, which is good news!

A spam/spoofed email header summary may look like the one shown below:

Subject: US Unlocked is Running a Giveaway!
SPF: PASS with IP 135.84.83.3
DKIM: FAIL with domain usunlocked.com
DMARC: FAIL

In this example, the IP 135.84.83.3 resolves to senderb3.zcsend.net (reverse DNS), while the domain in the DKIM line is usunlocked.com. The DKIM check could not find the signing key: the full header, shown further below, reports dkim=temperror (no key for signature) for selector 24923 at usunlocked.com, so the DKIM verdict is FAIL. SPF passed, but for zcsend.net, which does not match the From: domain usunlocked.com. With neither SPF nor DKIM aligned to the From: domain, DMARC fails as well.

2. ‘Received:’ field

The ‘Received:’ header fields are the most important for tracking the origin of an email. They usually have the syntax

Received: from XXX by YYY via ZZZ with AAA id BBB for CCC; date-time

where ‘from’, ‘by’, ‘via’, ‘with’, ‘id’ and ‘for’ are tokens followed by their values, all inside a single header value that may span several folded lines. Every time an email passes through another mail server, that server adds a new ‘Received’ header at the top of the header list. This means that as we read the ‘Received’ headers from top to bottom, we move step by step closer to the sender. One caveat: only the ‘Received’ lines written by your own provider’s servers (here mx.google.com) can be trusted; everything below them was written on the sender’s side and can be forged by a spammer, so the chain is a story to cross-check, not proof. Consider the ‘Received:’ headers of the email shown below:

Third Hop: Received: from mlxmail4.icicibank.com (mlxmail4.icicibank.com. [203.27.235.122]) by mx.google.com with ESMTPS id t3si9531442pgg.54.2020.05.23.06.02.07 for <example@gmail.com> (version=TLS1_2 cipher=AES128-GCM-SHA256 bits=128/128); Sat, 23 May 2020 06:02:08 -0700 (PDT)

Second Hop: Received: from MLXMASSSMTP01.icicibank.com () by mlxmail4.icicibank.com with ESMTP id 04ND26aK019502 for <EXAMPLE@GMAIL.COM>; Sat, 23 May 2020 18:32:06 +0530 (IST)

First Hop: Received: from HYDIOPTAPPFB () by MLXMASSSMTP01.icicibank.com with ESMTP id 04ND26hH021619 for <EXAMPLE@GMAIL.COM>; Sat, 23 May 2020 18:32:06 +0530

Now, we are most interested in the first hop, as it gives an idea of the originating point of the email. In this example, the message was received from a host identifying itself as HYDIOPTAPPFB by the mail server MLXMASSSMTP01.icicibank.com; the empty parentheses mean the receiving server recorded no IP address or reverse DNS name for it, which is normal for a hop inside the sender’s own network. If an IP address is shown in the parentheses, trace it (reverse DNS, WHOIS) to find its source. The timestamp 18:32:06 +0530 suggests the email originated in a +0530 time zone, i.e. India or Sri Lanka, and the second hop labels it IST explicitly. Time zone offsets come from the sending server’s own clock settings, so treat them as supporting evidence rather than proof.

In the second hop, mail server MLXMASSSMTP01.icicibank.com hands the mail to mlxmail4.icicibank.com, whose IP, as shown in the third hop, is 203.27.235.122. This is the same IP that passed the SPF check in the header summary, and we have already seen that a reverse lookup of this IP gives mlxmail4.icicibank.com. The chain is consistent end to end, so the email is valid and the sender is the legitimate sender of this email.

Comparing with a spam Received header:

Let us look at a spam email’s Received headers and analyse the details shown:

Second Hop: Received: from senderb3.zcsend.net (senderb3.zcsend.net. [135.84.83.3]) by mx.google.com with ESMTPS id k2si984452edh.267.2020.04.30.21.41.38 for <example@gmail.com> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 30 Apr 2020 21:41:38 -0700 (PDT)

Received-SPF: pass (google.com: domain of bounce_708883333+a.18fa5ff4741ca67e_139dbe335f75e_v1@zcsend.net designates 135.84.83.3 as permitted sender) client-ip=135.84.83.3;
Authentication-Results: mx.google.com;
 dkim=temperror (no key for signature) header.i=@usunlocked.com header.s=24923 header.b="BIe/jmtt";
 spf=pass (google.com: domain of bounce_708883333+a.18fa5ff4741ca67e_139dbe335f75e_v1@zcsend.net designates 135.84.83.3 as permitted sender) smtp.mailfrom=bounce_708883333+a.18fa5ff4741ca67e_139dbe335f75e_v1@zcsend.net;
 dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=usunlocked.com

First Hop: Received: from 172.30.235.68 (172.30.235.68) by senderb3.zcsend.net id hlek8422174g for <example@gmail.com>; Thu, 30 Apr 2020 21:18:11 -0700
(envelope-from <bounce_708883333+a.18fa5ff4741ca67e_139dbe335f75e_v1@zcsend.net>)

Here, the email was received from IP 172.30.235.68 by the mail server senderb3.zcsend.net. That address lies in the private range 172.16.0.0/12 (RFC 1918) and is not routable on the Internet, so it cannot be traced from outside. It is an internal host on the sending provider’s own network, the system that generated the campaign message and handed it to senderb3.zcsend.net for delivery.

In the second hop, Gmail accepts the message from senderb3.zcsend.net at IP 135.84.83.3. SPF passes because the envelope sender (the bounce_... address) is at zcsend.net, and that domain authorises 135.84.83.3 to send for it. But the visible From: address is at usunlocked.com, and the DKIM signature claims to come from usunlocked.com (selector 24923); Gmail could not fetch that key (dkim=temperror, ‘no key for signature’), so DKIM fails. DMARC needs SPF or DKIM to pass for a domain aligned with the From: domain: SPF passed only for zcsend.net and DKIM did not pass at all, so DMARC fails (the domain’s policy is p=NONE, i.e. monitor only, which is why the message was still delivered). The timestamp 21:18:11 -0700 corresponds to Mountain Standard Time (MST) or Pacific Daylight Time (PDT), and the IP 135.84.83.3 shows the same location. So the email was genuinely relayed by zcsend.net, but nothing proves it really came from usunlocked.com: the DKIM and DMARC failures leave that unverified.

3. Delivery Time of email

Usually, the time from the moment a sender clicks ‘Send’ to the moment the email lands in the recipient’s mailbox is well under a minute. Email is typically very fast, but there are several reasons it can legitimately be delayed for hours, or perhaps even days! The second email header we analysed shows that the email left its first hop at 21:18:11 -0700. But in the header summary below, the same email is shown as delivered 1407 seconds (about 23 and a half minutes) later. (The ‘Created on’ time is displayed in the recipient’s local time, IST: 21:18 -0700 is 04:18 UTC, which is 09:48 +0530. By contrast, the ICICI message above took two seconds: its first hop at 18:32:06 +0530 and Gmail’s receipt at 06:02:08 -0700 are both 13:02 UTC.)

Message ID <zcb.27218d28c96aa859ee80d69b41a60c7771185618fa5ff4741ca67e.1588306691526@zcsend.net>
Created on: 1 May 2020 at 09:48 (Delivered after 1407 seconds)
From: US Unlocked <info@usunlocked.com>
To: example@gmail.com
Subject: US Unlocked is Running a Giveaway!
SPF: PASS with IP 135.84.83.3

Email delivery can be delayed for several reasons, but some of them are anti-spam measures that delay on purpose: greylisting (the receiving server temporarily rejects the first delivery attempt from an unknown sender and accepts only the retry) and tarpitting (the server deliberately answers slowly or with a ‘busy, try again later’ temporary error). The delay may also be queueing on the bulk sender’s own side: both timestamps here are ‘by’ times, so the 1407 seconds elapsed between zcsend.net’s internal relay and Gmail’s acceptance. Either way, a delay of more than 23 minutes does ring a bell!
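The three checks above (authentication results and DMARC alignment, the Received hop chain, and transit time) can be scripted against a raw message. The following is an added example, written for this page and not code from the original article; it uses only the Python standard library and runs offline. The sample message is reconstructed from the header fragments quoted above for the US Unlocked email; the 10-minute transit threshold and the last-two-labels shortcut for the organisational domain are assumptions (a real checker would consult the public suffix list), and reverse DNS and WHOIS lookups are left out because they need the network, so the receiving server’s own rDNS result, recorded in parentheses on its Received line, is used instead.

```python
"""Header triage: SPF/DKIM/DMARC alignment, Received hop chain, transit time."""
import email
import ipaddress
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample, rebuilt from the header fragments the article quotes for
# the "US Unlocked" message (TLS details dropped, body replaced by a placeholder).
RAW = """\
Received: from senderb3.zcsend.net (senderb3.zcsend.net. [135.84.83.3])
 by mx.google.com with ESMTPS id k2si984452edh.267.2020.04.30.21.41.38
 for <example@gmail.com>; Thu, 30 Apr 2020 21:41:38 -0700 (PDT)
Authentication-Results: mx.google.com;
 dkim=temperror (no key for signature) header.i=@usunlocked.com header.s=24923 header.b="BIe/jmtt";
 spf=pass (google.com: domain of bounce_708883333+a.18fa5ff4741ca67e_139dbe335f75e_v1@zcsend.net designates 135.84.83.3 as permitted sender) smtp.mailfrom=bounce_708883333+a.18fa5ff4741ca67e_139dbe335f75e_v1@zcsend.net;
 dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=usunlocked.com
Received: from 172.30.235.68 (172.30.235.68) by senderb3.zcsend.net id hlek8422174g
 for <example@gmail.com>; Thu, 30 Apr 2020 21:18:11 -0700
 (envelope-from <bounce_708883333+a.18fa5ff4741ca67e_139dbe335f75e_v1@zcsend.net>)
From: US Unlocked <info@usunlocked.com>

(body omitted)
"""

AUTH_DOMAIN_RE = re.compile(
    r"(?:smtp\.mailfrom=(?:[^@\s]+@)?|header\.d=|header\.i=@|header\.from=)([\w.-]+)")
HOP_RE = re.compile(r"^from\s+(?P<helo>\S+)\s*(?:\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
SLOW_SECONDS = 600  # assumption: more than 10 minutes in transit deserves a look

def parse_auth_results(value):
    """Map spf/dkim/dmarc in Authentication-Results to (result, domain checked)."""
    out = {}
    for clause in value.split(";")[1:]:          # clause [0] is the authserv-id
        m = re.match(r"(spf|dkim|dmarc)=(\w+)", clause.strip())
        if m:
            dom = AUTH_DOMAIN_RE.search(clause)
            out[m.group(1)] = (m.group(2).lower(), dom.group(1).lower() if dom else None)
    return out

def org_domain(domain):
    """Org domain for relaxed alignment: last two labels (assumption; real checkers use the PSL)."""
    return ".".join(domain.lower().split(".")[-2:])

def dmarc_alignment(auth, from_domain):
    """DMARC passes only if SPF or DKIM passed *for a domain aligned with From:*."""
    spf_res, spf_dom = auth.get("spf", (None, None))
    dkim_res, dkim_dom = auth.get("dkim", (None, None))
    if spf_res == "pass" and spf_dom and org_domain(spf_dom) == org_domain(from_domain):
        return True, "spf aligned"
    if dkim_res == "pass" and dkim_dom and org_domain(dkim_dom) == org_domain(from_domain):
        return True, "dkim aligned"
    return False, f"spf={spf_res}/{spf_dom} dkim={dkim_res}/{dkim_dom} vs From {from_domain}"

def parse_hops(msg):
    """Received: hops oldest first; 'rdns'/'ip' are what the receiver recorded in ( )."""
    hops = []
    for val in msg.get_all("Received", []):
        val = " ".join(val.split())               # unfold continuation lines
        m = HOP_RE.match(val)
        if not m:
            continue
        info = m.group("info") or ""
        first = info.split()[0] if info else ""
        ipm = IP_RE.search(info) or IP_RE.search(m.group("helo"))
        ip = ipm.group(0) if ipm else None
        # timestamp follows the last ';'; strip a trailing (comment) such as (PDT)
        date = re.sub(r"\s*\(.*\)\s*$", "", val.rsplit(";", 1)[-1].strip())
        hops.append({
            "helo": m.group("helo"), "by": m.group("by"),
            "rdns": None if not first or IP_RE.fullmatch(first.strip("[]")) else first.rstrip("."),
            "ip": ip, "private": bool(ip) and ipaddress.ip_address(ip).is_private,
            "date": parsedate_to_datetime(date),
        })
    return hops[::-1]                              # each relay prepends, so reverse

def analyse(raw):
    """Run the article's three checks and collect findings a reader can act on."""
    msg = email.message_from_string(raw)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    aligned, reason = dmarc_alignment(auth, from_domain)
    hops = parse_hops(msg)
    transit = (hops[-1]["date"] - hops[0]["date"]).total_seconds() if len(hops) > 1 else 0.0
    findings = []
    if not aligned:
        findings.append("DMARC fails: " + reason)
    for h in hops:
        if h["private"]:
            findings.append(f"hop from private address {h['ip']} into {h['by']} (sender's internal network)")
        if h["rdns"] and h["rdns"].lower() != h["helo"].lower():
            findings.append(f"HELO name {h['helo']} does not match rDNS {h['rdns']}")
    if transit > SLOW_SECONDS:
        findings.append(f"{transit:.0f}s between first and last hop (greylisting or queueing?)")
    return {"auth": auth, "from_domain": from_domain, "dmarc_aligned": aligned,
            "hops": hops, "transit_seconds": transit, "findings": findings}

if __name__ == "__main__":
    print(*analyse(RAW)["findings"], sep="\n")
```

Run as a script, it prints three findings for the sample: DMARC fails because SPF passed only for zcsend.net and DKIM returned temperror, so nothing aligns with usunlocked.com; the first hop comes from a private address; and 1407 seconds elapsed between the hops. Feeding it a raw message saved from ‘Show original’ gives the same triage for any mail, and dmarc_alignment on its own re-derives the verdict from any SPF/DKIM results.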

Finally..

So it might be spam! Checking usunlocked.com, we find it is an online virtual debit/prepaid card service for shopping at US online stores, while zcsend.net belongs to Zoho, which uses it as the sending domain for the links in its email campaigns. So this example is commercial advertising spam: a bulk marketing mail sent through Zoho’s campaign service on behalf of US Unlocked, rather than a spoof.

It can be difficult to stop spam emails, as they can be sent from botnets. The steps above do not guarantee foolproof detection of spoofed email, but this analysis brings out many important details that an end user should know how to read. There are also many online email spam/spoof checkers, and you can use any of them. Or you can use the details above to find out for yourself. I guess that will be quite some fun!
