SPAM/Phishing Analysis

Foreword

Special thanks to my ex-colleague Tanya Swift G. This article mainly talks about how to use the dig command to help analyse a SPAM/Phishing email. Some examples are given for better understanding.

Introduction to the dig command

You may use the dig command below in a command shell to identify MX/TXT records that may help your SPAM/Phishing investigation.

Example 1: Google TXT record

$ dig google.co.nz txt @8.8.8.8 +noall +answer

; <<>> DiG 9.10.6 <<>> google.co.nz txt @8.8.8.8 +noall +answer
;; global options: +cmd
google.co.nz. 299 IN TXT "v=spf1 -all"

Example 2: Google MX record

$ dig google.co.nz mx @8.8.8.8 +noall +answer

; <<>> DiG 9.10.6 <<>> google.co.nz mx @8.8.8.8 +noall +answer
;; global options: +cmd
google.co.nz. 599 IN MX 10 aspmx.l.google.com.
google.co.nz. 599 IN MX 40 alt3.aspmx.l.google.com.
google.co.nz. 599 IN MX 20 alt1.aspmx.l.google.com.
google.co.nz. 599 IN MX 30 alt2.aspmx.l.google.com.
google.co.nz. 599 IN MX 50 alt4.aspmx.l.google.com.

Please note that this command can also be used to check any other DNS records available for that specific domain.

Example 3: Google any DNS record

$ dig google.co.nz any @8.8.8.8 +noall +answer

; <<>> DiG 9.10.6 <<>> google.co.nz any @8.8.8.8 +noall +answer
;; global options: +cmd
google.co.nz. 299 IN A 216.58.199.35
google.co.nz. 299 IN AAAA 2404:6800:4006:803::2003
google.co.nz. 599 IN MX 30 alt2.aspmx.l.google.com.
google.co.nz. 299 IN TXT "v=spf1 -all"
google.co.nz. 599 IN MX 10 aspmx.l.google.com.
google.co.nz. 21599 IN NS ns3.google.com.
google.co.nz. 21599 IN NS ns4.google.com.
google.co.nz. 599 IN MX 40 alt3.aspmx.l.google.com.
google.co.nz. 21599 IN NS ns1.google.com.
google.co.nz. 21599 IN NS ns2.google.com.
google.co.nz. 599 IN MX 20 alt1.aspmx.l.google.com.
google.co.nz. 599 IN MX 50 alt4.aspmx.l.google.com.
google.co.nz. 59 IN SOA ns1.google.com. dns-admin.google.com. 195609348 900 900 1800 60

Checking SPF record

Checking a domain's SPF record helps determine whether a received email has been spoofed. Spoofing is usually indicated when the email arrives from a sender hostname (reverse DNS record) or IP address that the domain does not permit to send email on its behalf.

However, not all domains have an SPF TXT record in place, which makes them easy for attackers to abuse. For instance, the domain below was observed in one of our phishing emails.

Example 4: Identify the email sender

$ dig mailplease.com txt @8.8.8.8 +noall +answer

; <<>> DiG 9.10.3-P4-Ubuntu <<>> mailplease.com txt @8.8.8.8 +noall +answer
;; global options: +cmd

The domain mailplease.com does not publish any TXT record, so it is easily leveraged for spoofing. Correspondingly, in the email header below we can see spf=none.

Authentication-Results: spf=none (sender IP is 173.203.187.120)
smtp.mailfrom=mailplease.com; gen-x.co.nz; dkim=none (message not signed)
header.d=none;gen-i.co.nz; dmarc=none action=none header.from=mailplease.com;
Received-SPF: None 
(protection.outlook.com: mailplease.com does not designate
permitted sender hosts)
Received: from smtp120.iad3a.emailsrvr.com (173.203.187.120) by
ME1AUS01FT014.mail.protection.outlook.com (10.152.232.114) with Microsoft
SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.567.16 via
Frontend Transport; Tue, 20 Mar 2018 20:43:45 +0000
X-Sender-Id: akhoury@toggold.com
X-Mailer: Microsoft Outlook 16.0

The X-Sender-Id header field shows that the real originator of the email is toggold.com, which uses emailsrvr.com in its MX records; emailsrvr.com in turn lists the sender IP in its SPF record. This can be confirmed with the dig commands below.

$ dig toggold.com  MX @8.8.8.8 +noall +answer

; <<>> DiG 9.10.3-P4-Ubuntu <<>> toggold.com MX @8.8.8.8 +noall +answer
;; global options: +cmd
toggold.com. 1799 IN MX 10 mx2.emailsrvr.com.
toggold.com. 1799 IN MX 10 mx1.emailsrvr.com.

The dig result below confirms that IP 173.203.187.120 (smtp120.iad3a.emailsrvr.com) falls within the ip4:173.203.187.0/25 range published in the SPF TXT record of emailsrvr.com.

$ dig emailsrvr.com txt @8.8.8.8 +noall +answer

; <<>> DiG 9.10.3-P4-Ubuntu <<>> emailsrvr.com txt @8.8.8.8 +noall +answer
;; global options: +cmd
emailsrvr.com. 16 IN TXT "v=spf1 ip4:108.166.43.0/24
ip4:146.20.86.8 ip4:146.20.161.0/25 ip4:161.47.34.7 ip4:173.203.2.16/29
ip4:173.203.6.128/27 ip4:173.203.187.0/25 ip4:184.106.54.0/25 ip4:204.232.172.40 ~all"
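The whole procedure above (read the sender IP and MAIL FROM domain out of the Authentication-Results header, fetch the domain's SPF TXT record with dig, then check whether the IP is covered by it) can be scripted. The following is an added example, not code from the original article: it assumes the dig +noall +answer output has been pasted in as text (the DIG_ANSWERS table is constructed from the article's own examples so the script runs offline), and it only evaluates the ip4, ip6 and all mechanisms seen on this page; include, a, mx and redirect terms, which need further DNS lookups, are reported as "unsupported" rather than guessed at. Function names are the author's own choices, not a library API.

```python
"""Added example: offline SPF evaluation from dig output and mail headers."""
import ipaddress
import re

# Constructed sample: dig TXT answers copied from the article's examples.
DIG_ANSWERS = {
    "google.co.nz": 'google.co.nz. 299 IN TXT "v=spf1 -all"',
    "emailsrvr.com": (
        'emailsrvr.com. 16 IN TXT "v=spf1 ip4:108.166.43.0/24 '
        'ip4:146.20.86.8 ip4:146.20.161.0/25 ip4:161.47.34.7 ip4:173.203.2.16/29 '
        'ip4:173.203.6.128/27 ip4:173.203.187.0/25 ip4:184.106.54.0/25 '
        'ip4:204.232.172.40 ~all"'
    ),
    "mailplease.com": "",  # no TXT record at all, as in Example 4
}

# Constructed sample: the Authentication-Results header from Example 4.
AUTH_RESULTS = (
    "Authentication-Results: spf=none (sender IP is 173.203.187.120) "
    "smtp.mailfrom=mailplease.com; gen-x.co.nz; dkim=none (message not signed) "
    "header.d=none;gen-i.co.nz; dmarc=none action=none header.from=mailplease.com;"
)

# One 'dig +noall +answer' line: name. ttl IN type rdata
ANSWER_RE = re.compile(r"^(\S+)\.\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_dig_answers(text):
    """Parse dig answer lines into (name, ttl, type, rdata) tuples; skip comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = ANSWER_RE.match(line)
        if m:
            records.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return records


def spf_record(records):
    """Return the domain's SPF string, or None when no v=spf1 TXT record exists."""
    for _name, _ttl, rtype, rdata in records:
        if rtype != "TXT":
            continue
        # dig prints long TXT records as several quoted strings; join them.
        txt = "".join(re.findall(r'"([^"]*)"', rdata))
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def evaluate_spf(spf, sender_ip):
    """Evaluate ip4/ip6/all terms left to right, as a receiving MTA would.

    Returns pass/fail/softfail/neutral, 'none' when there is no record,
    and 'unsupported' for mechanisms that would need extra DNS lookups.
    """
    if spf is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in spf.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            return "unsupported"
    # No term matched and no 'all': the default result is neutral.
    return "neutral"


def sender_from_auth_results(header):
    """Pull the connecting IP and MAIL FROM domain out of Authentication-Results."""
    ip = re.search(r"sender IP is (\S+?)\)", header).group(1)
    domain = re.search(r"smtp\.mailfrom=([^\s;]+)", header).group(1)
    return ip, domain


def check_sender(domain, sender_ip):
    """Look the domain up in the pasted dig output and evaluate its SPF record."""
    records = parse_dig_answers(DIG_ANSWERS.get(domain, ""))
    return evaluate_spf(spf_record(records), sender_ip)


if __name__ == "__main__":
    ip, mailfrom = sender_from_auth_results(AUTH_RESULTS)
    print(f"MAIL FROM domain {mailfrom}: spf={check_sender(mailfrom, ip)}")
    print(f"emailsrvr.com for {ip}: spf={check_sender('emailsrvr.com', ip)}")
    print(f"google.co.nz for {ip}: spf={check_sender('google.co.nz', ip)}")
```

Running it reproduces the article's three findings: mailplease.com yields none (no record to check against), emailsrvr.com yields pass because 173.203.187.120 sits inside ip4:173.203.187.0/25, and google.co.nz yields fail because its "v=spf1 -all" record authorises no sender at all. In a real investigation the DIG_ANSWERS entries would be replaced by the output of the dig commands shown above.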