Email Header Analysis - LetsDefend

The document provides an overview of email header analysis in the context of phishing email detection. It outlines key questions to consider, such as verifying the SMTP server and comparing 'From' and 'Reply-To' addresses. The analysis emphasizes the importance of examining header information to identify potential spoofing and phishing attempts.

2/8/24, 5:28 PM Email Header Analysis - LetsDefend

Phishing Email Analysis
Email Header Analysis

In the previous sections we covered what a phishing email is, what the header fields are and what they do. Now, when we suspect that an email is phishing, we know what to do and what the analysis process should look like.
Here are the key questions we need to answer when checking headers during a phishing analysis:

Was the email sent from the correct SMTP server?

Are the "From" and "Return-Path" / "Reply-To" addresses the same?

The e-mail examined in the rest of this lesson is available below (archive password: infected).

Download

Was the email sent from the correct SMTP server?

We can check the "Received" fields to see the path the mail followed. Each server on the path prepends its own "Received" line, so the topmost entries were written by our own mail servers and can be trusted, while the lower entries were written by earlier hops and can be forged by the sender. As the image below shows, the mail reached us from the server with IP address 101[.]99.94.116.

If we look at who is sending the mail (the "From" field), we see that it claims to come from the domain letsdefend.io.

So if the email is genuine, 101[.]99.94.116 should be one of the servers that letsdefend.io sends mail through.


To confirm this, we can look up the mail servers that letsdefend.io actually uses. mxtoolbox.com shows the MX servers of the domain you search for. Strictly speaking, MX records name the hosts that receive mail for a domain, while the hosts authorised to send on its behalf are published in its SPF (TXT) record; for a domain that uses a single provider for both, as here, the MX lookup is a good first check and the SPF record confirms it.


If we look at the image above, letsdefend.io uses Google's servers for email, so there is no relationship between that domain and emkei[.]cz or 101[.]99.94.116.

This check shows that the email did not come from the legitimate sender's infrastructure: the sender address was spoofed.

Are the data "From" and "Return-Path / Reply-To" the same?

Except in exceptional cases, we expect the sender of an e-mail and the address that receives the replies to be the same. "Return-Path" is the bounce address recorded from the SMTP envelope (MAIL FROM), while "Reply-To" is set by whoever composed the message, and both are easy for an attacker to control. An example of why these fields are set differently in phishing attacks:

Someone sends an e-mail from a free-mail account (Gmail, Hotmail, etc.) using the same last name as someone working for Google to LetsDefend, telling LetsDefend that the employee has issued an invoice and that payment must be made to his XXX account. The attacker puts the real Google employee's e-mail address in the "Reply-To" field so that the fake sending address does not stand out if someone replies.

Returning to the e-mail we downloaded above, all we have to do is compare the email
addresses in the "From" and "Reply-to" fields.


As you can see, the two addresses are different: if we reply to this e-mail, the reply goes to the Gmail address shown below, not to the address in "From". A difference here does not by itself prove that the e-mail is phishing; we need to consider the event as a whole. If, in addition to this suspicious sign, the e-mail carries a malicious attachment, URL or misleading content, we can conclude that it is phishing. In the rest of the training we will analyse the data in the body of the e-mail.
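The two header checks above (which server the mail came from, and whether "From" agrees with "Reply-To" / "Return-Path") can be automated. The following Python script is an added example and is not part of the LetsDefend lesson: it parses a constructed .eml modelled on the scenario above, walks the "Received" chain from the bottom up to find the originating IP, compares that IP against an assumed SPF record that stands in for the DNS lookup you would do with dig or mxtoolbox, and compares the three address fields. The sample message, its IPs (RFC 5737 test ranges), the .invalid domains and the SPF record are all constructed for this example.

```python
import ipaddress
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample message modelled on the lesson's scenario: the visible
# From is a letsdefend.io address, but the origin hop is an unrelated server
# and Reply-To points at a different mailbox. Every address and IP here is
# made up (RFC 5737 test ranges, .invalid domains) for this example.
SAMPLE_EML = """\
Return-Path: <bounce@relay.example.invalid>
Received: from relay.example.invalid (relay.example.invalid [203.0.113.10])
\tby mx.google.com with ESMTPS id abc123
\tfor <analyst@letsdefend.io>; Thu, 8 Feb 2024 17:28:00 +0000
Received: from [192.0.2.25] (unknown [192.0.2.25])
\tby relay.example.invalid with SMTP; Thu, 8 Feb 2024 17:27:50 +0000
From: "IT Support" <support@letsdefend.io>
Reply-To: "IT Support" <support.letsdefend@freemail.example.invalid>
To: analyst@letsdefend.io
Subject: Password reset required

Please reset your password using the link below.
"""

# Assumed SPF record for the From domain, standing in for the DNS lookup
# (dig TXT letsdefend.io, or the MX/SPF lookups on mxtoolbox). Constructed.
SENDER_POLICY = {
    "letsdefend.io": "v=spf1 ip4:198.51.100.0/24 include:_spf.google.com ~all",
}

# First bracketed IPv4 literal after "from" in a Received: header.
IP_IN_BRACKETS = re.compile(r"from\b.*?\[((?:\d{1,3}\.){3}\d{1,3})\]", re.S)


def received_hops(msg):
    """IPs from the Received: headers in transit order, origin first.
    Each MTA prepends its own Received: line, so the header that appears
    last in the message is the hop closest to the real sender."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = IP_IN_BRACKETS.search(str(hdr))
        if m:
            hops.append(m.group(1))
    return hops


def addr_spec(msg, name):
    """Bare user@domain from a header, lower-cased, or None if absent."""
    value = msg.get(name)
    if value is None:
        return None
    return parseaddr(str(value))[1].lower() or None


def domain(addr):
    return addr.rsplit("@", 1)[1] if addr and "@" in addr else None


def spf_networks(spf_txt):
    """Collect ip4:/ip6: networks from a v=spf1 record. Mechanisms that
    need further DNS (include:, a, mx, ...) are returned as unresolved so
    the caller knows the offline check is incomplete."""
    nets, unresolved = [], []
    for term in spf_txt.split()[1:]:
        mech = term.lstrip("+-~?")  # drop the qualifier, keep the mechanism
        if mech.startswith(("ip4:", "ip6:")):
            nets.append(ipaddress.ip_network(mech.split(":", 1)[1], strict=False))
        elif mech != "all":
            unresolved.append(mech)
    return nets, unresolved


def analyze(raw, sender_policy):
    """Run the lesson's two checks: did the mail enter from a host the From
    domain is allowed to send through, and do From / Reply-To / Return-Path
    agree? Returns the extracted fields plus a list of findings."""
    msg = message_from_string(raw, policy=policy.default)
    sender = addr_spec(msg, "From")
    reply_to = addr_spec(msg, "Reply-To")
    return_path = addr_spec(msg, "Return-Path")
    hops = received_hops(msg)
    origin = hops[0] if hops else None

    nets, unresolved = spf_networks(sender_policy.get(domain(sender), "v=spf1 -all"))
    authorised = origin is not None and any(
        ipaddress.ip_address(origin) in net for net in nets
    )

    findings = []
    if not authorised:
        findings.append(f"origin {origin} is not a listed sender for {domain(sender)}")
    if reply_to and reply_to != sender:
        findings.append(f"Reply-To {reply_to} differs from From {sender}")
    if return_path and domain(return_path) != domain(sender):
        findings.append(f"Return-Path {return_path} is outside {domain(sender)}")

    return {
        "from": sender, "reply_to": reply_to, "return_path": return_path,
        "origin_ip": origin, "hops": hops, "origin_authorised": authorised,
        "unresolved_spf": unresolved, "findings": findings,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EML, SENDER_POLICY).items():
        print(f"{key}: {value}")
```

On the sample, the origin hop 192.0.2.25 is not in the assumed SPF ranges and both Reply-To and Return-Path point outside letsdefend.io, so three findings are raised; the unresolved "include:" mechanism is reported separately, because a real verdict needs that record resolved as well. Treat the result as the lesson does: it is a strong signal, not proof on its own.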

Course Files

Header-Challenge

Password: infected

Questions

Download the email above ("Header Challenge"): are the sender's address and the address in the "Reply-To" field different?

Answer Format: Y/N

If I want to reply to this email, which address will it be sent to?



Answer Format: ***.****@****.***

From which IP address was the email sent?

Answer Format: ***.***.**.***
