Background
In this post we inspect an email's header and gather "forensic" data to determine whether the message really comes from the organization it claims to be from.
The task is deliberately narrow: we check the SPF result recorded in the header and verify it ourselves against the sender domain's published SPF record.
Lineage
- Instagram:- Email – “The email on your Instagram account was changed from”
Date Published:- 2023-January-9th
Link
Tools
Outline
- Email
- Email Header
- SPF
- SPF Record Checker
Email header
Outline
Let us review the email message’s header.
Image
Text
Authentication-Results: spf=pass (sender IP is 69.171.232.142)
smtp.mailfrom=facebookmail.com; dkim=pass (signature was verified)
header.d=facebookmail.com;dmarc=pass action=none
header.from=facebookmail.com;compauth=pass reason=100
Received-SPF: Pass (protection.outlook.com: domain of facebookmail.com
designates 69.171.232.142 as permitted sender)
receiver=protection.outlook.com; client-ip=69.171.232.142;
helo=69-171-232-142.mail-mail.facebook.com; pr=C
Received: from 69-171-232-142.mail-mail.facebook.com (69.171.232.142) by
BN7NAM10FT096.mail.protection.outlook.com (10.13.157.113) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.5986.18 via Frontend Transport; Mon, 9 Jan 2023 21:13:53 +0000
X-IncomingTopHeaderMarker:
OriginalChecksum:3EEBA20DF30A6995864CD46517109962CA2A4D48178963BE5F3DB4030017F0DB;UpperCasedChecksum:8A57023CB6D0EC97FDBC3D94F30BD9B38118B4B8CA815579604FD6D7F48229C5;SizeAsReceived:1474;Count:19
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=facebookmail.com;
Explanation
- Authentication-Results: spf=pass (sender IP is 69.171.232.142)
- spf:- pass
- sender IP:- 69.171.232.142
- smtp.mailfrom=facebookmail.com; dkim=pass (signature was verified)
- dkim:- pass
- signature was verified
SPF
SPF Record Lookup
MXToolbox ( https://mxtoolbox.com/SuperTool.aspx?action=spf )
Outline
- Enter Domain
- facebookmail.com
Output
Image
Textual
Prefix | Type | Value | PrefixDesc | Description |
---|---|---|---|---|
+ | ip4 | 66.220.144.128/25 | Pass | Match if IP is in the given range. |
+ | ip4 | 66.220.155.0/24 | Pass | Match if IP is in the given range. |
+ | ip4 | 66.220.157.0/25 | Pass | Match if IP is in the given range. |
+ | ip4 | 69.63.178.128/25 | Pass | Match if IP is in the given range. |
+ | ip4 | 69.63.181.0/24 | Pass | Match if IP is in the given range. |
+ | ip4 | 69.63.184.0/25 | Pass | Match if IP is in the given range. |
+ | ip4 | 69.171.232.0/24 | Pass | Match if IP is in the given range. |
+ | ip4 | 69.171.244.0/23 | Pass | Match if IP is in the given range. |
- | all | | Fail | Always matches. It goes at the end of your record. |
Explanation
- Listed above are the IP ranges that facebookmail.com's SPF record authorizes to send mail on its behalf; a receiver evaluates them in order and stops at the first match
- The last entry, -all, is the catch-all: if the sender IP did not match any of the ranges above, the result is a hard fail (a ~all would only be a softfail)
Double Back
Here is what our email source reveals:-
- Authentication-Results: spf=pass (sender IP is 69.171.232.142)
- spf:- pass
- sender IP:- 69.171.232.142
- Our sender's IP address ( 69.171.232.142 ) falls inside 69.171.232.0/24, which covers 69.171.232.0 through 69.171.232.255
- Thank goodness it is a /24 (an old class C) for dim ones like me; the receiver reached the same match, which is why it recorded spf=pass
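The two manual steps above (reading the sender IP and envelope domain out of Authentication-Results / Received-SPF, then matching the IP against the ip4 ranges the SPF lookup returned) can be reproduced offline. The following is an added example written for this post, not code from the original page; the header text is the one quoted above, unfolded onto single lines, and the SPF record is constructed from the ranges in the MXToolbox table rather than fetched from DNS. It also evaluates softfail/neutral qualifiers and flags mechanisms that would need DNS (include, a, mx) instead of silently passing them, and checks that the envelope domain SPF vouches for matches the visible From: domain.

```python
import ipaddress
import re

# Constructed sample: the Authentication-Results and Received-SPF headers quoted
# in the post, each unfolded onto a single line.
SAMPLE_HEADERS = """\
Authentication-Results: spf=pass (sender IP is 69.171.232.142) smtp.mailfrom=facebookmail.com; dkim=pass (signature was verified) header.d=facebookmail.com;dmarc=pass action=none header.from=facebookmail.com;compauth=pass reason=100
Received-SPF: Pass (protection.outlook.com: domain of facebookmail.com designates 69.171.232.142 as permitted sender) receiver=protection.outlook.com; client-ip=69.171.232.142; helo=69-171-232-142.mail-mail.facebook.com; pr=C
"""

# Constructed SPF record assembled from the ip4 ranges the post's MXToolbox lookup
# lists. It is not a live DNS answer; `dig +short TXT facebookmail.com` gets the real one.
SAMPLE_SPF = ("v=spf1 ip4:66.220.144.128/25 ip4:66.220.155.0/24 ip4:66.220.157.0/25 "
              "ip4:69.63.178.128/25 ip4:69.63.181.0/24 ip4:69.63.184.0/25 "
              "ip4:69.171.232.0/24 ip4:69.171.244.0/23 -all")

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_auth_results(headers: str) -> dict:
    """Extract the verdicts, the envelope/From domains and the sender IP."""
    fields = {}
    for key in ("spf", "dkim", "dmarc", "compauth"):
        m = re.search(rf"\b{key}=(\w+)", headers)
        if m:
            fields[key] = m.group(1).lower()
    m = re.search(r"smtp\.mailfrom=([\w.-]+)", headers)
    if m:
        fields["mailfrom"] = m.group(1).lower()
    m = re.search(r"header\.from=([\w.-]+)", headers)
    if m:
        fields["header_from"] = m.group(1).lower()
    # Prefer the receiver's client-ip; fall back to the "sender IP is" comment.
    m = (re.search(r"client-ip=([0-9a-fA-F.:]+)", headers)
         or re.search(r"sender IP is ([0-9a-fA-F.:]+)", headers))
    if m:
        fields["client_ip"] = m.group(1)
    return fields


def evaluate_spf(record: str, ip: str) -> str:
    """Evaluate a v=spf1 record against one sender IP (ip4/ip6/all only).

    Mechanisms that require further DNS queries (include, a, mx, exists, ptr) are
    reported as 'unsupported:<name>' so the caller knows the verdict is incomplete.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in terms[1:]:
        lowered = term.lower()
        if lowered.startswith("redirect="):
            redirect = term.split("=", 1)[1]   # only consulted if nothing matches
            continue
        if lowered.startswith("exp="):
            continue                            # explanation modifier, no effect
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]        # catch-all: -all -> fail, ~all -> softfail
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]    # first matching mechanism wins
            continue
        return "unsupported:" + name
    if redirect:
        return "unsupported:redirect"
    return "neutral"  # RFC 7208: no mechanism matched and no 'all' present


def check_message(headers: str, spf_record: str) -> dict:
    """Recompute the SPF verdict and compare it with what the receiver recorded.

    'aligned' is strict DMARC-style alignment: the envelope domain SPF vouches for
    (smtp.mailfrom) must equal the From: domain the user sees (header.from).
    """
    f = parse_auth_results(headers)
    verdict = evaluate_spf(spf_record, f["client_ip"])
    return {
        "client_ip": f["client_ip"],
        "mailfrom": f.get("mailfrom"),
        "recorded_spf": f.get("spf"),
        "computed_spf": verdict,
        "consistent": verdict == f.get("spf"),
        "aligned": f.get("header_from") == f.get("mailfrom"),
    }


if __name__ == "__main__":
    for key, value in check_message(SAMPLE_HEADERS, SAMPLE_SPF).items():
        print(f"{key:>13}: {value}")
    # A sender outside every listed range falls through to -all.
    print("203.0.113.7 ->", evaluate_spf(SAMPLE_SPF, "203.0.113.7"))
```

For the quoted header the recomputed verdict is pass and the envelope and From: domains are both facebookmail.com, so the receiver's spf=pass is consistent with the published record. Swapping in an IP outside the ranges returns fail; that is the case a spoofed message would produce if it kept facebookmail.com as its envelope sender.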
Terminology
- DKIM
- DomainKeys Identified Mail is an email authentication method designed to detect forged sender addresses in email, a technique often used in phishing and email spam. DKIM allows the receiver to check that an email claimed to have come from a specific domain was indeed authorized by the owner of that domain.
- SPF
- Sender Policy Framework is an email authentication method designed to detect forged sender addresses during the delivery of the email. SPF alone, though, is limited to detecting a forged sender claim in the envelope of the email (the address used when the mail gets bounced); in the header above that envelope domain is the smtp.mailfrom value, and it is only tied to the From: address the recipient sees when DMARC alignment also holds (header.from=facebookmail.com with dmarc=pass).