Skip to content. | Skip to navigation

Navigation

You are here: Home / Support / Guides / Tools / Email / Examples

Personal tools

 

Examples

Examples

False Positive

I could be casting false assertions on the following domain in which case the domain owners should contact me.

I received three attempted deliveries in short succession from:

sillandarp@hauriantf.facebookhots.biz
forsythiasc@hazardousnessx.facebookhots.biz
parathormoneq@gushinglyv.facebookhots.biz

These emails passed CheckHelo, CheckSPF and were rejected by Greylisting and have not been seen again. Classic spammers.

But wait. They passed CheckHelo and CheckSPF tests? Does that mean these guys are our worst nightmare, they have a working domain to play with? Let's have a look.

Domain Names

The second level domain name, facebookhots, looks a bit dubious, a classic phishing domain name as we're clearly meant to mistake this for a Facebook-related domain name. A "typo" of hots instead of host and a top-level domain of biz instead of com [1].

whois says:

...
Technical Contact Name:                      Heinrich W.
Technical Contact Organization:              N/A
...
Technical Contact City:                      Dusseldorf
Technical Contact State/Province:            Nordrhein-Westfalen
...
Technical Contact Country:                   Germany
Technical Contact Country Code:              DE
...
Domain Registration Date:                    Sun Jun 14 16:35:23 GMT 2015

ie. registered in Germany only a couple of months ago (at time of writing).

Subdomains

More interesting is the choice of subdomains: hauriantf, hazardousnessx and gushinglyv. You can clearly read hazardousness and gushingly plus a random letter. That suggests that hauriant is a word. Well, it turns out it's a heraldic term:

(of a fish or marine creature) depicted swimming vertically, typically with the head upward

—Mac OS X dictionary (under haurient)

How about that? We learning something new from a spammer! Wonders will never cease!

Note

Merriam-Webster has something similar and gives a pointer to urinant meaning "head downwards, diving".

Usernames

Are we looking at the same thing with our usernames, sillandarp, forsythiasc and parathormoneq? Well, forsythias are an ornamental Eurasian shrub and parathormone is the hormone released by the parathyroid gland. Both of which we already knew. (We did already know those, right?) sillandar, though? That's less obvious, perhaps silladar an irregular cavalryman [from the Urdu and Persian].

Anyway, whomever these guys are we know two things:

  1. they've got some extremely odd users with names like those
  2. they've got access to a really good dictionary!

CheckHelo

They all passed CheckHelo tests which suggests we need to reveal a little more about the connections made and then poke about in the DNS. Here's some PolicyD output:

host=213.108.222.158, helo=hauriantf.facebookhots.biz, from=sillandarp@hauriantf.facebookhots.biz,
host=31.41.117.5, helo=hazardousnessx.facebookhots.biz, from=forsythiasc@hazardousnessx.facebookhots.biz,
host=71.180.95.48, helo=gushinglyv.facebookhots.biz, from=parathormoneq@gushinglyv.facebookhots.biz,

Let's nose about with hauriant (as it's our new favourite word) and the following is similar for all three:

$ host hauriantf.facebookhots.biz
hauriantf.facebookhots.biz has address 213.108.222.158
hauriantf.facebookhots.biz mail is handled by 10 mail.facebookhots.biz.
$ host 213.108.222.158
Host 158.222.108.213.in-addr.arpa. not found: 3(NXDOMAIN)

ie. the HELO string is a FQDN and has an associated A record in the DNS. There isn't a reverse lookup (but that's not checked for by CheckHelo).

Note

gushingly does have a reverse lookup although is only really tells us that it's most likely a compromised machine on a random ISP's DSL

$ host 71.180.95.48
48.95.180.71.in-addr.arpa domain name pointer static-71-180-95-48.tampfl.fios.verizon.net.

As we never saw these hosts again, CheckHelo's multiple HELO string behaviour wasn't triggered.

CheckSPF

What's the SPF record? The mail claimed to be from sillandarp@hauriantf.facebookhots.biz so we need to check that domain, hauriantf.facebookhots.biz, and its SPF record in the DNS:

$ host -t txt hauriantf.facebookhots.biz
...
hauriantf.facebookhots.biz descriptive text "v=spf1 mx a ip4:213.108.222.158/28 ~all"

A couple of things we should note:

  1. The record nominally includes the sending host's IPv4 address within the entry, ip4:213.108.222.158/28.

    Technically, though, the sending host's IP address, 213.108.222.158 is one of the broadcast addresses of the /28 subnetwork. Should CheckSPF have failed?

  2. the default result is a soft fail, ~all. Which means we must pass it.

DKIM

We can't usefully probe for DKIM as we didn't get the body of the email from which we could extract the d tag from the DKIM-Signature header.

As a stab in the dark, it might be directly under the sender's domain, ie. under the _domainkey subdomain in turn:

$ host _domainkey.hauriantf.facebookhots.biz
Host _domainkey.hauriantf.facebookhots.biz not found: 3(NXDOMAIN)

So we can't really say much here.

(The problem being that the d tag in the DKIM-Signature header can be an arbitrary sub domain of the sender domain.)

DMARC

What's the DMARC record?

$ host -t txt hauriantf.facebookhots.biz
hauriantf.facebookhots.biz descriptive text "v=DMARC1\; p=none\; rua=mailto:postmaster@hauriantf.facebookhots.biz"
...

Technically, this is an incorrect record as the DMARC record should be at _dmarc.hauriantf.facebookhots.biz.

Hmm. Given that we're moderately confident the domain is a spam domain then here it is advertising that the recipient should monitor the emails if SPF and/or DKIM fail and that they should send reports to the given email address.

That sounds like the very gaming of the system mentioned before.

dmarcian provides a useful web fronted to much of this.

False Negative

Self-inflicted phishing attacks. Here's a clue: if it's not a subdomain of your branded site then it's functionally no different to a phishing attach.

Finance

Nationwide

I have a bank account with the Nationwide, nationwide.co.uk.

Yet they choose to send me "Your Statement" emails from nationwide-communications.co.uk which contains embedded links to nationwide-service.co.uk.

Are they asking for trouble?

Natwest

Natwest are mostly competent enough to keep everything under natwest.com.

However, one of their card points systems used natwestyourpoints.com.

Commerce

Ebuyer

Ebuyer, ebuyer.com switched their "Special Offers" daily mail to being from specialoffers@e-ebuyer.com.

Third-Party Hosted Mailing Lists

Mailing lists are one of the great banes of email change. In particular, many anti-spam techniques involve just the email envelope, ie. none of the regular email headers.

As an example, I received a legitimate email from a cash back site (I know, I know) which uses a commercial messaging organisation to deliver its emails. PolicyD can see the following envelope information:

host=91.211.243.36, helo=pmta43036.emarsys.net, from=e3-30990275343-c17eii2ea363ii3@e3.emarsys.net,

None of that information allows me, the recipient, to determine if the email is from an expected source. In the body of the email, it correctly states:

From: Cash Back <cashback@e.cashback.com>

But we don't have the body headers in our hands. There's nothing to do but pass it on to later (more expensive) processing. Ultimately, a pair of human eyes.

[1]I'm sure there must be some legitimate businesses using .biz addresses but you don't see them advertised very often.

Document Actions