Question: Was the "From" address in the Podesta-Wikileaks-probablynotaboutScalia email spoofed?
Conclusion: I'm not qualified to make one. All the servers seem legitimate... Microsoft, Georgetown, Google.
More analysis is needed to understand what happened to the email on its path from "Send" to "Received".
---------------------------------------------
So the email failed DMARC testing. One of the reasons that can happen is that the From address of the message was spoofed. Is that what happened here? Let's follow along with a tutorial.
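Before working through the tutorial, it helps to see exactly what a DMARC verdict depends on, because "failed DMARC" does not by itself mean "spoofed". DMARC passes only when SPF or DKIM passes for an identifier that aligns with the From domain; a message that was re-sent through another domain can therefore fail with nothing forged at all. The following is an added example, not code from the post or from the tutorial it quotes. The function names are this example's own, the public-suffix table is a stand-in for the real Public Suffix List, and the four scenarios are constructed (outlook.com and law.georgetown.edu are the domains in the post's headers; other-example.net is made up):

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Stand-in for the Public Suffix List (assumption: only the suffixes this
# example needs; a real implementation loads the full list).
PUBLIC_SUFFIXES = {"com", "edu", "net", "co.uk"}


def org_domain(domain: str) -> str:
    """Organizational (registrable) domain: one label left of the public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """RFC 7489 identifier alignment: strict ('s') is an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str                  # domain of the RFC5322.From header
    spf_result: str = "none"          # SPF result for the MAIL FROM domain
    spf_domain: str = ""              # that MAIL FROM (envelope) domain
    dkim: List[Tuple[str, str]] = field(default_factory=list)  # (result, d= domain)
    aspf: str = "r"                   # alignment modes from the From domain's
    adkim: str = "r"                  # DMARC record (aspf= / adkim= tags)


def dmarc_verdict(r: AuthResults) -> str:
    """Pass if SPF or DKIM passed *and* the identifier that passed aligns."""
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, r.aspf)
    dkim_ok = any(res == "pass" and aligned(d, r.from_domain, r.adkim)
                  for res, d in r.dkim)
    return "pass" if spf_ok or dkim_ok else "fail"


# Constructed scenarios around the post's From: domain (outlook.com).
# Message sent straight from the From domain's own servers.
DIRECT = AuthResults("outlook.com", "pass", "outlook.com", [("pass", "outlook.com")])
# Forged From: the connecting server is authorised for an unrelated domain only.
SPOOFED = AuthResults("outlook.com", "pass", "other-example.net")
# Honest message re-sent through another domain: SPF now vouches for the
# forwarder, and the original DKIM signature broke when the forwarder
# altered the message.
FORWARDED = AuthResults("outlook.com", "pass", "law.georgetown.edu",
                        [("fail", "outlook.com")])
# Same forward, but the message passed through untouched: DKIM still aligns.
FORWARDED_INTACT = AuthResults("outlook.com", "pass", "law.georgetown.edu",
                               [("pass", "outlook.com")])

if __name__ == "__main__":
    for name in ("DIRECT", "SPOOFED", "FORWARDED", "FORWARDED_INTACT"):
        print(f"{name:17s} DMARC {dmarc_verdict(globals()[name])}")
```

The SPOOFED and FORWARDED cases both come out as "fail", which is the point: the verdict alone cannot tell a forged From apart from a legitimate message whose DKIM signature did not survive a Resent-From hop. Distinguishing them is what the Received: chain analysis below is for.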
III. How do I analyze the e-mail headers?
Let's review a real-life example: The following e-mail headers are from an e-mail that supposedly arrived from Chase Bank, and it is a clear example of a phishing attack.
Gosh, I wish I had seen this earlier!
Our From field says:
From: Joe Patterson <viejojoe@outlook.com>
and there's also a Resent-From in a different part of the header:
Resent-From: <podesta@law.georgetown.edu>
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1bon0054.outbound.protection.outlook.com. [157.56.111.54])
by mx.google.com with ESMTPS id c196si28806261qkb.1.2015.11.16.21.41.03
for <john.podesta@gmail.com>
(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
Mon, 16 Nov 2015 21:41:04 -0800 (PST)
Received: from SN1PR0701CA0016.namprd07.prod.outlook.com (10.162.96.26) by
BLUPR07MB529.namprd07.prod.outlook.com (10.141.204.141) with Microsoft SMTP
Server (TLS) id 15.1.325.17; Tue, 17 Nov 2015 05:41:01 +0000
Received: from BN1BFFO11FD048.protection.gbl (2a01:111:f400:7c10::1:107) by
SN1PR0701CA0016.outlook.office365.com (2a01:111:e400:5173::26) with Microsoft
SMTP Server (TLS) id 15.1.325.17 via Frontend Transport; Tue, 17 Nov 2015
05:41:01 +0000
Received: from mail.law.georgetown.edu (141.161.191.75) by
BN1BFFO11FD048.mail.protection.outlook.com (10.58.145.3) with Microsoft SMTP
Server (TLS) id 15.1.325.5 via Frontend Transport; Tue, 17 Nov 2015 05:41:01
+0000
Resent-From: <podesta@law.georgetown.edu>
Received: from na01-bn1-obe.outbound.protection.outlook.com (141.161.191.14)
by LAW-CAS2.law.georgetown.edu (141.161.191.21) with Microsoft SMTP Server
(TLS) id 14.3.248.2; Tue, 17 Nov 2015 00:41:00 -0500
Received: from BLUPR07CA082.namprd07.prod.outlook.com (10.160.24.37) by
BLUPR07MB529.namprd07.prod.outlook.com (10.141.204.141) with Microsoft SMTP
Server (TLS) id 15.1.325.17; Tue, 17 Nov 2015 05:40:58 +0000
Received: from BL2FFO11FD014.protection.gbl (2a01:111:f400:7c09::110) by
BLUPR07CA082.outlook.office365.com (2a01:111:e400:8ae::37) with Microsoft
SMTP Server (TLS) id 15.1.331.15 via Frontend Transport; Tue, 17 Nov 2015
05:40:58 +0000
Received: from SNT004-OMC1S4.hotmail.com (65.55.90.15) by
BL2FFO11FD014.mail.protection.outlook.com (10.173.160.222) with Microsoft
SMTP Server (TLS) id 15.1.325.5 via Frontend Transport; Tue, 17 Nov 2015
05:40:58 +0000
Received: from SNT150-W75 ([65.55.90.9]) by SNT004-OMC1S4.hotmail.com over TLS
secured channel with Microsoft SMTPSVC(7.5.7601.23008); Mon, 16 Nov 2015
21:40:57 -0800
X-TMN: [dTeiFt+mIlzCgMdOmxQpdxSi3rWYMV/J]
X-Originating-Email: [viejojoe@outlook.com]
None of the stuff from the bottom box - not sure why that would be.
Let's do an analysis like the one the tutorial did:
ANALYSIS:
- The message claims that it was sent from Joe Patterson <viejojoe@outlook.com>. This information can be very easily forged, so NEVER trust that information.
- The useful information is in the "Received:" lines. Each of these lines represents a hop between two mail servers on the path from the sender to the recipient. These can also be forged, but there is a catch: A malicious mail server can forge the current headers, and at the end will have to send the mail to legitimate mail servers. The legitimate mail servers WILL RECORD the IP address of the sending e-mail server, and this information will ALWAYS BE TRUE.
- So, the malicious sender has no control over the Received lines of the header.
- The "Received:" lines are stacked on top of each other, so the first hop will be the lowest, and the last hop will be the first in the header. Therefore, to properly follow the path, read the lines bottom up.
- So, reading our e-mail header, this e-mail was sent from an ADSL IP address registered to an ISP in Warszawa - Poland, and then had 2 more hops in the protection systems of the delivery ISP. Visually, this was the path of the mail:
User hit "Send":
From: 65.55.90.9
  NetRange: 65.52.0.0 - 65.55.255.255
  CIDR: 65.52.0.0/14
  NetName: MICROSOFT-1BLK
  NetHandle: NET-65-52-0-0-1
  Parent: NET65 (NET-65-0-0-0-0)
  NetType: Direct Assignment
  OriginAS:
  Organization: Microsoft Corporation (MSFT)
  RegDate: 2001-02-14
  Updated: 2013-08-20
  Ref: https://whois.arin.net/rest/net/NET-65-52-0-0-1
  OrgName: Microsoft Corporation
  OrgId: MSFT
  Address: One Microsoft Way
  City: Redmond
  StateProv: WA
  PostalCode: 98052
  Country: US
  RegDate: 1998-07-10
  Updated: 2016-06-30
Received by: SNT004-OMC1S4.hotmail.com IP: 65.55.90.15
  (same MICROSOFT-1BLK record as above: NetRange 65.52.0.0 - 65.55.255.255, CIDR 65.52.0.0/14, Organization Microsoft Corporation (MSFT))
-------------------------------
Then sent from the server above to: BL2FFO11FD014.mail.protection.outlook.com (10.173.160.222)
  NetRange: 10.0.0.0 - 10.255.255.255
  CIDR: 10.0.0.0/8
  NetName: PRIVATE-ADDRESS-ABLK-RFC1918-IANA-RESERVED
  NetHandle: NET-10-0-0-0-1
  Parent: ()
  NetType: IANA Special Use
  OriginAS:
  Organization: Internet Assigned Numbers Authority (IANA)
  RegDate:
  Updated: 2013-08-30
  Comment: These addresses are in use by many millions of independently operated networks, which might be as small as a single computer connected to a home gateway, and are automatically configured in hundreds of millions of devices. They are only intended for use within a private context and traffic that needs to cross the Internet will need to use a different, unique address.
  Comment:
  Comment: These addresses can be used by anyone without any need to coordinate with IANA or an Internet registry. The traffic from these addresses does not come from ICANN or IANA. We are not the source of activity you may see on logs or in e-mail records. Please refer to http://www.iana.org/abuse/answers
  Comment:
  Comment: These addresses were assigned by the IETF, the organization that develops Internet protocols, in the Best Current Practice document, RFC 1918 which can be found at:
  Comment: http://datatracker.ietf.org/doc/rfc1918
  Ref: https://whois.arin.net/rest/net/NET-10-0-0-0-1
  OrgName: Internet Assigned Numbers Authority
  OrgId: IANA
  Address: 12025 Waterfront Drive
  Address: Suite 300
  City: Los Angeles
  StateProv: CA
  PostalCode: 90292
  Country: US
  RegDate:
  Updated: 2012-08-31
  Ref: https://whois.arin.net/rest/org/IANA
-----------------------------
Then sent from the server above to: BLUPR07CA082.outlook.office365.com (2a01:111:e400:8ae::37)
  inet6num: 2a01:110::/31
  netname: UK-MICROSOFT-20060601
  country: GB
  org: ORG-MA42-RIPE
  admin-c: DH5439-RIPE
  tech-c: MRPA3-RIPE
  status: ALLOCATED-BY-RIR
  mnt-by: RIPE-NCC-HM-MNT
  mnt-by: MICROSOFT-MAINT
  mnt-lower: MICROSOFT-MAINT
  mnt-routes: MICROSOFT-MAINT
  created: 2006-06-01T08:53:35Z
  last-modified: 2016-07-12T17:06:10Z
  source: RIPE
  organisation: ORG-MA42-RIPE
  org-name: Microsoft Limited
  org-type: LIR
-----------------------------------
Then sent from the server above to: BLUPR07MB529.namprd07.prod.outlook.com (10.141.204.141)
  (same RFC 1918 record as above: NetRange 10.0.0.0 - 10.255.255.255, CIDR 10.0.0.0/8, NetName PRIVATE-ADDRESS-ABLK-RFC1918-IANA-RESERVED, Organization Internet Assigned Numbers Authority (IANA))
--------------------
Received: from na01-bn1-obe.outbound.protection.outlook.com (141.161.191.14)
  NetRange: 141.161.0.0 - 141.161.255.255
  CIDR: 141.161.0.0/16
  NetName: GEORGETOWN-NET
  NetHandle: NET-141-161-0-0-1
  Parent: RIPE-ERX-141 (NET-141-0-0-0-0)
  NetType: Direct Assignment
  OriginAS:
  Organization: Georgetown University (GEORGE-8)
  RegDate: 1990-07-31
  Updated: 2008-07-01
  Ref: https://whois.arin.net/rest/net/NET-141-161-0-0-1
  OrgName: Georgetown University
  OrgId: GEORGE-8
  Address: 37th and O Streets, NW
  City: Washington
  StateProv: DC
  PostalCode: 20057
  Country: US
  RegDate: 1990-07-31
  Updated: 2010-06-08
  Ref: https://whois.arin.net/rest/org/GEORGE-8
-------------------
Then to: LAW-CAS2.law.georgetown.edu (141.161.191.21)
  (same GEORGETOWN-NET record as above: NetRange 141.161.0.0 - 141.161.255.255, CIDR 141.161.0.0/16, Organization Georgetown University (GEORGE-8))
---------------------
Another gap where names don't seem to match
Then to: mail.law.georgetown.edu (141.161.191.75)
  (same GEORGETOWN-NET record as above: NetRange 141.161.0.0 - 141.161.255.255, CIDR 141.161.0.0/16, Organization Georgetown University (GEORGE-8))
  (followed by the RFC 1918 record again, as above: NetRange 10.0.0.0 - 10.255.255.255, CIDR 10.0.0.0/8, NetName PRIVATE-ADDRESS-ABLK-RFC1918-IANA-RESERVED)
-----------------
Received from: BN1BFFO11FD048.protection.gbl (2a01:111:f400:7c10::1:107)
  inet6num: 2a01:110::/31
  netname: UK-MICROSOFT-20060601
  country: GB
  org: ORG-MA42-RIPE
  admin-c: DH5439-RIPE
  tech-c: MRPA3-RIPE
  status: ALLOCATED-BY-RIR
  mnt-by: RIPE-NCC-HM-MNT
  mnt-by: MICROSOFT-MAINT
  mnt-lower: MICROSOFT-MAINT
  mnt-routes: MICROSOFT-MAINT
  created: 2006-06-01T08:53:35Z
  last-modified: 2016-07-12T17:06:10Z
  source: RIPE
  organisation: ORG-MA42-RIPE
  org-name: Microsoft Limited
  org-type: LIR
  descr: Microsoft Corporation AS8075
By: SN1PR0701CA0016.outlook.office365.com (2a01:111:e400:5173::26)
  (same UK-MICROSOFT-20060601 record as above: inet6num 2a01:110::/31, org-name Microsoft Limited, descr Microsoft Corporation AS8075)
---------------
Received from: SN1PR0701CA0016.namprd07.prod.outlook.com (10.162.96.26)
  (same RFC 1918 record as above: NetRange 10.0.0.0 - 10.255.255.255, CIDR 10.0.0.0/8, NetName PRIVATE-ADDRESS-ABLK-RFC1918-IANA-RESERVED, Organization Internet Assigned Numbers Authority (IANA))
By: BLUPR07MB529.namprd07.prod.outlook.com (10.141.204.141)
  (same RFC 1918 record as above)
--------------
Received from: na01-bn1-obe.outbound.protection.outlook.com (mail-bn1bon0054.outbound.protection.outlook.com. [157.56.111.54])
  NetRange: 157.54.0.0 - 157.60.255.255
  CIDR: 157.56.0.0/14, 157.60.0.0/16, 157.54.0.0/15
  NetName: MSFT-GFS
  NetHandle: NET-157-54-0-0-1
  Parent: NET157 (NET-157-0-0-0-0)
  NetType: Direct Assignment
  OriginAS: AS8075
  Organization: Microsoft Corporation (MSFT)
  RegDate: 1994-04-28
  Updated: 2013-08-20
  Ref: https://whois.arin.net/rest/net/NET-157-54-0-0-1
  OrgName: Microsoft Corporation
  OrgId: MSFT
  Address: One Microsoft Way
  City: Redmond
  StateProv: WA
  PostalCode: 98052
  Country: US
  RegDate: 1998-07-10
  Updated: 2016-06-30
By: mx.google.com with ESMTPS id c196si28806261qkb.1.2015.11.16.21.41.03
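The walk above does by hand what the tutorial describes: read the Received: lines bottom-up and look up the address each receiving server recorded. Doing the same with a script makes two things visible that are easy to miss by hand. First, the 10.x addresses are RFC 1918 space inside Microsoft's network, so a whois on them can only ever return the IANA placeholder record; only the globally routable hops are worth a registry lookup. Second, the places where one hop's "by" name does not match the next hop's "from" name are exactly where the message crossed from one mail system to another. This is an added example and not the post's own code; HEADERS is the Received: block quoted in the post, and the parsing functions and the leftmost-label matching rule in hop_gaps are this example's own assumptions:

```python
import ipaddress
import re
from dataclasses import dataclass

# Received: lines as quoted in the post. The blog dropped the continuation
# indent, so unfolding below keys on "Name:" at the start of a line instead.
HEADERS = """\
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1bon0054.outbound.protection.outlook.com. [157.56.111.54])
by mx.google.com with ESMTPS id c196si28806261qkb.1.2015.11.16.21.41.03
for <john.podesta@gmail.com>
(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
Mon, 16 Nov 2015 21:41:04 -0800 (PST)
Received: from SN1PR0701CA0016.namprd07.prod.outlook.com (10.162.96.26) by
BLUPR07MB529.namprd07.prod.outlook.com (10.141.204.141) with Microsoft SMTP
Server (TLS) id 15.1.325.17; Tue, 17 Nov 2015 05:41:01 +0000
Received: from BN1BFFO11FD048.protection.gbl (2a01:111:f400:7c10::1:107) by
SN1PR0701CA0016.outlook.office365.com (2a01:111:e400:5173::26) with Microsoft
SMTP Server (TLS) id 15.1.325.17 via Frontend Transport; Tue, 17 Nov 2015
05:41:01 +0000
Received: from mail.law.georgetown.edu (141.161.191.75) by
BN1BFFO11FD048.mail.protection.outlook.com (10.58.145.3) with Microsoft SMTP
Server (TLS) id 15.1.325.5 via Frontend Transport; Tue, 17 Nov 2015 05:41:01
+0000
Resent-From: <podesta@law.georgetown.edu>
Received: from na01-bn1-obe.outbound.protection.outlook.com (141.161.191.14)
by LAW-CAS2.law.georgetown.edu (141.161.191.21) with Microsoft SMTP Server
(TLS) id 14.3.248.2; Tue, 17 Nov 2015 00:41:00 -0500
Received: from BLUPR07CA082.namprd07.prod.outlook.com (10.160.24.37) by
BLUPR07MB529.namprd07.prod.outlook.com (10.141.204.141) with Microsoft SMTP
Server (TLS) id 15.1.325.17; Tue, 17 Nov 2015 05:40:58 +0000
Received: from BL2FFO11FD014.protection.gbl (2a01:111:f400:7c09::110) by
BLUPR07CA082.outlook.office365.com (2a01:111:e400:8ae::37) with Microsoft
SMTP Server (TLS) id 15.1.331.15 via Frontend Transport; Tue, 17 Nov 2015
05:40:58 +0000
Received: from SNT004-OMC1S4.hotmail.com (65.55.90.15) by
BL2FFO11FD014.mail.protection.outlook.com (10.173.160.222) with Microsoft
SMTP Server (TLS) id 15.1.325.5 via Frontend Transport; Tue, 17 Nov 2015
05:40:58 +0000
Received: from SNT150-W75 ([65.55.90.9]) by SNT004-OMC1S4.hotmail.com over TLS
secured channel with Microsoft SMTPSVC(7.5.7601.23008); Mon, 16 Nov 2015
21:40:57 -0800
"""

NEW_HEADER = re.compile(r"^[\w-]+:\s")
HOP = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?\s*by\s+(\S+)", re.I)
IP_TOKEN = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Fa-f]{0,4}(?::[0-9A-Fa-f]{0,4}){2,7}")


def unfold(raw):
    """(name, value) pairs in header order, continuation lines joined."""
    fields = []
    for line in raw.splitlines():
        if NEW_HEADER.match(line):
            name, _, value = line.partition(":")
            fields.append([name.strip(), value.strip()])
        elif fields:
            fields[-1][1] += " " + line.strip()
    return [tuple(f) for f in fields]


def first_ip(text):
    """First token in text that parses as an IPv4/IPv6 address, else None."""
    for tok in IP_TOKEN.findall(text or ""):
        try:
            return ipaddress.ip_address(tok)
        except ValueError:
            pass
    return None


@dataclass
class Hop:
    from_host: str   # name the sender announced (HELO): forgeable
    from_ip: object  # address the receiving server saw: written by the receiver
    by_host: str

    @property
    def needs_whois(self):
        # RFC 1918 and other non-global addresses belong to the receiving
        # operator's inside network; a registry lookup on them returns IANA.
        return self.from_ip is not None and self.from_ip.is_global


def received_chain(raw):
    """Hops in delivery order: the bottom Received: line is the first hop."""
    hops = []
    for name, value in unfold(raw):
        m = HOP.search(value) if name.lower() == "received" else None
        if m:
            hops.append(Hop(m.group(1).rstrip("."), first_ip(m.group(2)),
                            m.group(3).rstrip(".")))
    return hops[::-1]


def hop_gaps(hops):
    """Transitions where the next 'from' name is not the previous 'by' name.
    Heuristic (this example's assumption): only the leftmost label is compared,
    since cloud relays report one machine under several suffixes (x.protection.gbl
    vs x.mail.protection.outlook.com). A gap is where the mail crossed between
    systems: a place to look, not proof of forgery on its own."""
    short = lambda h: h.split(".")[0].lower()
    return [(a.by_host, b.from_host) for a, b in zip(hops, hops[1:])
            if short(a.by_host) != short(b.from_host)]
```

Run on the chain above, `received_chain(HEADERS)` yields nine hops, of which the two 10.x hops (BLUPR07CA082 and SN1PR0701CA0016) come back with `needs_whois` false, so the RFC 1918 lookups in the walk-through can be skipped. `hop_gaps` reports three transitions: the two where a BLUPR07MB529 mailbox server hands off to the na01-bn1-obe outbound frontend, and the LAW-CAS2 to mail.law.georgetown.edu step the post already flagged as "names don't seem to match". Note that the HELO name in each line is whatever the sending side chose to say, while the address in parentheses is what the receiving server observed; only the latter is worth a registry lookup.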
