Examining PayPal Phishing Email Headers

Looking at the phishing email I received the other day telling me that my PayPal account had been suspended the next step in my investigation is to determine how it reached my inbox.

There are many good resources available that describe manual email header analysis.  To start out take a look at this article at Forensic Focus.  This is a short read that is good introduction to reading email headers.

Next I’ll point you at a good article titled “What all the stuff in email headers means—and how to sniff out spoofing” at Ars Technica.  Jim Salter is a good technical writer and he did all his homework writing this article.

I also recommend this article on email forensics by Peter Matkovski on Medium (paywall?).  He said up front that he was going to break the analysis into three parts but doesn’t seem to have gotten to part three, the attachments just yet. Still very good reading.

I’m all for line by line analysis when I have the time.  Problem is I rarely have the time so I often use web based message header analysis tools. I looked at and compared three different web based email message header analysis tools recently.

DNSChecker

DNSChecker

The Trace Email tool at DNSChecker (https://dnschecker.org/email-header-analyzer.php) analyzes based on the IP source where the submitted message came from.  The report includes host information including a threat level assessment and a whois lookup.  The folks at DNS Checker offer a wide variety of tools and this is just one of perhaps 2 dozen.

MXToolbox

MXtoolBox

The ‘Analyze Headers’ capability at MXtoolbox (https://mxtoolbox.com/EmailHeaders.aspx) is more comprehensive.   It takes a little longer to execute but this tool examines the SPF and DKIM information in the submitted headers and presents a more complete report.  A unique feature of this tool is the link at the bottom of the report page ‘Permanently forget this email header’.

Google Admin Toolbox

The Google Admin Toolbox Message Header tool (https://toolbox.googleapps.com/apps/messageheader/ ) is as fast as DNSChecker and provides a pass/fail check of SPF, DKIM, and DMARC information.

Summing up DNSChecker will tell you about the IP source.  MXToolbox provides the most analysis of the header and reports on SPF and DKIM.  The Google Admin Toolbox Message Header tool was the only one here that reported on SPF, DKIM, and DMARC.