The queries I’ve been getting lately requesting checks on whether a particular email is spam or not, has been enlightening. It’s clear there’s a problem. Somewhere. Email users are not seeing the “wood for the trees” no matter the fact that spam has been an entrenched part of our lives for a couple of decades now.
I think there are 2 main issues:
- IT folk are not teaching email users the ins and outs of spam
- email users are not learning the ins and outs of spam
Both of these are not for lack of relevant material. I alone have had a Security Awareness Training (SAT) course for a number of years, but I’m not having clients take up this opportunity as much as I think they should be doing. There are a lot of other resources out there too, both commercial and free that can advise email users on the best way to keep safe in their use of email.
Do email users think they know all they need to in the fight against spam?
IT folk should also be putting information out there, making it easy for email users to learn and understand the issues. Along with the many other blog posts I’ve done on email, I’m putting together a list of checks that email users should know off the bat in their fight against spam. Note this is a fairly lengthy article however I recommend patience and a full reading at your leisure.
Some information before we start:
80% of ransomware infections start with phishing emails. That means that no matter the technical preventions in place to protect users from spam, those users are still getting spam and falling for phishing attacks. Education then is an absolute must as the user is the last link in the chain …
Breaking it down
The first step is to identify the different parts of any email – this is a very important part of identifying spam and all email users should be aware of these. There are 4 primary parts:
headers
Headers are the fields at the top of an email which define the addressing and other structural information for that email and include:
- from = the sender of the email
- to = the recipient of the email
- received = a server that the email has passed through on its path to the recipient, there can be multiple received entries
- date = the date and time of receipt of the email (at the final server)
- User-Agent = the email, web or other client that was used to send the email
- X-* = any non-standard additional field added for further information
subject line
The subject line is in fact part of the email headers but for the purposes of spam, should be treated independently. It’s basically a title for the email.
body
The body is where the content of the email is provided.
attachments
Attachments are files that may be sent along with the email.
links
Many emails contain links that will redirect to content on websites. These are sometimes indicated in highlighted wording and other times as specific addresses (email or URLs).
Identification of spam – looking at the pieces
We need to start with the individual components of the email as listed in the preceding section and check each for tells that would identify the email as spam.
Headers
Headers are a critical part of identifying whether emails are valid or spam/fake.
A very important fact about headers, is that some of them can be faked or spoofed. Especially the from and to fields.
I can set my ‘from’ address to anything I’d like in my email client even if it’s different from my actual email address. As an example, my real email address may be:
user@domain.co.za
But I can set my ‘from’ address as:
notuser@notdomain.co.za
Keep this in mind as we proceed.
Let’s take a look at the ‘from’ field to start – it’s normally listed in the format:
Name – <email address>
Most people will only look at the name and not the email address itself. In terms of spam, the name may be something recognisable while if you look closer, the email address is not.
Many email programs will also put less emphasis/focus on the email address and more on the name for usability purposes, meaning that users have less visual weight on the email address aspect. Here are some examples:
Above is the subject view of an email from the Mozilla Thunderbird email client. The second field indicates the ‘from’ address, and in this case, Thunderbird is only showing us the name. If we were to take this at face value, then we might assume this is a valid email from Sanlam.
Above is the top of the content/body view in Thunderbird for the same email, which shows a few headers in basic format – in this case, the sender name and email address.
We can see that the email address is loan.financialonline.co.sa@outlook.com.
There are 2 primary tells here that indicate this is not a valid email:
- the ‘from’ domain is ‘outlook.com’ – Sanlam (or any other commercial company) would never send email from an outlook.com address – it should always come from their corporate domain, in this case it should be address@sanlam.co.za
- the user portion of the ‘from’ address, loan.financialonline.co.sa, is a clear attempt at creating confusion in the user’s mind and is fake too
Here is another example, this time from a bank:
These are very common, and attackers will craft fake emails like this for all banks. There’s an initial tell here in the subject view – Ned Bank is not a valid name whereas Nedbank would be. But we need to dig deeper.
Ok, now this looks quite formal and correct, doesn’t it? We have what would normally be assumed to be the correct format in the email address – statement@nedbank.co.za.
However we can’t take this in isolation so let’s continue with some other aspects of the email.
Subject line
The subject line for the email in the previous example is:
The date on the end is in American format (year-month-day) and this format would never be used by a South African company. The same applies for other countries as well as other types of information. Incorrect values for regional settings can be a very important tell.
The above subject line is a mix of seemingly valid and obviously invalid information.
- The first obvious clue is that smiley face 🙂 – I don’t think a bank would ever put something like that in an email as it’s unprofessional
- The 2nd tell is that a bank would also not ask you to adjust an account because it is “in excess”
- An attempt at legitimacy is provided by the formal-looking financial certification details at the end (FSP3071 + NCRCP)
But on balance, this email is clearly spam.
Body
The body of an email is where spammers are putting a lot of effort lately in an attempt to lend legitimacy to their spam emails. It’s also where legitimate senders are failing, as will be explained later.
The body of the previous FNB example is as follows:
This is a fairly formal and professional-looking body – the logos and visuals lend a certain level of importance to the email, leading one to assume this might be valid. Many spam emails use this technique, in fact to the point where they outright copy valid details, information and graphics from the original websites in an attempt to confuse email users into thinking the email is valid.
But the details in this body are copied directly from the subject line and are a clear tell that something is not right here.
The above type of emails, appearing to come from IT Support or other seemingly “approved” sources, are common. Clicking on the link would lead you to a phishing site requesting your login information.
Other bodies may only have text in them but where there is a request for urgent information or an offer to provide something (like money or services), then be immediately suspicious. Some samples:
All of the above are offering something, either money directly, or something in response to payment from your end, and are clearly all spam.
Attachments
Attachments are probably the most critical part of spam emails as this is where malicious code (eg. ransomware) is normally included. This along with links, is where email users struggle the most. It’s also where there is confusion between valid and invalid information.
There are cases where there is an obvious tell in the name of an attachment. From the FNB example:
The filename in the above is designed to mimic the account no. for the target user(s). But there are 2 tells that indicate this is fake:
- the date is using the incorrect regional format (as per the subject line)
- the file extension (html) is not one that would/should normally be used for email attachments
In fact, the attachment is a web file that will open in your browser and most likely take you to a site that, for all intents and purposes, looks like the FNB website along with a login form asking you for your internet banking credentials. If you were to login here with your internet banking login details, the attackers would now have your credentials, and they would be able to login to your online banking account and transfer money or perform other functions.
This is a classic phishing attack.
Another example:
pdf files are more commonly sent in emails for business purposes and one might assume these are safe, but pdf files can contain malicious code which could infect your machine. Note the formal looking titles to the attachment files.
It should becoming clear now that, where a single aspect of an email can not be used to identify an email as spam or not, multiple aspects of the email will need to be checked so that in total, you will be able to make a decision on that email.
It’s important to become familiar with attachments that are obviously problematic as opposed to those that can straddle the line. If you see the following then be sure not to open these at all:
- html
- htm
- lnk
- bat
- msi
- cmd
- reg
- jar
Note that files used in productivity applications like Word, Excel and others can also contain malicious code and macros, so be careful with those.
Links/URLs
Links in the bodies of emails are an important part of the arsenal used in phishing attacks. Repeat after me:
Do not click that link!
Do not click that link!
Do not click that link!
But links are also used by many valid and commercial companies to direct users to their websites for information related to the email. They may include some basic information in the email but then use a link to take the user to their website where extended information would be provided.
The first step in checking links is to hover your mouse over the link (do not click it) and see the address that is shown.
The links in the body of the above email look genuine. But every single link listed in fact goes to the following real link which is clearly fake.
There are times however where a valid company will make use of links in their emails that are not directly related to their domain. This is because the links are generally tied to the newsletter mailers that these companies use.
Here is a screenshot from a Getaway Weekly mailer:
The address when hovering over the Read More link is shown as:
Not knowing anything about Getaway Magazine, one could only assume that the link is fake. However the publisher for Getaway Magazine is in fact Ramsay Media which now lends credence to the link.
So some investigation may be required on your part to get to the bottom of things. If in doubt, don’t click. Rather go to the site directly in your browser and look for the information there.
It’s also important that those sending out mailers, need to make their emails more user-safe in that links should reflect the domain of the sender.
As another example, I’d like to refer back to the Nedbank email from earlier.
Every link in this email is valid and points to locations on the real Nedbank website … however the attachment is suspicious so taken on balance, this email is fake.
Other headers
Other header entries can provide more details allowing one to decide whether an email is fake or not. First we need to find out how to get to our headers.
Once we have access to our headers, we can now see detailed information about the email including:
- the sender and recipient
- the path the email took
- any spam headers
Let’s look at these in more detail. I’m going to use the Nedbank example from above where the body looked fine but there was a dodgy attachment.
Return-Path: <statement@nedbank.co.za>
X-Spam-Status: No, score=-0.1 required=5.5 version=3.3.1
Received: from host.8projects.es (8projects.es [82.223.69.144])
by virtualmin2.silvagroup.co.za (Postfix) with ESMTPS id A6F57649DA2
for <rpedrica@xstore.co.za>; Mon, 10 Aug 2020 21:45:32 +0200 (SAST)
Received: from [116.203.96.133] (static.133.96.203.116.clients.your-server.de [116.203.96.133])
by host.8projects.es (Postfix) with ESMTPA id CD7BF1B69B6;
Mon, 10 Aug 2020 20:32:10 +0200 (CEST)
Authentication-Results: host.8projects.es;
spf=pass (sender IP is 116.203.96.133) smtp.mailfrom=statement@nedbank.co.za smtp.helo=[116.203.96.133]
Received-SPF: pass (host.8projects.es: connection is authenticated)
Subject: Nedbank Account Statement 20-08-10
To: Recipients <statement@nedbank.co.za>
From: Ned Bank <statement@nedbank.co.za>
Date: Mon, 10 Aug 2020 11:32:09 -0700
There is quite a bit of information here so let’s break it down line by line.
Return-Path
This shows the request return address that was included in the email and it’s not necessarily the real sender address.
X-Spam-Status
This indicates that there is an anti-spam system running on the receiving system however it did not identify this email as spam.
Received
There are 2 Received from entries:
[116.203.96.133] (static.133.96.203.116.clients.your-server.de
host.8projects.es (8projects.es [82.223.69.144])
The most important part of the information in these specific Received fields, is that they have nothing to do with Nedbank. And this is critical to recognizing (above any other indicators) that this is spam.
Authentication fields
Authentication-Results: host.8projects.es;
spf=pass (sender IP is 116.203.96.133) smtp.mailfrom=statement@nedbank.co.za smtp.helo=[116.203.96.133]
Received-SPF: pass (host.8projects.es: connection is authenticated)
These 2 fields indicate that an SPF check was done and completed successfully – meaning that the sender server is who they say they are – they’re just not Nedbank.
Email authentication solutions like SPF and DKIM are designed to flag emails from senders that actually come from someone else. If someone sent an email from a server masquerading as a Nedbank server, then this SPF check would’ve failed.
But in this case, the sender server is saying that they are who they say they are (host.8projects.es) so SPF passes.
Be careful to understand the intent and results of SPF/DKIM checks.
Note that spammers can send spam from their own spam servers but also from completely valid servers, where accounts have been compromised. This is important in understanding the Received field.
Here are some headers from the Linked email referred to earlier.
ARC-Authentication-Results: i=1; mx.google.com;
spf=fail (google.com: domain of fenealy@lowetillson.com does not designate 88.198.57.141 as permitted sender) smtp.mailfrom=fenealy@lowetillson.com
Return-Path: <fenealy@lowetillson.com>
Received: from server5.dn-server.com (server5.dn-server.com. [88.198.57.141])
by mx.google.com with ESMTP id s15si5029745oov.35.2020.08.02.02.55.44
for <rpedrica@gmail.com>;
Sun, 02 Aug 2020 02:55:45 -0700 (PDT)
Received-SPF: fail (google.com: domain of fenealy@lowetillson.com does not designate 88.198.57.141 as permitted sender) client-ip=88.198.57.141;
Authentication-Results: mx.google.com;
spf=fail (google.com: domain of fenealy@lowetillson.com does not designate 88.198.57.141 as permitted sender) smtp.mailfrom=fenealy@lowetillson.com
From: LinkedIn <fenealy@lowetillson.com>
ARC-Authentication-Results
Received-SPF
The sender server has clearly failed SPF checks.
Return-Path
From
These 2 fields clearly indicate a sender other than what you would expect from Linkedin.
There are many other headers fields that one can check, as well as a number of fields starting with X-
These are custom fields added by the sender server that allow for further troubleshooting.
Conclusion
This post is a starting point for your journey to identifying spam, phishing emails and other email nasties. It’s important to know what to look for so that you can protect yourself effectively when using email.
There are a lot of systems and software available to assist in keeping you safe, however more often than not, you are the last, and sometimes weakest, link in the chain. You need to become familiar with the methods that spammers use so that you can protect yourself from malicious intent.
A quick summary:
- know the various components and structure of an email
- know what tells to look for in each component that could indicate spam
- understand that multiple checks in different components of the email may need to be checked to get a bigger picture
- do not click on links
- do not respond to urgent requests or requests for payment/offers of money
- be careful about emails that come from “trusted” sources
- confirm trusted sources and their servers
- lower the trust value for emails sent from public domains (gmail.com, outlook.com, etc.)
- Compare the sender name to the sender address
- look for misspellings or poor grammar
- look out for suspicious links and attachments
- if it’s too good to be true, then it probably is
- legitimate companies won’t ask you to provide sensitive information via email
- don’t provide any more information than you need to
- use security software that provides for email protection
Using the above information should put you in a much better position to protect yourself against spam email.
If you need further assistance, we provide Security Awareness Training (SAT) which can improve your knowledge of security threats and provide ways to protect yourself against these.
We also offer security solutions that can better assist you in protecting yourself from spam. Speak to us for more information.
