
An "exploration" triggered by a forged email (phishing, SPF, DKIM, etc.)

Posted by santillano at 2020-04-16
    v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCmMPX+sFtBSSBaQENMXIY0kMoU xwpjsktTkjlsrdErh8WKSdRqNEZCE7e5/i9qT/rot5WikkyLoO9nWactl5u5rXli Nqy4eGq3aSQAo0J1/prrL9ZP/NWVo2j6lcSgkMgVCdw7gSIxObfvmp6PIb4edNzP nRBnpjey8xWFTDBzvQIDAQAB

The record looks like this (the key material will of course differ). v is the version of the DKIM record (DKIM1); k is the key type, here rsa; p is the public key, a DER-encoded SubjectPublicKeyInfo in Base64. The spaces inside p= are line wrapping of the TXT record, not part of the key. A key whose p= starts with MIGfMA0G..., as here, is 1024-bit RSA, the minimum RFC 8301 allows; 2048-bit keys (p= starts with MIIBIjAN...) are the recommended size.

How to query the dkim public key of the mail domain:

Windows:

    nslookup -qt=txt mail._domainkey.mail.vpgame.net 

Here the leading "mail" is the selector of the mail domain above (the s= tag of the signature), "_domainkey" is a fixed label (DKIM grew out of Yahoo's DomainKeys), and mail.vpgame.net is the signing domain (the d= tag). In general the name to query is <selector>._domainkey.<signing domain>.

Linux:

    dig -t txt mail._domainkey.mail.vpgame.net

Appendix: analysis of a Gmail DKIM signature

This is a mail sent from Gmail to my Tencent Enterprise Mail account:

Let's take a look at the contents of dkim signature:

v=1 is the DKIM version.

a=rsa-sha1 is the signing algorithm; the defined values are rsa-sha1 and rsa-sha256. RFC 8301 has since deprecated rsa-sha1, so a current signer should use rsa-sha256 and a verifier should treat rsa-sha1 signatures as unverified.

c=relaxed/relaxed is the canonicalization, for the header and the body respectively. relaxed tolerates the whitespace and line-wrapping changes that intermediate servers commonly make; simple tolerates almost none, so a single changed space breaks the signature.

d=gmail.com is the signing domain, what Gmail's message details call the "signed-by" domain. It is configured in the DKIM settings of the sending server and need not equal the mail domain (the part after the @ in the From: address), although it usually is; DMARC additionally requires the two to align.

s=20161025 is the selector. Through the selector a domain can publish several public keys, so that different servers can sign with different keys and keys can be rotated. The verifier fetches the public key from the TXT record at <s>._domainkey.<d>, here 20161025._domainkey.gmail.com.

h=... is the header list: the header fields covered by the signature, in the order they were hashed.

bh=... is the body hash: the Base64 hash of the canonicalized body.

b=... is the signature over the headers. The signer takes every field named in h= with its value, appends the DKIM-Signature header itself with an empty b= (the signature does not exist yet), canonicalizes and hashes them, and signs the hash with the domain's RSA private key. The receiver recomputes the same hash and verifies the signature with the public key from DNS. Since bh= is itself one of the signed values, the body cannot be altered without invalidating b= either.
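As an added example (not code from the original article), the following Python parses the record quoted above and a Gmail-style DKIM-Signature value, derives the DNS name the verifier queries, and recomputes bh= under relaxed canonicalization. The public-key record is the one shown earlier on this page; the DKIM-Signature value, the headers and the body are constructed, and b= is left empty because producing or checking it needs the RSA key pair.

```python
#!/usr/bin/env python3
"""Added example, not from the original article: parse a DKIM public-key
record and a DKIM-Signature header, derive the DNS name of the key, and
recompute bh= under relaxed canonicalization (RFC 6376).  b= is not verified
(that needs an RSA library); signed_data() shows which bytes it signs."""
import base64
import hashlib
import re

# The record the article quotes for mail._domainkey.mail.vpgame.net; the
# spaces inside p= are line wrapping and are stripped by parse_tags().
VPGAME_RECORD = (
    "v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCmMPX+sFtBSSBaQENMXIY0kMoU "
    "xwpjsktTkjlsrdErh8WKSdRqNEZCE7e5/i9qT/rot5WikkyLoO9nWactl5u5rXli "
    "Nqy4eGq3aSQAo0J1/prrL9ZP/NWVo2j6lcSgkMgVCdw7gSIxObfvmp6PIb4edNzP "
    "nRBnpjey8xWFTDBzvQIDAQAB")

# Constructed DKIM-Signature value in Gmail's style; bh= and b= are filled in
# by the caller (a real b= would come from the signer's private key).
SAMPLE_SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;\r\n"
                    " h=from:to:subject:date:message-id; bh={bh}; b={b}")

def parse_tags(value):
    """Split a DKIM tag=value list into a dict, dropping folding whitespace inside values."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            name, val = item.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def dkim_dns_name(sig_tags):
    """TXT record the verifier fetches p= from: <selector>._domainkey.<signing domain>."""
    return f"{sig_tags['s']}._domainkey.{sig_tags['d']}"

def _der(buf, pos):
    """Minimal DER TLV reader: (tag, content, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_key_bits(record_tags):
    """Modulus size of p=, a Base64 SubjectPublicKeyInfo: SEQUENCE { AlgorithmIdentifier,
    BIT STRING { SEQUENCE { n, e } } }.  RFC 8301: at least 1024 bits, 2048 recommended."""
    spki = base64.b64decode(record_tags["p"])
    _, seq, _ = _der(spki, 0)
    _, _, pos = _der(seq, 0)          # skip AlgorithmIdentifier (rsaEncryption)
    _, bitstr, _ = _der(seq, pos)     # BIT STRING; first byte = unused-bit count
    _, rsa, _ = _der(bitstr[1:], 0)   # RSAPublicKey SEQUENCE
    _, n, _ = _der(rsa, 0)            # modulus INTEGER; leading 0x00 keeps it positive
    return (len(n) - (1 if n[0] == 0 else 0)) * 8

def relaxed_body(body):
    """Relaxed body canonicalization (RFC 6376 3.4.4): strip trailing WSP per line,
    collapse WSP runs to one space, drop trailing empty lines, terminate with CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t"))
             for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)

def body_hash(body, algorithm="rsa-sha256"):
    """bh= value: Base64 of the hash named in a= over the canonicalized body."""
    digest = hashlib.sha1 if algorithm.endswith("sha1") else hashlib.sha256
    return base64.b64encode(digest(relaxed_body(body).encode("utf-8")).digest()).decode()

def relaxed_header(name, value):
    """Relaxed header canonicalization (RFC 6376 3.4.2): lowercase name, unfolded value."""
    value = re.sub(r"[ \t]*\r?\n[ \t]*", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")
    return f"{name.lower()}:{value}\r\n"

def signed_data(headers, sig_tags, sig_header_value):
    """Bytes that b= signs (RFC 6376 3.7): the headers named in h=, in that order, then
    the DKIM-Signature header itself with b= emptied and without its trailing CRLF.
    Simplification: a repeated header name takes the first occurrence, not the last."""
    parts = []
    for wanted in sig_tags["h"].split(":"):
        for name, value in headers:
            if name.lower() == wanted.lower():
                parts.append(relaxed_header(name, value))
                break
    emptied = re.sub(r"(^|;)(\s*)b=[^;]*", r"\1\2b=", sig_header_value)
    parts.append(relaxed_header("DKIM-Signature", emptied).rstrip("\r\n"))
    return "".join(parts).encode("utf-8")

if __name__ == "__main__":
    record = parse_tags(VPGAME_RECORD)
    print(record["v"], record["k"], f"{rsa_key_bits(record)}-bit RSA key")
    body = "Please open the link in this mail.\r\n\r\n"   # constructed body
    sig = SAMPLE_SIGNATURE.format(bh=body_hash(body), b="")
    tags = parse_tags(sig)
    print("key lookup:", dkim_dns_name(tags), "| bh matches:", body_hash(body, tags["a"]) == tags["bh"])
    print("tampered body matches:", body_hash(body + "x", tags["a"]) == tags["bh"])
    print(signed_data([("From", "someone@gmail.com"), ("Subject", "hello")], tags, sig).decode())
```

Run it as a script and it prints the key size of the quoted record, the DNS name a verifier would look up, whether a constructed body still matches its bh=, and the exact canonical bytes that a private key would sign; a single character added to the body flips the bh= check, which is why the body hash is checked before the signature is even looked at.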

0×03. Notes on the configuration of Sendcloud, a well-known Chinese ESP

1. The "via" (sent on behalf of) notice caused by the sending domain differing from the mail domain (the part after the @) of the displayed sender (From)

When an ESP (e-mail service provider) receives a mail, it compares the domain that actually sent it (the envelope sender or the authenticated relay) with the domain of the From: header, and flags the mail as sent through an agent when the two differ.

This is what Gmail does:

If the sending domain configured on Sendcloud differs from the mail domain of the sender shown in the message, Gmail displays the agent that really sent the mail ("via").

Here the actual sending domain is mail.vpname.net while the displayed sender's mail domain is mail.vpname.cn; they differ, so Gmail shows the "via" notice.

The following is a Code Weekly mail sent to my Gmail mailbox. There is no "via" notice, because the actual sender's mail domain is the same as the displayed sender's.

2. Relayed mail sent through the unencrypted port

For example, a mail from mail.vpgame.net is shown by Gmail as not encrypted, which may be because it was sent by calling Sendcloud's unencrypted SMTP port.

Gmail reports "sendcloud.org did not encrypt this message" because Gmail received the message from Sendcloud over a connection without TLS. Note that this indicator describes only the final hop into Gmail; it says nothing about how the mail was submitted to Sendcloud in the first place.

0×04. Sending mail disguised as someone else

1. Foxmail can be configured with a different display account (the mail will show this account as its sender)

2. Send a mail to yourself (the actual account in the figure above) with the configuration in the figure above

The displayed sender appears here

3. If the mail is received in WeChat (WeChat can receive mail once Tencent Enterprise Mail is bound to it) and you are not paying attention, you would really believe it was sent by the displayed sender

4. Send the mail to Gmail

Gmail showed no "via" notice

But when we open the original message in Gmail ("Show original"), we can see that this mail did not come from the displayed sender

5. Let's see whether anything fishy shows up when replying to this mail

A reply from Gmail goes to the displayed sender

A reply from Foxmail also goes to the displayed sender

Foxmail's quick reply goes to the actual sender

Note: a Reply All includes the actual sender

0×05. Some tips for identifying forged mail

1. The actual sender differs from the displayed sender

In this case you need to check carefully whether the mail was really sent by a legitimate third party, such as Sendcloud, a well-known mail relay service. If not, it is usually a forged mail.

How do I find the actual sender of a message?

Generally by viewing the original (raw) content of the mail, where the Return-Path and Received headers show who really handed it in. There is another trick: when the mail arrives, the new-mail notification shows the actual sender.

2. A normally configured sending server publishes an SPF record, and some also configure DKIM. If the sender's mail domain has no SPF record, the mail may be forged. The reverse does not hold: an SPF pass only proves that the server was allowed to send for the envelope (Return-Path) domain, not for the domain shown in From:, so a forged From: can still arrive with spf=pass unless DKIM or DMARC ties the signature to the From: domain.

3. Mail service providers generally have an anti-spam mechanism. For mail that carries a safety warning, be careful not to trust it easily, and do not click on pictures, links or attachments.

As shown in the figure above, these are all forged mails, and the displayed recipient is forged as well.
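As an added example (not from the original article), the Python below turns the checks from 0×03 and 0×05 into code that runs over a raw message: it compares the displayed From: domain with the envelope sender and with the SPF/DKIM results in Authentication-Results, decodes the Chinese display name and the Base64 body that 0×06 discusses, and lists the warning signs. The messages, addresses and domains (example.com, mail.example.net, the 财务部 display name) are constructed for the example and belong to nobody.

```python
#!/usr/bin/env python3
"""Added example, not from the original article: the sender checks from
sections 0x03 and 0x05 applied to a raw message, plus the header/body
decoding from 0x06, using only the standard library."""
import base64
import re
from email import message_from_string, policy
from email.header import make_header
from email.utils import parseaddr

BODY = "请访问邮件中的链接"  # constructed body text; clients usually send it Base64-encoded

def build_message(from_header, return_path, auth_results, reply_to=None):
    """Assemble a constructed raw message (all names and domains are made up):
    Return-Path is the envelope sender, Authentication-Results is what the
    receiving MX recorded, From: is what the mail client displays."""
    headers = [
        f"Return-Path: <{return_path}>",
        "Received: from mail.example.net (mail.example.net [192.0.2.10]) by mx.example.com",
        f"Authentication-Results: mx.example.com; {auth_results}",
        f"From: {from_header}",
        "To: victim@example.com",
        "Subject: " + make_header([("请查收附件", "utf-8")]).encode(),  # RFC 2047 encoded-word
        "MIME-Version: 1.0",
        "Content-Type: text/plain; charset=utf-8",
        "Content-Transfer-Encoding: base64",
    ] + ([f"Reply-To: {reply_to}"] if reply_to else [])
    return "\n".join(headers) + "\n\n" + base64.b64encode(BODY.encode("utf-8")).decode() + "\n"

# Forged: the display name is the encoded-word for 财务部 and the address claims
# example.com, but the envelope sender is another domain, the same pattern as
# the Foxmail "display account" experiment in section 0x04.
FORGED = build_message("=?utf-8?b?6LSi5Yqh6YOo?= <boss@example.com>",
                       "attacker@mail.example.net",
                       "spf=pass smtp.mailfrom=attacker@mail.example.net; dkim=none",
                       reply_to="attacker@mail.example.net")
# Legitimate: envelope sender and DKIM signing domain both match From:.
LEGIT = build_message("Alice <alice@example.com>", "alice@example.com",
                      "spf=pass smtp.mailfrom=alice@example.com; dkim=pass header.d=example.com")

def domain_of(address):
    return address.rpartition("@")[2].lower()

def parse_auth_results(value):
    """method=result pairs and the domains they apply to, from an
    Authentication-Results header (RFC 8601)."""
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value))
    spf_dom = re.search(r"smtp\.mailfrom=([^\s;]+)", value)
    dkim_dom = re.search(r"header\.d=([^\s;]+)", value)
    results["spf_domain"] = domain_of(spf_dom.group(1)) if spf_dom else ""
    results["dkim_domain"] = dkim_dom.group(1).lower() if dkim_dom else ""
    return results

def sender_check(raw):
    """Who the mail claims to be from, who actually sent it, and the warning
    signs the article lists.  An SPF pass only vouches for the Return-Path
    domain, so what matters is whether it aligns with the From: domain."""
    msg = message_from_string(raw, policy=policy.default)
    shown = msg["From"].addresses[0]           # encoded-word display name is decoded here
    shown_domain = shown.domain.lower()
    actual = parseaddr(str(msg.get("Return-Path", "")))[1].lower()
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    warnings = []
    if actual and domain_of(actual) != shown_domain:
        warnings.append(f"actual sender {actual} is not in the displayed domain {shown_domain}")
    if auth.get("spf") != "pass":
        warnings.append(f"SPF result for the envelope domain: {auth.get('spf', 'missing')}")
    if auth.get("dkim") != "pass":
        warnings.append("no valid DKIM signature")
    elif auth["dkim_domain"] != shown_domain:
        warnings.append(f"DKIM signed by {auth['dkim_domain']}, not by {shown_domain}")
    if "Reply-To" in msg and domain_of(parseaddr(str(msg["Reply-To"]))[1]) != shown_domain:
        warnings.append("Reply-To leads to another domain")
    return {"display_name": shown.display_name, "shown": shown.addr_spec, "actual": actual,
            "auth": auth, "body": msg.get_content(), "warnings": warnings}

if __name__ == "__main__":
    for label, raw in (("forged", FORGED), ("legit", LEGIT)):
        result = sender_check(raw)
        print(label, result["display_name"], result["shown"], "<-", result["actual"])
        print("  body:", result["body"].strip(), "| warnings:", result["warnings"] or "none")
```

Two design points: the forged message passes SPF, because the attacker's own domain is allowed to send for the attacker's own Return-Path, which is exactly why the check compares domains instead of trusting spf=pass; and the displayed name is recovered from the encoded-word by the email package, so the output shows the same Chinese name the victim's client would show.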

0×06. Supplement

Mail sent by Tencent Enterprise Mail is transmitted over an encrypted (TLS) connection by default.

The body of a mail is generally the Base64 of its UTF-8 text, which can be decoded or encoded with the K8 web encoding conversion tool.

The From or To part of the mail header supports a Chinese display name (Subject supports Chinese as well), so when building the raw message yourself you need code to encode the Chinese content as an RFC 2047 encoded-word:

    #!/usr/bin/env python3
    # -*- coding: utf-8 -*-
    from email.header import decode_header, make_header

    if __name__ == '__main__':
        subject = '访问下邮件中的链接,看看不能访问'
        # Encode the Chinese text as an RFC 2047 encoded-word; this is the
        # form that goes into the raw Subject:/From:/To: header
        encoded = make_header([(subject, 'utf-8')]).encode()
        print(encoded)
        # Decode it again to check the round trip
        print(str(make_header(decode_header(encoded))))

For example, if you want to modify the Subject when constructing the raw content of the mail yourself (instead of calling XXX library), pass the Chinese text together with its charset to make_header; the result of .encode() is the raw (encoded-word) form of the Subject. The original version of this snippet was written for Python 2, where passing the string directly into make_header raised an error and the workaround was to first print repr('subject Chinese content') and paste the escaped byte string into make_header; under Python 3, as shown above, the str can be passed directly, and decode_header reverses the process.

*Author of this article: knpewg85942, reprinted from freebuf.com