6

Lets say you're the target an advanced phishing attack, meant to look like it came from Amazon.com. It shows @amazon.com in the sender field, but you're suspicious. You can call Amazon and find out, but lets imagine that you couldn't. Is it possible to look at the header of the email and verify with any level of certainty that the email did or did not come from Amazon?

Here's a header from an email I received which Amazon support verified was not from them:

 From security - update @amazon.com Wed Jun 15 05: 35: 15 2016
 X - Apparently - To: ***** @yahoo.com;
 Wed, 15 Jun 2016 05: 35: 16 + 0000
 Return - Path: < 2016061505351500688 fd1d5684edabf9d32ee87d0p0na @bounces.amazon.com >
   Received - SPF: pass(domain of bounces.amazon.com designates 54.240.13.30 as permitted sender)
 YW5kIHByaXZhY3kgdmVyeSBzZXJpb3VzbHkuIEFzIHBhcnQgb2Ygb3VyIHJv
 dXRpbmUgbW9uaXRvcmluZywgd2UgZGlzY292ZXJlZCBhIGxpc3Qgb2YgZW1h
 aWwgYWRkcmVzc2VzIGFuZCBwYXNzd29yZHMgcG9zdGVkIG9ubGluZS4gV2hp
 bGUgdGhlIGxpc3Qgd2FzIG5vdCBBbWF6b24tcmVsYXRlZCwgd2Uga25vdyB0
 aGF0IG1hbnkgY3VzdG9tZXJzIHJldXNlIHRoZWlyIHBhc3N3bwEwAQEBAQN0
 ZXh0L3BsYWluAwMy
 X - YMailISG: bvKKjZcWLDuqAP4uJx5EzWqDZs4AGZltJxwsTWfKWTo3MpLP
 RRAOPYJ0kEPrw4uT_S5NxE1XUyrqTYMpgofwIq41BJ0ZeIqhv5jhgkOcTT3f
 iwxX2SoomtBJ.ueo90kdV4tTSihP0_Igz8dlfJb4tSARevolMmcQ2dvAWbNs
 not5nyJJkw9rvBxeLa38H_diZewKRWfDi_pVCnd8tw9a0o9uxwsB1KMu5Sxf
 81 SekEnsOZdct9N0SXP_DCg0_xNBS33DybGyj9PDcwrsQp5yBHE3mnFwBz2a
 yXlyJ88Hw6BLyXAFWCrnb3JyBV1eTg2TrTJvRHLsXcVimTAIhGAYO6a5Yt8D
 yl9HIJ..V33ir0l7nUeA19KkacDYEnSPfOzgGrBP5ChAB7RQ0FlabG_xgVB_
 SmGw4QGJqruH7Gsa5vT9v15phcwEbvGZQTkEVPFNZc.kvPrX3wTgbhCB7qHI
 vAZKPdIDloLiA10qmW0J1.sxdMApofO1EVi0AncLnXOb9Y6ZArYLomqTtjeq
 TF1AE9QFzTDIAmGHZQlRTpSZHgoOFKMt8PrFw7nuCxjft_.zgg4X2nEl2WfP
 vwwm7_t4wpoX_GkTEAepUL..F5lLKaJg4w36T5qzMxFx3.eiqYy00Bda_Io2
 TjX._44ji3VCVYIWHPAm_Q08iVFjXUHRIW69rp2A4n7gkAo_9NaY_m_zvSju
 ctYuA4TEe7L8XyK.1 Ah0kPmAFbXAYgB74HluZ4GxKONxK33kJkkrUkNTcp7d
 2 CyNppWJ2gBJ.xb8_OnuFuGtzfvAn7i3CkluWZt.uLLliwGZo86W.s6J5HYS
 4 mvCm3cHR5Zg16UFxH5Qyw_iDGePt8EgMLhjV2rKGdYBF0bOu2TSZb1AcT5n
 JRwjJMa8i7KqxsuiwzKhDJOaYXfGaBC2M13N6QeggiO7FKHXXMUplnK3.gtP
 KzrvBVTVVYQdoWFL7mB6lJK7rG5ZJV.SduOUyAsDC.3 JUg86MwPwuGpC1sLe
 sIsNU_zF1cZiQEXcD2DlHJxniCxn74BEGgyF8dO1oh6.SkKIHNjud2bnmqDx
 lqvSL7NzUsJwclMvxPY3UtmLs95cvUcBvIOVZR9ovhgSD_g9joPYVLE0.3 zu
 _dDuD07BSJtT.ICNzqQcg4VJ.CzTQWH0Eb78qC0QCui0KA_USNINQXT.ZWho
 CsLIyorUTUtTWdgtbltDb9dhUxf9vs6cgGHFtlBBWyWUi_Y8MxxhdTwwjW.l
 ErgFJ4WDsKVSZqE0MqMQJij7g3t5Qf4UNcx7dVFIknpL3.k.gsz8nMEyA.6 k
 nEvz45gD2nXSU1JVFQXwXnwaqlBBu6AaTXsuz_9snKkMkwJJKbfxew.yuI49
 SbDEnYnH_1kqdD6Dsh9mhlTTZIx4EnD2vO3TV_vQGdJaZSm1Jy2wn0etnCi4
 JprcFP9MsQIrULrsdBDTAdwa_3qC_FC7Zo.Hxh91sL3cHnRLRwybhD0jTbqP
 TdzqqnMe8rzhGk3QfnyTPO.I3YR7rx8HDh743dY -
   X - Originating - IP: [54.240.13.30]
 Authentication - Results: mta1509.mail.gq1.yahoo.com from = amazon.com;
 domainkeys = neutral(no sig);
 from = amazonses.com;
 dkim = pass(ok)
 Received: from 127.0.0.1(EHLO a13 - 30. smtp - out.amazonses.com)(54.240.13.30)
 by mta1509.mail.gq1.yahoo.com with SMTPS;
 Wed, 15 Jun 2016 05: 35: 16 + 0000
 DKIM - Signature: v = 1;
 a = rsa - sha256;
 q = dns / txt;
 c = relaxed / simple;
 s = eaxkvsyelrnxjh4cicqyjjmtjpetuwjx;
 d = amazon.com;
 t = 1465968915;
 h = From: To: Message - ID: Subject: MIME - Version: Content - Type: Date;
 bh = 6 MBHnat6TXZGDjYr8xS + fQIKeGWNo2gEkiV7HI92Lgk = ;
 b = GhJgCJCM6N1IksIdk3YMJAN01Rs / 5 i5Qo8V / DW / exZk / lv0n00lRSgx + H6GgJ0Cm
 6 VOi0o848HKD6ozzXuOrtw0NqRVHFUEG9 / 37 yBfhYMW9nt5 + fa3jqL4PaA4kqhsH52a
 70 SEPkxxhqZGjN4kmR2lLyYs9LWPo0Zmc0jdjx3I =
   DKIM - Signature: v = 1;
 a = rsa - sha256;
 q = dns / txt;
 c = relaxed / simple;
 s = 6 gbrjpgwjskckoa6a5zn6fwqkn67xbtw;
 d = amazonses.com;
 t = 1465968915;
 h = From: To: Message - ID: Subject: MIME - Version: Content - Type: Date: Feedback - ID;
 bh = 6 MBHnat6TXZGDjYr8xS + fQIKeGWNo2gEkiV7HI92Lgk = ;
 b = sg9kv2564IQpHZ9P5fjZzgo43k1OQT1Q / 8 u2FSyhaLfrRVtjvAQdkLfhMMyupVu3
 70 VavyNthdmQEmawWGHM0dnviOPxUCOAF4KxrYi1s22vecoNEvjjDBy1xiGBzzeXtM6
 YRutkI3NrIG / A3ylPGub8So0H1MoQ90uSmZdFiT8 =
   From: security - update @amazon.com
 To: ***** @yahoo.com
 Message - ID: < 01000155528e74 f4 - b61f49db - 5 a99 - 47 f0 - 8220 - de3d790e7100 - 000000 @email.amazonses.com >
   Subject: Your Amazon password has been changed
 MIME - Version: 1.0
 Content - Type: multipart / alternative;
 boundary = "----=_Part_435506_288452969.1465968915690"
 X - AMAZON - MAIL - RELAY - TYPE: notification
 Bounces - to: 2016061505351500688 fd1d5684edabf9d32ee87d0p0na @bounces.amazon.com
 X - AMAZON - METADATA: CA = C34L8ES1N9UV8E - CU = AYTEASIHBL0P9 - RI = A1BTPRBNF2RGB1
 X - Original - MessageID: < urn.rtn.msg.2016061505351500688 fd1d5684edabf9d32ee87d0p0na @1465968915691.rtn - svc - na - us - east - 1e- i - 5 a3634e4.us - east - 1. amazon.com >
   Date: Wed, 15 Jun 2016 05: 35: 15 + 0000
 X - SES - Outgoing: 2016.06.15 - 54.240.13.30
 Feedback - ID: 1. us - east - 1. ZHcGJK6s + x + i9lRHKog4RW3tECwWIf1xzTYCZyUaiec = : AmazonSES
 Content - Length: 1794

Is it possible to verify that the email was not from Amazon just by looking at this header?

Bob Ortiz
  • 6,234
  • 8
  • 43
  • 90
J.Todd
  • 1,300
  • 1
  • 10
  • 20

2 Answers2

7

The header you show is not the original mail header but has spaces where they don't belong, has lost spaces where they belong, has added line breaks and is missing several Received Headers.

But, even if one would have the original header it will be impossible to verify the real sender, because too much can be faked. Using the DKIM signature shown in the header would help a lot, but since the signature includes parts of the header and also the body one would also need the body to verify the signature. But even the DKIM signature does not prove the sender, it only proves that the mail was sent using a specific mail server which signed the mail. And if the domain part of the signature matches the senders email domain one could at least assume that the senders domain is correct. But DKIM does not give any information about the sender itself.

Apart from that one might try to detect differences in the delivery path or other features of the header if one has enough proven valid headers from the same sender. But again - an attacker could fake almost everything in this header.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
1

The headers can be spoofed as well. You need to check the Received: headers and see if there is any provider that you do not trust, then there might be a phishing attempt. Headers can be spoofed for legitimate purposes in some cases. Related to this particular amazon e-mail you might want to check: Is this "security update" from security-update@amazon.com an advanced phishing scam or a real security measure from Amazon?

Community
  • 1
Stefan Iancu
  • 11
  • 2