2

I've received an email to my gmail account from FCMB, a bank in Nigeria (flashing warning lights already). It's not addressed to me (i.e., the email starts off "Dear Daniel," [not my name]). But the email address is mine.

When I look at the headers in Google, it really does look to me like Google received it directly from FCMB.com. Here's the relevant bit (I think):

ARC-Authentication-Results: i=1; mx.google.com;
   spf=pass (google.com: domain of ebusiness@fcmb.com designates 41.223.147.112 as permitted sender) smtp.mailfrom=ebusiness@fcmb.com;
   dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=fcmb.com
Return-Path: <ebusiness@fcmb.com>
Received: from lin-smtp.fcmb.com (lin-smtp.fcmb.com. [41.223.147.112])
    by mx.google.com with SMTP id n5si1099097wmi.93.2019.09.04.11.31.49
    for <XXX@gmail.com>;
    Wed, 04 Sep 2019 11:31:50 -0700 (PDT)
Received-SPF: pass (google.com: domain of ebusiness@fcmb.com designates 41.223.147.112 as permitted sender) client-ip=41.223.147.112;
Authentication-Results: mx.google.com;
   spf=pass (google.com: domain of ebusiness@fcmb.com designates 41.223.147.112 as permitted sender) smtp.mailfrom=ebusiness@fcmb.com;
   dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=fcmb.com
Message-ID: <5d700316.1c69fb81.8dceb.fbc9SMTPIN_ADDED_MISSING@mx.google.com>
Received: from INTRANET (unknown [172.27.15.3]) 
   by lin-smtp.fcmb.com (Postfix) 
   with ESMTP id 69410875FC 
   for <XXX@GMAIL.COM>;
   Wed, 4 Sep 2019 19:43:36 +0100 (WAT)
MIME-Version: 1.0
From: FCMB <ebusiness@fcmb.com>

How can I tell if this is really being sent to me legitimately? Is this being faked in a way that I am missing? In which case I want to better understand it, since if not for all the red flags, I would have concluded that this email is legitimate.

P.S. This is the third email I've received in the last 2 months from FCMB that is addressed to "Daniel".

asked by Joel; edited by schroeder
  • Re: "Daniel". I get tons of emails destined for other people because they used my email address by mistake when they signed up. The misaddressed part is not enough to determine legitimacy. – schroeder Sep 05 '19 at 08:50
  • Do you have an account with that bank? If not, I don't see any reason to look into that. Usually, business is not conducted between (new) customers and banks (ofc that depends on your location as well...) - so I guess the best case is, that it's spam. – mhr Sep 05 '19 at 08:52
  • 2
    I'm editing this question to focus on "how" to determine if the headers are legitimate. We can't be a site that combs through random email headers. – schroeder Sep 05 '19 at 08:53

3 Answers

3

To be honest this looks fine. It would be helpful to see the mail itself.

The whole fcmb.com domain is valid. They are not listed on any blacklist. Those IPs are all valid. They use email protection by Trend Micro. They have valid certs by GlobalSign issued for the hosting provider of their website, Incapsula Inc.

Here is some information on the bank:

https://en.wikipedia.org/wiki/First_City_Monument_Bank

This is the procedure:

I start with those "received" fields and check the "from" values. In your case there is only one field.

We find lin-smtp.fcmb.com and 41.233.147.112; this is correct, as lin-smtp.fcmb.com actually resolves to 41.233.147.112. You can check this with a reverse DNS lookup. In spoofed mails they sometimes add false values here, like a nonexistent domain or IP. But typically they only adjust the "Return-Path".

"Received-SPF" indicates they have an SPF record set on their domain. This technique is used to determine which sending addresses are allowed to send mails in the name of said domain. Its whole purpose is to avoid spoofing.

The IP we found can be checked for blacklist entries (I used Cisco Talos reputation check / MXToolbox Blacklist lookup). Usually spoofed addresses are only used for a short period because they get discovered. We can make sure this IP has been associated with said domain for long enough if we check passive DNS databases (RiskIQ).

As lin-smtp.fcmb.com is a subdomain of fcmb.com, we can go on with that. It brings up a web page that looks plausible. I searched for them and found their Wikipedia article.

I followed with another reverse DNS lookup against fcmb.com:

A records: 45.60.1.138 / 45.60.1.138 both belong to Incapsula Inc with AS number 19551 (the same company that issued the website's SSL certificate); they are actually known for web hosting and protection.

Maybe you should contact them.

Kingflomb
    Very often even a good spoof fails to get the timestamps right. Here 04 Sep 2019 11:31:50 -0700 (PDT) and 4 Sep 2019 19:43:36 +0100 (WAT) is a very reasonable 12 minutes between servers. – user10216038 Sep 05 '19 at 20:34
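The checks this answer walks through, applied to the headers from the question, as an added example (not code from the answerer): it parses the Received chain and compares each HELO name with the reverse DNS the receiving server recorded, computes the delay between hops from their timestamps, reads the spf/dkim/dmarc results and checks that the envelope sender aligns with the From domain, and flags a Reply-To on another domain (the point the later answers raise). A second, constructed header set using example.invalid names and a documentation IP shows what a failing message looks like. It does no network lookups; the reverse DNS, blacklist and passive DNS checks described above still have to be run against live data.

```python
import ipaddress
import re
from email.parser import HeaderParser
from email.utils import parseaddr, parsedate_to_datetime

# Headers quoted in the question (the asker masked the recipient as XXX).
QUESTION_HEADERS = """\
Return-Path: <ebusiness@fcmb.com>
Received: from lin-smtp.fcmb.com (lin-smtp.fcmb.com. [41.223.147.112])
    by mx.google.com with SMTP id n5si1099097wmi.93.2019.09.04.11.31.49
    for <XXX@gmail.com>; Wed, 04 Sep 2019 11:31:50 -0700 (PDT)
Authentication-Results: mx.google.com;
   spf=pass (google.com: domain of ebusiness@fcmb.com designates 41.223.147.112 as permitted sender) smtp.mailfrom=ebusiness@fcmb.com;
   dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=fcmb.com
Received: from INTRANET (unknown [172.27.15.3])
   by lin-smtp.fcmb.com (Postfix) with ESMTP id 69410875FC
   for <XXX@GMAIL.COM>; Wed, 4 Sep 2019 19:43:36 +0100 (WAT)
From: FCMB <ebusiness@fcmb.com>
"""

# Constructed counter-example (example.invalid names, a documentation IP): the same
# visible From, but the envelope sender and Reply-To sit on unrelated domains.
SPOOFED_HEADERS = """\
Return-Path: <bounce@mailer.example.invalid>
Received: from relay.example.invalid (relay.example.invalid [203.0.113.7])
    by mx.example.net with ESMTP id abc123 for <victim@example.net>; Wed, 04 Sep 2019 11:31:50 -0700 (PDT)
Authentication-Results: mx.example.net;
   spf=pass smtp.mailfrom=bounce@mailer.example.invalid;
   dmarc=fail header.from=fcmb.com
From: FCMB <ebusiness@fcmb.com>
Reply-To: <ebusiness@fcmb-support.example.invalid>
"""

RECEIVED_FROM = re.compile(
    r"^from\s+(?P<helo>\S+)(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?", re.I)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _unfold(value):
    return " ".join(str(value).split())  # folded header -> one line, single spaces

def _domain(addr_or_domain):
    addr = parseaddr(addr_or_domain)[1] or addr_or_domain  # accepts 'x@d', '<x@d>' or 'd'
    return addr.rsplit("@", 1)[-1].lower()

def _is_rfc1918(ip):
    try:
        return any(ipaddress.ip_address(ip) in net for net in RFC1918)
    except ValueError:
        return False

def parse_received(value):
    """Claimed HELO name, receiver-recorded reverse DNS and IP, and the timestamp."""
    m = RECEIVED_FROM.match(value)
    stamp = value.rsplit(";", 1)[-1].strip() if ";" in value else None
    rdns = (m.group("rdns") or "").rstrip(".").lower() if m else ""
    return {"helo": m.group("helo") if m else None, "rdns": rdns or None,
            "ip": m.group("ip") if m else None,
            "time": parsedate_to_datetime(stamp) if stamp else None}

def parse_auth_results(value):
    """Method results (spf/dkim/dmarc) and the identifiers DMARC aligns on."""
    results = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I)
    ids = re.findall(r"\b(smtp\.mailfrom|header\.from|header\.d)=([^\s;]+)", value, re.I)
    return {k.lower(): v.lower() for k, v in results}, {k.lower(): v.lower() for k, v in ids}

def analyze(raw_headers):
    msg = HeaderParser().parsestr(raw_headers)
    hops = [parse_received(_unfold(v)) for v in msg.get_all("Received", [])]
    results, ids = parse_auth_results(_unfold(msg.get("Authentication-Results", "")))
    from_domain = _domain(_unfold(msg.get("From", "")))
    findings = []
    # 1. Per hop: does the HELO name agree with the reverse DNS the receiver recorded?
    for i, hop in enumerate(hops):
        if hop["ip"] and _is_rfc1918(hop["ip"]):
            findings.append(f"hop {i}: RFC 1918 address {hop['ip']}, an internal relay not verifiable from outside")
        elif hop["rdns"] and hop["rdns"] != "unknown":
            verdict = "matches" if hop["rdns"] == hop["helo"].lower() else "DIFFERS FROM"
            findings.append(f"hop {i}: HELO {hop['helo']} {verdict} reverse DNS {hop['rdns']}")
    # 2. The top Received header is the latest hop, so each delay should be positive;
    #    a negative value means the earlier server's clock runs ahead (skew, not transit).
    delays = []
    for newer, older in zip(hops, hops[1:]):
        if newer["time"] and older["time"]:
            delays.append(int((newer["time"] - older["time"]).total_seconds()))
            if delays[-1] < 0:
                findings.append(f"clock skew: inner hop stamped {-delays[-1]}s after the outer one")
    # 3. Authentication results, then envelope/From alignment (the condition DMARC checks).
    findings.append("auth: " + " ".join(f"{m}={results.get(m, 'absent')}" for m in ("spf", "dkim", "dmarc")))
    mailfrom_domain = _domain(ids.get("smtp.mailfrom", _unfold(msg.get("Return-Path", ""))))
    aligned = mailfrom_domain == from_domain
    findings.append(f"envelope sender {mailfrom_domain} {'aligns with' if aligned else 'DOES NOT ALIGN WITH'} From {from_domain}")
    # 4. A Reply-To on another domain diverts answers away from the apparent sender.
    reply_to = msg.get("Reply-To")
    if reply_to and _domain(_unfold(reply_to)) != from_domain:
        findings.append(f"Reply-To domain {_domain(_unfold(reply_to))} differs from From {from_domain}")
    return {"hops": hops, "results": results, "hop_delays_s": delays, "aligned": aligned, "findings": findings}

if __name__ == "__main__":
    print(*analyze(QUESTION_HEADERS)["findings"], sep="\n")
```

On the question's headers it reports spf=pass, dmarc=pass, dkim absent, a HELO name that matches the recorded reverse DNS, and an envelope sender aligned with the From domain. The timestamps deserve a careful reading: the internal FCMB hop is stamped 19:43:36 +0100 (18:43:36 UTC) while Google's receipt is 11:31:50 -0700 (18:31:50 UTC), so the inner stamp is 706 seconds later than the outer one. That is clock skew between the two servers rather than transit time; modest skew on an internal relay is common and is not by itself a sign of forgery, but a tool that reports the signed value keeps the two cases apart.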
0

SPF is the first test in the headers and passes. It proves the domain sender by using the return-path from the email and finding a key in the DNS records. In theory the DNS records are not easily tampered with by anyone except the owner.

DMARC also passes. DMARC policies are published in the DNS as text (TXT) resource records (RR) and announce what an email receiver should do with non-aligned mail it receives if they fail SPF or DKIM tests.

There is no DKIM signature which is surprising but not necessarily an issue on its own.

The next thing to look at to see if there is 'funny business' is the IPs. The intranet IP 172.27.15.3 is what it says on the tin - a private IP address. 41.223.147.112, which is listed as the IP from which the mail was received, does indeed belong to FCMB.

Depending on the content of the email it would be hard to definitely trust it, but if there are no attachments, no external links except to FCMB, no request for credentials or identifying info, and no strange reply-to address, I can't see how there could be an attack.

LTPCGO
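The SPF and DMARC steps this answer describes, evaluated offline against constructed records, as an added example rather than code from the answer. The SPF and DMARC record strings, the 198.51.100.9 sender and the example.invalid domains are made up for illustration and are not fcmb.com's real DNS data; the identities fed in are the ones in the question (From fcmb.com, envelope sender ebusiness@fcmb.com, connecting IP 41.223.147.112). The SPF evaluator handles ip4/ip6/all terms and reports terms that need a live lookup (include:, a, mx) instead of guessing; the DMARC part shows the alignment rule the answer alludes to: an SPF pass only counts for DMARC when the envelope-sender domain aligns with the From domain, which is why a dmarc=pass with SPF alone and no DKIM signature is possible, as in the headers above.

```python
import ipaddress
import re

# Constructed records for illustration only; not fcmb.com's published DNS data.
SPF_RECORD = "v=spf1 ip4:41.223.147.0/24 ip4:203.0.113.0/24 -all"
DMARC_RECORD = "v=DMARC1; p=reject; sp=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.invalid"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = ("a", "mx", "include", "exists", "ptr")  # need a resolver to evaluate

def check_spf(record, client_ip):
    """SPF result for client_ip under record, evaluating ip4/ip6/all terms left to right."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"  # bare mechanism means '+'
        mech = term.lstrip("+-~?").lower()
        if mech.startswith("redirect=") or re.split(r"[:/]", mech)[0] in DNS_MECHANISMS:
            return "needs-dns"  # stop rather than guess what a lookup would return
        if "=" in mech:
            continue  # other modifiers (exp=) do not affect the result
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech.startswith(("ip4:", "ip6:")) and ip in ipaddress.ip_network(mech[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no 'all': the RFC 7208 default

def parse_dmarc(record):
    """DMARC tag=value pairs, e.g. {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def org_domain(domain):
    """Organizational domain, approximated as the last two labels; a real
    implementation consults the Public Suffix List (co.uk and the like)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(header_from, auth_domain, mode):
    """DMARC identifier alignment: strict (s) needs equality, relaxed (r) the same org domain."""
    if not auth_domain:
        return False
    if mode.lower() == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)

def evaluate_dmarc(record, header_from, spf_result, spf_domain, dkim_result=None, dkim_domain=None):
    """Apply a DMARC record (assumed published at the organizational domain) to one message."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return {"result": "none", "disposition": "none", "tags": tags}
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_domain, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    policy = tags.get("p", "none")
    if header_from.lower() != org_domain(header_from):  # subdomain of the org: sp= overrides p=
        policy = tags.get("sp", policy)
    return {"result": "pass" if passed else "fail", "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "disposition": "none" if passed else policy.lower(), "tags": tags}

def walk_through():
    """The question's identities against the constructed records, plus two failing variants."""
    spf = check_spf(SPF_RECORD, "41.223.147.112")
    legit = evaluate_dmarc(DMARC_RECORD, "fcmb.com", spf, "fcmb.com")  # SPF alone carries DMARC
    # Sent from an address outside the record: SPF fails on -all, DMARC has nothing to align.
    outsider = evaluate_dmarc(DMARC_RECORD, "fcmb.com", check_spf(SPF_RECORD, "198.51.100.9"), "fcmb.com")
    # Relayed via an authorised host but with the envelope sender on another domain: SPF
    # passes for that domain, yet it does not align with the From domain, so DMARC fails.
    misaligned = evaluate_dmarc(DMARC_RECORD, "fcmb.com", "pass", "mailer.example.invalid")
    return {"spf": spf, "legit": legit, "outsider": outsider, "misaligned": misaligned}

if __name__ == "__main__":
    for name, value in walk_through().items():
        print(name, value if isinstance(value, str) else (value["result"], value["disposition"]))
```

Because the answer above notes that no DKIM signature is present, the legitimate case here passes DMARC on SPF alignment alone; the third case in walk_through shows why an SPF pass by itself is not enough: with the envelope sender on another domain, DMARC fails and the published p=reject disposition applies.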
-1

An important place to look is the return email address. If they are not trying to get you to follow a link, when spoofing a trusted email address a common aim is to get you to reply to them without realising that it's not the trusted email address that supposedly sent you the email. It's obviously useless to them if you actually reply to the bank.

TJK