Reading email headers for phishing detection

When we get a suspicious email, we make a copy of the headers and then look for questionable email addresses and ip addresses in the route.  If we find something we think is a spam source, we block the incoming email address and ip address as needed.  Now I'm questioning that practice.

Here's why.  If you look at the portion of the header below, the email went through a server named VULTR-GUEST.local at ip  Checking the ip, it's registered to a server in Frankfurt, Germany - not what we expect.  BUT, my question is, it left that server and went through a couple more registered to (Office365 I assume) before finally being delivered to our mail server.

Does it matter that the path took it through that German server, or is the last server before delivery to our system the only one we need to look at and be concerned about?

Here's a little of the middle portion of the header:
(2603:10b6:405:39::24) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.407.1 via Frontend
Transport; Wed, 10 Jan 2018 20:43:08 +0000
Received: from ( by ( with Microsoft
SMTP Server (version=TLS1_2, cipher=TLS_RSA_WITH_AES_256_GCM_SHA384) id
15.20.345.12 via Frontend Transport; Wed, 10 Jan 2018 20:43:07 +0000
Received: from VULTR-GUEST.local ( by ( with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
15.20.407.1; Wed, 10 Jan 2018 20:43:00 +0000
From: =?utf-8?B?RHJvcMyDYm94?= <>
To: <>
Date: Wed, 10 Jan 2018 20:43:00 +0000
MIME-Version: 1.0
Message-ID: <8861457e94341de4d4f497a5....

John, Business Consultant (Owner), commented:
The issue is not in the headers per se. It is in the See This ___Link___ in the body.

The best way, by far, to stop this is to install top notch spam control. This will catch 99% of the emails. Doing this yourself by headers will not help much (in my experience).

Dr. Klahn, Principal Software Engineer, commented:
All except the very last header can be spoofed when the email is spam.  It's my own experience that they generally cannot be relied upon for anything useful.

The only one you can trust is the last one which indicates where it came from when it arrived at your server.

"... we block the incoming email address and ip address as needed.  Now I'm questioning that practice."

It's well that you should do so, as when header information is spoofed you block systems that had nothing to do with the spam.  And there's generally no point in blocking the system that forwarded the email to your server unless it was a one-hop transmission, because in a multi-hop transmission the system that forwarded the email to your server wasn't the one that generated it.

As John says, content-based filtering is the way to go for most sites.  Now I'll admit that I have entire countries banned on my server (Russia, China, pretty much everything in APNIC except Australia) via iptables - but that just stops the script kiddies and dumb ones; it doesn't stop them forwarding spam out through an intermediate system outside APNIC.

btan, Exec Consultant, commented:
Spammers know that we will apply exactly this tracing procedure in the email header to uncover their whereabouts. Hence to fool us, they may insert forged Received: lines that point to somebody else sending the message.

Since every mail server will always put its Received: line at the top, the spammers' forged headers can only be at the bottom of the Received: line chain.

We simply compare who a server claims to be with what the server one notch up in the chain says it really is. If the two don't match, the earlier Received: line has been forged.

And in your case the Microsoft SMTP Servers are correctly positioned, hence tampering in the header is unlikely. But I did notice VULTR-GUEST.local is blacklisted by SPAMCop.
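
The comparison btan describes, combined with Dr. Klahn's point that only the line written by your own server can be trusted, as an added Python example that is not part of the original thread. The header lines, hostnames and documentation-range IPs are constructed, `mail.ourcorp.example` stands in for your own mail server, and the regex assumes the common `from HELO (rdns [ip]) by host` layout.

```python
import re
from email import message_from_string

# Constructed sample: hostnames and documentation-range IPs are invented.
RAW = """\
Received: from mx.relay.example (mx.relay.example [198.51.100.7])
 by mail.ourcorp.example with ESMTPS; Wed, 10 Jan 2018 20:43:08 +0000
Received: from out1.sender.example (out1.sender.example [203.0.113.20])
 by mx.relay.example with ESMTPS; Wed, 10 Jan 2018 20:43:07 +0000
Received: from bank.example (unknown [192.0.2.99])
 by mail.trusted-bank.example with ESMTP; Wed, 10 Jan 2018 20:43:00 +0000
From: sender@sender.example
"""
OUR_SERVERS = {"mail.ourcorp.example"}  # assumption: hosts we operate

# Assumes the common "from HELO (rdns [ip]) by host" layout.
HOP = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([^\]]+)\]\)\s+by\s+(\S+)")

def hops(raw):
    """Parse Received: lines, newest first, into helo/rdns/ip/by dicts."""
    values = message_from_string(raw).get_all("Received", [])
    found = (HOP.search(v) for v in values)
    return [dict(zip(("helo", "rdns", "ip", "by"), m.groups())) for m in found if m]

def assess(raw, ours=OUR_SERVERS):
    """Label hops top-down as 'trusted', 'consistent' or 'suspect'."""
    chain, labels = hops(raw), []
    for i, hop in enumerate(chain):
        above = labels[i - 1] if i else "trusted"
        by = hop["by"].lower()
        if above == "trusted" and by in ours:
            labels.append("trusted")      # stamped by a server we run
        elif i and above != "suspect" and chain[i - 1]["rdns"].lower() == by:
            labels.append("consistent")   # hop above saw this host connect
        else:
            labels.append("suspect")      # unvouched; all below inherit it
    return chain, labels

def handoff_ip(raw, ours=OUR_SERVERS):
    """IP that delivered to our infrastructure: the only one worth acting on."""
    chain, labels = assess(raw, ours)
    trusted = [h["ip"] for h, l in zip(chain, labels) if l == "trusted"]
    return trusted[-1] if trusted else None

if __name__ == "__main__":
    for hop, label in zip(*assess(RAW)):
        print(f"{label:10} by={hop['by']} from={hop['rdns']} [{hop['ip']}]")
    print("hand-off IP:", handoff_ip(RAW))
```

A "consistent" label only means a line agrees with the one above it; it was still written by a third party, and relays with different internal and external names will show up as "suspect" without being forged.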

John, Business Consultant (Owner), commented:
"Hence to fool us, they may insert forged Received: lines that point to somebody else sending the message."

That is why a Spam control application is vital. It looks at headers, IP addresses AND body and assesses based on all.

I see emails from coming to me when they are legitimate emails and going to spam when someone has spoofed the sender and sent a link to a virus or ransomware.  Same email address.
You have to pay very careful attention. Like that IP address you listed is for a cloud hosting provider (Vultr). Now, there is a good chance that abuse is occurring, and I've actually been in touch with them a few times to shut down what appears to be abuse accounts. But like already stated, it can possibly be spoofed information, which doesn't do you much good at the end of the day.

John is right from the standpoint that the better a spam filter you have, the better a job at catching the junk will be done. So it would be worth asking what mail filter you have in place now.

si-support, Author, commented:
Thank you all for your responses.  All were appropriate and well done.  I wrote a nice explanation of our anti-spam devices, other protections, etc. this morning - but it didn't get attached to this case.??  We have off-site and on-site anti-spam filters, have done user phishing education and have an NGFW in place at the perimeter.

In short, Dr. Klahn most directly answered the question about the various hops in the email chain and which ones are important.  I didn't consider the fact the addresses could be spoofed along the way - making the last hop the only one we need to check on.  btan added some additional info that was useful.
