search

gr33nm0nk2802 / mailMeta

An forensics tool to help aid in the investigation of spoofed emails based off the email headers.
MIT License
152 stars 25 forks source link

Couldn't detect/analyze spoofed email #3

Open jepunband opened 2 years ago

jepunband commented 2 years ago

hi, received this spoofed email but tried using mailMeta, it did not give much info on this spoofed email.

mail.txt

Return-Path: james.fernand@travel.com

Delivered-To: jacob.1978@mail.com

Received: from herod.dnsvine.com

by herod.dnsvine.com with LMTP

id gA5JCtpa7mFxeQ4AYzko9Q

(envelope-from <james.fernand@travel.com>)

for <jacob.1978@mail.com>; Mon, 24 Jan 2022 15:52:58 +0800

Return-path: james.fernand@travel.com

Envelope-to: jacob.1978@mail.com

Delivery-date: Mon, 24 Jan 2022 15:52:58 +0800

Received: from mail-eopbgr1300103.outbound.protection.outlook.com ([40.107.130.103]:14955 helo=APC01-HK2-obe.outbound.protection.outlook.com)

by herod.dnsvine.com with esmtps  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

(Exim 4.94.2)

(envelope-from <james.fernand@travel.com>)

id 1nBu9e-003ylP-F1; Mon, 24 Jan 2022 15:52:53 +0800

ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;

b=JYIbzZAHAleksvQ0oRj5+CaWTupFy3jvMS4M8IAVSyep4qdUTysei6HYYrdRnlR4LAeTgkb0ySMDXIFrTAPLxuC4wRFLhoI8j+Q1HZg6eqrvojGG5BkGNnYraRLeJfAypf4UftcsXxnjDSzfkOkI0Z3VJpqMR3hh6wph4rczg8HoyEjjfTn6ofe8bASM+NIObFHihFK0QXsy5WKkPIxSuQUo231VbycMtwgNqCLyzSHU/TmdOQL+1mePG1wHyuor6EJXX23i4kdGoy82DrLc4ZeClCZpdQBR8N5LsAvmXH01unN8zY6AjYHTTbed6fK2WqH2LWn7jz1u9hqaYFoTHQ==

ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;

s=arcselector9901;

h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;

bh=pj1BvmZvSopomFS5uE7XvJZ1WgKbJ43tIkqpjqwRB9U=;

b=P0LpIS4skVuWmFbtgnX4eFXuj2MZ4LMgtxjY2aO2UiYNFJj2zbBetvXcUUAO9I8zcYlVONjqbTr15tdSi3dWi/HM2oE9AZ4MlcDTH9+6rMvwvwchVRCp5jM4BimUCmgqoLVvjjU+LaB5cprHL+9VjMWv5uLIOQCsDdYjU1MGUUI+heIGDzcrgCsXOSnjLcDOQzQilxagpTJE2f4fQS672YiNmrn7BspCVEVummsC6Pr6sfTi0NhOKQ7uQq6K8Y+ZgYPV1HXtqRH0w527VUJRALD3Stpoibh0rxP3eziCeXyIVhlxwCKL6ccY4BMw916g/WFbI8w1BHrSaNSZPMwDaw==

ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none;

dkim=none; arc=none

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=travel.onmicrosoft.com;

s=selector2-travel-onmicrosoft-com;

h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;

bh=pj1BvmZvSopomFS5uE7XvJZ1WgKbJ43tIkqpjqwRB9U=;

b=qzjZ7fIvq737g1o/kr8dtQV7Ruzb1lS1bDMd4CsF2KPeKci43zsmN2hsw/xMuDdTwhvxZPZxsIXn0szbDtpUX2uG/jI7/X4MCf8iZwxUHLDwo5BMViaIWzK+tfm+ZB+/uQJ2jetSMECu9pCuZK5Jj5AMiK4Zer6cRsUHlyfAT1k=

Received: from KL1PR03MB4935.apcprd03.prod.outlook.com (2603:1096:820:1c::23)

by HK0PR03MB3074.apcprd03.prod.outlook.com (2603:1096:203:4e::19) with

Microsoft SMTP Server (version=TLS1_2,

cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4930.6; Mon, 24 Jan

2022 07:52:31 +0000

Received: from KL1PR03MB4935.apcprd03.prod.outlook.com

([fe80::6147:e8df:b5a6:6cb3]) by KL1PR03MB4935.apcprd03.prod.outlook.com

([fe80::6147:e8df:b5a6:6cb3%3]) with mapi id 15.20.4930.014; Mon, 24 Jan 2022

07:52:30 +0000

From: Frederick Teng james.fernand@travel.com

Subject:

=?utf-8?B?Rlc6IEpIIFllZSAmIENvIOKAk3x8IFJFOiBQUk9KRUsgTE9KSSBNRU5DVUNJ?=

=?utf-8?B?IFBBU0lSIFNJTElLQSBESSBUQVBBSyBBVEFTIFNFQkFIQUdJQU4gS0FXQVNB?=

=?utf-8?B?TiBUQU5BSCBESSBMT1QgNDI0NSwgS0FXQVNBTiBCVUtJVCBTQUdBLCBQRU5H?=

=?utf-8?B?RVJBTkcgU0VMVUFTIDgwIEVLQVIgKOKAnFByb2playB0ZXJzZWJ1dOKAnSk=?=

Thread-Topic:

=?utf-8?B?Rlc6IEpIIFllZSAmIENvIOKAk3x8IFJFOiBQUk9KRUsgTE9KSSBNRU5DVUNJ?=

=?utf-8?B?IFBBU0lSIFNJTElLQSBESSBUQVBBSyBBVEFTIFNFQkFIQUdJQU4gS0FXQVNB?=

=?utf-8?B?TiBUQU5BSCBESSBMT1QgNDI0NSwgS0FXQVNBTiBCVUtJVCBTQUdBLCBQRU5H?=

=?utf-8?B?RVJBTkcgU0VMVUFTIDgwIEVLQVIgKOKAnFByb2playB0ZXJzZWJ1dOKAnSk=?=

Thread-Index: AdgH/hsPqCsgvw1rSi+pvzRPVZgXEw==

Date: Mon, 24 Jan 2022 07:52:29 +0000

Message-ID:

KL1PR03MB493530C5120256BA382CE231AD5E9@KL1PR03MB4935.apcprd03.prod.outlook.com

Accept-Language: en-US

Content-Language: en-US

X-MS-Has-Attach: yes

X-MS-TNEF-Correlator:

authentication-results: dkim=none (message not signed)

header.d=none;dmarc=none action=none header.from=travel.com;

x-ms-publictraffictype: Email

x-ms-office365-filtering-correlation-id: 88c0e8cb-2116-4689-0ebc-08d9df0e7966

x-ms-traffictypediagnostic: HK0PR03MB3074:EE_

x-ld-processed: 9606303e-7a90-4753-aea9-1ec019ee766c,ExtAddr

x-microsoft-antispam-prvs:

HK0PR03MB3074311A5DB82CA3EA3952E3AD5E9@HK0PR03MB3074.apcprd03.prod.outlook.com

x-ms-oob-tlc-oobclassifiers: OLM:4125;

x-ms-exchange-senderadcheck: 1

x-ms-exchange-antispam-relay: 0

x-microsoft-antispam: BCL:0;

x-microsoft-antispam-message-info:

MCcRhZEgzzMfYOPOa+GQFCYuDMSocJm7RbyfPXDELPFJZ12hQHUBl9yJGUP6nXlvqhPAdE7P9+8WSl9KOFAewg29zNFTv49GK3Wr+UUJeOSTyjni9jJkw2Rq0DSnDsur5jBs4Z8kwxIa9rfkch2CWpGixvycpzG6qtWg4oztWxg5dgTlhC2dNJKBMgLvmvP/bSfzGwjatKZbUeQavOctUN2Z/vQ83sXH9+/+jJghof+iqfrQ5fSgrm9dSDwhEkmvIw9xa/w/RyxNJSPRtaCAx6+hBU9gfGoda//BVsgYEtklLN5HWUKIhIV84f9p9SMlw4I6NnKTl9zBHXO9JCrqT90rFl3SJQ6C8ZX8Vgzf/DZZWOhF8+5PHLinzuEpr2LChc/WkZhUpbsNi3XIVkjavbSk++Qit5eOFjKfI92ECAwPQwzPrvuHrK7/zfurLN8jT3ryW9dtcqxQ2gydfXw7V/2/YMpv8IZGDiaMc2Qw7fTtcJi0uHrQfWiw092VD9lOiiiSdnrMYLUNM1RiILtYqEWzC3SXOjvWBqbq+CYChMQGaouYRz3uJvnW2XjgsfmZ9A2r0/6BeuXaidQ1AqXjnJoroAj4x3wTiEkNBDVdZ9BhD/8dshZsRx3tuRMCxCLcdXzGkJfqIj++JKEmf51Jyif4YBzdT6xRtBB5+eojYOuhATNdYNsnxe9GlkSj5MAA5mzQ2YNZZW4cCa2NpRMEu0vobaUvr13FbaoU/uxlE86AhlUDOi3y6LCTp4LCSjCbom7mUWtDUSLLdC8WeZ+rhQ==

x-forefront-antispam-report:

CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:KL1PR03MB4935.apcprd03.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230001)(366004)(316002)(2906002)(7366002)(7406005)(55016003)(7336002)(5660300002)(33656002)(86362001)(7276002)(7416002)(109986005)(71200400001)(66476007)(166002)(76116006)(122000001)(64756008)(99936003)(38070700005)(52536014)(66556008)(8936002)(66446008)(26005)(38100700002)(6506007)(9686003)(508600001)(7696005)(66946007)(186003)(65686005)(83380400001)(219773003)(20210929001);DIR:OUT;SFP:1102;

x-ms-exchange-antispam-messagedata-chunkcount: 1

x-ms-exchange-antispam-messagedata-0:

=?utf-8?B?dXVPWXlkTlZDS3FQeU04WnUxb1dPSGdxV0g3N1F0ajAzN3FuNWZjaUROcW12?=

=?utf-8?B?Z1pkaGVDc0xrMUhZSStJcUQ0elQ5eXVuRDRSaWtjdkloTWphT283dFFYejlq?=

=?utf-8?B?aUl6U0dtaW9xV1l4UG5ZSWM1WWZjaTBOeDE2T085OHB4NFNrQkVrd0ZUR1JV?=

=?utf-8?B?YlF5MWZsVTJQNUxBSjZWWE51cFRCbmw2TlhITjVmSUJudXRMUzZwdDNtZUNi?=

=?utf-8?B?TldxeDR0eThKUVR4cUtLQ0h4L2RxRk91Vkc5QmU2T3pOK2NoNnl1UXh1R3hz?=

=?utf-8?B?SGx0OVowMGRBVDV0ZmFIbWFrUXpYNzcxQU80dEVQWDdzZTBnK0hVWVk5Mjds?=

=?utf-8?B?WXlDM2wrSUFZdy9GU1I3ZXE1VGFzaU1JVmNMbFBwUkJNemxvaE1GeXJJT1I1?=

=?utf-8?B?dXlZemhkc0JsVkFwcEtzbUNZZ0JOZmtLQ3QxdnVEMUp6NEhSMDRpQUVkN2t5?=

=?utf-8?B?YTZYaStYSEdZWVF4SkQ0NTQ4WmM1Z0I5SmpwWHNsallubjdCL2p6d1dSb0ZB?=

=?utf-8?B?MjB3ZjhjNUl2OXh4b2M1a2c3aHJualplUktoLytQUE14VkRJcC8vY3JJYUow?=

=?utf-8?B?RzljTkNyMWF6VUxXUlQ5SFV5K1g5WVNZVWtqeUhzTFI3MkgyaWRmdVJjeW9L?=

=?utf-8?B?cXJSNXloMndDcWdQV0R3UFpXN1FJNWJ3UFgrdzZhK1VlVDJ0aW1iODNDY0J5?=

=?utf-8?B?ZW0vaVU4YURCTExDMEZIaXFmVWJ0VU05eUdZNk0xaWhLUklDRmw1MFh1NlFt?=

=?utf-8?B?WUE1NThlYmRXZEVBVDUrNTFJSitMZVVKeTZ0WGxad0IzcTBYY1NTcFRjeUJ2?=

=?utf-8?B?N0haYWpwelhkL0RBaUVkSytkay9hKzlFUm9qNzN5ekxnbnVNNm1JdUNseGJi?=

=?utf-8?B?MWZQQjhuQWdIYm4zTW90R1lwYStJUSttZVVpYzdGSGlmZ1FscVdIZ0NWaVg3?=

=?utf-8?B?VExHbFNPakQzVjlHMVJ0Yi85NFQwRWVzVnZ4UXlNZHlZZUlqQ2kyOVVVSWpx?=

=?utf-8?B?WDdVMFI1M0l6WkZYN3B5eHFFTTBOMnJsaFpWZ1NDTDZVTzdLRzdEZXRpV0Vo?=

=?utf-8?B?L3VMYXNRdXVSbjZORXRFeXhsV2J5ekZTcW5pKzZhbFUrRkFzTk9oTXVLZEx6?=

=?utf-8?B?ZmJtY0RaN0hCa2ExLzZWQjhsUm42RnpVYXh5RlZuVUo5d211SmxhVU4xeFdX?=

=?utf-8?B?d0hoSGQrdHA1SWpPNC91MkVQYzVDaGFOaVV5K3BlN093UUJtOVNIVTRBSjR2?=

=?utf-8?B?QzEvaE1wbmkrQXQ5NHdrZ2pHMUtvbmRZQkRzWjUvbkQwNlBKeDZuaXVhYUdB?=

=?utf-8?B?dU41anBuUTl5ZVpyWEYzZjYyeTVrTTNUVGhQNjVnZ2gzSjRPUjdtTlowbCtN?=

=?utf-8?B?Zm1IWGVJMGtkdUt1S0l4U1pjTWcwL2hnYW11Y00zYWp4RzhBRHljVExtNDd2?=

=?utf-8?B?cUFGQlZOdjlJeHpnVldONEZ1UmtHL3UyTkNtOXFKSlFma0M3UzJ6M2ZUYzlW?=

=?utf-8?B?RXA5VjV3Q3A5V1Y0dDlaUG9uMmdpZHpzV0N6Y2Q5Zk1GRCtjNGJ0RmRja1RD?=

=?utf-8?B?b2UzYTUyNDQ3UVBKL1R6VFVFeEJYN3VnRk1rWHBWajVmTXlmUGVWYjFKaG0w?=

=?utf-8?B?cGhyQVBxZDRYeDNYQ1ZuNzJWWVgzZ0FsK0xrNFlwTmRlLysrNUF0Z2R3eWEz?=

=?utf-8?B?TUNLY3dUakNxRUdCUnNDNDNmaFo0L0EyQUFwSjY2djV1TnFGd3d6NDNKLzdM?=

=?utf-8?B?NnVqZFJnQWNtVXBNaWYvU2R4ZU5QYmwyWjEySHFvSERkeGNZWGtGU0FNcUdG?=

=?utf-8?B?SGYvWlNHdzVRbVZ6VzJYVnFlSW1lbTE3RUdpYkVNWmlhT0V3TW9PTFpicUFt?=

=?utf-8?B?WUh4cHFBSGFoeEdVM3BFRDEvQm9FV3YrbVJxQ1hTNVNiZW1qd1hvK3plWEN6?=

=?utf-8?B?Rit5R0dibnlNRHRBcmcrNUtEc1Zkd2wvWmFyWVdwdW9uaTd0VGx6aDFSdU0w?=

=?utf-8?B?Y0dORTBwS0Ezb1hyZVVTcG53L3BMMDdPRXhmQlUzOHU3aVlBY1V4OUhYRnd2?=

=?utf-8?B?TXdoV0VmanJJMUlqNUdudGZQRlJBOU5rbS9oWGRvejhlMFlmTWVrUUUxNmpO?=

=?utf-8?B?d0F5bG55MVI5TDJUc3BDbjYveFMxT0hhdHRHWnNQdS9DTlJRRGVlV1RNeXp5?=

=?utf-8?B?MkE9PQ==?=

Content-Type: multipart/related;

boundary="_005_KL1PR03MB493530C5120256BA382CE231AD5E9KL1PR03MB4935apcp_";

type="multipart/alternative"

MIME-Version: 1.0

X-OriginatorOrg: travel.com

X-MS-Exchange-CrossTenant-AuthAs: Internal

X-MS-Exchange-CrossTenant-AuthSource: KL1PR03MB4935.apcprd03.prod.outlook.com

X-MS-Exchange-CrossTenant-Network-Message-Id: 88c0e8cb-2116-4689-0ebc-08d9df0e7966

X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Jan 2022 07:52:29.7342

(UTC)

X-MS-Exchange-CrossTenant-fromentityheader: Hosted

X-MS-Exchange-CrossTenant-id: 9606303e-7a90-4753-aea9-1ec019ee766c

X-MS-Exchange-CrossTenant-mailboxtype: HOSTED

X-MS-Exchange-CrossTenant-userprincipalname: Gtxw+KrQp4ZodPO2RABFEqEFP9eSXrcSA6XwCwk53AzJbgcl7izD8NWh6fH1MbZHM5ZlPzpfvnWbJ87ZSgzgxg==

X-MS-Exchange-Transport-CrossTenantHeadersStamped: HK0PR03MB3074

X-Spam-Status: No, score=1.2

X-Spam-Score: 12

X-Spam-Bar: +

X-Ham-Report: Spam detection software, running on the system "herod.dnsvine.com",

has NOT identified this incoming email as spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

root\@localhost for details.

Content preview: [cid:image003.png@01D8109C.FBE54980]https://travel.deskera.com/wb

Thanks and warmest regards, James Fernand | 陈少秦| Partner [cid:image004.png@01D8109C.FBE54980]

Telephone No. : +500 - 8711 84444 Fascimile No. : +500 - 8711 84443 Address

: KO2-55-03, M Office 5, Sunleeds, Hoolows S [...]

Content analysis details: (1.2 points, 5.0 required)

pts rule name description

0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was

                         blocked.  See

                         http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block

                          for more information.

                         [URIs: deskera.com]

-0.0 SPF_HELO_PASS SPF: HELO matches SPF record

-0.0 SPF_PASS SPF: sender matches SPF record

1.2 MISSING_HEADERS Missing To: header

0.0 HTML_MESSAGE BODY: HTML included in message

-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature

0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily

                         valid

X-Spam-Flag: NO