Wenxuecity Forum

Anatomy of a Phishing Email (revised)

其乐农夫 2022-01-28 08:22:06

There are two main kinds of junk email. Spam is mostly advertising; simply delete it or filter it out. Phishing messages appear to come from a legitimate business, concern a personal account, and ask you to respond, click a link, or supply personal information.

For example, the screenshot below appears to come from Venmo. It looks legitimate, but it is actually an attempt to harvest personal information. The moment you respond, at best you confirm that your email address exists and is active; at worst you hand sensitive private information straight to the sender.


The countermeasure is to examine the header of the incoming message carefully. The information in it shows the message's provenance (the path it travelled across the internet) and its true origin.

Where is the header? Every legitimate email system provides a way to view the header, but where it is found varies. See:

https://mxtoolbox.com/Public/Content/EmailHeaders/


Reminder: IT systems are updated frequently, so the information at the link above may not be current.

Here are the steps (the ones I normally use) to find the header in Yahoo Mail (desktop version only; not applicable to the mobile app):

1. Open the message.
2. Click More …
3. Select View Raw Message.

The Raw Message shows:


The email came from postmaster@superbabs.store, not venmo.com. The host was mail-qv1-f102.google.com. The originating IP address 209.85.219.102 is located west of Wichita, Kansas.


Also:

Received-SPF: none (domain of superbabs.store does not designate permitted sender hosts)

dkim=unknown;

spf=none smtp.mailfrom=superbabs.store;

dmarc=fail


Explanation:

spf: Sender Policy Framework

dkim: Domain Keys Identified Mail

dmarc: Domain-based Message Authentication, Reporting, and Conformance. 


In a legitimate email, all three of these parameters should show "Pass."

The email asks me to upload ID documents. However, when I searched the raw message I could not find any of those keywords in it. Why? The email text was encrypted to hide its origin.

The email used the RSA SHA-256 cryptographic hash algorithm, which cannot be reversed to produce the original data.
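As an added illustration (not part of the original post), the following Python script applies the checks described above to constructed header samples: it reads the Authentication-Results and Received-SPF lines, reports every mechanism that is not "pass", and flags a visible From domain that differs from the envelope sender (smtp.mailfrom or Return-Path). The phishing sample is built from the values quoted in the post; the legitimate counterpart is hypothetical.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample modelled on the header values quoted in the post
# (display name "Venmo", envelope sender superbabs.store, spf=none, dkim=unknown, dmarc=fail).
RAW_PHISH = """\
From: Venmo <support@venmo.com>
Return-Path: <postmaster@superbabs.store>
Received-SPF: none (domain of superbabs.store does not designate permitted sender hosts)
Authentication-Results: mta.example.net; dkim=unknown; spf=none smtp.mailfrom=superbabs.store; dmarc=fail

Please upload your ID documents.
"""

# Constructed (hypothetical) counterpart: what a properly authenticated message looks like.
RAW_OK = """\
From: Venmo <venmo@venmo.com>
Return-Path: <bounces@venmo.com>
Authentication-Results: mta.example.net; dkim=pass header.d=venmo.com; spf=pass smtp.mailfrom=venmo.com; dmarc=pass

Thanks for your payment.
"""

def domain_of(value):
    """Domain part of an address-bearing header value, lower-cased, or None."""
    m = re.search(r"@([\w.-]+)", value or "")
    return m.group(1).lower() if m else None

def analyze(raw):
    """List of findings; empty means SPF, DKIM, DMARC all pass and From matches the envelope sender."""
    msg = message_from_string(raw, policy=default)
    results = {"spf": "missing", "dkim": "missing", "dmarc": "missing"}
    mailfrom = None
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            results[mech.lower()] = verdict.lower()
        m = re.search(r"smtp\.mailfrom=([\w.-]+)", hdr)
        if m:
            mailfrom = m.group(1).lower()
    # Fall back to Received-SPF when the receiving MTA wrote no spf= result.
    spf_hdr = msg.get("Received-SPF")
    if results["spf"] == "missing" and spf_hdr:
        results["spf"] = spf_hdr.split()[0].lower()
    mailfrom = mailfrom or domain_of(msg.get("Return-Path"))
    from_dom = domain_of(msg.get("From"))
    findings = [f"{mech}={verdict}" for mech, verdict in results.items() if verdict != "pass"]
    if from_dom and mailfrom and from_dom != mailfrom and not mailfrom.endswith("." + from_dom):
        findings.append(f"From domain {from_dom} does not match envelope sender {mailfrom}")
    return findings
```

Paste the header block of a real message into `analyze()` in place of the samples; any non-empty result is a reason to distrust the message, while an empty result only means the authentication checks passed, not that the content is safe.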


Replies (1)

hot_powerz 2022-01-28 10:43:09

You could add this professional email-analysis tool to the post.