LetsDefend Academy

Online practicing and training platform for blue team members

Information Gathering

Attackers can send emails on behalf of someone else, because email itself does not necessarily carry a sender authentication mechanism.

Attackers can send mail on behalf of someone else using a technique called spoofing, so that the user believes the incoming email is trustworthy.

Several protocols have been created to prevent the Email Spoofing technique.

With the help of the SPF, DKIM and DMARC protocols, it can be determined whether the sender's address is fake or real. Some mail applications perform these checks automatically. However, the use of these protocols is not mandatory, and in some cases they can cause problems.

  • Sender Policy Framework (SPF)
  • DomainKeys Identified Mail (DKIM)
  • Domain-based Message Authentication, Reporting and Conformance (DMARC)

To find out manually whether a mail is spoofed or not, the SMTP address of the mail should be identified first.

The SPF, DKIM, DMARC and MX records of the domain can be looked up using tools such as MXToolbox. By comparing this information with the mail's headers, it can be determined whether the mail is spoofed or not.

Since large institutions that run their own mail servers will send from IP addresses that belong to them, whether the SMTP address belongs to that institution can be examined by looking at the whois records of the SMTP IP address.
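The comparison described above, carried out on a constructed sample as an added example (this code is not part of the LetsDefend material): the SMTP IP is taken from the topmost Received header and checked against the From domain's SPF record. The message and the SPF record are embedded stand-ins for what you would read from the mail headers and from MXToolbox or dig, so no DNS or whois lookup is performed.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr
# Constructed sample (not real traffic): From claims letsdefend.io, but the last
# external hop handed it to our gateway from 203.0.113.45 (documentation range).
RAW_MAIL = """\
Received: from mail-gw.example.net (mail-gw.example.net [203.0.113.45])
    by mx.letsdefend.io with ESMTP id abc123; Mon, 6 Mar 2023 09:12:44 +0000
From: "LetsDefend Support" <info@letsdefend.io>
To: analyst@letsdefend.io
Subject: Urgent: password reset required

Please reset your password here.
"""

# Constructed stand-in for the DNS TXT lookup you would do with MXToolbox or dig.
SPF_RECORDS = {"letsdefend.io": "v=spf1 ip4:198.51.100.0/24 ip4:192.0.2.10 -all"}

def smtp_ip_from_received(raw):
    # Topmost Received header = the hop that delivered to our own gateway;
    # the bracketed address is what the gateway actually saw connect.
    for hdr in message_from_string(raw).get_all("Received", []):
        start, end = hdr.find("["), hdr.find("]")
        if start != -1 and end > start:
            return hdr[start + 1:end]
    return None

def sender_domain(raw):
    return parseaddr(message_from_string(raw)["From"])[1].split("@")[-1].lower()

def spf_allows(record, ip):
    # Minimal evaluator: only ip4:/ip6: mechanisms and the trailing 'all' are
    # handled; include:/a/mx would need further DNS lookups.
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith(("ip4:", "ip6:")):
            if addr in ipaddress.ip_network(mech[4:], strict=False):
                return qualifier == "+"
        elif mech == "all":
            return qualifier == "+"
    return False  # no mechanism matched: not authorised by this record

def classify(raw, spf_records=SPF_RECORDS):
    ip, domain = smtp_ip_from_received(raw), sender_domain(raw)
    record = spf_records.get(domain)
    if record is None:
        return ip, domain, "no SPF record"
    return ip, domain, "pass" if spf_allows(record, ip) else "fail"
```

An SPF "fail" here means the delivering server is not authorised for the From domain; as the next paragraph notes, a "pass" still does not make the mail safe.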

An important point here is that even if the sender address is not spoofed, we cannot say the mail is safe. Harmful mails can be sent on behalf of trusted persons by compromising corporate or personal email accounts. This type of cyber attack has already happened, so this possibility should always be considered.

E-mail Traffic Analysis

Many parameters are needed when analyzing a phishing attack. By searching the mail gateway according to the following parameters, we can learn the size of the attack and the target audience from the search results.

  • Sender Address (info@letsdefend.io)
  • SMTP IP Address (
  • @letsdefend.io (domain base)
  • letsdefend (local part only: besides the Gmail account, the attacker may also have sent from a Hotmail account)
  • Subject (the sender address and SMTP address may be constantly changing)

In the search results, it is necessary to learn the recipient addresses and the time information, besides the number of mails. If harmful e-mails are constantly sent to the same users, their e-mail addresses may have leaked in some way and been shared on sites such as Pastebin.

Attackers can find email addresses with the theHarvester tool on Kali Linux. It is recommended that such information not be shared openly, since keeping personal mail addresses on websites is a potential attack vector.

If mails are sent outside working hours, the attacker may be living in a different time zone. By gathering such information, we can begin to make sense of the attack.