Automatically generated based on tag:
Title | Type | Summary | Location |
---|---|---|---|
Network PCAP | Page | Wireshark & tshark, Zeek, and ngrep usage. | |
SMTP email headers | Page | An email object contains an envelope and a content. The envelope is the information that the email client and server use to send the email to the correct recipient(s). The email content is composed of the header section and the email body. A number of email envelope and content headers are common / mandatory for the email lifecycle, and some headers can be of precious forensics value. Additionally, some headers are linked to optional security mechanisms (SPF, DKIM, and DMARC) that can help detect illegitimate / spoofed emails. |
Email sender: Return-Path, From, and Reply-To headers. The Return-Path header can be protected against spoofing with SPF. The From header can be protected using DMARC (with SPF and / or DKIM). Originating server and MTA: Received header(s). Email legitimacy and anti-spoofing mechanisms, with associated headers: SPF: validate that the originating server is authorized to send emails for the sender domain. DKIM header: digitally sign (part of) the email using a public key associated with the sender domain. DMARC: extends SPF and DKIM by indicating to the receiver the actions to follow (block the email and notify an alerting address for example) if receiving an email with no or a failed SPK / DKIM authentication. Additionally, DMARC check the consistency of the domains from the "From" header, the DKIM signature, and the SMTP "MAIL FROM" command. |
View on GitHub