꿈을꾸는 파랑새

오늘은 계정 변경 이메일로 유포되는 피싱 메일을 악용한 System Notification(2023.7.3) 이메일을 분석을 해보겠습니다. 일단 해당 피싱 메일에서는 링크는 확인되지 않았습니다. 그냥 단순히 보냈거나 아니면 이메일에 링크를 표시하는 것을 잊어버릴 경우가 아닐까 생각이 됩니다.
일단 해당 이메일 내용은 다음과 같습니다.
Notification of pending 5 messages.
Some messages are restrained from delivering to 
Due to low bandwidth we notify you to take prompt actions
Release Messages Review Here 
Message should be moved to inbox.
(보류 중인 5개의 메시지 알림.
일부 메시지는
낮은 대역폭으로 말미암아 신속한 조처를 하도록 알려 드립니다.
여기에서 릴리스 메시지 검토
메시지를 받은 편지함으로 이동해야 합니다.)

System Notification(2023.7.3) 스팸
System Notification(2023.7.3) 스팸

Authentication-Results: w10.tutanota(.)de
(dis=spam; info=dmarc default policy);	dmarc=fail (dis=spam p=quarantine;
aspf=r; adkim=r; pSrc=config) header.from=mail(.)com
Received: from w4.tutanota.de ([192.168.1(.)165])
by tutadb.w10.tutanota.de
with SMTP (SubEthaSMTP 3.1.7) id LJMNPNMU
for ???????@tutanota(.)com;
Mon, 03 Jul 2023 11:26:34 +0200 (CEST),
from erbilsteel(.)com (unknown [185.38.142(.)98])
by w4.tutanota(.)de (Postfix) with ESMTP id 73299106029E
for <????@tutanota(.)com>; Mon,  3 Jul 2023 09:26:34 +0000 (UTC),from [85.208.139(.)206]
(erbilsteel.com [IPv6:::1])	by erbilsteel(.)com (Postfix)
with ESMTP id C6F356630BF	for <????@tutanota(.)com>; Mon,  3 Jul 2023 06:59:46 +0000 (UTC)
Received-SPF: Softfail (mailfrom)
identity=mailfrom; client-ip=185.38.142(.)98; helo=erbilsteel.com;
envelope-from=noreply@mail(.)com; receiver=<UNKNOWN> 
From: "System Notification"<noreply@mail(.)com>
To: ??????@tutanota(.)com
Subject: You have [5] pending incoming messages  
Date: 2 Jul 2023 23:59:46 -0700
Message-ID: <20230702235946.DCD4CC0548CE246B@mail(.)com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: multipart/related;

System Notification(2023.7.3) 스팸 메일 헤더
System Notification(2023.7.3) 스팸 메일 헤더

해당 이메일은 System Notification <noreply@mail(.)com>에서 ??????@tutanota(.)com으로 보내 것임
해당 이메일은 2023년 7월 2일 23시 59분 46초에 보내짐
타임 존은 -7:00 (태평양 표준시, PDT)입니다.
해당 이메일은 인증 결과(Authentication-Results) 헤더와 함께 전달
해당 헤더는 이메일의 인증 결과를 보여주소? 있으며 해당 이메일은 w10.tutanota(.)de 서버를 거쳐 전달되었으며 DMARC(Domain-based Message Authentication, Reporting, and Conformance) 검사에서 실패(dmarc=fail)
SPF (Sender Policy Framework) 검사에서는 소프트페일드(Softfail)로 분류
보내는 이메일 주소인 noreply@mail.com 의 도메인에서는 DMARC의 기본 정책에 따라 이메일을 처리
이메일은 스팸으로 분류(dis=spam)되어 처리
DMARC에 따라 수신자의 스팸 함(quarantine)에 도착
이메일의 내용은 You have [5] pending incoming messages라는 제목을 가지고 있음 이메일은 multipart/related 형식으로 작성
여기서 dmarc=fail 된것은 DMARC 검사에서 메일의 인증이 실패 이메일의 발신 도메인의 DMARC 정책을 만족하지 못했거나 SPF 또는 DKIM 검사에서 실패한 것을 의미
그냥 이런 메일이 온다고 하면 그냥 차단 버튼을 살짝 눌러주고 삭제를 하시면 됩니다.

반응형
그리드형

공유하기

facebook twitter kakaoTalk kakaostory naver band