February 5, 2015
Recently there has been the buzz over phishing emails that mimicked the Government Portal address. Today a friend shared a screenshot (of an email) on Facebook and asked if he could trust the message. I requested him to forward me the header details. He did. Thank you Vrijnesh :-)
Above is a screenshot from the email footer that Vrijnesh received. It looks good? Let’s analyze the header.
Received-SPF: none (google.com: [email protected] does not designate permitted sender hosts) client-ip=202.123.xx.xxx; Authentication-Results: mx.google.com; spf=none (google.com: [email protected] does not designate permitted sender hosts) [email protected] X-AuditID: ca7b1b68-b7f8b8e0000071f4-68-54d277c1f0ca Received: from C9A-GP-SVR-IAS2.gov.mu ( [192.168.x.xx]) by mxmail.gov.mu (**) with SMTP id D3.04.29172.1C772D45; Wed, 4 Feb 2015 23:49:21 +0400 (GST)
Received-SPF: none but well, I am not going to comment on the SPF issue, I wrote about SPF and DKIM last year when the Government Online Centre implemented it.
Beginning of the week S. Moonesamy wrote about the wrong deployment of DKIM.
Let’s look at something else which is intriguing. In my previous article about *.govmu.org phishing emails I highlighted that Government of Mauritius email addresses end with govmu.org. Phishing attacks were on the other hand perpetrated using sub-domains of govmu.org (like psc.govmu.org) which had no MX records; therefore not associated with mail servers.
What we know so far is that the previous emails (of the Government Web portal) ended with mail.gov.mu. When migration was done on the new domain this mail naming convention was changed; why? No one knows. Could it lead to security flaws later? I guess someone must have been advising them from inside, right?
In the email header that Vrijnesh provided for analysis, we can clearly see the email ends with mail.govmu.org. Does that domain have an MX record?
; <<>> DiG 9.8.3-P1 <<>> MX mail.govmu.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23516 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;mail.govmu.org. IN MX ;; AUTHORITY SECTION: govmu.org. 544 IN SOA pdns05.domaincontrol.com. dns.jomax.net. 2015012001 28800 7200 604800 600 ;; Query time: 481 msec ;; SERVER: 220.127.116.11#53(18.104.22.168) ;; WHEN: Thu Feb 5 22:12:56 2015 ;; MSG SIZE rcvd: 105
Nada. There is no MX record for mail.govmu.org
The last line kind of trolls people too, why does it send an answer from mxmail.gov.mu when technically that address should not even exist on the Internet right now?
Whom should I report these observation to? NCB, GOC or CERT-MU… I no more know. Last year I alerted one of the local bodies regarding two domain names that could be potential phishing threats. No one ever replied me. Today those domains are like orphans at GoDaddy.
Oh! Have a look at the whois record please :-)