Easy Phish / hosaka: 11:59 14/01/2020 / Category: Infosec  


"Customers of have been receiving some very convincing phishing emails, can you figure out why?"


I initially visited the domain but found it to be a GoDaddy parked domain. With no website to explore, my next thought turned to enumerating the domain's DNS records using dig (domain information groper).

dig ANY

;; ANSWER SECTION:
    20    IN  A
    3039  IN  NS
    3039  IN  NS
    3039  IN  SOA  2019032504 28800 7200 604800 600
    1212  IN  TXT  "v=spf1 a mx ?all - HTB{RIP_SPF_Always_2nd"

Second Piece

After submitting the TXT record value HTB{RIP_SPF_Always_2nd with a closing } appended, it became clear that this was only the first half of a two-piece flag.

The clue to the next half is in the first half of the flag itself: SPF.

Detecting E-Mail Forgery

Sender Policy Framework (SPF)

"SPF allows the receiving mail server to check during mail delivery that a mail claiming to come from a specific domain is submitted by an IP address authorized by that domain's administrators.[3] The list of authorized sending hosts and IP addresses for a domain is published in the DNS records for that domain."

This list of authorized hosts can be queried with dig, as in the TXT record shown above.


Domain-Based Message Authentication, Reporting & Conformance (DMARC)

As stated in the Wikipedia article on SPF:

"Only in combination with DMARC can it be used to detect the forging of the visible sender in emails (email spoofing[2]), a technique often used in phishing and email spam."

And from the Wikipedia article on DMARC:

"DMARC extends two existing mechanisms, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). It allows the administrative owner of a domain to publish a policy in their DNS records to specify which mechanism (DKIM, SPF or both) is employed when sending email from that domain; how to check the From: field presented to end users; how the receiver should deal with failures - and a reporting mechanism for actions performed under those policies.

DMARC is defined in RFC 7489, dated March 2015, as "Informational".[1]"

To query the DMARC record:


;; ANSWER SECTION: 300  IN  TXT "v=DMARC1;p=none;_F1ddl3_2_DMARC}"


Combining the two halves of the flag gives the result:


Further useful information:

To query a DKIM record:

dig google._domainkey.[hostname].com TXT

google._domainkey.[redacted].com. 300 IN TXT    "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCs2u2EDO1Lh97aEQWmJAoNQAQ6doPxwfDzyADasSVk+e4zPxpxd842aJgA1WdZoUAxRFXzwI2CHQ+4Gvu7p/IqDdCyaeFZmk5coZZ3OEUYNkonX81SJ0moFvxvorujgIDh2bexO3w+FLDZn2Y4kpnWAJL+MfqOqCzCznfCTeQG2wIDAQAB"

Note: the selector, in this case "google", is arbitrary and must be known in advance; it is taken from the s= tag of the DKIM-Signature header on a signed message rather than discovered from the zone.
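As an added example (not part of the original writeup), the following Python parses the SPF, DMARC and DKIM TXT records discussed above and lists why a domain configured like this one (SPF ending in ?all, DMARC p=none) still lets forged mail reach its customers. The example.com names and record values are constructed placeholders modelled on the writeup's findings.

```python
# Constructed sample records, modelled on the writeup's findings (domain is a placeholder).
SAMPLE = {
    "example.com": "v=spf1 a mx ?all",
    "_dmarc.example.com": "v=DMARC1;p=none;",
    "google._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_KEY",
}

def parse_spf(record):
    """Return (mechanisms, all_qualifier) or None if not an SPF record.
    Each mechanism is (qualifier, term); the qualifier defaults to '+' (pass)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechs, all_qualifier = [], None
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        mechs.append((qualifier, term))
    return mechs, all_qualifier

def parse_tags(record):
    """Parse a 'tag=value; tag=value' record (DMARC and DKIM share this syntax)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess(spf_record, dmarc_record):
    """List the reasons a receiver would still deliver mail forged from this domain."""
    findings = []
    spf = parse_spf(spf_record) if spf_record else None
    if spf is None:
        findings.append("no SPF record: receivers cannot check the sending host at all")
    elif spf[1] is None:
        findings.append("SPF has no terminal 'all': unmatched hosts get a neutral result")
    elif spf[1] in ("?", "+"):
        findings.append(f"SPF ends in '{spf[1]}all' (neutral/pass): unauthorized hosts are not failed")
    dmarc = parse_tags(dmarc_record) if dmarc_record else {}
    if dmarc.get("v", "").upper() != "DMARC1":
        findings.append("no DMARC record: SPF/DKIM results are never tied to the visible From: domain")
    elif dmarc.get("p", "none").lower() == "none":
        findings.append("DMARC p=none: failures are only reported, never quarantined or rejected")
    return findings
```

Running assess() on the two sample records returns both findings, which is exactly the gap the challenge hints at; with -all and p=reject it returns an empty list.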