SPECIMEN: PHISHING EMAIL HEADER — CASE #2024-PH-0042
RAW HEADER
ROUTING CHAIN
AUTH RESULTS
▸ FULL EMAIL HEADER — CLICK HIGHLIGHTED FIELDS TO INVESTIGATE
⚡ Interactive elements highlighted
Received: from mail.farmersmarket-widgets.com (195.178.110.92)
by mx.example.com.au with ESMTP; Mon, 15 Apr 2024 03:17:49 +0000 Received: from smtp.anon-relay.biz (unknown [45.142.212.77])
by mail.farmersmarket-widgets.com with SMTP; Mon, 15 Apr 2024 03:17:44 +0000 Received: from [185.220.101.55] (185.220.101.55)
by smtp.anon-relay.biz with ESMTP; Mon, 15 Apr 2024 03:17:41 +0000 Return-Path: <bounces@commbank-secure.net> From: "Commonwealth Bank" <security-alert@commbank-secure.net> Reply-To: support.help@gmail-accts.ru To: john.smith@example.com.au Subject: =?UTF-8?Q?=E2=9A=A0_URGENT:_Your_account_has_been_suspended_=E2=80=94_Verify_NOW?= Date: Mon, 15 Apr 2024 03:17:42 +0000 Message-ID: <20240415031742.abc123@smtp.anon-relay.biz> Received-SPF: fail (commbank-secure.net: domain does not designate 185.220.101.55 as permitted sender) DKIM-Signature: v=1; a=rsa-sha256; d=commbank-secure.net;
s=default; c=relaxed/relaxed; bh=Xk3pzQ...
[SIGNATURE VERIFICATION: FAILED] Authentication-Results: mx.example.com.au;
dmarc=fail (policy=none) header.from=commbank-secure.net;
spf=fail smtp.mailfrom=commbank-secure.net;
dkim=fail header.d=commbank-secure.net X-Mailer: PHPMailer 6.1.4 (https://github.com/PHPMailer/PHPMailer) X-Originating-IP: 185.220.101.55 X-Spam-Status: Yes, score=7.8 required=5.0
tests=BAYES_99,SPOOFED_DOMAIN,MISSING_MID,URIBL_BLOCKED MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="000000000000abc123def456" X-Google-DKIM-Signature: absent — not routed through Google
by mx.example.com.au with ESMTP; Mon, 15 Apr 2024 03:17:49 +0000 Received: from smtp.anon-relay.biz (unknown [45.142.212.77])
by mail.farmersmarket-widgets.com with SMTP; Mon, 15 Apr 2024 03:17:44 +0000 Received: from [185.220.101.55] (185.220.101.55)
by smtp.anon-relay.biz with ESMTP; Mon, 15 Apr 2024 03:17:41 +0000 Return-Path: <bounces@commbank-secure.net> From: "Commonwealth Bank" <security-alert@commbank-secure.net> Reply-To: support.help@gmail-accts.ru To: john.smith@example.com.au Subject: =?UTF-8?Q?=E2=9A=A0_URGENT:_Your_account_has_been_suspended_=E2=80=94_Verify_NOW?= Date: Mon, 15 Apr 2024 03:17:42 +0000 Message-ID: <20240415031742.abc123@smtp.anon-relay.biz> Received-SPF: fail (commbank-secure.net: domain does not designate 185.220.101.55 as permitted sender) DKIM-Signature: v=1; a=rsa-sha256; d=commbank-secure.net;
s=default; c=relaxed/relaxed; bh=Xk3pzQ...
[SIGNATURE VERIFICATION: FAILED] Authentication-Results: mx.example.com.au;
dmarc=fail (policy=none) header.from=commbank-secure.net;
spf=fail smtp.mailfrom=commbank-secure.net;
dkim=fail header.d=commbank-secure.net X-Mailer: PHPMailer 6.1.4 (https://github.com/PHPMailer/PHPMailer) X-Originating-IP: 185.220.101.55 X-Spam-Status: Yes, score=7.8 required=5.0
tests=BAYES_99,SPOOFED_DOMAIN,MISSING_MID,URIBL_BLOCKED MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="000000000000abc123def456" X-Google-DKIM-Signature: absent — not routed through Google
The Received: headers tell us each server that handled this email. Read from bottom to top — the bottom entry is where the email originated. Each hop should be a known, legitimate mail server. Unexpected servers are a major red flag.
1
185.220.101.55 — Unknown Origin
IP belongs to a Tor exit node network (AS205100). No PTR record. No legitimate business association.
🔴 TOR EXIT NODE 🔴 NO REVERSE DNS
🔴 TOR EXIT NODE 🔴 NO REVERSE DNS
2
smtp.anon-relay.biz — Anonymous Relay Service
Known bulletproof hosting provider. Frequently used by malicious actors to obscure origin. Registered 3 weeks ago.
🔴 BULLETPROOF HOST 🟠 NEWLY REGISTERED DOMAIN
🔴 BULLETPROOF HOST 🟠 NEWLY REGISTERED DOMAIN
3
mail.farmersmarket-widgets.com — Unrelated Third Party
A legitimate-looking domain for a widget company — completely unrelated to banking. Likely a compromised server used as an open relay.
🔴 DOMAIN MISMATCH 🟠 LIKELY COMPROMISED
🔴 DOMAIN MISMATCH 🟠 LIKELY COMPROMISED
✓
mx.example.com.au — Recipient Mail Server
The recipient's mail server. This is where the email finally arrived. Note that the server did detect issues (see Auth Results tab), but still delivered the message because the DMARC policy was set to none.
🟢 LEGITIMATE MX RECORD 🟠 DMARC POLICY TOO WEAK
🟢 LEGITIMATE MX RECORD 🟠 DMARC POLICY TOO WEAK
⚠ ANALYST NOTE:
A legitimate Commonwealth Bank email would originate from CommBank's own mail infrastructure (e.g. mail.commbank.com.au) and would not be routed through anonymous relay services or third-party servers. The three-hop routing chain through a Tor exit node → bulletproof host → compromised relay is a textbook spoofing pattern.
A legitimate Commonwealth Bank email would originate from CommBank's own mail infrastructure (e.g. mail.commbank.com.au) and would not be routed through anonymous relay services or third-party servers. The three-hop routing chain through a Tor exit node → bulletproof host → compromised relay is a textbook spoofing pattern.
Email authentication protocols — SPF, DKIM, and DMARC — form a layered defence against spoofing. In this specimen, all three have failed, providing strong evidence of a forged sender.
SPF
Sender Policy Framework
● FAIL
Received-SPF: fail (commbank-secure.net: domain does not designate 185.220.101.55 as permitted sender) client-ip=185.220.101.55; envelope-from=bounces@commbank-secure.net
SPF checks whether the sending server's IP address is listed as an authorised sender for the domain. The domain commbank-secure.net has an SPF record, but the IP address 185.220.101.55 is not listed in it — meaning this email was sent from an unauthorised server.
⚠ The domain owner (if this were a real bank) never authorised this server to send email on their behalf. This is consistent with a spoofed sender address.
DKIM
DomainKeys Identified Mail
● FAIL
DKIM-Signature: v=1; a=rsa-sha256; d=commbank-secure.net; s=default; c=relaxed/relaxed; h=from:to:subject:date; bh=Xk3pzQ8...; b=FORGED_SIGNATURE_INVALID...
DKIM adds a cryptographic signature to emails. The receiving server verifies this signature against a public key published in DNS. Here, a DKIM signature header is present — but it cannot be verified. This means the signature is either forged, or the email was tampered with in transit.
⚠ A DKIM signature that fails verification is often worse than no signature at all — it suggests the attacker attempted to forge the header but lacks the private key to produce a valid signature.
DMARC
Domain-based Message Authentication
● FAIL (policy=none)
Authentication-Results: mx.example.com.au; dmarc=fail (p=none sp=none dis=none) header.from=commbank-secure.net
DMARC ties SPF and DKIM together and tells receiving servers what to do when they fail. The p=none policy means the domain owner said: "do nothing if authentication fails — just monitor". This is a critical misconfiguration in real banking domains, but here the spoofed domain intentionally uses none to ensure delivery.
🟡 Despite all authentication failing, the email was still delivered because the DMARC policy is set to none. Real financial institutions should use p=reject to prevent exactly this attack.
ARC
Authenticated Received Chain
● ABSENT
[No ARC-Authentication-Results header present]
ARC preserves authentication results as email passes through intermediary servers (e.g. mailing lists or forwarding). Its absence here is not itself suspicious, but combined with the other failures, it confirms no trusted intermediary has vouched for this message.
🟢 Absence of ARC alone is not a red flag — most direct emails lack ARC headers.
▸ ANALYST NOTEPAD
THREAT CONFIDENCE SCORE
0%
BEGIN ANALYSIS
DISCOVERED INDICATORS
SUSPICIOUS RELAY
ANON RELAY
TOR IP
SPOOFED DOMAIN
FOREIGN REPLY-TO
URGENCY LANGUAGE
SUSPICIOUS MSG-ID
SPF FAIL
DKIM FAIL
DMARC FAIL
PHP MAILER
SUSPICIOUS IP
HIGH SPAM SCORE
Click any highlighted field in the header to reveal its significance,
then add it to your analyst notes.
Build a complete picture of the phishing attempt.
then add it to your analyst notes.
Build a complete picture of the phishing attempt.