analyzing-phishing-email-headers
Email headers contain critical metadata that reveals the true origin, routing path, and authentication status of emails. Analyzing these headers is a foundational skill for identifying phishing attemp
What this skill does
# Analyzing Phishing Email Headers ## Overview Email headers contain critical metadata that reveals the true origin, routing path, and authentication status of emails. Analyzing these headers is a foundational skill for identifying phishing attempts, verifying sender authenticity, and gathering threat intelligence. This skill covers systematic extraction and interpretation of email headers using both manual techniques and automated tools. ## Prerequisites - Basic understanding of SMTP protocol and email delivery - Familiarity with DNS records (MX, TXT, SPF, DKIM, DMARC) - Python 3.8+ installed - Access to email client that can export raw headers (Outlook, Gmail, Thunderbird) ## Key Concepts ### Critical Header Fields 1. **Received**: Chain of mail servers the message passed through (read bottom to top) 2. **From / Return-Path / Reply-To**: Sender identity fields (often spoofed) 3. **Authentication-Results**: SPF, DKIM, DMARC verification outcomes 4. **X-Originating-IP**: Original sender IP address 5. **Message-ID**: Unique identifier; anomalies indicate spoofing 6. **X-Mailer / User-Agent**: Email client used to compose the message ### Red Flags in Headers - Mismatched `From` and `Return-Path` domains - SPF/DKIM/DMARC failures in `Authentication-Results` - Suspicious `Received` chains with unfamiliar relay servers - `X-Originating-IP` from unexpected geographies - Missing or malformed `Message-ID` - Unusual `X-Mailer` values (e.g., mass-mailing tools) ## Implementation Steps ### Step 1: Extract Raw Email Headers ``` Gmail: Open email -> Three dots -> "Show original" Outlook: Open email -> File -> Properties -> Internet Headers Thunderbird: View -> Message Source (Ctrl+U) ``` ### Step 2: Parse Headers with Python Use the `scripts/process.py` script to automate header analysis including IP geolocation, authentication validation, and anomaly detection. ### Step 3: Validate Authentication Chain - Check SPF alignment: Does the sending IP match the domain's SPF record? - Check DKIM signature: Is the cryptographic signature valid? - Check DMARC policy: Does the message pass DMARC alignment? ### Step 4: Trace Mail Route - Read `Received` headers from bottom to top - Map each hop's IP to organization/location - Identify unexpected relays or delays ### Step 5: Correlate with Threat Intelligence - Look up originating IP on AbuseIPDB, VirusTotal - Check sending domain age on WHOIS - Search for known phishing infrastructure patterns ## Tools & Resources - **MXToolbox Header Analyzer**: https://mxtoolbox.com/EmailHeaders.aspx - **Google Admin Toolbox**: https://toolbox.googleapps.com/apps/messageheader/ - **AbuseIPDB**: https://www.abuseipdb.com/ - **VirusTotal**: https://www.virustotal.com/ - **PhishTank**: https://phishtank.org/ ## Validation - Successfully parse headers from 3 different email providers - Correctly identify authentication pass/fail status - Accurately trace email routing path - Detect at least 3 phishing indicators in a sample phishing email
Related in Productivity
gitea-workflow
IncludedOrchestrate agile development workflows for Gitea repositories using the tea CLI. Use when working with Gitea-hosted repos and asking to 'run the workflow', 'continue working', 'what's next', 'complete the task cycle', 'start my day', 'end the sprint', 'implement the next task', or wanting guided step-by-step development assistance. Keywords: workflow, orchestrate, agile, task cycle, sprint, daily, implement, review, PR, standup, retrospective, gitea, tea.
microsoft-graph-gateway
IncludedRoute Microsoft Graph work in this workspace. Use when users want to read or write Outlook mail, calendar events, contacts, OneDrive or SharePoint files, Teams, Planner, To Do, users, groups, directory data, or arbitrary Microsoft Graph endpoints from VS Code. Prefer WorkIQ for common read scenarios. Use Microsoft Graph for write actions and gap-read scenarios that need exact Graph properties, filters, permissions, or endpoints.
copilotkit
IncludedUse when building with CopilotKit — setup, development, integrations, debugging, upgrading, or contributing. Routes to the appropriate specialized skill based on the task.
wordly-wisdom
IncludedProvides calibrated decision analysis using Charlie Munger-style multiple mental models, inversion, incentive mapping, circle-of-competence checks, misjudgment audits, second-order effects, and forecast updates. Use when the user asks for an oracle take, a hard call, a decision memo, a premortem, an outside view, a red-team, a sanity-check, what am I missing, think this through, or wants a strategy, hire, investment, plan, product, partnership, or major life choice analysed. Avoid for simple factual lookups or time-sensitive legal, medical, or market questions without fresh evidence.
swain-session
IncludedSession management and project status dashboard. Owns the full session lifecycle (start/work/close/resume), focus lane, bookmarks, worktree detection, and tab naming. Also serves as the project status dashboard — shows active epics, progress, actionable next steps, blocked items, tasks, GitHub issues, and recommendations. Worktree creation is deferred to swain-do task dispatch (SPEC-195). Triggers on: 'session', 'status', 'what's next', 'dashboard', 'overview', 'where are we', 'what should I work on', 'show me priorities', 'bookmark', 'focus on', 'session info'.
gandi
IncludedComprehensive Gandi domain registrar integration for domain and DNS management. Register and manage domains, create/update/delete DNS records (A, AAAA, CNAME, MX, TXT, SRV, and more), configure email forwarding and aliases, check SSL certificate status, create DNS snapshots for safe rollback, bulk update zone files, and monitor domain expiration. Supports multi-domain management, zone file import/export, and automated DNS backups. Includes both read-only and destructive operations with safety controls.