Today four emails were received by four different email accounts with the subject “RNP002673A5A8F3” and sender “network.scanner@senderDomain.com.au”#. This was not normal and something was obviously phishy about it, so I thought I would investigate further.
[Since writing the original post, a similar email has been spreading from “DocuCentre-V C6675 T2” with the subject of “Scan Data from FX-D6DBE1”]
Step 1: Check message options
Showing Message Options can help you find, among other things, information about
- servers that the email passed through, as well as
- the type of content that the email carries.
The Message Options on the suspect email mostly looked fine except that I was not expecting any emails from a network scan account and the original email computer was labelled ‘unknown’.
Received: from [188.8.131.52] (unknown [184.108.40.206])
by myMailHost ([myDomainHost Mail System]) with ESMTP id C9D5416481E5
for <myemail@myDomain.com.au>; Wed, 21 Oct 2015 19:25:09 -0400 (EDT)
Checking the Message Options of the other emails that were received at the same time showed that they were also sent from an ‘unknown’ host, but what was unusual was that the host addresses were different for each.
Received: from [220.127.116.11] (unknown [18.104.22.168])
Received: from host-181-199-77-199.senderDomain.net.ec (unknown [22.214.171.124])
Normally senders use one email server to send their emails because it saves them setting up new accounts for each server and they do not intend to abuse the service. However, because some might intend to use their email server for illegal or harmful purposes e.g. for phishing, a hoax, or spreading viruses, they tend to use different hosts to make tracing who they are harder.
As a result, some might delete emails like these, from different hosts, straightaway. But because a valid scan report could come from different computers that they scanned, I decided to investigate further.
Step 2: Save attachments and check with VirusTotal
VirusTotal is a tool to help 1) check for viruses, worms, trojans and other kinds of malicious content and 2) detect false positives. So how do you get VirusTotal to check files in your email?
Save the file in a folder:
In Outlook 2013 select the email in your Outlook message list.
- Click the tab labelled File on the Outlook top menu.
- Click Save Attachments
- Save the attachments by clicking OK and on the ‘Save As’ screen save the file to a folder, such as desktop.
Then upload the file to VirusTotal:
Go to the VirusTotal website at https://www.virustotal.com/en/
Click choose file and on the browse file screen select the file from the desktop. Then click the ‘Scan It!’ button.
A message will indicate the file is uploading and depending on whether your scan was the first or not, you will have the option to check out the previous scan or analyse your file (in case it is different).
When the results screen appears look at the information provided to find out more. For example, the number of times the file was scanned, information via the file-related menu, feedback from virus scanners and the voting image (highlighted by black boxes below).
Reading this information should help determine how trustworthy the file is and for the RNP002673A5A8F3 email, that triggered the writing of this blog, you might come to the same conclusion as me. That the email and the saved file that was loaded in to VirusTotal should be deleted.
# Domain and host names have been changed to fictitious names at the time of writing.
## All trademarks and IPs are owned by their respective owners.