
Comparing DKIM Signature of Spoofed and Genuine email [closed]

Çağlar Arlı      -    19 Views

As Steffen Ullrich mentioned in my previous post:

"An attacker could not replace the body without also replacing the DKIM signature, or the validation will fail (which you need to check if they match). The attacker cannot create their own signature for the domain but could use previous content with previous signature."

What fields in a DKIM signature are indications of a spoofed email?

Genuine:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=acls01; d=hdfcbank.net; h=Content-Type:Message-Id:To:Subject:Date:Mime-Version:From; i=alerts@hdfcbank.net; bh=RcKDEfBNv89tPUC9kZSZZOOb3W01BLIMjjYskx1Zl9s=; b=Q/ptDCAaNVurAuY2P589GxlBEQxGGWRqG+Vl15jE4F/TLO3ioUKToPEwD8cJ3GjOHdjW3t29q6VY
   Iqi+jqj/97SLyH1JwLLhXmhoUEfUCy6j1cztpN1m2MoT1XnABBf+X+7EOosM/Siz3IDw81xSRYs/
   UZy650JOkMVHIqtGBq1Hiy2WKXnDgHMaIp0Z3aBCCgjPzb4ekMXzvnH0c1FDYtArTNoKjwqLk9DS
   lVeYt+pgJa9VHzjdV6pXSA8no3WKE/+NhgfaAP19FXGD6AiLeUgw0PJc8mMDF0xJvA+IibT+2n8E
   YTp/5lSWbz1WaJJ26vJ4c22BDX/8aYK7Q9Wu8g==

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=5nXKKHgBnyGAcLwvMLZIq; d=aclmobile.net; h=Content-Type:Message-Id:To:Subject:Date:Mime-Version:From; bh=RcKDEfBNv89tPUC9kZSZZOOb3W01BLIMjjYskx1Zl9s=; b=rLEWRJS88eGH1wQ77PdtEPxMRIUXf7eCN6bI+xH0X+kIP/cC/x5XaVLijYFKDv9tabcrH6sV4vjg
   0qZ2GWuoxZeuoRIEN6tax1xHsSceoxTjyTGyRn/y3NmIlEIVa5NQHGos1FHDIDb63SIehGaABIPY
   6hEmEjOFx8qMHtPW4E6Pza4P5WiyOcJqsFFtixMMuCKtFm1WOiOLPTBih9hqKxJFWjUTo0UqkwWm
   JlnjA8JxGwbG8Ky9ZDvvqUwb5Sdw5s/OaFX/yvg7lUUSVVIBdmfAxwVjnPOViA1TvWysIDOk44Iq
   RcJPS0QBI/z/y/bB4c7nPLdYxw9QMHl1dVwDgg==

Spoofed:

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=acls03; d=hdfcbank.net; t=1687939176; h=From:Date:Mime-Version:Message-Id:To:Subject:Content-Type; bh=9TMKIEHhgZgO899ES3Y8aDyBGq6JIQtaZAq1xxR5408=; b=USGrCWI97UP+HHNnH4ROKgUBUr/f8E3rcRTgWKu51RoTTy37ymkt8nHgKU4j3TH6 HDvxPDXu4P9S6UHuhQisBoXWAN7S8fv1bycqg3d4LTEGxisIMuVk35rsoMOhBm38ftK c4T4csOq93Zj0QQj90e1R5Rh6m54MccglDmQ0dyagJxvO0aBHJylgSnhqaXkOc2d1Wc oCAiQOg4bQteGSy0wYetvaCSlIxOR/yU1ogVoClAFQ3ZcEpoH4QG1+SNdkverPy2RGm Rd7+3ELuTfD69UBBoVPuvrL7ID8yBlj1R2eqhtv44Fhvyy/iEfu3fY5LlKB4KboIGOE GaJtYgLA2w==

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=rlntogby6xsxlfnvyxwnvvhttakdsqto; d=amazonses.com; t=1687939176; h=From:Date:Mime-Version:Message-Id:To:Subject:Content-Type:Feedback-ID; bh=9TMKIEHhgZgO899ES3Y8aDyBGq6JIQtaZAq1xxR5408=; b=It7rSKHIy7ODe0xMhLNb0ACJ/CDHbqc5UqAZu7mHf1kln4jbLx5b7Mg/iZu6vceV aG8Qn6KHidyF8ZI/3ZXxtjNOCR2RLKcTFXwC2PRMCCKsRATo+1dLVpNT0sI5OAP2/NP veL4LuqquD6FdStKov1SvjPYfD4NtU7b0qmRium4=
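The quoted point that a replaced body makes validation fail can be checked by recomputing the `bh=` tag from the received body, as in this added example (not part of the original post). The function names and the `SAMPLE` header (selector `sel1`, domain `example.com`, empty body) are constructed for illustration; the code covers only the body hash, and a full verifier must also check `b=` against the public key published at the `s._domainkey.d` DNS name.

```python
import base64
import hashlib
import re

def parse_dkim_tags(value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376, section 3.2)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = val.strip()
    for name in ("b", "bh"):  # base64 tags may be folded; inner whitespace is ignored
        if name in tags:
            tags[name] = re.sub(r"\s+", "", tags[name])
    return tags

def canonicalize_body(body, mode):
    """'simple' or 'relaxed' body canonicalization (RFC 6376, section 3.4)."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":  # collapse runs of space/tab, drop whitespace at line ends
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # ignore empty lines at the end of the body
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def body_hash_matches(tags, body):
    """Recompute bh= from the received body and compare it with the signed value."""
    digest = hashlib.new(tags["a"].split("-")[1])  # rsa-sha256 -> sha256
    canon = tags.get("c", "simple/simple")
    mode = canon.split("/")[1] if "/" in canon else "simple"
    data = canonicalize_body(body, mode)
    if "l" in tags:  # optional body length limit
        data = data[: int(tags["l"])]
    digest.update(data)
    return base64.b64encode(digest.digest()).decode() == tags["bh"]

def key_dns_name(tags):
    """DNS TXT name holding the public key that b= must verify against."""
    return f"{tags['s']}._domainkey.{tags['d']}"

# Constructed sample: an empty body signed with relaxed body canonicalization.
SAMPLE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; s=sel1; d=example.com; "
          "h=From:To:Subject; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=; b=AAAA")

if __name__ == "__main__":
    t = parse_dkim_tags(SAMPLE)
    print(key_dns_name(t), body_hash_matches(t, b"\r\n\r\n"), body_hash_matches(t, b"changed\r\n"))
```

A matching `bh=` shows only that the body is the one that was signed; which domain vouches for the message is decided by the `d=` tag whose `b=` signature verifies.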