EmailRep – Squeezing actionable info from malicious email addresses

Yes, I know it has been quite a while since I have posted anything to the old blog, but I do have an excuse… in mid April, I finished up 15 wonderful years (and a bit) with Liquidnet and took on some new challenges as the CISO of Endava. I’ve been busy settling in to the company and learning how to CISO at a global, publicly traded firm in a very strange time for which we have no playbook. Anyhow, I need to get writing again, so here goes…

One of the nice things about being stuck inside all the time is the chance to get caught up on videos from various security conferences. I just watched an interesting talk from BSides NoVA 2020 and thought I would share it with you. The topic? Email reputation.

The speaker was Josh Kamdjou of Sublime Security and his talk was called “Voight-Kampff For Email Addresses.” If you don’t get the reference, go watch Blade Runner again.

At a time when many attacks on organizations are starting with a malicious email, being able to make judgements about the relative risk of a particular message is a valuable tool for the security professional. We all know that email addresses are very spoofable, but is there anything we can learn from the (apparent) sender of a questionable email?

Apparently, yes. If you take a trip over to EmailRep.io, you can get a demo. Given an email address, this service will run all sorts of checks to see if the address:

  • Exists
  • Has any associated social media profiles
  • Is from a free email service
  • Is from a domain with a good or bad reputation
  • Has any track record of legitimate use
  • Has been reported as a malicious email source recently
  • Has been included in credential dumps

That last one is really interesting – an address that has been included in a number of credential dumps in the past has a good chance of being legitimate, while presence in a recent credential dump could flag an account takeover. Pretty clever!

The service checks a plethora of other indicators as well and returns a risk rating for the address you enter. API access is available for free (with a limit of 50 queries per day) and you can contact Sublime Security for pricing for higher levels of access. The API is simple to use and wrappers for Python and PowerShell are available. While there is a web interface available, it is severely rate limited, and the API is really the primary way to access the service.
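To show how the credential-dump reasoning above and the API access just mentioned fit together in practice, here is an added example (my own code, not the post's and not Sublime Security's wrapper). It assumes EmailRep's REST layout (a GET to https://emailrep.io/&lt;address&gt; with the API key in a "Key" header) and the response field names in the public API documentation; both are assumptions, the weights are this example's own choice rather than EmailRep's scoring, and the sample records are constructed so the triage step runs offline.

```python
"""Triage an EmailRep.io lookup: fetch the record for an address, then turn
its flags into a verdict a SOC analyst can act on.

Added example, not code from the post or from Sublime Security. The request
helper assumes EmailRep's REST layout (GET https://emailrep.io/<address>, API
key in a "Key" header); the response field names used below are assumptions
taken from the public API documentation, and the sample records are constructed.
"""
import json
import urllib.request

EMAILREP_URL = "https://emailrep.io/{}"  # assumed endpoint layout

# Signals and the weight each adds to (positive) or subtracts from (negative)
# the risk score. Weights are this example's own choice, not EmailRep's scoring.
RISK_WEIGHTS = {
    "malicious_activity_recent": 3,   # reported as a malicious sender recently
    "credentials_leaked_recent": 2,   # fresh dump presence: possible account takeover
    "blacklisted": 2,
    "disposable": 2,
    "suspicious": 2,                  # EmailRep's own top-level flag
    "new_domain": 1,
    "suspicious_tld": 1,
    "spoofable": 1,                   # weak SPF/DMARC: the display address proves little
}
TRUST_WEIGHTS = {
    "high_reputation": -2,
    "historic_leak_only": -1,         # old dumps suggest a long-lived real account
    "has_profiles": -1,               # linked social media presence
}


def lookup(address: str, api_key: str, timeout: int = 10) -> dict:
    """Fetch one reputation record (network call; not exercised offline)."""
    req = urllib.request.Request(
        EMAILREP_URL.format(address),
        headers={"Key": api_key, "User-Agent": "emailrep-triage-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def triage(record: dict) -> dict:
    """Return {'address', 'score', 'verdict', 'findings'} for one record."""
    details = record.get("details", {})
    score = 0
    findings = []

    for flag, weight in RISK_WEIGHTS.items():
        # "suspicious" lives at the top level; everything else under "details".
        hit = bool(record.get(flag)) if flag == "suspicious" else bool(details.get(flag))
        if hit:
            score += weight
            findings.append(flag)

    if record.get("reputation") == "high":
        score += TRUST_WEIGHTS["high_reputation"]
        findings.append("high_reputation")
    # Credential-dump logic from the talk: an old leak is a sign of a real,
    # long-lived account, but only when no recent leak hints at a takeover.
    if details.get("credentials_leaked") and not details.get("credentials_leaked_recent"):
        score += TRUST_WEIGHTS["historic_leak_only"]
        findings.append("historic_leak_only")
    if details.get("profiles"):
        score += TRUST_WEIGHTS["has_profiles"]
        findings.append("has_profiles")

    if score >= 4:
        verdict = "block"
    elif score >= 2:
        verdict = "review"
    else:
        verdict = "likely-legitimate"
    return {"address": record.get("email"), "score": score,
            "verdict": verdict, "findings": findings}


# Constructed records shaped like EmailRep responses (all values are made up).
SAMPLE_RECORDS = [
    {"email": "longtime.user@example.com", "reputation": "high", "suspicious": False,
     "details": {"credentials_leaked": True, "credentials_leaked_recent": False,
                 "malicious_activity_recent": False, "free_provider": True,
                 "profiles": ["twitter", "linkedin"]}},
    {"email": "taken.over@example.com", "reputation": "medium", "suspicious": True,
     "details": {"credentials_leaked": True, "credentials_leaked_recent": True,
                 "malicious_activity_recent": True, "profiles": ["linkedin"]}},
    {"email": "fresh@example.net", "reputation": "low", "suspicious": False,
     "details": {"new_domain": True, "spoofable": True, "profiles": []}},
]

if __name__ == "__main__":
    # Offline run over the constructed records; swap in lookup(addr, key) for live data.
    for rec in SAMPLE_RECORDS:
        print(json.dumps(triage(rec)))
```

The first record scores negative (high reputation, old leaks only, linked profiles) and comes out as likely legitimate; the second has both a recent dump appearance and recent malicious reports, so the historic-leak credit is withheld and it is flagged for blocking; the third is a new, spoofable domain with no history and lands in the review bucket. The verdict thresholds are deliberately coarse so that the score can feed a mail-gateway rule or a SOAR playbook without further tuning.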

Once you have an API key, you can also report known malicious email addresses to help the community and make the service better.

I had just about given up on getting any useful information from email addresses before seeing this tool – hats off to Sublime Security for making this available!