Sending an Email to an IPv4 Address?

Published: 2022-02-21
Last Updated: 2022-02-21 17:14:23 UTC
by Didier Stevens (Version: 1)

Do you recognize the following situation?

For a client, you need to analyze a malicious email.
But it cannot be saved to disk, because the filesystem anti-virus will detect and delete it.
And you can’t forward it to another email server, because that server’s anti-virus will block it.
You can create a helpdesk ticket, but that will take a while.

This has happened to me a couple of times, and I have the following solution.

I run my simple SMTP honeypot script on an Internet-facing server. I let it listen on port 25.
And then I ask the client to forward that malicious email to the email address anything@12.34.56.78.
12.34.56.78 is the public IPv4 address of my server running the SMTP Python script.
My script will receive the email and write it to disk.
And then I stop the script from running.
Unless I need an SMTP honeypot ;-) Because it will accept any incoming SMTP traffic.

I’ve also tried the following email address format: anything@12.34.56.78:1234.
Where 1234 is the port number where my script listens.
Without much success yet (for the moment, I only tested sending from Gmail).

According to the Wikipedia article, you should surround the IPv4 address with square brackets, but until now, it always worked for me without square brackets.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com
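
A receiver of the kind described above, as an added example: this is not Didier Stevens' honeypot script. The names `SinkHandler` and `make_sink`, the `.eml.bin` file naming and the default port 2525 are assumptions made for illustration.

```python
import hashlib
import pathlib
import socketserver

class SinkHandler(socketserver.StreamRequestHandler):
    """Speaks just enough SMTP to accept a message and write it to disk."""

    def reply(self, text):
        self.wfile.write(text.encode("ascii") + b"\r\n")

    def handle(self):
        self.reply("220 sink ready")
        for line in iter(self.rfile.readline, b""):
            verb = line.strip().upper()
            if verb.startswith((b"HELO", b"EHLO")):
                self.reply("250 sink")  # no ESMTP extensions advertised
            elif verb.startswith((b"MAIL FROM:", b"RCPT TO:")):
                self.reply("250 OK")  # any sender and any recipient accepted
            elif verb == b"DATA":
                self.reply("354 End data with <CR><LF>.<CR><LF>")
                self.save(self.read_data())
                self.reply("250 OK")
            elif verb == b"QUIT":
                self.reply("221 Bye")
                return
            else:
                self.reply("502 Command not implemented")

    def read_data(self):
        lines = []
        for raw in iter(self.rfile.readline, b""):
            if raw in (b".\r\n", b".\n"):  # a lone dot ends the message
                break
            # Undo SMTP dot-stuffing: drop the extra leading dot.
            lines.append(raw[1:] if raw.startswith(b".") else raw)
        return b"".join(lines)

    def save(self, data):
        # Hash-based name with an inert extension (assumed naming scheme).
        name = hashlib.sha256(data).hexdigest() + ".eml.bin"
        path = pathlib.Path(self.server.outdir) / name
        path.write_bytes(data)
        self.server.saved.append(path)

def make_sink(outdir, host="127.0.0.1", port=2525):
    server = socketserver.TCPServer((host, port), SinkHandler)
    server.outdir, server.saved = outdir, []
    return server

if __name__ == "__main__":
    make_sink(".", "0.0.0.0", 25).serve_forever()  # port 25 needs privileges
```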
