mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-18 05:29:40 +03:00
43 lines
2.2 KiB
Markdown
43 lines
2.2 KiB
Markdown
# Standards & References: Analyzing Phishing Email Headers
|
|
|
|
## RFC Standards
|
|
- **RFC 5321 (SMTP)**: Simple Mail Transfer Protocol - defines how email is transmitted and the structure of Received headers
|
|
- **RFC 5322 (Internet Message Format)**: Defines the syntax of email header fields including From, To, Date, Message-ID
|
|
- **RFC 7208 (SPF)**: Sender Policy Framework - mechanism for validating email sender IP against domain policy
|
|
- **RFC 6376 (DKIM)**: DomainKeys Identified Mail - cryptographic authentication of email messages
|
|
- **RFC 7489 (DMARC)**: Domain-based Message Authentication, Reporting and Conformance
|
|
- **RFC 8601 (Authentication-Results)**: Message Header Field for Indicating Message Authentication Status
|
|
|
|
## NIST Guidelines
|
|
- **NIST SP 800-177 Rev.1**: Trustworthy Email - comprehensive guide to email security including header authentication
|
|
- **NIST SP 800-45 Ver.2**: Guidelines on Electronic Mail Security
|
|
|
|
## MITRE ATT&CK References
|
|
- **T1566.001**: Phishing: Spearphishing Attachment
|
|
- **T1566.002**: Phishing: Spearphishing Link
|
|
- **T1566.003**: Phishing: Spearphishing via Service
|
|
- **T1534**: Internal Spearphishing
|
|
|
|
## Industry Standards
|
|
- **M3AAWG Best Practices**: Messaging, Malware and Mobile Anti-Abuse Working Group email authentication recommendations
|
|
- **DMARC.org**: Industry consortium for DMARC deployment guidance
|
|
- **Anti-Phishing Working Group (APWG)**: Phishing Activity Trends Reports
|
|
|
|
## Key Header Fields Reference
|
|
|
|
| Header Field | RFC | Purpose |
|
|
|---|---|---|
|
|
| Received | RFC 5321 | Records each SMTP hop |
|
|
| From | RFC 5322 | Display sender address |
|
|
| Return-Path | RFC 5321 | Envelope sender (bounce address) |
|
|
| Authentication-Results | RFC 8601 | SPF/DKIM/DMARC results |
|
|
| DKIM-Signature | RFC 6376 | Cryptographic signature |
|
|
| Message-ID | RFC 5322 | Unique message identifier |
|
|
| X-Originating-IP | Non-standard | Sender's IP (provider-specific) |
|
|
| X-Mailer | Non-standard | Email client identification |
|
|
|
|
## Compliance Frameworks
|
|
- **PCI DSS 4.0**: Requirement 5 - Protect All Systems and Networks from Malicious Software
|
|
- **ISO 27001:2022**: A.8.23 - Web filtering; A.5.14 - Information transfer
|
|
- **SOC 2**: CC6.1 - Logical and Physical Access Controls
|