In my first Infosec role, part of my job was to manage quarantine queues, adding mail domains to whitelists or blacklists based on their reputation.  While I could just go to sites like Virustotal or Senderbase and manually enter the URLs, that would take the fun out of it.  The idea for the tool came from wanting to sharpen my Python skills and get some experience scraping useful public information from the Internet.  I've written pretty simple scripts in the past and wanted to learn more than just the basic "provide input -> get output".

So why am I making this tool?

Aside from the obvious goal of getting better at coding, I wanted to make a relatively useful tool.  Interestingly enough, I received one of those suspicious emails this morning, and while it seemed innocent, since I was looking for jobs, something about it seemed off.

Take a closer look

As I read the email above I was already skeptical because it was coming from a Gmail address, but even if it weren't, there were a couple of red flags: namely, the job being something I'm not in the market for, and the pay of $1.500/month (yes, that is one dollar and 50 cents per month, not 1500.00/month).

The contact information was rather vague, with a generic "HR Department", and at first I didn't see any links in the email until I scrolled to the bottom of the page and found an Unsubscribe link.  The link ended up being more annoying than harmful, as this turned out to be a marketing email that likely targeted my resume amongst many others, but there were enough red flags to make me not want to visit the link.  In the future I will, once I start diving into malware analysis and have made sure my lab is set up properly to mitigate any risks.  For now, I wanted to be able to get some information about a questionable domain name.

What this tool does:

The tool gathers basic information about a domain from a couple of sources:

  • Whois information (particularly when the domain was created, as phishing attempts often come from recently created domains).
  • Virustotal (using the Virustotal API).  I've also used similar sites such as malwr, and will add a couple more resources for the tool to query as I progress.
  • Senderbase: I've used this resource in many of my previous roles, as it uses multiple honeypots to gather information on different domains.
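To show how the first two signals above can be turned into concrete red flags, here is an added Python example that is not part of the tool's repository: it parses a constructed WHOIS record for the creation date, reads the detection counts from a constructed (trimmed) VirusTotal v3 domain report, and flags domains that are under 90 days old or flagged by any engine. The domain name, WHOIS text, report contents and the 90-day threshold are all assumptions made up for the example; no network lookups are performed.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample WHOIS output for a hypothetical domain (not a real lookup).
SAMPLE_WHOIS = """Domain Name: EXAMPLE-JOBS.TEST
Creation Date: 2024-01-15T10:22:31Z
Registrar: Example Registrar, Inc.
"""
# Constructed, trimmed VirusTotal v3 domain report (GET /api/v3/domains/{domain}).
SAMPLE_VT = json.dumps({"data": {"attributes": {"last_analysis_stats": {
    "malicious": 3, "suspicious": 1, "harmless": 60, "undetected": 10}}}})
# Fixed "current time" so the example is reproducible offline.
SAMPLE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)

def parse_creation_date(whois_text):
    """Extract the Creation Date; registrars vary, so accept ISO timestamps
    and plain YYYY-MM-DD dates. Returns None when the field is absent."""
    m = re.search(r"^Creation Date:\s*(\S+)", whois_text, re.IGNORECASE | re.MULTILINE)
    if not m:
        return None
    raw = m.group(1).rstrip("Z")
    for fmt in ("%Y-%m-%dT%H:%M:%S", "%Y-%m-%d"):
        try:
            return datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None

def domain_age_days(whois_text, now):
    created = parse_creation_date(whois_text)
    return None if created is None else (now - created).days

def vt_detection_ratio(vt_json):
    # Return (flagged, total) engine counts from a VirusTotal v3 domain report.
    stats = json.loads(vt_json)["data"]["attributes"]["last_analysis_stats"]
    return stats.get("malicious", 0) + stats.get("suspicious", 0), sum(stats.values())

def assess(whois_text, vt_json, now, max_age_days=90):
    """Combine both signals into a list of red flags for the analyst."""
    flags = []
    age = domain_age_days(whois_text, now)
    if age is None:
        flags.append("creation date unavailable")
    elif age < max_age_days:
        flags.append(f"domain registered {age} days ago")
    flagged, total = vt_detection_ratio(vt_json)
    if flagged:
        flags.append(f"{flagged}/{total} VirusTotal engines flag this domain")
    return flags
```

A live run would replace the constructed samples with the output of a WHOIS lookup and a request to the VirusTotal domains endpoint authenticated with the `x-apikey` header.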

Resources:

GitHub Repository for the tool

Virustotal

Senderbase