Email Header Forensics — Catch the Spoof

Medium Phishing · 25 min

Scenario

Your CFO got an email that *looks* like it's from the CEO (ceo@acme-corp.example) asking for an urgent wire transfer. The CFO forwarded it to you. The raw email header is in the right pane.

Find the SPF result line that proves the message did NOT actually come from a mail server authorized for the CEO's domain.

Objective

Submit the single-word SPF verdict that appears in the Received-SPF: header.

Answer format

Lowercase, single word:

fail

(Possible verdicts per RFC 7208: pass, fail, softfail, neutral, none, temperror, permerror.)

Tips

  • Email authentication has three layers: SPF (is the connecting IP allowed to send for the envelope MAIL FROM domain?), DKIM (does a signature by the signing domain verify?) and DMARC (does the domain that passed SPF or DKIM align with the From: header the user actually sees?). A single SPF or DKIM failure is a phishing signal but not proof, because forwarding and mailing lists break both on legitimate mail; a DMARC failure, meaning neither check passed for a domain aligned with From:, is the strong signal.
  • The Received-SPF: header is added by the receiving MTA, so trust only the topmost one, written by your own mail server. Anything further down the header stack arrived with the message and could have been inserted by the sender, including a forged Received-SPF: pass.
  • A spoofer cannot produce a valid DKIM signature for the CEO's domain, so the best they can do is leave the message unsigned (dkim=none). (dmarc=none means the From: domain publishes no DMARC record at all, not that the spoofer evaded the check.) SPF is harder to dodge when they forge the CEO's address in the envelope MAIL FROM as well, because the check runs against the connecting IP, which cannot be faked over TCP. The workaround is to use their own domain in MAIL FROM and forge only the From: header; SPF then passes for their domain, and it is DMARC alignment, not SPF, that catches the mismatch.
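
As an added worked example (not part of the lab or its solution), the Python below pulls the SPF verdict out of a raw message the way a triage script would, using only the topmost Received-SPF: header, and then checks whether the SPF-authenticated domain aligns with the visible From: domain. The two sample messages, the host names and the 203.0.113.x addresses (TEST-NET-3) are constructed for this example; the relaxed-alignment check approximates RFC 7489's organizational-domain rule with a plain suffix match. It also covers the caveat in the last tip: a second sample where SPF passes for the attacker's own envelope domain and only the alignment check flags it.

```python
"""SPF verdict extraction and From: alignment check for a raw message.

Added example for this lab, not part of the lab's own material. Both messages
below are constructed; hosts and 203.0.113.x addresses are invented.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Result names defined in RFC 7208 section 2.6.
SPF_VERDICTS = {"pass", "fail", "softfail", "neutral", "none", "temperror", "permerror"}

# Constructed sample 1: CEO address forged in both From: and envelope MAIL FROM,
# sent from an IP the domain's SPF record does not list.
RAW_SPOOF = """\
Received-SPF: fail (acme-corp.example: domain of ceo@acme-corp.example does not designate 203.0.113.45 as permitted sender) receiver=mx.acme-corp.example; client-ip=203.0.113.45; envelope-from="ceo@acme-corp.example"; helo=mail.bulk-sender.example;
Received: from mail.bulk-sender.example ([203.0.113.45]) by mx.acme-corp.example with ESMTP id 4f2a9c; Mon, 3 Mar 2025 08:14:02 +0000
From: "CEO" <ceo@acme-corp.example>
Subject: URGENT wire transfer

Please wire the funds today.
"""

# Constructed sample 2: same forged From:, but the attacker's own domain in
# MAIL FROM with SPF published for it. SPF passes; alignment with From: fails.
RAW_PASS_MISALIGNED = """\
Received-SPF: pass (bulk-sender.example: domain of bounce@bulk-sender.example designates 203.0.113.45 as permitted sender) receiver=mx.acme-corp.example; client-ip=203.0.113.45; envelope-from="bounce@bulk-sender.example"; helo=mail.bulk-sender.example;
Received: from mail.bulk-sender.example ([203.0.113.45]) by mx.acme-corp.example with ESMTP id 4f2a9d; Mon, 3 Mar 2025 08:15:10 +0000
From: "CEO" <ceo@acme-corp.example>
Subject: URGENT wire transfer

Please wire the funds today.
"""

KEYVAL_RE = re.compile(r'([A-Za-z-]+)=("[^"]*"|[^;\s]+)')


def parse_received_spf(value):
    """Split a Received-SPF: value into verdict, comment and key=value pairs."""
    value = " ".join(value.split())          # unfold continuation lines
    verdict, _, rest = value.partition(" ")
    verdict = verdict.lower()
    if verdict not in SPF_VERDICTS:
        raise ValueError(f"not an RFC 7208 result: {verdict!r}")
    comment = ""
    if rest.startswith("("):                 # optional human-readable explanation
        comment, _, rest = rest[1:].partition(")")
    fields = {k.lower(): v.strip('"') for k, v in KEYVAL_RE.findall(rest)}
    return {"verdict": verdict, "comment": comment.strip(), **fields}


def topmost_received_spf(msg):
    """The first Received-SPF: header is the one our own MTA prepended.
    Anything further down may have been planted by the sender and is ignored."""
    values = msg.get_all("Received-SPF") or []
    return str(values[0]) if values else None


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def aligned(from_domain, auth_domain):
    """Relaxed DMARC alignment approximated as equal-or-subdomain.
    Assumption: RFC 7489's organizational-domain lookup is replaced by a suffix match."""
    return bool(auth_domain) and (
        from_domain == auth_domain
        or from_domain.endswith("." + auth_domain)
        or auth_domain.endswith("." + from_domain)
    )


def assess(raw):
    """SPF verdict plus whether the SPF-checked domain aligns with From:."""
    msg = email.message_from_string(raw, policy=policy.default)
    hdr = topmost_received_spf(msg)
    if hdr is None:
        return {"verdict": None, "aligned": False, "suspicious": True,
                "reason": "no Received-SPF header added by our MTA"}
    spf = parse_received_spf(hdr)
    from_domain = domain_of(str(msg["From"]))
    mailfrom_domain = domain_of(spf.get("envelope-from", ""))
    is_aligned = aligned(from_domain, mailfrom_domain)
    if spf["verdict"] != "pass":
        reason = f"SPF {spf['verdict']} for {mailfrom_domain} from {spf.get('client-ip')}"
    elif not is_aligned:
        reason = f"SPF pass for {mailfrom_domain}, but From: is {from_domain} (not aligned)"
    else:
        reason = "SPF pass, aligned with From: (the SPF half of DMARC is satisfied)"
    return {"verdict": spf["verdict"], "from_domain": from_domain,
            "mailfrom_domain": mailfrom_domain, "aligned": is_aligned,
            "suspicious": not (spf["verdict"] == "pass" and is_aligned),
            "reason": reason}


if __name__ == "__main__":
    for label, raw in (("spoof", RAW_SPOOF), ("pass-misaligned", RAW_PASS_MISALIGNED)):
        r = assess(raw)
        print(f"{label}: verdict={r['verdict']} suspicious={r['suspicious']} :: {r['reason']}")
```

Run it and the first sample reports `fail` for acme-corp.example from 203.0.113.45, the lab's situation; the second reports `pass` but flags the message anyway because bulk-sender.example does not align with the From: domain. The `topmost_received_spf` choice is deliberate: a Received-SPF: pass line sitting below your MTA's own header proves nothing, since the sender controlled the message at that point.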

Hints

Hint 1 (−10 pts)

Scroll the header to find a line starting with `Received-SPF:`. The first word after that is the verdict.

Hint 2 (−10 pts)

The `Received-SPF:` line says: `fail (acme-corp.example: domain of ceo@acme-corp.example does not designate 45.77.X.X as permitted sender)`.

Hint 3 (−10 pts)

Answer: fail
