
I know that it's possible to check the reputation of email address domains, but what does the security community use to find information on the reputation of specific email addresses?

List of ways to verify domain or IP reputation:

mailfloss https://mailfloss.com
Xverify https://www.xverify.com/
zero bounce https://www.zerobounce.net/
Hubuco https://www.hubuco.com/email-ver...
email list validation https://www.emaillistvalidation....
QuickEmailVerification https://quickemailverification.com/
email list verify https://www.emaillistverify.com/
mxtoolbox https://mxtoolbox.com/blacklists...
MailTester http://mailtester.com/
Pepipost https://pepipost.com/?utm_campai...
MailboxValidator https://www.mailboxvalidator.com/
CaptainVerify https://captainverify.com/

Is there a site similar to www.abuseipdb.com for email addresses? I want to be able to check what other folks around the globe have noted about activity from specific email addresses, not their domains.

But what if I want to find the reputation of a specific gmail.com email address?

schroeder
beansbeans
  • Are you looking for a test based on the address itself ( e.g. disbakjx73@gmail being suspect) or are you looking for something that does online lookups and does some automated research on emails? – Daisetsu Oct 23 '18 at 21:28
  • @duskwuff my above reply to Daisetsu may already satisfy your question, but I want to find something similar to https://www.abuseipdb.com/. Community reports on email addresses to verify whether or not the email address in question has been known to send phishing emails/malicious links/malicious ADS files. – beansbeans Oct 24 '18 at 17:32
  • 2
    @beansbeans I doubt there would be any database of abused emails since it takes no effort to use another address. This is why most people use the domain as the reputation since it requires some cost to obtain a domain, and spammers can't generate an unlimited amount for free. A quick check to see how legit an address could be would be heuristic based, I don't have any research off the top of my head though. – Daisetsu Oct 24 '18 at 17:33
  • Makes sense @Daisetsu. It's too easy to spin up a new address and continue dispensing evil. Best practice is just to make sure your email gateways are keeping you as safe as possible OR (for the paranoids) block public/free email domains. Thank you both! – beansbeans Oct 24 '18 at 17:56
  • While the close reason "unclear what you are asking" is now resolved, the problem is that you are asking for a product/service for a specific use case, which is actually off-topic (it's open-ended). – schroeder Oct 30 '18 at 19:48

2 Answers


What does the security community use to find information on the reputation of specific email addresses?

Nothing. This isn't a subject of interest.

Email addresses generally fall into two categories:

  • Major webmail providers. Abusive activity from these addresses is best handled by forwarding the emails to the provider's abuse address, not by adding the address to a blacklist. They tend to respond quickly.

  • Private mail providers. If the provider does not follow up on an abuse report, or refuses to take action, the most appropriate response is typically to blacklist the domain, not the address. If the provider is malicious in their own right, they can create a practically infinite number of addresses under a domain they control; there's no point in trying to block individual addresses.

  • Gotcha. Specifically, my organization had a very fishy email from gmail hit a few inboxes. I wanted to see if others out there had seen this strange behavior. It's basically best to let the provider know that there has been potential abuse of their services. Thank you for your time. – beansbeans Oct 24 '18 at 17:58

Bigger security research teams have large email corpora and whois DB dumps to search through, but full-address blocklists are extremely rare. The only public one I know of right now is the MSBL EBL, a DNSBL using SHA1 hashes, though I suppose there are also projects like APER (Anti-Phishing-Email-Reply), whose old documentation on Google Code is still better than its Sourceforge hosting.

That said, you can perform a web search for the address in double-quotes (you might be surprised how often that works), or if the username is unique enough, just search for that (in double quotes), which might help defang obfuscations like evil AT example DOT com.

I see in a comment elsewhere on this page, this question is about investigating a GMail account that might be sending phishing attacks. You should tell GMail about its users sending phish. I also highly encourage you to report phishing messages as broadly as possible to help combat them both from the filtering and the law enforcement sides.

Adam Katz
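As an added example (not part of Adam Katz's answer, and not code from the MSBL project), the Python below shows the mechanics that answer describes: normalising a defanged address such as "evil AT example DOT com", turning it into a hashed DNSBL query so the zone operator never sees the cleartext address, interpreting the A-record / NXDOMAIN answer, and building the double-quoted web-search terms. Assumptions: the zone name `ebl.msbl.org` and the SHA-1-of-the-lowercased-address convention are my recollection of the MSBL EBL documentation and should be checked against the current docs before use; the AT/DOT regexes, the "unique enough" local-part heuristic, the fake resolvers and the sample address are constructed for this example.

```python
import hashlib
import re
import socket

# Zone name from my recollection of the MSBL EBL documentation; treat as an
# assumption and confirm against the current MSBL docs before querying it.
EBL_ZONE = "ebl.msbl.org"

# Undo the common "user AT example DOT com" / "[at]" / "(dot)" obfuscations that
# show up in phishing reports and forum posts (patterns constructed here; the
# word must be preceded by whitespace or a bracket so "pat@cat.com" is untouched).
_AT = re.compile(r"(?:\s+|\s*[(\[{]\s*)at(?:\s*[)\]}]\s*|\s+)", re.IGNORECASE)
_DOT = re.compile(r"(?:\s+|\s*[(\[{]\s*)dot(?:\s*[)\]}]\s*|\s+)", re.IGNORECASE)


def normalize_address(text: str) -> str:
    """Lowercase the address and reverse AT/DOT defanging so hashes and searches line up."""
    s = _AT.sub("@", text.strip())
    s = _DOT.sub(".", s)
    return s.lower()


def ebl_query_name(address: str, zone: str = EBL_ZONE) -> str:
    """Build the DNSBL name: hex SHA-1 of the normalised address under the zone.

    SHA-1 is only an index here (the zone never sees the cleartext address);
    its collision weakness does not matter for this use.
    """
    digest = hashlib.sha1(normalize_address(address).encode("utf-8")).hexdigest()
    return f"{digest}.{zone}"


def is_listed(address: str, resolve=socket.gethostbyname) -> bool:
    """True when the zone answers with an A record, False on NXDOMAIN.

    `resolve` is injectable so the check can be exercised offline. By
    convention DNSBLs answer inside 127.0.0.0/8; anything else means a
    broken or wildcarding resolver and must not be read as "listed".
    """
    try:
        answer = resolve(ebl_query_name(address))
    except socket.gaierror:
        return False
    if not answer.startswith("127."):
        raise RuntimeError(f"unexpected DNSBL answer {answer!r}; result unusable")
    return True


def search_query(address: str) -> str:
    """Double-quoted web-search terms: the full address, plus the local part on
    its own when it looks distinctive (constructed heuristic: 8+ characters and
    not purely alphabetic, so plain words like "info" are not searched alone)."""
    addr = normalize_address(address)
    local = addr.split("@", 1)[0]
    terms = [f'"{addr}"']
    if len(local) >= 8 and not local.isalpha():
        terms.append(f'"{local}"')
    return " OR ".join(terms)


def demo() -> dict:
    """Run the helpers against a constructed input and two fake resolvers."""
    def listed(name):            # stands in for a zone that lists the address
        return "127.0.0.2"

    def nxdomain(name):          # stands in for a zone that does not
        raise socket.gaierror(-2, "Name or service not known")

    sample = "Evil AT Example DOT com"   # constructed obfuscated address
    return {
        "normalized": normalize_address(sample),
        "query": ebl_query_name(sample),
        "listed": is_listed(sample, resolve=listed),
        "not_listed": is_listed(sample, resolve=nxdomain),
        "search": search_query("disbakjx73@gmail.com"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Normalising before hashing matters: without it, "Evil@Example.com" and "evil@example.com" hash to different labels and the lookup silently misses. The 127.0.0.0/8 sanity check is the usual guard against a resolver that wildcards unknown names, which would otherwise make every address look listed.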