Sending an Email to an IPv4 Address? - SANS Internet Storm Center

Sending an Email to an IPv4 Address?
Do you recognize the following situation? For a client, you need to analyze a malicious email. But it can not be saved to disk, because the filesystem anti-virus will detect and delete it. And you can’t forward it to another email server, because that server’s anti-virus will block it. You can create a helpdesk ticket, but that will take a while. This has happened to me a couple of times, and I have the following solution. I run my simple SMTP honeypot script on an Internet facing server. I let it listen on port 25. And then I ask the client to forward that malicious email, to email address anything@12.34.56.78. 12.34.56.78 is the public IPv4 address of my server running the SMTP Python script. My script will receive the email and write it to disk. And then I stop the script from running. Unless I need an SMTP honeypot ;-) Because it will accept and incoming SMTP traffic. I’ve also tried the following email address format: anything@12.34.56.78:1234. Where 1234 is the port number where my script listens. Without much success yet (for the moment, I only tested sending from Gmail). According to the Wikipedia article, you should surrond the IPv4 address with square brackets, but until now, it always worked for me without square brackets. Didier Stevens Senior handler Microsoft MVP blog.DidierStevens.com	DidierStevens 649 Posts ISC Handler Feb 21st 2022
Thread locked Subscribe	Feb 21st 2022 4 months ago
It depends, where you are trying to forward the mail from, I guess. Most mail servers (I hope so) are only allowed to deliver to the standard ports, otherwise are blocked by a firewall. Port 1234 is not a standard smtp port, but more likely an IOC for malware activity (unless it is just an example port number). Edit: Just re-read and saw the port 25 mentioned. So another possibility, the mail gateway between does not send to IP addresses, but tries to find the responsible MX record for the domain, which is not given with an IP. The square brackets you mentioned, I only saw with IPv6 in the wild, not with IPv4 so far. @Handlers: Although I'm logged in, I'm shown as anonymous.	Ron 17 Posts
Quote	Feb 21st 2022 4 months ago
In the past it was possible to forward messages (with attachments) to scan@virustotal.com, but it appears they quietly discontinued that service. That's too bad, I have relied on their service in the past to analyze email attachments without ever having to save them to disk.	yyz 2 Posts
Quote	Feb 22nd 2022 4 months ago
I have done that too in the past, whenever the client was OK with sending the email to VirusTotal. I was told that this service was discontinued a couple of months ago.	DidierStevens 649 Posts ISC Handler
Quote	Feb 25th 2022 3 months ago