Spam is one of the worst drawbacks of the digital age. To a greater or lesser extent, we have all received spam emails at some point. By definition, spam is unsolicited email sent to a large number of recipients for advertising or commercial purposes, but nowadays it is also used for the mass distribution of malware.
Looking for a Spam email
To find spam without using our own spam folder, we can make use of mailinator.com, a public mail server where anyone can receive messages; they are stored there and later deleted. Our identity is thus protected.
We choose a name and look for an email. It should be said that if there is any message in that mailbox, it is spam: it has arrived there because someone using mailinator.com has entered that address on some web page.
Unravelling the link in the spam
That email has several links that lead to a web page. We can use the URL-checking service at https://expandurl.net/expand to see where the shortener takes us. In this case, after the short URL supplied by mailinator itself, the chain unfolds: it has 6 redirects and finally ends up at the URL we are going to check.
The same website tells us that it is safe, or at least that nothing strange has been detected on that page. This is a commercial email. The page has no keywords.
Checking who the domain belongs to
The next step is to use the Whois service to find out who has that domain registered. They use Tucows as registrar and have a contact address in Canada.
Where is the server
Now we turn to the IP address, in this case 220.127.116.11. Through the shodan.io service we can find out where the server is physically located. In this case the server belongs to AWS (Amazon Web Services), as shown at https://www.shodan.io/host/18.104.22.168.
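The link-extraction and redirect-expansion steps above can be scripted so that every hop is recorded rather than read off a third-party site. The following Python script is an added example, not code from the original article: it pulls the URLs out of a raw message, follows each redirect chain hop by hop with a hard cap (so a looping or endless chain cannot hang the analysis), and reports the final host, which is what you then feed into the Whois and Shodan lookups. The sample message, the hop limit and the redirect table used when it is run directly are constructed for the example; only http_head touches the network.

```python
import email
import re
from email import policy
from urllib.error import HTTPError
from urllib.parse import urljoin, urlparse
from urllib.request import HTTPRedirectHandler, Request, build_opener

MAX_HOPS = 10  # assumed cap: anything longer than this is treated as suspicious

# Constructed sample message; not a real spam email.
SAMPLE_EMAIL = """From: promo@example-sender.test
To: somebody@mailinator.com
Subject: Special offer
Content-Type: text/plain; charset=utf-8

Click here: https://short.example/abc123
Unsubscribe: https://short.example/unsub
"""

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def extract_urls(raw_message):
    """Return the unique URLs found in the text parts of a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                url = url.rstrip(".,)")  # strip trailing punctuation from prose
                if url not in found:
                    found.append(url)
    return found


class _NoRedirect(HTTPRedirectHandler):
    """Stop urllib from following redirects so each hop can be recorded."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_head(url):
    """Fetch one hop without following redirects. Returns (status, Location or None)."""
    opener = build_opener(_NoRedirect)
    req = Request(url, method="HEAD", headers={"User-Agent": "spam-triage/0.1"})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, None
    except HTTPError as err:  # 3xx is raised as an error once redirects are disabled
        return err.code, err.headers.get("Location")


def expand_url(url, fetch=http_head, max_hops=MAX_HOPS):
    """Follow a redirect chain hop by hop, stopping on loops or when max_hops is exceeded."""
    hops = [url]
    seen = {url}
    truncated = False
    while True:
        status, location = fetch(hops[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        nxt = urljoin(hops[-1], location)  # Location may be relative
        if nxt in seen or len(hops) > max_hops:
            truncated = True
            break
        hops.append(nxt)
        seen.add(nxt)
    return {"hops": hops, "final": hops[-1], "redirects": len(hops) - 1, "truncated": truncated}


def triage(raw_message, fetch=http_head):
    """Expand every URL in the message and report the host to look up in Whois/Shodan."""
    report = []
    for url in extract_urls(raw_message):
        chain = expand_url(url, fetch)
        report.append({
            "url": url,
            "final": chain["final"],
            "host": urlparse(chain["final"]).hostname,
            "redirects": chain["redirects"],
            "truncated": chain["truncated"],
        })
    return report


# Constructed redirect table so the script runs offline; swap in http_head for live use.
FAKE_CHAIN = {
    "https://short.example/abc123": (302, "https://t1.example/r?x=1"),
    "https://t1.example/r?x=1": (301, "/landing"),
    "https://t1.example/landing": (307, "https://final.example/offer"),
    "https://final.example/offer": (200, None),
    "https://short.example/unsub": (302, "https://short.example/unsub"),  # self-loop
}


def fake_fetch(url):
    return FAKE_CHAIN.get(url, (404, None))


if __name__ == "__main__":
    for entry in triage(SAMPLE_EMAIL, fetch=fake_fetch):
        print(entry)
```

Some servers answer HEAD with 405 or behave differently from GET; if a chain stops at a non-3xx status that looks wrong, repeat the fetch with a GET and the same no-redirect handler. Keep the full list of hops, not just the final URL: intermediate tracking domains are often the most useful lead for the Whois step.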
Spam, fraudulent or not, is one of the biggest problems of the internet today. In this article we have analyzed a spam email and followed several steps to check where the link in the email leads, who owns the server, and where the server is hosted.
If it were a fraudulent email, taking us to a page that pretends to be that of a bank or similar, we would carry out the first 3 steps and then go a little deeper: look at the structure of the page, whether it is a folder, open the inspector and then the Network tab, etc., to know what we are facing.