Voight-Kampff for Email Addresses: Quantifying Email Address Reputation to Identify Spear-Phishing and Fraud

ShmooCon XVI - 2020

Presented by: Josh Kamdjou
Date: Saturday February 01, 2020
Time: 16:00 - 16:50
Location: Build It!

“Is this email address real?” Internet history and age can’t be faked. Legitimate email addresses have social media profiles, GitHub profiles and commits, LinkedIn accounts, and they’ve been in credential dumps and data breaches. Real people can be differentiated from attacker personas using these internet breadcrumbs.

EmailRep is a system of crawlers, scanners, and enrichment services that collects data on email addresses, domains, and internet personas to predict the relative risk of an email address. It uses OSINT techniques, crawlers on forums, social media sites, and professional networking sites, as well as data points from credential breaches, malicious phishing kits, community-reported phishing emails, spam lists, and more.

In this talk I’ll discuss why we built EmailRep, dive into how Blue and Red teams are using it, and review some shortcomings of this approach that future attackers will seek to exploit. Finally, I’ll deep dive on the technical architecture and implementation, giving an overview of how you could build this yourself.

We’ll invite audience members on stage to query EmailRep, live, for their personal email addresses or attacker email addresses they’ve encountered or used in their work.

EmailRep is free to use via emailrep.io or API.

Josh Kamdjou

Josh Kamdjou (@jkamdjou) has been doing offensive-security-related things for the past 10 years. He’s spent most of his professional career breaking into networks and building software for both the public and private sectors. Josh is the Founder of Sublime Security, enjoys staying fit, and loves phishing.

