How to check if your recipient is using a FireEye mail product inline.
Prerequisites: Python and SimpleHTTPServer
- Stand up an internet-facing server or cloud server.
  Shameless plug if you need a web server: https://www.linode.com/?r=77675824b7701f904adb8404244f13d2c04cfc89
- Open port 8080 or some other port that is not in use.
- Start SimpleHTTPServer from a terminal by typing: python -m SimpleHTTPServer 8080
- Send an email to the recipient with the following in the body of the message: http://x.x.x.x:8080/VerifyAccount/bob@1.com/data
  Note: You will need to swap in your IP address for the x.x.x.x, and you can choose to leave bob@1.com or replace it with your recipient's email address.
- Once the email has been sent, you will see a 404 response within the terminal. If the email address after VerifyAccount/ has been replaced with nobody@mycraftmail.com, you know they are using FireEye inline.
  X.X.X.X - - [19/Feb/2020 22:39:44] "GET /VerifyAccount/nobody@mycraftmail.com/data HTTP/1.1" 404 -
This works as of 2/19/2020. Open-source intel was used to find out if recipients were subscribers of FireEye. 100% of recipients who were subscribers of FireEye made the nobody email call.
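
The check in the last step can be done over a whole log instead of by eye. The Python 3 sketch below is an added example, not part of the original post: it parses SimpleHTTPServer-style log lines, URL-decodes the path, and reports whether the address after VerifyAccount/ arrived unchanged or was replaced, which is useful when confirming how your own gateway's link scanning looks to an outside server. The function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Address the post reports seeing in place of the one that was sent.
REWRITTEN = "nobody@mycraftmail.com"
# SimpleHTTPServer line: host - - [timestamp] "METHOD path HTTP/x.y" status -
LOG_RE = re.compile(
    r'^(?P<host>\S+) - - \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)
PATH_RE = re.compile(r"^/VerifyAccount/(?P<addr>[^/]+)/data$")

# Constructed sample input (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Feb/2020 22:39:44] "GET /VerifyAccount/nobody@mycraftmail.com/data HTTP/1.1" 404 -',
    '198.51.100.7 - - [19/Feb/2020 22:41:02] "GET /VerifyAccount/bob%401.com/data HTTP/1.1" 404 -',
    '203.0.113.5 - - [19/Feb/2020 22:45:10] "GET /favicon.ico HTTP/1.1" 404 -',
    'code 404, message File not found',
]

def classify(line, sent_addr):
    """Return (host, verdict) for one log line, or None if it is unrelated."""
    m = LOG_RE.match(line)
    if not m:
        return None  # e.g. the "code 404, message ..." companion line
    p = PATH_RE.match(unquote(m.group("path")))  # decode %40 back to @
    if not p:
        return None  # request for some other path
    addr = p.group("addr").lower()
    if addr == REWRITTEN:
        verdict = "rewritten"    # the behaviour the post attributes to FireEye
    elif addr == sent_addr.lower():
        verdict = "unmodified"   # fetched exactly as sent
    else:
        verdict = "other"        # altered, but not to the known address
    return m.group("host"), verdict

def summarize(lines, sent_addr):
    """Count verdicts across a log so mixed results are visible at a glance."""
    counts = {"rewritten": 0, "unmodified": 0, "other": 0}
    for line in lines:
        result = classify(line, sent_addr)
        if result:
            counts[result[1]] += 1
    return counts

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "bob@1.com"))
```

An "unmodified" hit only shows that something fetched the link as sent; it does not identify what fetched it.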