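# Fingerprints the mail provider or spam filter in front of a domain by
# looking up its MX records and comparing the returned mail-exchanger
# hostnames against known provider hostnames.
id: mx-service-detector

info:
  name: Email Service Detector
  author: binaryfigments,rxerium
  severity: info
  description: An email service was detected. Check the email service or spam filter that is used for a domain.
  classification:
    cwe-id: CWE-200
  metadata:
    max-request: 1
  tags: dns,service,discovery

dns:
  # A single MX query for the target name.
  - name: "{{FQDN}}"
    type: MX

    # Each matcher is independent (OR); the matcher name is the reported
    # provider. Matching is restricted to the answer section: with no part
    # set, the whole response text is searched, and that text echoes the
    # queried name in the question section, so a target whose own name
    # contains one of these words would be reported whatever its MX
    # records say.
    # Words are substring matches; the short suffix entries further down
    # (for example "mimecast.com") match any MX host containing that text.
    matchers-condition: or
    matchers:
      - type: word
        part: answer
        name: "Office 365"
        words:
          - "mail.protection.outlook.com"

      - type: word
        part: answer
        name: "Google Apps"
        words:
          - "aspmx2.googlemail.com"
          - "aspmx3.googlemail.com"
          - "alt1.aspmx.l.google.com"
          - "alt2.aspmx.l.google.com"
          - "aspmx.l.google.com"

      - type: word
        part: answer
        name: "ProtonMail"
        words:
          - "mail.protonmail.ch"
          - "mailsec.protonmail.ch"

      - type: word
        part: answer
        name: "Zoho Mail"
        words:
          - "mx.zoho.eu"
          - "mx2.zoho.eu"
          - "mx3.zoho.eu"

      - type: word
        part: answer
        name: "ForcePoint Email Security"
        words:
          - "in.mailcontrol.com"

      - type: word
        part: answer
        name: "E-Zorg NL"
        words:
          - "spamfilter02.ezorg.nl"
          - "spamfilter01.ezorg.nl"
          - "spamfilter.ezorg.nl"
          - "spamfilter03.ezorg.nl"

      - type: word
        part: answer
        name: "Kerio Cloud EU"
        words:
          - "mx1.eu1.kerio.cloud"
          - "mx2.eu1.kerio.cloud"

      - type: word
        part: answer
        name: "Kerio Cloud US"
        words:
          - "mx1.us1.kerio.cloud"
          - "mx2.us1.kerio.cloud"
          - "mx3.us1.kerio.cloud"

      - type: word
        part: answer
        name: "Proofpoint EU"
        words:
          - "mx1-eu1.ppe-hosted.com"
          - "mx2-eu1.ppe-hosted.com"

      - type: word
        part: answer
        name: "Proofpoint US"
        words:
          - "mx1-us1.ppe-hosted.com"
          - "mx2-us1.ppe-hosted.com"

      - type: word
        part: answer
        name: "Mimecast"
        words:
          - "mimecast.com"

      - type: word
        part: answer
        name: "Cisco IronPort"
        words:
          - "iphmx.com"

      - type: word
        part: answer
        name: "Trellix (FireEye)"
        words:
          - "fireeyecloud.com"

      - type: word
        part: answer
        name: "Symantec MessageLabs"
        words:
          - "messagelabs.com"

      - type: word
        part: answer
        name: "MailSpamProtection"
        words:
          - "mailspamprotection.com"

      - type: word
        part: answer
        name: "Retarus"
        words:
          - "retarus.com"

      - type: word
        part: answer
        name: "Rackspace Email"
        words:
          - "emailsrvr.com"
# NOTE(review): the digest below was issued for the template as originally
# published; after any edit to this file it no longer verifies and the
# template must be re-signed (nuclei -sign) before it is treated as signed.
# digest: 4a0a00473045022100ae0a84ce7dc6f84e6af73f23f9b5272a459dc4bf88e0338c0fc05ec2b7453e0f022014974e1946fde27ea1124923b5c6acee7df3784c84f6438ca26356c33a635f62:922c64590222798bb761d5b6d8e72950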