Today we announce the addition of a small new set of email-related Transforms to our Maltego Standard Transforms. You can now use Maltego to verify email addresses and return basic fraud indicators for free, powered by IPQualityScore’s (IPQS) email verification API.
Below, you will find a short usage example, but before we begin the walk-through, let’s provide some background.
Maltego Transforms to Verify and Investigate Email Addresses
The Maltego Standard Transforms do contain a Transform “Verify email address exists [SMTP]” that, with some caveats, performs a very similar task. With this Transform, you can verify at least the existence of an email address.
However, the caveats are important: For one thing, SMTP servers will quickly start blocking such requests, meaning you cannot easily verify a large set of email addresses. In addition, for many domains, this functionality no longer works to actually verify whether an email address really exists.
Here is one example where things went wrong:
Using IPQualityScore Transforms to Investigate Email Addresses
Using the IPQS email verification and reputation API, we are able to glean far more reliable and detailed information about a given email address.
The IPQS Transforms can be found in the “Get Email Details” Transform set as part of the Standard Transforms.
Let us start with verification.
The new “Verify and fraud-check email address [IPQS]” Transform lets us easily verify the existence and validity of an email address and displays a fraud score for it in a much more reliable way than by triggering SMTP queries.
What are IPQS Fraud Scores?
IPQS determines fraud scores according to a proprietary algorithm, which, from an investigator’s perspective, means that they should be taken with a grain of salt. Nevertheless, a high fraud score can be a positive indicator that something may be awry about the email address and that you should dig a little further. One way to do this is included in this release.
Digging Deeper into Whether An Email Address is Fraudulent
Along with verifying email addresses, we also added a Transform that uses IPQS to gather different tags and indicators to help you to determine whether a certain email address may or may not be fraudulent, malicious or otherwise suspicious.
Using the “Get tags and indicators for email address [IPQS]” Transform, we can pull in some basic information that gives general insight into factors like deliverability and classification of the email address, as well as into why IPQS might have come up with the fraud score that it did.
For example, we can try out this Transform on a made-up email address from a hosting provider frequently used by anonymous users and bad actors:
Or run both Transforms on a celebrity’s leaked email address:
As you can see, IPQS has provided insightful results for each one.
Of course, being indicators, the information provided is bound to be less than 100% accurate at times, but having the ability to glean some basic intel on just about any email address out there is certainly going to be a valuable asset to any investigator’s toolkit.
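One way to act on the advice above (treat the fraud score as a lead and use the tags and indicators to explain it), as an added example that is not Maltego's or IPQS's own code. The field names are assumed to follow IPQS's email validation JSON response, the sample records are constructed, and the threshold of 75 is an illustrative assumption.

```python
# Added example. Field names are assumed to match IPQS's email validation
# JSON; the Maltego Transforms may label the same data differently.
HIGH_SCORE = 75  # assumed cut-off for "dig further"; tune to your own cases

# Indicators that can explain why a score is high.
RISK_FLAGS = {
    "disposable": "disposable/temporary mailbox provider",
    "recent_abuse": "recently reported for abuse",
    "honeypot": "suspected spam trap",
}
# Indicators that add context but are not evidence of fraud on their own.
CONTEXT_FLAGS = {
    "leaked": "address appears in known data leaks",
    "catch_all": "catch-all domain: mailbox existence cannot be proven",
    "timed_out": "mail server did not answer: validity unconfirmed",
}

def triage(rec):
    """Return (verdict, notes) for one verification record."""
    risks = [text for key, text in RISK_FLAGS.items() if rec.get(key)]
    context = [text for key, text in CONTEXT_FLAGS.items() if rec.get(key)]
    score = int(rec.get("fraud_score", 0))
    if rec.get("timed_out"):
        verdict = "unverified"      # no answer, so make no claim either way
    elif not rec.get("valid", False) and not rec.get("catch_all"):
        verdict = "invalid"
    elif score >= HIGH_SCORE and risks:
        verdict = "investigate"     # score is backed by concrete indicators
    elif score >= HIGH_SCORE:
        verdict = "review-score"    # proprietary score with nothing behind it
    else:
        verdict = "no-findings"
    return verdict, risks + context

# Constructed sample records (not real API output).
SAMPLES = {
    "throwaway": {"valid": True, "fraud_score": 90,
                  "disposable": True, "recent_abuse": True},
    "leaked-only": {"valid": True, "fraud_score": 20, "leaked": True},
    "score-only": {"valid": True, "fraud_score": 85},
    "no-answer": {"valid": False, "fraud_score": 60, "timed_out": True},
    "bad-mailbox": {"valid": False, "fraud_score": 50},
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        verdict, notes = triage(rec)
        print(f"{name:12} {verdict:13} {'; '.join(notes) or '-'}")
```

A high score with no supporting indicator lands in its own bucket, so it gets a second look instead of being read as proof.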
Watch this five-minute video to see how an email investigation using Maltego and IPQS works:
Access and Usage Limits of Maltego’s IPQS Transforms
These two new IPQS Transforms are included in the Maltego Standard Transforms Hub item and are free to use for both Community Edition (CE) and commercial Maltego users. CE users will be able to run up to 50 Transforms per month for free, while commercial Maltego users can run up to 500 Transforms.
If you need more Transform runs for IPQS, you can register for an IPQS account and plug in your own API key using the corresponding Transform settings in Maltego.
Note that you may need to click the “Refresh” button on the Standard Transforms Hub item in order to make sure that these new Transforms are installed on your Maltego Client.
We hope you enjoyed this brief walkthrough of the new IPQS Transforms.