DNS is a good source

In the Prime Minister's Sunday address (5 April 2020) someone noticed the back of the paper he was reading from. There was an email addressed to him, subsequently forwarded to a third party (working for the company Imoba). I was curious about which email domain the Prime Minister uses. With a little OSINT I managed to find it — the domain is e-babis.cz.

Let's go step by step — what does DNS tell us about this domain?

The A record merely points to Active24, as no website exists. The interesting part is the MX records: the servers slunce10 and slunce20.e-babis.cz are worth a closer look.

![DNS record for e-babis.cz](Screenshot 2020-04-07 at 17.50.33.png)

The subdomains are also interesting — specifically those managed by O2.

![Subdomains of e-babis.cz](Screenshot 2020-04-07 at 17.54.35.png)

MX records slunce10 and slunce20.e-babis.cz

Looking at what's behind these addresses reveals that they are mail servers belonging to Agrofert.

![slunce10](Screenshot 2020-04-07 at 17.59.11.png) ![slunce20](Screenshot 2020-04-07 at 17.58.59.png)

The next images show that these are the servers mail30 and mail40.agrofert.cz.

![mail30](Screenshot 2020-04-07 at 17.59.21.png) ![mail40](Screenshot 2020-04-07 at 17.58.50.png)

According to historical DNS data this situation has been in place since at least 27 October 2018.

![DNS history for slunce10](Screenshot 2020-04-07 at 18.07.33.png)

Subdomain ms1.e-babis.cz

Looking at the IP address behind this domain leads straight to Agrofert — its own IP range.

![Agrofert IP range](Screenshot 2020-04-07 at 18.09.56.png)

What does it all mean?

Because mail for this domain is handled by Agrofert's servers, an email sent to ab@e-babis.cz ends up there. Agrofert is effectively acting as the Prime Minister's email "provider". More precisely, everything points to the whole e-babis.cz domain being managed by Agrofert.
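The trail walked above (domain to MX, MX to IP, IP back to a PTR name that reveals the real operator) as an added example script, not part of the original post. The DNS records and IP addresses in it are constructed, and the resolver is injected so the code runs offline here and a live lookup can be swapped in.

```python
"""Follow the DNS chain domain -> MX -> A -> PTR and flag third-party mail hosting.

Added example. Lookups go through an injected resolve(name, rrtype) callable; a
live adapter (e.g. around dnspython's dns.resolver.resolve) can replace the fake
one. For rrtype "PTR" the adapter receives the bare IP and must build the
in-addr.arpa name itself. IPs below are constructed TEST-NET-2 values.
"""
from typing import Callable, Dict, List, Tuple

Resolver = Callable[[str, str], List[str]]

# Constructed records mirroring the chain described in the post (IPs are not real).
FAKE_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("e-babis.cz", "MX"): ["10 slunce10.e-babis.cz.", "20 slunce20.e-babis.cz."],
    ("slunce10.e-babis.cz", "A"): ["198.51.100.10"],
    ("slunce20.e-babis.cz", "A"): ["198.51.100.20"],
    ("198.51.100.10", "PTR"): ["mail30.agrofert.cz."],
    ("198.51.100.20", "PTR"): ["mail40.agrofert.cz."],
}

def fake_resolver(name: str, rrtype: str) -> List[str]:
    """Offline stand-in for a real resolver; unknown names return no records."""
    return FAKE_ZONE.get((name.rstrip("."), rrtype), [])

def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (adequate for e-babis.cz / agrofert.cz)."""
    return ".".join(host.rstrip(".").split(".")[-2:])

def trace_mail_path(domain: str, resolve: Resolver) -> List[dict]:
    """For every MX host: its IPs, the PTR names and the domain those PTRs imply."""
    findings = []
    for record in resolve(domain, "MX"):
        priority, host = record.split()  # e.g. "10 slunce10.e-babis.cz."
        host = host.rstrip(".")
        for ip in resolve(host, "A"):
            for ptr in resolve(ip, "PTR"):
                findings.append({"priority": int(priority), "mx": host, "ip": ip,
                                 "ptr": ptr.rstrip("."),
                                 "ptr_domain": registrable_domain(ptr)})
    return findings

def third_party_mail_hosts(domain: str, resolve: Resolver) -> List[str]:
    """PTR-derived domains that handle mail for `domain` but are not `domain`."""
    own = registrable_domain(domain)
    return sorted({f["ptr_domain"] for f in trace_mail_path(domain, resolve)
                   if f["ptr_domain"] != own})

if __name__ == "__main__":
    for f in trace_mail_path("e-babis.cz", fake_resolver):
        print(f"{f['mx']} -> {f['ip']} -> {f['ptr']}")
    print("mail handled by:", third_party_mail_hosts("e-babis.cz", fake_resolver))
```

The same check run against a domain you administer tells you whether a supplier's servers, rather than your own, are the first hop for your inbound mail.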
