Email Header Analysis

29/12/2020
Chưa phân loại
Analyzing email headers is one of the most common tasks in computer forensics, and it can help us if we doubt the authenticity of an email sender. An example of professional practical use of a mail header analysis may be the assurance an indicated player in court was the sender or receiver of an email, by reading the header computer forensic experts can audit the authentication keys to realize if an email sender was forged.This tutorial shows how to read a regular GMAIL header in plain text, online there are many free tools to make it human readable in a friendly format such as https://mxtoolbox.com/EmailHeaders.aspx , reducing all the content shown in this tutorial into something like  this image

If you want to go more professional you can check some of the tools described at  Live Forensics Tools.

Reading and understanding an email header (Gmail):

The following piece of weird text is a mail header of an email sent from the account editor[at~]linuxhint.com to ivan[at~]linux.lat. Some irrelevant parts were removed but it is completely fidel to the original header.

Below each part of the e-mail header will be explained:

The first segment isolated below is very intuitive and reveals the e-mail was delivered to ivan[at~]smartlation.com and received by a server identified by its IP address (IPv6) and an SMTP id, detailing the date and time of the delivery:

  Delivered-To: ivana[at~]smartlation.com  Received: by 2002:a05:620a:1461:0:0:0:0 with SMTP id j1csp966363qkl;  Wed, 3 Apr 2019 19:50:15 -0700 (PDT)    

The following fragment shows the email is being processed through gmail’s SMTP.

    X-Google-Smtp-Source: APXvYqxLebBy88ASD/5vqLYdg+NGLv+sNymPjuOU6aQy3H1LyRbx4  8E4I9ojHNsM4Bvpa2lApZKJ    

The X-Received header is applied by some email providers, in this case it is added by Gmail’s SMTP.

    X-Received: by 2002:a62:52c3:: with SMTP id g186mr3128011pfb.173.1554346215815;    Wed, 03 Apr 2019 19:50:15 -0700 (PDT)    

The next segment shows the ARC (Authentication Received Chain). This protocol assures the authentication validity when passing through different intermediating devices. In this case the email is sent from editor [~at]linuxhint.com to ivan[~at]linux.lat which forwards the email to ivan[~at]smartlation.com.

 

    ARC-Seal: i=1; a=rsa-sha256; t=1554346215; cv=none;    d=google.com; s=arc-20160816;    XqUX87SmR3Jca4GHtIdCAxrd8eJ67gNu6n    uxeDPBzWo1i5j+vITRp+1f6CgJTUZANERNNh8zd9UedBhGk11dYTHzmsx9J+iJJLvcZn    0m1A==    

And here is the first appearance of the DKIM (DomainKeys Identified Mail), an authentication method which prevents mail forgery by validating the sender domain name.  The previously detailed protocol ARC helps both DKIM and SPF (which will be shown below) to remain valid despite the route. This extract shows the given credentials.

  ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;    h=to:subject:message-id:date:from:mime-version:dkim-signature    :dkim-signature:dkim-filter;    bh=SGSL8wJRA7+YflVA67ETqxpMCMuzIg+Fe1LKVzldnbA=;    b=1HC5cATj9nR43hdZxt0DMGhRgMALSB    k2DlfvqlLlfDB02pCvTZTDCWIBYhudlurDwsyhj+OQC/YxOaGu7OsD06nnzhEFtlEYgN    ibTg==    

Here you can see the result of the authentication, as you see it succeeded, additionally to the DKIM you can see SPF (Sender Policy Framework), another authentication method to let the receiver know the sender is authorized to use the domain name shown in the “FROM” section.
In this case DKIM and SPF passed the authentication phase.

  ARC-Authentication-Results: i=1; mx.google.com;  

    dkim=pass header.i=@registrar-servers.com header.s=default header.b=oY3SGJai;    dkim=pass header.i=@linuxhint-com.20150623.gappssmtp.com header.s=20150623  header.b=udLEKRXT;    spf=pass (google.com: domain of srs0+gms5=sg=linuxhint.com=editor@eforward1e.registrar-  servers.com designates 162.255.118.246 as permitted sender)   smtp.mailfrom="SRS0+GMs5=SG=linuxhint.com=editor @eforward1e.registrar-servers.com"    

Below there is a section called “Return-Path”  and here is defined the bounce email address, which is different from the “From” section for  bouncing messages to be processed by the mail server administrator.

  Return-Path: <SRS0+GMs5=SG=linuxhint.com=editor@eforward1e.registrar-servers.com>    

Finally below, information on the mail server, (Postfix), DKIM version and encryption strength are displayed,

  Received: from se17.registrar-servers.com (se17.registrar-servers.com [198.54.122.197])  by eforward1e.registrar-servers.com (Postfix) with ESMTP id 9060A4207A2 for   <ivan@linux.lat>; Wed,    3 Apr 2019 22:50:14 -0400 (EDT)    DKIM-Filter: OpenDKIM Filter v2.11.0 eforward1e.registrar-servers.com 9060A4207A2    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=registrar-servers.com;   s=default; t=1554346214; bh=SGSL8wJRA7+YflVA67ETqxpMCMuzIg+Fe1LKVzldnbA=;   h=From:Date:Subject:To; b=oY3SGJaiN0EVVIZGe4qRW387o3JTI2hMavvK/6RsTToszEuR9J4tVB3CUCeubu9S+    

   X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;    d=1e100.net; s=20161025;    h=x-gm-message-state:mime-version:from:date:message-id:subject:to;    bh=SGSL8wJRA7+YflVA67ETqxpMCMuzIg+Fe1LKVzldnbA=;    b=YaWzCdnw7XFUn6N6Ceok2a    

The section X-Gm-Message-State shows a unique string for two possible states: bounced back and sent.

   X-Gm-Message-State: APjAAAUDZt8fdxWPtMkMW5tr36yJEQsL/6qVDvoZPRyyFl0LjcTE1wtK   t6HvCiRDpuHHwPQyP  

The X-Received value belong specifically to gmail.

  X-Received: by 2002:a50:89fb:: with SMTP id h56mr1932247edh.176.1554346208456;   Wed, 03 Apr 2019 19:50:08 -0700 (PDT)  

Below you can find the MIME (Multipurpose Internet Mail Extensions) version and regular information displayed to users:

  MIME-Version: 1.0    From: Editor LinuxHint <editor@linuxhint.com>    Date: Wed, 3 Apr 2019 19:50:27 -0700    Message-ID: <CAGtLPhFVS411Qbwz+SvXmEuafLfBPYNMsVn+BBRvPDHDvGyhyg@mail.gmail.com>    Subject: payment sent $150    To: Ivan <ivan@linux.lat>    Content-Type: multipart/alternative; boundary="0000000000009d08b80585ab6de6"    Authentication-Results: registrar-servers.com; dkim=pass header.i=  linuxhint-com.20150623.gappssmtp.com    X-SpamExperts-Class: unsure    X-SpamExperts-Evidence: Combined (0.50)    X-Recommended-Action: accept    X-Filter-ID: PqwsvolAWURa0gwxuN3S5aX1D1WTqZz4ZUVZsEKIAZmQZhrrHO4tCCdd7Glc/hE6Ad92F9LvLiZB  UmTDs6LztDdIhjKJtmyqxGggHTBQkRv3cFX8llim30hS81NKz3IPKJfBc4dflnSXjyC+hcWqo8T7  edt47wTUEZSG1pLBlhmyXn4nYf    

I hope you found this tutorial on email header analysis useful. Keep following LinuxHint for more tips and tutorials on Linux and networking.

ONET IDC thành lập vào năm 2012, là công ty chuyên nghiệp tại Việt Nam trong lĩnh vực cung cấp dịch vụ Hosting, VPS, máy chủ vật lý, dịch vụ Firewall Anti DDoS, SSL… Với 10 năm xây dựng và phát triển, ứng dụng nhiều công nghệ hiện đại, ONET IDC đã giúp hàng ngàn khách hàng tin tưởng lựa chọn, mang lại sự ổn định tuyệt đối cho website của khách hàng để thúc đẩy việc kinh doanh đạt được hiệu quả và thành công.
Bài viết liên quan

Install Paper Icons and GTK Theme on Ubuntu – A Stylish Linux Icon Theme

Who doesn’t like customization? The flexibility of customization is probably one of the main reasons people prefer to...
28/12/2020

How to use tee command in Linux

Sometimes we need to store the command output into a file to use the output later for other purposes. `tee` command is...
Chưa phân loại
29/12/2020

CentOS Versus Ubuntu

Your server needs a stable operating system that you can depend on, and both CentOS and Ubuntu are popular choices that...
29/12/2020