
Understanding Email Headers: What Information is Included?

September 28, 2016

Unveiling the Hidden Information Within Emails

Each email you receive contains significantly more data than is immediately apparent. Typically, attention is focused on the sender's address, the subject line, and the message content itself.

However, a substantial amount of supplementary information is embedded within the email's structure, often unseen by the casual user.

The "Under the Hood" Details

This concealed data can offer valuable insights. It exists beyond the readily visible elements of the email.

Understanding these hidden components allows for a more comprehensive analysis of each message received.

Types of Hidden Email Information

  • Email Headers: These contain routing information, timestamps, and server details.
  • IP Addresses: The originating IP address can reveal the sender’s approximate location.
  • Digital Signatures: These verify the sender’s identity and message integrity.
  • Tracking Pixels: Often used to monitor email opens and link clicks.

Analyzing these elements can be crucial for security assessments and investigations.

Furthermore, this information can be used to authenticate senders and detect potential phishing attempts.

Utilizing Hidden Data

Accessing this information usually requires viewing the email's full headers, a feature available in most email clients.

Specialized tools and online analyzers can also decode and present this data in a more user-friendly format.

Security professionals and investigators frequently leverage this hidden data to trace email origins and identify malicious activity.

The Importance of Examining Email Headers

A legitimate inquiry arises: why would one need to inspect an email header? Typically, this isn't a necessary step unless specific circumstances warrant it.

  • A primary reason is to identify potentially malicious emails, such as phishing attempts or spoofed messages.
  • Another is to trace the email's journey and understand its routing details.
  • Finally, some individuals simply possess a technical curiosity.

Whatever the motivation, deciphering email headers is a straightforward process that can yield valuable insights.

Please note that the examples and screenshots provided within this article are based on the Gmail interface. However, the core information should be accessible across most email clients.

Understanding the Utility of Header Analysis

Analyzing email headers allows for a deeper understanding of an email’s origin and authenticity. It’s a crucial step in verifying the sender’s identity and ensuring the message hasn’t been tampered with.

The routing information contained within the header reveals the servers the email passed through, offering clues about its path and potential points of compromise.

Understanding Email Headers

Within Gmail, the email must first be opened to access its header information. For the purpose of this demonstration, the email shown below will be utilized.

To view the full header, locate the arrow icon in the upper-right corner of the email and select "Show original."

A new window will then appear, displaying the email header data in a plain text format.

Please note that, for privacy, all instances of my Gmail address in the following header data have been altered to myemail@gmail.com. Similarly, my external email addresses are represented as jfaulkner@externalemail.com and jason@myemail.com, while IP addresses have been masked.

Delivered-To: myemail@gmail.com
Received: by 10.60.14.3 with SMTP id l3csp18666oec;
        Tue, 6 Mar 2012 08:30:51 -0800 (PST)
Received: by 10.68.125.129 with SMTP id mq1mr1963003pbb.21.1331051451044;
        Tue, 06 Mar 2012 08:30:51 -0800 (PST)
Return-Path: <jfaulkner@externalemail.com>
Received: from exprod7og119.obsmtp.com (exprod7og119.obsmtp.com. [64.18.2.16])
        by mx.google.com with SMTP id l7si25161491pbd.80.2012.03.06.08.30.49;
        Tue, 06 Mar 2012 08:30:50 -0800 (PST)
Received-SPF: neutral (google.com: 64.18.2.16 is neither permitted nor denied by best guess record for domain of jfaulkner@externalemail.com) client-ip=64.18.2.16;
Authentication-Results: mx.google.com; spf=neutral (google.com: 64.18.2.16 is neither permitted nor denied by best guess record for domain of jfaulkner@externalemail.com) smtp.mail=jfaulkner@externalemail.com
Received: from mail.externalemail.com ([XXX.XXX.XXX.XXX]) (using TLSv1) by exprod7ob119.postini.com ([64.18.6.12]) with SMTP
        ID DSNKT1Y7uSEvyrMLco/atcAoN+95PMku3Y/9@postini.com; Tue, 06 Mar 2012 08:30:50 PST
Received: from MYSERVER.myserver.local ([fe80::a805:c335:8c71:cdb3]) by
        MYSERVER.myserver.local ([fe80::a805:c335:8c71:cdb3%11]) with mapi; Tue, 6 Mar
        2012 11:30:48 -0500
From: Jason Faulkner <jfaulkner@externalemail.com>
To: "myemail@gmail.com" <myemail@gmail.com>
Date: Tue, 6 Mar 2012 11:30:48 -0500
Subject: This is a legit email
Thread-Topic: This is a legit email
Thread-Index: Acz7tnUyKZWWCcrUQ+++QVd6awhl+Q==
Message-ID: <682A3A66C6EAC245B3B7B088EF360E15A2B30B10D5@MYSERVER.myserver.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative;
        boundary="_000_682A3A66C6EAC245B3B7B088EF360E15A2B30B10D5HARDHAT2hardh_"
MIME-Version: 1.0

When analyzing an email header, the information is presented in reverse chronological order. This means the topmost entries represent the most recent events in the email's journey. Consequently, to trace the email's path from the sender to the recipient, it's necessary to begin at the bottom of the header.

Examining Header Information

The header data reveals information generated by the email client used for sending. In this instance, the email originated from Outlook, and the following metadata was added by that application.

From: Jason Faulkner <jfaulkner@externalemail.com>
To: "myemail@gmail.com" <myemail@gmail.com>
Date: Tue, 6 Mar 2012 11:30:48 -0500
Subject: This is a legit email
Thread-Topic: This is a legit email
Thread-Index: Acz7tnUyKZWWCcrUQ+++QVd6awhl+Q==
Message-ID: <682A3A66C6EAC245B3B7B088EF360E15A2B30B10D5@MYSERVER.myserver.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative;
        boundary="_000_682A3A66C6EAC245B3B7B088EF360E15A2B30B10D5HARDHAT2hardh_"
MIME-Version: 1.0

The subsequent section details the route the email took from the sending server to the destination server. These steps, often referred to as "hops," are listed in reverse order, so the bottom-most Received line is the first hop. Each hop records the IP address of the server that handed the message over and, where available, its reverse DNS name. The bracketed numbers added below mark the hops in the order they actually occurred, from [1] to [6].

Delivered-To: myemail@gmail.com
[6] Received: by 10.60.14.3 with SMTP id l3csp18666oec;
        Tue, 6 Mar 2012 08:30:51 -0800 (PST)
[5] Received: by 10.68.125.129 with SMTP id mq1mr1963003pbb.21.1331051451044;
        Tue, 06 Mar 2012 08:30:51 -0800 (PST)
Return-Path: <jfaulkner@externalemail.com>
[4] Received: from exprod7og119.obsmtp.com (exprod7og119.obsmtp.com. [64.18.2.16])
        by mx.google.com with SMTP id l7si25161491pbd.80.2012.03.06.08.30.49;
        Tue, 06 Mar 2012 08:30:50 -0800 (PST)
[3] Received-SPF: neutral (google.com: 64.18.2.16 is neither permitted nor denied by best guess record for domain of jfaulkner@externalemail.com) client-ip=64.18.2.16;
Authentication-Results: mx.google.com; spf=neutral (google.com: 64.18.2.16 is neither permitted nor denied by best guess record for domain of jfaulkner@externalemail.com) smtp.mail=jfaulkner@externalemail.com
[2] Received: from mail.externalemail.com ([XXX.XXX.XXX.XXX]) (using TLSv1) by exprod7ob119.postini.com ([64.18.6.12]) with SMTP
        ID DSNKT1Y7uSEvyrMLco/atcAoN+95PMku3Y/9@postini.com; Tue, 06 Mar 2012 08:30:50 PST
[1] Received: from MYSERVER.myserver.local ([fe80::a805:c335:8c71:cdb3]) by
        MYSERVER.myserver.local ([fe80::a805:c335:8c71:cdb3%11]) with mapi; Tue, 6 Mar
        2012 11:30:48 -0500

While this particular email header indicates a standard, legitimate transmission, the information contained within can be invaluable when investigating potentially malicious emails, such as spam or phishing attempts.

Analyzing a Phishing Email – Case Study 1

This analysis focuses on a clear example of a phishing email. While readily identifiable as fraudulent through visual cues, we will delve into the header information to pinpoint the warning signs as a practice exercise.

Email Header Examination

Let's begin by dissecting the email headers to uncover potential indicators of malicious intent.

Delivered-To: myemail@gmail.com
Received: by 10.60.14.3 with SMTP id l3csp12958oec;
        Mon, 5 Mar 2012 23:11:29 -0800 (PST)
Received: by 10.236.46.164 with SMTP id r24mr7411623yhb.101.1331017888982;
        Mon, 05 Mar 2012 23:11:28 -0800 (PST)
Return-Path: <securityalert@verifybyvisa.com>
Received: from ms.externalemail.com (ms.externalemail.com. [XXX.XXX.XXX.XXX])
        by mx.google.com with ESMTP id t19si8451178ani.110.2012.03.05.23.11.28;
        Mon, 05 Mar 2012 23:11:28 -0800 (PST)
Received-SPF: fail (google.com: domain of securityalert@verifybyvisa.com does not designate XXX.XXX.XXX.XXX as permitted sender) client-ip=XXX.XXX.XXX.XXX;
Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of securityalert@verifybyvisa.com does not designate XXX.XXX.XXX.XXX as permitted sender) smtp.mail=securityalert@verifybyvisa.com
Received: with MailEnable Postoffice Connector; Tue, 6 Mar 2012 02:11:20 -0500
Received: from mail.lovingtour.com ([211.166.9.218]) by ms.externalemail.com with MailEnable ESMTP; Tue, 6 Mar 2012 02:11:10 -0500
Received: from User ([118.142.76.58])
        by mail.lovingtour.com
        ; Mon, 5 Mar 2012 21:38:11 +0800
Message-ID: <6DCB4366-3518-4C6C-B66A-F541F32A4C4C@mail.lovingtour.com>
Reply-To: <securityalert@verifybyvisa.com>
From: "securityalert@verifybyvisa.com"<securityalert@verifybyvisa.com>
Subject: Notice
Date: Mon, 5 Mar 2012 21:20:57 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_0055_01C2A9A6.1C1757C0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-ME-Bayesian: 0.000000

Identifying Initial Red Flags

A significant indicator is found within the client information. The metadata reveals the use of Microsoft Outlook Express. It's improbable that a company like Visa would utilize such an outdated email client – a version released over a decade prior.

Reply-To: <securityalert@verifybyvisa.com>
From: "securityalert@verifybyvisa.com"<securityalert@verifybyvisa.com>
Subject: Notice
Date: Mon, 5 Mar 2012 21:20:57 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_0055_01C2A9A6.1C1757C0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-ME-Bayesian: 0.000000

Tracing the Email's Origin

Examining the initial hop in the email's routing path reveals the sender originated from IP address 118.142.76.58, with the email relayed through the mail server mail.lovingtour.com.

Received: from User ([118.142.76.58])
        by mail.lovingtour.com
        ; Mon, 5 Mar 2012 21:38:11 +0800

Utilizing a tool like Nirsoft's IPNetInfo, we can determine the sender's location as Hong Kong, and the mail server's location as China.


This geographical discrepancy is notably suspicious.

Subsequent email hops demonstrate legitimate server traffic, and are therefore less relevant to identifying the fraudulent nature of this particular message.

Analyzing a Phishing Email – Case Study 2

This example presents a phishing email that is notably more sophisticated. While subtle visual cues might be present upon close inspection, our focus remains on analyzing the email headers for investigative purposes.

Email Header Breakdown

Let's examine the key components of the email header to uncover potential indicators of malicious intent.

Delivered-To: myemail@gmail.com
Received: by 10.60.14.3 with SMTP id l3csp15619oec;
        Tue, 6 Mar 2012 04:27:20 -0800 (PST)
Received: by 10.236.170.165 with SMTP id p25mr8672800yhl.123.1331036839870;
        Tue, 06 Mar 2012 04:27:19 -0800 (PST)

Sender Information and SPF Records

The initial sender information appears as follows:

Return-Path: <security@intuit.com>
Received: from ms.externalemail.com (ms.externalemail.com. [XXX.XXX.XXX.XXX])
        by mx.google.com with ESMTP id o2si20048188yhn.34.2012.03.06.04.27.19;
        Tue, 06 Mar 2012 04:27:19 -0800 (PST)

However, the Sender Policy Framework (SPF) check reveals a failure. This indicates that the domain of security@intuit.com does not authorize XXX.XXX.XXX.XXX as a permitted sender.

Received-SPF: fail (google.com: domain of security@intuit.com does not designate XXX.XXX.XXX.XXX as permitted sender) client-ip=XXX.XXX.XXX.XXX;
Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of security@intuit.com does not designate XXX.XXX.XXX.XXX as permitted sender) smtp.mail=security@intuit.com

Server Details and Script Usage

Further examination reveals details about the server handling the email:

Received: with MailEnable Postoffice Connector; Tue, 6 Mar 2012 07:27:13 -0500
Received: from dynamic-pool-xxx.hcm.fpt.vn ([118.68.152.212]) by ms.externalemail.com with MailEnable ESMTP; Tue, 6 Mar 2012 07:27:08 -0500
Received: from apache by intuit.com with local (Exim 4.67)
        (envelope-from <security@intuit.com>)
        id GJMV8N-8BERQW-93
        for <jason@myemail.com>; Tue, 6 Mar 2012 19:27:05 +0700

Notably, a PHP script was utilized in the email's transmission, originating from the IP address 118.68.152.212.

To: <jason@myemail.com>
Subject: Your Intuit.com invoice.
X-PHP-Script: intuit.com/sendmail.php for 118.68.152.212
From: "INTUIT INC." <security@intuit.com>
X-Sender: "INTUIT INC." <security@intuit.com>
X-Mailer: PHP
X-Priority: 1
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="------------03060500702080404010506"
Message-Id: <JXON1H-5GTPKV-0H@intuit.com>
Date: Tue, 6 Mar 2012 19:27:05 +0700
X-ME-Bayesian: 0.000000

Discrepancies and Origin Tracing

Initially, the email appears legitimate because the first Received line names the sending server as intuit.com, which matches the domain in the From address. However, caution is advised, as a sending server writes its own name into that first Received line, so attackers can easily spoof it.

A closer look at subsequent hops reveals a critical discrepancy. The second hop indicates the sending server resolves to "dynamic-pool-xxx.hcm.fpt.vn," not "intuit.com," and shares the same IP address as identified in the PHP script.

Received: from dynamic-pool-xxx.hcm.fpt.vn ([118.68.152.212]) by ms.externalemail.com with MailEnable ESMTP; Tue, 6 Mar 2012 07:27:08 -0500

Geolocation of the IP address confirms the suspicion, pinpointing the mail server's location to Viet Nam.
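As an added example that is not part of the original article, the script below applies the checks from the two case studies to a constructed header modelled on the Intuit message: it unfolds continuation lines, walks the Received hops from the bottom up, reads the SPF verdict from Authentication-Results, and flags both the X-PHP-Script IP that reappears as a hop and the relay that calls itself intuit.com but was recorded by the next server as dynamic-pool-xxx.hcm.fpt.vn. The relay IP the article masks as XXX.XXX.XXX.XXX is replaced with the documentation address 203.0.113.10; the finding names and regular expressions are my own choices.

```python
import re

# Constructed sample modelled on the second phishing header above; the relay IP
# the article masks as XXX.XXX.XXX.XXX is replaced with 203.0.113.10 (a documentation address).
SAMPLE = """\
Received: from ms.externalemail.com (ms.externalemail.com. [203.0.113.10])
 by mx.google.com with ESMTP id o2si20048188yhn.34.2012.03.06.04.27.19;
 Tue, 06 Mar 2012 04:27:19 -0800 (PST)
Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of security@intuit.com does not designate 203.0.113.10 as permitted sender) smtp.mail=security@intuit.com
Received: from dynamic-pool-xxx.hcm.fpt.vn ([118.68.152.212]) by ms.externalemail.com with MailEnable ESMTP; Tue, 6 Mar 2012 07:27:08 -0500
Received: from apache by intuit.com with local (Exim 4.67)
 for <jason@myemail.com>; Tue, 6 Mar 2012 19:27:05 +0700
X-PHP-Script: intuit.com/sendmail.php for 118.68.152.212
From: "INTUIT INC." <security@intuit.com>
"""

def unfold(raw):
    """Join folded continuation lines; return (name, value) pairs in header order."""
    fields = []
    for line in raw.splitlines():
        if line.startswith((" ", "\t")) and fields:      # continuation of previous field
            fields[-1] = (fields[-1][0], fields[-1][1] + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip().lower(), value.strip()))
    return fields

def hops(fields):
    """Received lines oldest first: the bottom of the header is the first hop."""
    out = []
    for name, value in reversed(fields):
        if name == "received":
            frm = re.search(r"^from\s+(\S+)", value)
            by = re.search(r"\bby\s+(\S+)", value)
            ip = re.search(r"\[([0-9.]+)\]", value)
            out.append({"from": frm and frm.group(1), "by": by and by.group(1), "ip": ip and ip.group(1)})
    return out

def analyze(raw):
    fields = unfold(raw)
    h = dict(fields)                  # adequate for the single-valued headers used here
    path = hops(fields)
    spf = re.search(r"spf=(\w+)", h.get("authentication-results", ""))
    php = re.search(r"for\s+([0-9.]+)", h.get("x-php-script", ""))
    dom = re.search(r"@([\w.-]+)>", h.get("from", ""))
    findings = []
    if spf and spf.group(1) in ("fail", "hardfail", "softfail"):
        findings.append("spf_" + spf.group(1))
    if php and any(hop["ip"] == php.group(1) for hop in path):
        findings.append("php_script_ip_matches_hop")
    # First relay claims the From domain, but the next relay recorded a different name for it.
    if len(path) > 1 and dom and dom.group(1) in (path[0]["by"] or "") \
            and dom.group(1) not in (path[1]["from"] or ""):
        findings.append("claimed_domain_not_seen_by_next_relay")
    return {"hops": path, "spf": spf and spf.group(1), "findings": findings,
            "origin_ip": next((hop["ip"] for hop in path if hop["ip"]), None)}
```

Run against the first case study, the same checks report spf_hardfail and an origin IP of 118.142.76.58 from the User hop.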


Conclusion

Despite its deceptive nature, this phishing attempt is readily exposed through careful examination of the email headers. Even a minimal level of investigation can quickly reveal the fraudulent activity.

Understanding Email Headers

Although examining email headers isn't a common task, the data they contain can prove exceptionally useful in certain situations. As demonstrated, these headers allow for the identification of deceptive senders who attempt to disguise their true identity.

Detecting Email Spoofing

Even with a convincingly crafted scam that relies on visual deception, it remains incredibly challenging – and often impossible – to perfectly mimic legitimate mail servers.

A careful review of the information within email headers can swiftly expose any fraudulent activity.

The Value of Header Analysis

The ability to analyze email headers provides a crucial layer of security. It empowers users to verify the authenticity of senders and protect themselves from phishing attempts and other malicious practices.

Practical Applications

  • Identifying Spoofed Emails: Determine if an email's sender address has been falsified.
  • Tracing Email Origins: Uncover the true source of an email message.
  • Detecting Forgery: Reveal discrepancies that indicate an email has been tampered with.

In essence, while not an everyday requirement, understanding how to view and interpret email headers is a valuable skill for anyone concerned with online security.

Links

The utility IPNetInfo can be downloaded from Nirsoft's website.

Accessing the Download

Users can obtain IPNetInfo directly from the Nirsoft portal. This provides a secure and reliable source for the software.

About Nirsoft

Nirsoft is a well-known developer of small, useful utilities for Windows. They offer a wide range of tools for network monitoring and system information.

IPNetInfo Functionality

IPNetInfo is designed to display a comprehensive range of information about your IP configuration. This includes details about network adapters, DNS servers, and routing tables.

  • It provides insights into both IPv4 and IPv6 addresses.
  • The tool can reveal details about DHCP leases.
  • Users can view MAC addresses associated with network interfaces.

The software is particularly useful for network administrators and anyone troubleshooting network connectivity issues.

Downloading and Installation

The download is a single executable file, meaning no formal installation is required. Simply download the file and run it to begin using IPNetInfo.

It’s a portable application, so it can be easily run from a USB drive or any other portable storage device.
