
Analyzing Email Headers

Division: Information Technology
Document Type: Information
Effective Date: 10/01/2009
Next Review:
Subject: Analyzing Email Headers/Security
Approvals:
Supersedes:
Distribution: IT, TSG, Help Desk
Contact: Steve Jones
Issued By: Bank Services Group
Issued/Maintained By: Michael Graves

Purpose: To identify means of tracking the source of an email

Email headers are metadata fields contained in every Simple Mail Transfer Protocol (SMTP) message
transmitted over the Internet. They contain useful information about the message's path from source to
destination.

1. The Webmail application of my ISP (hosting www.mwgraves.com)
   a. Open message
   b. Click Mail
   c. Select Show Details
   d. Select All from Header field
   e. Cut and paste into word processing application

2. Microsoft Outlook
   a. Open message
   b. Click View
   c. Click Options
   d. Select All from Internet headers field
   e. Cut and paste into word processing application

3. Microsoft Entourage (for Macintosh OS X)
   a. Open message
   b. Click View
   c. Click Internet Headers
   d. A new window will open with the Header Information

Sample of an Email Header From a LEGITIMATE Email (read from the bottom line up). I have
interjected descriptions of key lines (in bold in the original) that were NOT originally part of the
header. Server names and IP addresses of our network servers have been masked for obvious
reasons.

Received: from homing.chittenden.chittenden-corp.com (xxx.xxx.xx.xxx) by
    MYSERVER.pub.corp.local (xxx.xxx.xx.xxx) with Microsoft SMTP Server id 8.1.358.0;
    Tue, 6 Oct 2009 02:25:49 -0400
  -- This tells me which server delivered the message to my mailbox.
Received: from Carrier.chittenden.chittenden-corp.com ([xxx.xxx.xx.xxx]) by
    homing.chittenden.chittenden-corp.com with Microsoft SMTPSVC(6.0.3790.3959);
    Tue, 6 Oct 2009 02:25:49 -0400
  -- This is an intermediate server.
Received: from EMAILSERVER ([xx.xxx.xxx.xxx]) by Carrier.chittenden.chittenden-corp.com over
    TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959); Tue, 6 Oct 2009 02:25:49 -0400
  -- Yet another intermediate server.
Received: from mta45.e.bordersstores.com (Not Verified[207.251.97.205]) by Picui with
    MailMarshal (v6,4,1,5038) id <B4acae3350000>; Tue, 06 Oct 2009 02:27:06 -0400
  -- I learn here that the recipient email server is running a spam blocker called
     MailMarshal (sure did a good job, didn't it?) along with the server name and IP
     address of the server that transmitted the message.
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=200505; d=e.borders.com;
    b=RS1jwxlmVQlkGAP8l/jEaURcC4skYJl8FI74g0MhGobv1ApV9LADPYq2DI64bpAfxllUHmJLR
    +3a1h3cTfcRVXe51hwyGkCeLmgP1iGfULE5SJhqRF0qQ2RYPLRlCEcYgKGyYlTABtTc/CnciG0
    Y3Zii8GYN3dlNrEeYvf/k7Bo=;
    h=Date:Message-ID:List-Unsubscribe:From:To:Subject:MIME-Version:Reply-To:Content-type;
  -- DomainKeys = digital signatures for emails.
Date: Tue, 6 Oct 2009 06:26:03 +0000
Message-ID: <bukxz55axsb41raxb73qe9jj9pmxjm.3093967756.7575@mta45.e.borders.com>
  -- This is a unique identifier for the message. Only one email in the world will
     have this. If I can get to the ISP or the originating server before the logs are
     flushed, it might be possible to identify the sender.
List-Unsubscribe: <mailto:rm-0bukxz55axsb41raxb73qe9jj9pmxjm@e.borders.com>
  -- Legitimate mass mailers provide an address to query in order to be removed from
     their mailing list.
From: Borders Rewards <Borders@e.borders.com>
  -- Sending user: in this case an anonymous department name.
To: mgraves@chittenden.com
  -- Intended recipient.
Subject: Your Rewards Coupon Is Here
  -- What is contained in the original subject line.
MIME-Version: 1.0
  -- Version of Multipurpose Internet Mail Extensions used by the server.
Reply-To: "Borders Rewards" <support-bukxz55axsb41raxb73qe9jj9pmxjm@e.borders.com>
  -- THIS tells me what email address will receive any REPLY message that I send.
Content-Type: multipart/alternative; boundary="=bukxz55axsb41raxb73qe9jj9pmxjm"
  -- Content type can range from plain text to specific file types. Multipart/alternative
     refers to a message sent in a mix of plain text and some other format, such as JPG
     or HTML.
Return-Path: bo-bukxz55axsb41raxb73qe9jj9pmxjm@b.e.borders.com
  -- This is where bounced email messages go when refused by the target system.
X-OriginalArrivalTime: 06 Oct 2009 06:25:49.0358 (UTC) FILETIME=[D89574E0:01CA464D]

Sample of a Header From SPAM:

Return-Path: katharyn.kathaleenip@awnet.com
Delivery-Date: Wed, 07 Oct 2009 05:26:32 -0400
Received: from syyyzf ([59.10.163.222]) by mx.perfora.net (node=mxus2) with ESMTP
    (Nemesis) id 0MFdfx-1N7qrp3Z7F-00FOKi; Wed, 07 Oct 2009 05:26:31 -0400
From: "Katharyn Kathaleen" katharyn.kathaleenip@awnet.com
MIME-Version: 1.0
Sender: katharyn.kathaleenip@awnet.com
Subject: Best Buy Viagra50mg/100mgx30=$79; x60=$179; x120=$218, Fast Shipping -
    100% SATISFACTION, We accept Master & Visa, 90000+ Satisfied US, UK
    Customers! NoPrescription! xcijcy s7mw
To: submissions@mwgraves.com
Bcc: michael@mwgraves.com
  -- And you thought nobody could tell when you used BCC!
Date: Wed, 07 Oct 2009 00:49:06 -0700
Message-ID: 1254901746.8269@awnet.com
X-Sender: katharyn.kathaleenip@awnet.com
Content-Type: multipart/alternative; boundary="----_NextPart_000_0EB9_517657C6.85CAC8F2"
X-Nemesis-Spam: fuhafi
  -- Indicates that my email provider's SPAM filter identified this as spam and
     redirected it to the SPAM folder. Which it did.
Envelope-To: michael@mwgraves.com
  -- This told the SMTP servers to send the message to my email address REGARDLESS
     of what was viewable in the To: field.
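As an added example (not part of the original document), the following Python script applies the bottom-up reading shown in both samples above: it orders the Received hops chronologically, pulls the announced name and IP of the first hop, and flags the envelope-recipient, Return-Path/Reply-To and spam-verdict details the annotations call out. The sample header is constructed from the spam header above, with a made-up second relay hop (mailstore.example.local, 10.0.0.5) added to show ordering.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the spam header above; the first Received line is a made-up relay.
SAMPLE = """\
Return-Path: <katharyn.kathaleenip@awnet.com>
Received: from mx.perfora.net ([10.0.0.5]) by mailstore.example.local with ESMTP
 id ZZZ999; Wed, 07 Oct 2009 05:26:32 -0400
Received: from syyyzf ([59.10.163.222])by mx.perfora.net (node=mxus2) with ESMTP
 (Nemesis)id 0MFdfx-1N7qrp3Z7F-00FOKi ; Wed, 07 Oct 2009 05:26:31 -0400
From: "Katharyn Kathaleen" <katharyn.kathaleenip@awnet.com>
To: submissions@mwgraves.com
Envelope-To: michael@mwgraves.com
X-Nemesis-Spam: fuhafi
"""

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s*(?:\((?P<info>[^)]*)\))?\s*by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_hops(raw):
    """Received hops in the order the mail travelled (bottom of the header first)."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP_RE.search(" ".join(value.split()))      # unfold continuation lines
        if m:
            ip = IP_RE.search(m.group("info") or "")
            hops.append({"helo": m.group("helo"), "ip": ip.group(1) if ip else None,
                         "by": m.group("by")})
    return hops

def domain(addr):
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def findings(raw):
    """Defender-side checks drawn from the annotated samples above."""
    msg, out = message_from_string(raw), []
    hops = parse_hops(raw)
    if hops and "." not in hops[0]["helo"]:                 # e.g. 'syyyzf'
        out.append("first hop gave an unqualified name %s from %s" % (hops[0]["helo"], hops[0]["ip"]))
    env = msg.get("Envelope-To", "")
    if env and env.lower() not in (msg.get("To") or "").lower():
        out.append("delivered to %s but To: shows %s" % (env, msg.get("To")))
    for hdr in ("Return-Path", "Reply-To"):                  # where replies and bounces really go
        if msg.get(hdr) and domain(msg[hdr]) != domain(msg["From"]):
            out.append("%s domain differs from From: domain" % hdr)
    for name in msg.keys():                                  # provider filter verdict, if any
        if name.lower().startswith("x-") and "spam" in name.lower():
            out.append("provider filter verdict: %s: %s" % (name, msg[name]))
    return out
```

Paste a real header into `SAMPLE` (or read it from a file) and print `parse_hops()` and `findings()`; the first hop's IP is the one to look up with WHOIS, as the next section does.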

Investigative Value:

This information was derived from the email seen in the first screenshot. I was a bit irritated that
my order of 500 Viagra tablets had not yet arrived. So I decided to see if I could figure out if I'd
been scammed. That shouldn't happen to a bright guy like me! A brief check with WHOIS tells
me a couple of things that make me worry that I might have gotten taken. 59.10.163.222 does not
indicate any server by the name of syyyzf. In fact, I learn that it is a server owned by an ISP
called Kornet in Korea. Wasn't my Viagra order supposed to come from California? So who is
AWNET.COM? It's hosted by GODADDY.COM (who has far and away the best advertisements
for an Internet Service Provider of all, but has no active user called katharyn.kathaleenip). The
company that registered that domain name is Awinc. LTD, yet another ISP? Wow. This could
get confusing.
