Email Message Internet Header Analysis


An email’s Internet header contains address information for the recipient and sender and details of the servers handling the message’s transmission.

  • server details use fields from SMTP

Header in Email Communication

  • when an email is created
    • the mail user agent (MUA) creates an initial header and forwards the message to a mail delivery agent (MDA)
    • MDA should check that the sender is authorized to issue messages from the domain
    • MDA adds or amends its own header, then transmits the message to a message transfer agent (MTA)
    • MTA routes the message to the recipient
      • using DNS to locate the recipient’s MTA
      • message passes via one or more additional MTAs
        • e.g., SMTP servers operated by ISPs or mail security gateways
        • each MTA adds header information

3 Sender Address Fields

  • Display-From
    • the sender’s email address
    • this is the field displayed by an email client as the “From” field
    • submitted using a From: header in the message body
    • designated RFC5322.From
    • can be populated by both a friendly name string and the email address in angle brackets
    • email clients may suppress the display of the email address portion
      • bad practice
    • adversaries will often enter a trustworthy domain string in the first part
      • hoping that the email client won’t display the actual email address
    • e.g.,
      • Legit: Friendly Guy <friendlyguy@isp.foo>
      • Spoofed: friendlyguy@isp.foo <friendlyguy@xyz.foo>
  • Envelope-From
    • a return address for use if the email is rejected by the recipient MTA
    • can take various labels, including Return-Path
    • value of this field is submitted using the MAIL FROM SMTP command
    • designated as RFC5321.MailFrom
    • mail client typically hides this field
  • Received from/by
    • a list of the MTAs that processed the email
    • each MTA identifies itself and the server that sent the message
    • if an adversary is spoofing a domain,
      • the true origin of the message can be found by examining this list of servers
    • when starting a session with another SMTP server,
      • a server identifies itself using the HELO/EHLO string

Analysis

  • header typically is not shown by most email clients
  • can view and copy headers from a mail client via a message properties/options/source command
  • MTAs can add a lot of information in each received header
    • e.g., results of spam checking
  • when viewing the header in a plain text editor, it can be difficult to identify where each part begins and ends
    • Message Analyzer tool parses header information into a structured format
  • can implement software that inspects headers and alerts if it matches known malicious values

Email Header Analysis Example

Example

The example shows the headers from a spam message.

  • some fields have been removed
  • some of the original identifying information is redacted and replaced with placeholders
Received: from protection2.outlook.com (2603:10a6:208:ac::18) by exchangelabs.com with HTTPS ; Tue, 24 Dec 2019 19:30:08 +0000

Received: from protection1.outlook.com (10.152.16.53) by protection2.outlook.com (10.152.17.88) with Microsoft SMTP Server ; Tue, 24 Dec 2019 19:30:08 +0000

Authentication-Results: spf=none (sender IP is w.x.y.z) smtp.mailfrom=spam.foo; hotmail.com; dkim=none (message not signed) header.d=none;hotmail.com; dmarc=none action=none header.from=spam.foo;

Received-SPF: None (protection.outlook.com: spam.foo does not designate permitted sender hosts)
  • these fields record the receipt of the email by the recipient’s mail gateway, which performs analysis on it
  • sender’s domain is identified as spam.foo

Received: from openrelay.foo (w.x.y.z) by protection1.outlook.com (10.152.16.89) with Microsoft SMTP Server ; Tue, 24 Dec 2019 19:30:06 +0000
  • this field shows the SMTP server that originated the message
  • comes from a different domain than spam.foo
  • the openrelay.foo domain and IP address are on many mail blacklists

Subject: Your account is blocked by the administrator

Content-Transfer-Encoding: 7bit

Content-Type: text/html; charset="UTF-8"; format=flowed; delsp=yes

Date: Wed, 25 Dec 2019 06:30:07 +0000

MIME-Version: 1.0

From: Gmail Accounts <spammer@spam.foo>

To: recipient@hotmail.com

Return-Path: spammer@spam.foo
  • from and return-path fields list the same sender address
    • but note the attempt to disguise the nature of the sender by impersonating a Gmail account administrator

X-MS-Exchange-Organization-ExpirationStartTime: 24 Dec 2019 19:30:07.8963 (UTC)

X-MS-Office365-Filtering-Correlation-Id: ca0b527c-0b59-4085-cfc2-08d788a7af58

X-Sender-IP: w.x.y.z

X-SID-PRA: SPAMMER@SPAM.FOO

X-Microsoft-Antispam: BCL:8;

X-MS-Exchange-Organization-SCL: 6
  • the X- headers indicate custom headers that are controlled by the SMTP server administrator
    • often used for message authentication and spam analysis
    • these are from Microsoft
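The checks described in the Sender Address Fields and Analysis sections, implemented as an added example (not part of the original notes): the script unfolds a raw header block, compares Display-From, Envelope-From and the originating MTA, and reads the gateway’s SPF/DKIM/DMARC verdicts. The sample header block is constructed here, modelled on the spam example above with the w.x.y.z placeholder kept and the From: line altered to show the display-name spoof pattern from the notes.

```python
import re

# Constructed sample modelled on the spam example above (placeholders kept); long fields are folded as in real headers.
SAMPLE_HEADERS = """\
Received: from protection1.outlook.com (10.152.16.53) by protection2.outlook.com (10.152.17.88) with Microsoft SMTP Server; Tue, 24 Dec 2019 19:30:08 +0000
Authentication-Results: spf=none (sender IP is w.x.y.z) smtp.mailfrom=spam.foo;
 dkim=none (message not signed) header.d=none; dmarc=none action=none
Received: from openrelay.foo (w.x.y.z) by protection1.outlook.com (10.152.16.89)
 with Microsoft SMTP Server; Tue, 24 Dec 2019 19:30:06 +0000
From: friendlyguy@isp.foo <spammer@spam.foo>
Return-Path: <spammer@spam.foo>
"""
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")
domain = lambda s: s.strip("<> ").rpartition("@")[2].lower()   # domain of an address, or a bare host name

def unfold_headers(raw):
    """Return lower-cased (name, value) pairs, joining folded continuation lines onto their field."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:           # continuation line belongs to the previous field
            fields[-1] = (fields[-1][0], fields[-1][1] + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip().lower(), value.strip()))
    return fields

def analyze(raw):
    """Apply the header checks from the notes; return a list of finding strings."""
    fields = unfold_headers(raw)
    get = lambda name: [v for k, v in fields if k == name]
    findings = []
    # Display-From: text before <...> is the friendly name, the part inside is RFC5322.From
    m = re.search(r"<([^>]+)>", get("from")[0])
    display, addr = (get("from")[0][:m.start()], m.group(1)) if m else ("", get("from")[0])
    fake = ADDR_RE.search(display)                       # friendly name that is itself an address
    if fake and domain(fake.group()) != domain(addr):
        findings.append(f"display name impersonates {domain(fake.group())}; real sender {addr}")
    # Envelope-From (Return-Path) should agree with the Display-From domain
    for rp in get("return-path"):
        if domain(rp) != domain(addr):
            findings.append(f"Return-Path {rp} does not match From domain {domain(addr)}")
    # The last Received header is the first hop, i.e. the MTA that originated the message
    hop = re.search(r"from\s+(\S+)\s+\((\S+)\)", get("received")[-1])
    if hop and not hop.group(1).lower().endswith(domain(addr)):
        findings.append(f"originating MTA {hop.group(1)} ({hop.group(2)}) is outside {domain(addr)}")
    # SPF/DKIM/DMARC verdicts recorded by the receiving gateway
    for mech, res in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", " ".join(get("authentication-results"))):
        if res != "pass":
            findings.append(f"{mech} result is {res}")
    return findings
```

Running `analyze(SAMPLE_HEADERS)` reports the impersonated isp.foo display name, the openrelay.foo origin outside spam.foo, and the three failed authentication checks; a message whose From, Return-Path and originating MTA agree and whose SPF passes yields no findings.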