http://ask.metafilter.com/83496/Email-Forensics/ Comments on Ask MetaFilter post Email Forensics Tue, 12 Feb 2008 14:21:52 -0800 Tue, 12 Feb 2008 14:21:52 -0800 en-us http://blogs.law.harvard.edu/tech/rss 60 http://ask.metafilter.com/83496/Email-Forensics Where can I find information about email headers? I'd like to learn how to look at an email header and answer such questions as "Was this email forged?" and "What is the IP of the sender and the sender's ISP?" <br /><br /> Thanks for your help. Examples of email header parsing would be welcome as well. post:ask.metafilter.com,2008:site.83496 Tue, 12 Feb 2008 14:16:47 -0800 about_time forensics computers security email http://ask.metafilter.com/83496/Email-Forensics#1236048 It's pretty much just experience; taking an e-mail and reading through it, then looking up stuff you don't know. <br> <br> But try this site, it's a pretty good intro: http://www.uic.edu/depts/accc/newsletter/adn29/headers.html comment:ask.metafilter.com,2008:site.83496-1236048 Tue, 12 Feb 2008 14:21:52 -0800 hubris http://ask.metafilter.com/83496/Email-Forensics#1236083 <a href="http://cr.yp.to/immhf.html">Also, this.</a><br> <br> Note that each e-mail client (sending program like Outlook) and server (sending and receiving) add their own twists and turns. Spam and virus filters also add another "layer" of fingerprint info. comment:ask.metafilter.com,2008:site.83496-1236083 Tue, 12 Feb 2008 14:50:17 -0800 rokusan http://ask.metafilter.com/83496/Email-Forensics#1236121 <a href="http://www.softpedia.com/get/Network-Tools/Network-Tools-Suites/Sam-Spade.shtml">Sam Spade</a> is a useful tool for investigating the bits and pieces of headers. comment:ask.metafilter.com,2008:site.83496-1236121 Tue, 12 Feb 2008 15:18:02 -0800 elle.jeezy http://ask.metafilter.com/83496/Email-Forensics#1236145 The main thing is to follow the "received" headers. Each server adds a new header to the top of the list. So a proper email should look like:<br> <br> Received from C by D;<br> Received from B by C;<br> Received from A by B;<br> <br> Each time the server named after "from" should be the server named after "by" on the line below.<br> <br> When headers have been forged, you will see something like:<br> <br> Received from P by Q;<br> Received from O by P;<br> Received from M by N;<br> <br> There is a break in the logic. P is the actual origin of the message and all headers below "Received from O by P;" are forged. comment:ask.metafilter.com,2008:site.83496-1236145 Tue, 12 Feb 2008 15:27:49 -0800 winston http://ask.metafilter.com/83496/Email-Forensics#1236411 You mean O is the origin, yes? comment:ask.metafilter.com,2008:site.83496-1236411 Tue, 12 Feb 2008 18:29:57 -0800 yclipse http://ask.metafilter.com/83496/Email-Forensics#1236441 alt.spam FAQ: <a href="http://digital.net/~gandalf/spamfaq.html#item2">Tracing an e-mail message</a> comment:ask.metafilter.com,2008:site.83496-1236441 Tue, 12 Feb 2008 18:57:32 -0800 DevilsAdvocate http://ask.metafilter.com/83496/Email-Forensics#1237197 Thanks, yclipse. You are correct. comment:ask.metafilter.com,2008:site.83496-1237197 Wed, 13 Feb 2008 11:24:47 -0800 winston http://ask.metafilter.com/83496/Email-Forensics#1237203 Though, now that I think of it, we don't know for certain that the "received by O" part is correct, just that it was actually P who added that header comment:ask.metafilter.com,2008:site.83496-1237203 Wed, 13 Feb 2008 11:27:53 -0800 winston http://ask.metafilter.com/83496/Email-Forensics#1237205 from O. I'll stop now comment:ask.metafilter.com,2008:site.83496-1237205 Wed, 13 Feb 2008 11:28:27 -0800 winston