Email Forensics
February 12, 2008 2:16 PM Subscribe
Where can I find information about email headers? I'd like to learn how to look at an email header and answer such questions as "Was this email forged?" and "What is the IP of the sender and the sender's ISP?"
Thanks for your help. Examples of email header parsing would be welcome as well.
Best answer: Also, this.
Note that each e-mail client (sending program like Outlook) and server (sending and receiving) add their own twists and turns. Spam and virus filters also add another "layer" of fingerprint info.
posted by rokusan at 2:50 PM on February 12, 2008
Best answer: Sam Spade is a useful tool for investigating the bits and pieces of headers.
posted by elle.jeezy at 3:18 PM on February 12, 2008
The main thing is to follow the "received" headers. Each server adds a new header to the top of the list. So a proper email should look like:
Received from C by D;
Received from B by C;
Received from A by B;
Each time the server named after "from" should be the server named after "by" on the line below.
When headers have been forged, you will see something like:
Received from P by Q;
Received from O by P;
Received from M by N;
There is a break in the logic. P is the actual origin of the message and all headers below "Received from O by P;" are forged.
posted by winston at 3:27 PM on February 12, 2008
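The "follow the Received headers" check above, as an added Python example (not code from the thread or any of its posters). It reads the Received lines top-down and reports the first hop whose "from" host does not match the "by" host of the line beneath it; the "by" host of the last consistent line is the last server that can actually be vouched for. The message and host names are constructed to mirror the P/Q/O/M/N illustration.

```python
import email
import re
from email import policy

# Constructed sample message: the hop "from M by N" claims a path that
# nothing above it confirms (O != N), so it cannot be trusted.
SAMPLE = """\
Received: from P by Q; Tue, 12 Feb 2008 14:50:00 -0800
Received: from O by P; Tue, 12 Feb 2008 14:49:00 -0800
Received: from M by N; Tue, 12 Feb 2008 14:48:00 -0800
From: someone@example.com
Subject: test

body
"""

# "from <host> ... by <host>"; real headers carry extra comments and ids,
# so the match is non-greedy between the two keywords.
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE | re.DOTALL)


def parse_hops(raw):
    """Return (from_host, by_host) pairs, newest (topmost) header first."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(str(value))
        if m:
            hops.append((m.group(1).rstrip(";"), m.group(2).rstrip(";")))
    return hops


def first_break(hops):
    """Index of the first hop whose 'from' host is not the 'by' host below it, else None."""
    for i in range(len(hops) - 1):
        if hops[i][0].lower() != hops[i + 1][1].lower():
            return i
    return None


def analyze(raw):
    """Summarise the chain: where it breaks and the last server we can vouch for."""
    hops = parse_hops(raw)
    brk = first_break(hops)
    if not hops:
        return {"hops": [], "break_at": None, "last_verified_server": None}
    # The server named after 'by' wrote that line itself, so it is real even
    # when the 'from' host it names (and everything below) is unverified.
    last = hops[-1][1] if brk is None else hops[brk][1]
    return {"hops": hops, "break_at": brk, "last_verified_server": last}
```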
Though, now that I think of it, we don't know for certain that the "received by O" part is correct, just that it was actually P who added that header.
posted by winston at 11:27 AM on February 13, 2008
But try this site, it's a pretty good intro: http://www.uic.edu/depts/accc/newsletter/adn29/headers.html
posted by hubris at 2:21 PM on February 12, 2008