Network Security 101: How to read an E-Mail Header

Add Your Comments

E-Mail is one of the most common way to send messages on the Internet, but not many people know how e-mail gets from your PC to your friend.

E-mail messages contain all the information you need to track down where those messages originated – if you know how to read it.

 

Mail Flow – Post Office, 2.0

 

When someone sends a letter through the postal service, the letter is put into envelope and into a mailbox. An employee from the postal office picks up the message and takes it to the post office. The envelope of the letter is then postmarked, routed through the post office’s mailing systems, and then delivered to the recipient’s mailbox.

E-Mail works very much like your average postal mail system. Instead of a letter we now use the body of an e-mail message, and instead of an envelope we now have a header. When a user sends an e-mail message, it is received by the user’s outgoing mail server via the Simple Mail Transfer Protocol (SMTP), routed through the Internet to other mail servers via SMTP, and then delivered to the recipients via Post Office Protocol Version 3 (POP3) or Internet Message Access Protocol (IMAP).

 

Headers – who are you and where did you come from?

 

The header of an e-mail message contains a wealth of information to determine where your mail comes from. Take a look at the example header below:

Delivered-To: recipient@customer.com
Received: by 10.204.101.212 with SMTP id d20cs87352bko;
Sat, 19 Sep 2009 17:48:08 -0700 (PDT)
Received: by 10.231.61.195 with SMTP id u3mr5730152ibh.12.1253407686583;
Sat, 19 Sep 2009 17:48:06 -0700 (PDT)
Return-Path:
Received: from mxsend.company.com ([1.2.3.4])
by mx.google.com with ESMTP id 38si7009500iwn.67.2009.09.19.17.48.04;
Sat, 19 Sep 2009 17:48:06 -0700 (PDT)
Received-SPF: neutral (google.com: 1.2.3.4 is neither permitted nor denied by best guess record for domain of sender@company.com) client-ip=1.2.3.4;
Authentication-Results: mx.google.com; spf=neutral (google.com: 1.2.3.4 is neither permitted nor denied by best guess record for domain of sender@company.com) smtp.mail=sender@company.com
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=”—-_=_NextPart_001_01CA398C.029F16F9″
X-MimeOLE: Produced By Microsoft Exchange V6.5
Subject: Example Message
Date: Sat, 19 Sep 2009 20:48:03 -0400
Message-ID:
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Example Message
Thread-Index: Aco5jAJxBXQKuDvKSPugBjy9m/cWEg==
From: “Joe Sender” sender@company.com
To: recipient@customer.com

 

Follow the Postmarks

 

From the header above we can determine how the message was postmarked and which post offices it traveled through across the way. I have highlighted the parts of the message above that we are interested as an example:

Delivered-To: recipient@customer.com
Received: by 10.204.101.212 with SMTP id d20cs87352bko;
Sat, 19 Sep 2009 17:48:08 -0700 (PDT)
Received: by 10.231.61.195 with SMTP id u3mr5730152ibh.12.1253407686583;
Sat, 19 Sep 2009 17:48:06 -0700 (PDT)
Return-Path:
Received: from mxsend.company.com ([1.2.3.4])
by mx.google.com with ESMTP id 38si7009500iwn.67.2009.09.19.17.48.04;
Sat, 19 Sep 2009 17:48:06 -0700 (PDT)

When looking at the headers, pay attention to phrases “Received: from” and “Received: by”. Each mail server will add its own postmark to the top of header as it flows through the mail system. The first server listed in the header (Received: by) is the final receiving server; the last server (Received: from) mentioned in the headers is the usually original sending mail system – in the example above we see the following mail servers mentioned:

* 10.204.101.212
* 10.231.61.195
* mx.google.com
* mxsend.company.com

The final destination server is 10.204.101.212, and the original sending server is mxsend.company.com in this case.

 

How is this Useful?

 

Determining the mail servers can go a long way in determining who sent out an email message. For example, you may see a great deal of spam coming from many recipients but the source of the messages may be coming from one particular server. Using this information you can then block that mail server via firewall/router policy; also you can use the information to contact the owner of the server to make sure they are aware of the spam messages being sent out through their server.

Clay Haynes
Dark_15

Leave a Reply

Your email address will not be published. Required fields are marked *