In an age where a huge percentage of all attacks arrive through e-mail, very few of us know how to work out where an e-mail was actually sent from. That analysis must go beyond the sender address displayed in your e-mail client, which is trivially spoofed. Here is a simple tutorial on analyzing Internet headers.
I. Where to find the e-mail headers?
A very frequent question. Let's review the common e-mail reading interfaces and where you can see the e-mail headers in them:
- MS Outlook (all versions) - Point to a suspect email in your inbox and right-click. On the context menu, select Options. A new window will appear. In that window, the e-mail headers are displayed at the bottom, in the box titled Internet headers.
- Outlook Express (all versions) - Point to a suspect e-mail in your inbox and right-click. On the context menu, select Properties. A new window will appear. In that window, click on the Details tab. The e-mail headers are displayed in the box titled Internet headers for this message.
- Gmail - When you open an e-mail message, at the top there is a link titled "Show original". Click on it and a new browser window will appear, with the e-mail header at the top.
- Yahoo Mail - When you open an e-mail message, at the bottom there is a link titled "Full Headers". Click on it and the page will re-render, showing a very nice presentation of the e-mail header at the top.
II. How do e-mail headers work?
First, let's review how SMTP (Simple Mail Transfer Protocol) transfers your e-mail. Let's assume that you are sending an e-mail message to webmaster@shortinfosec.net.
- When you click Send, your local mail server accepts the message for further delivery.
- The mail server then breaks the recipient address into a user part (webmaster) and a domain part (shortinfosec.net).
- The mail server needs to know which server on the Internet accepts mail for that domain. To find out, it queries DNS for the Mail eXchanger (MX) record of shortinfosec.net.
- An MX record is simply the DNS name of a mail server that is registered to receive mail for that domain, i.e. one that knows what to do with e-mail addressed to it. A domain can list several MX servers, each with a preference value; the lowest value is tried first.
- The mail server connects to the MX server for shortinfosec.net and delivers the message. The MX server then follows its internal rules to deliver it to the mailbox of webmaster@shortinfosec.net.
- Some mail servers on the Internet are relay servers, which hold no real mailboxes. They are usually hosted by ISPs and accept e-mail for many domains, then pass it on internally to the real mail servers, which may sit on slow links or behind corporate firewalls.
- An e-mail message may therefore traverse several hops on the Internet before it is delivered to the recipient.
- Each mail server that handles the message in transit adds its own "Received:" line at the top of the header, recording the name the peer claimed and the IP address the connection actually came from. A legitimate mail server never removes or rewrites the Received: lines that are already there (RFC 5321 requires this). The mechanism was designed for troubleshooting, but it is very useful for spotting scams and fake e-mails.
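As an added example (not part of the original post), here is the relay chain above in Python: a stand-in DNS table resolves the MX, each hop prepends its own Received: line with the peer IP it actually saw, and the forged trace line the attacker supplied stays untouched underneath. All hosts, domains and addresses are invented (IPs from the RFC 5737 documentation ranges).

```python
"""Simulate MX lookup and relaying to see how Received: lines accumulate."""
import re
from datetime import datetime, timedelta, timezone

# Constructed scenario: hosts, domains and addresses are invented (RFC 5737 ranges).
# A stand-in for DNS: domain -> list of (preference, mail exchanger).
MX_TABLE = {
    "recipient.example": [(20, "mx2.recipient.example"), (10, "mx1.recipient.example")],
}
HOST_IP = {"mx1.recipient.example": "198.51.100.10", "mail.recipient.example": "192.0.2.20"}
# The host that really opens the TCP connection to our MX in this scenario.
ATTACKER_IP = "203.0.113.45"


def lookup_mx(domain):
    """Return the preferred mail exchanger (lowest preference value wins)."""
    records = MX_TABLE.get(domain.lower())
    if not records:
        raise LookupError(f"no MX record for {domain}")
    return min(records)[1]


def split_recipient(address):
    """user@domain -> (user, domain); reject anything that is not that shape."""
    user, sep, domain = address.rpartition("@")
    if not sep or not user or not domain:
        raise ValueError(f"malformed recipient {address!r}")
    return user, domain


def received_line(by_host, helo_name, peer_ip, when):
    """The trace line an MTA prepends when it accepts a message. helo_name is
    what the peer claimed in EHLO (untrusted); peer_ip is the TCP address the
    MTA actually observed, which the peer cannot choose."""
    stamp = when.strftime("%a, %d %b %Y %H:%M:%S +0000")
    return f"Received: from {helo_name} ([{peer_ip}]) by {by_host}; {stamp}"


def relay(headers, by_host, helo_name, peer_ip, when):
    """A well-behaved MTA adds its own line at the top and leaves the existing
    header block untouched (RFC 5321 section 4.4)."""
    return [received_line(by_host, helo_name, peer_ip, when)] + headers


def forged_headers():
    """What the attacker's box hands over: a spoofed From: and a fabricated trace
    line that makes the message look as if it left the bank's own gateway."""
    return [
        "Received: from smtp.chase.example ([10.1.1.1]) by gw.chase.example; "
        "Mon, 01 Jan 2024 09:59:00 +0000",
        "From: Chase Online <alerts@chase.example>",
        "Subject: Please verify your account",
    ]


def deliver(recipient, headers, sender_ip, sender_helo):
    """Resolve the MX, accept the message there, then hand it to the mailbox host."""
    _user, domain = split_recipient(recipient)
    mx = lookup_mx(domain)
    t0 = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)
    # Hop 1: the sender connects to our MX, claiming sender_helo in EHLO.
    headers = relay(headers, mx, sender_helo, sender_ip, t0)
    # Hop 2: the MX forwards to the internal mailbox server.
    headers = relay(headers, "mail.recipient.example", mx, HOST_IP[mx],
                    t0 + timedelta(seconds=2))
    return headers


def peer_ip_recorded_by(headers, host):
    """IP address that `host` wrote into its own Received: line, if any."""
    for line in headers:
        m = re.match(r"Received: from \S+ \(\[([0-9.]+)\]\) by (\S+);", line)
        if m and m.group(2) == host:
            return m.group(1)
    return None


if __name__ == "__main__":
    final = deliver("victim@recipient.example", forged_headers(),
                    ATTACKER_IP, "smtp.chase.example")
    print("\n".join(final))
```

Run it and the printed header block shows the shape the rest of this tutorial relies on: the two lines written by the recipient's own servers sit on top, the line written by mx1 names the attacker's real IP next to the "smtp.chase.example" name the attacker claimed, and the attacker's fabricated Received: line survives untouched at the bottom.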
III. How do I analyze the e-mail headers?
Let's review a real-life example: the following e-mail headers are from a message that supposedly arrived from Chase Bank and is a clear example of a phishing attack.
NOTE: The real recipient, domain and its servers are anonymized.
- The message claims that it was sent from email@example.com. The From: address is just another header the sender types in, so it can be forged at will. NEVER trust it on its own.
- The useful information is in the "Received:" lines. Each one represents a hop between two mail servers on the path from sender to recipient. These can also be forged, but only up to a point: a malicious sender can put whatever Received: lines it likes into the message before handing it over, but sooner or later it has to hand the message to a legitimate mail server. That server records the IP address of the connection it actually accepted the message from, and the sender has no way to change what it writes.
- So the Received: lines added by your own mail provider's servers, and the IP each of them recorded for the peer that handed the message over, are trustworthy; everything beneath them is the sender's word. The lowest trustworthy line tells you where the message really came from.
- The "Received:" lines are stacked on top of each other: the first hop is the lowest line and the last hop is the topmost one. To follow the path the message took, read them from the bottom up.
- Reading our e-mail header that way, this e-mail entered the recipient's ISP from an ADSL IP address registered to an ISP in Warszawa, Poland, and then made two more hops through the delivery ISP's protection systems before reaching the mailbox. Visually, the path of the mail was: the sender's ADSL address in Poland, then two hops through the delivery ISP's protection systems, then the recipient's mailbox.
IMPORTANT - You can easily check the registered owner of any IP address with a whois lookup, for example at SamSpade.org.
- Suddenly it's obvious that this message has a slim-to-none chance of having been sent by Chase Bank. There is absolutely no reason for a bank to send mail via an ADSL line in Poland when it has its own corporate mail servers.
- Two more elements can help the analysis, although both are set by the sending software and can be forged just as easily as the From: address:
- X-USER_IP - the apparent IP address of the client computer that sent the message
- User-Agent - the apparent mail client program used to send the message
- In our example, X-USER_IP points to 220.127.116.11, an AT&T WorldNet Services address, while the User-Agent claims to be a Tumbleweed MailGate server. Neither fits a bank mailing its customers, and neither matches the Polish ADSL address the Received: lines show, so both are highly suspicious and we discard them.
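As an added example, not code from the original post, here is a small Python analyzer that applies the bottom-up reading above to a constructed header block modelled on the Chase sample (all hosts, addresses and IPs are invented, using RFC 5737 documentation ranges). It uses the standard email module to pull out the Received: lines, reverses them into chronological order, walks back down from the newest line while the receiving host belongs to the recipient's ISP, and reports the peer IP and reverse DNS that the last trusted server recorded next to the forgeable From:, X-USER_IP and User-Agent values.

```python
"""Walk Received: lines bottom-up and find the origin IP a trusted server recorded."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed raw message modelled on the phishing sample described above.
# Every host, address and IP is invented; IPs come from RFC 5737 documentation ranges.
RAW = """\
Received: from mx2.isp.example ([192.0.2.8]) by mailstore.isp.example
\twith ESMTP id 7Qx1; Tue, 03 Jun 2008 14:12:09 +0000
Received: from mx1.isp.example ([192.0.2.7]) by mx2.isp.example
\twith ESMTP; Tue, 03 Jun 2008 14:12:07 +0000
Received: from chase.example (adsl-203-0-113-77.warszawa.example [203.0.113.77])
\tby mx1.isp.example with SMTP; Tue, 03 Jun 2008 14:12:04 +0000
Received: from mailgate.chase.example (10.2.2.2) by smtp.chase.example;
\tTue, 03 Jun 2008 14:11:00 +0000
From: "Chase Online" <alerts@chase.example>
To: victim@recipient.example
Subject: Your account has been suspended
X-USER_IP: 198.51.100.23
User-Agent: Tumbleweed MailGate

Dear customer, please verify your account at the link below.
"""

# Hosts whose Received: lines we trust: the recipient ISP's own infrastructure.
OUR_HOSTS = {"mx1.isp.example", "mx2.isp.example", "mailstore.isp.example"}

# "from <helo> (<rdns> [<ip>]) by <host>"; the parenthesised part is optional.
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s+(?:\((?P<paren>[^)]*)\)\s+)?by\s+(?P<by>[^\s;]+)")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received(value):
    """One Received: header value -> dict, or None if it is not in from/by shape."""
    value = " ".join(value.split())          # unfold continuation lines
    m = HOP_RE.search(value)
    if not m:
        return None
    paren = (m.group("paren") or "").split()
    ip = IP_RE.search(" ".join(paren))
    rdns = None                              # reverse DNS the receiving MTA looked up
    if paren and not paren[0].startswith("[") and not IP_RE.fullmatch(paren[0]):
        rdns = paren[0]
    return {"helo": m.group("helo"), "rdns": rdns,
            "ip": ip.group(1) if ip else None, "by": m.group("by")}


def hops_chronological(raw):
    """Received: lines are prepended, so reverse them to follow the message's path."""
    msg = message_from_string(raw)
    parsed = [parse_received(v) for v in msg.get_all("Received", [])]
    return [h for h in reversed(parsed) if h]


def true_origin(raw, our_hosts=OUR_HOSTS):
    """Read newest-first while the receiving host is ours; the last such line
    holds the peer our infrastructure actually saw. Everything beneath it
    (here the 'smtp.chase.example' hop) was supplied by the sender."""
    origin = None
    for hop in reversed(hops_chronological(raw)):
        if hop["by"] not in our_hosts:
            break
        origin = hop
    return origin


def report(raw, our_hosts=OUR_HOSTS):
    """Compare the claimed sender with where the message really entered our network."""
    msg = message_from_string(raw)
    claimed_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    origin = true_origin(raw, our_hosts)
    seen = ((origin or {}).get("rdns") or "").lower()
    return {
        "claimed_from": claimed_domain,
        "origin_ip": origin["ip"] if origin else None,
        "origin_rdns": seen or None,
        "origin_matches_sender": bool(claimed_domain) and (
            seen == claimed_domain or seen.endswith("." + claimed_domain)),
        # Written by the sending software, so only ever a hint:
        "x_user_ip": msg.get("X-USER_IP"),
        "user_agent": msg.get("User-Agent"),
    }


if __name__ == "__main__":
    for hop in hops_chronological(RAW):
        print(f"{hop['ip'] or '?':>16}  {hop['helo']:<28} -> {hop['by']}")
    print(report(RAW))
```

The trust boundary is the only design decision that matters here: the walk starts at the top and stops at the first line not written by one of your own servers, because an attacker can fabricate a line that says "by mx1.isp.example" just as easily as one that says "by smtp.chase.example". Reading from the bottom and stopping at the first familiar host name would let that forgery win.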
When in doubt about the authenticity of an e-mail message, DON'T follow the instructions in it and DON'T open its attachments. Instead:
- Open the e-mail headers and read where it came from. Usually it is very easy to identify a fake message just from the path it took across the Internet.
- If you can't work it out, extract the headers and send them to your IT or security officer for analysis.
Talkback and comments are most welcome