Analyzing the email headers

In this internet age, businesses can’t survive without email communication. Email has become one of the most commonly used and preferred modes of communication known to mankind. It is used for keeping in touch with relatives and friends, sharing moments of joy, transferring important business documents and so on. Email security is therefore of high importance in both our personal and professional lives.

Each email on the internet originates at the sender’s computer; it is routed through a number of intermediate mail servers and finally reaches the recipient's computer. As an email travels across the internet, it carries a message body and an email header recording the path it took. So whenever you receive an abuse mail, you can find its source by reverse engineering the path it traveled. Cyber crime investigators routinely analyze email headers for evidence in email-related crimes.

Email headers not only contain valuable information on the source of the email, but also record the exact path taken by it. The header of an email sent from jithesh@yahoo.com to jithesh@gmail.com is given below.

Delivered-To: jithesh@gmail.com
Received: by 10.143.1.13 with SMTP id d13cs447920wfi;
Mon, 10 Dec 2007 21:46:26 -0800 (PST)
Received: by 10.100.136.15 with SMTP id j15mr2177and.1197351986311;
Mon, 10 Dec 2007 21:46:26 -0800 (PST)
Return-Path: <jithesh@yahoo.com>
Received: from web53808.mail.re2.yahoo.com (web53808.mail.re2.yahoo.com [206.190.36.203])
by mx.google.com with SMTP id 18si7850821wry.2007.12.10.21.46.25;
Mon, 10 Dec 2007 21:46:26 -0800 (PST)
Received: (qmail 15950 invoked by uid 60001); 11 Dec 2007 05:46:25 -0000
Received: from [61.17.21.220] by web53808.mail.re2.yahoo.com via HTTP; Mon, 10 Dec 2007 21:46:25 PST
Date: Mon, 10 Dec 2007 21:46:25 -0800 (PST)
From: jithesh pk <jithesh@yahoo.com>
Subject: Test Mail
To: jithesh pk <jithesh@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-996715425-1197351985=:15936"
Content-Transfer-Encoding: 8bit
Message-ID: <20071210214625.62086.qmail@web53808.mail.re2.yahoo.com>

--0-996715425-1197351985=:15936
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

This is a Test Mail

The best technique for analyzing an email header is to break it down into sections and start from the bottom. This email header can be divided into the following sections:

Date: Mon, 10 Dec 2007 21:46:25 -0800 (PST)
From: jithesh pk <jithesh@yahoo.com>
Subject: Test Mail
To: jithesh pk <jithesh@gmail.com>

This part tells us that this email was sent by jithesh@yahoo.com to jithesh@gmail.com on 10 December 2007 at 21:46 and has ‘Test Mail’ in its subject field.

Message-ID: 20071210214625.62086.qmail@web53808.mail.re2.yahoo.com

The Message-ID is the most important part of an email header. It gives valuable information about the source email server. It can be broken down into:

  1. 20071210214625 : Timestamp of the email in the format yyyymmddhhmmss. This is the date and time at which the sender connected to the source email server, i.e. this mail was sent on 10 Dec 2007 at 21:46:25.

  2. 62086 : Reference number of the corresponding email. Each mail sent from an email server has a unique Message-ID reference number.

Received: from web53808.mail.re2.yahoo.com (web53808.mail.re2.yahoo.com [206.190.36.203])
by mx.google.com with SMTP id 18si7850821wry.2007.12.10.21.46.25;
Mon, 10 Dec 2007 21:46:26 -0800 (PST)
Received: (qmail 15950 invoked by uid 60001); 11 Dec 2007 05:46:25 -0000
Received: from [61.17.21.220] by web53808.mail.re2.yahoo.com via HTTP; Mon, 10 Dec 2007 21:46:25 PST

This is the path traveled by this email across the internet. Analyze the path from bottom to top.

This email’s journey started from the machine with IP 61.17.21.220. From there it moved to the sender’s mail server, web53808.mail.re2.yahoo.com [206.190.36.203]. From the sender’s mail server it was received by the destination mail server, mx.google.com. The recipient connected to this destination mail server and read the mail.

Complete Path:

61.17.21.220 >> web53808.mail.re2.yahoo.com >> mx.google.com >> Destination system
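As an added example (not code from the original post), the following Python script automates the bottom-up walk described above over the post's own Received and Message-ID lines, and adds the check an investigator needs: the only hop you can vouch for is the one your own mail server logged (here mx.google.com), because every Received line below it was written by the sender's side and can be forged. The Message-ID parser follows the post's breakdown, which is specific to qmail-generated IDs; other mail servers use other formats.

```python
import re
from datetime import datetime
from email import message_from_string

# Sample: the Received/Message-ID lines from the post, continuation lines indented as on the wire.
RAW = """Received: by 10.143.1.13 with SMTP id d13cs447920wfi;
        Mon, 10 Dec 2007 21:46:26 -0800 (PST)
Received: from web53808.mail.re2.yahoo.com (web53808.mail.re2.yahoo.com [206.190.36.203])
        by mx.google.com with SMTP id 18si7850821wry.2007.12.10.21.46.25;
        Mon, 10 Dec 2007 21:46:26 -0800 (PST)
Received: (qmail 15950 invoked by uid 60001); 11 Dec 2007 05:46:25 -0000
Received: from [61.17.21.220] by web53808.mail.re2.yahoo.com via HTTP; Mon, 10 Dec 2007 21:46:25 PST
Message-ID: <20071210214625.62086.qmail@web53808.mail.re2.yahoo.com>

This is a Test Mail
"""

# "from <host> [(comment)] ... by <host>"; a bracketed IP is the address the receiving server saw.
HOP_RE = re.compile(r"\bfrom\s+(?P<frm>\S+)(?:\s+\([^)]*\))?.*?\bby\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# qmail-style IDs look like <yyyymmddhhmmss.ref.qmail@host>; other MTAs use other formats.
QMAIL_MSGID_RE = re.compile(r"^<?(\d{14})\.(\d+)\.qmail@([^>\s]+)>?$")

def trace_path(raw):
    """Hops oldest-first as (from_host, ip_seen_by_receiver, by_host); bottom Received = first hop."""
    msg = message_from_string(raw)
    hops = []
    for rcv in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(" ".join(rcv.split()))   # unfold continuation lines, then match
        if not m:                                   # "qmail invoked by uid" / "by X" only: no hop
            continue
        ip = IP_RE.search(rcv)
        hops.append((m["frm"].strip("[]"), ip.group(1) if ip else None, m["by"].rstrip(";")))
    return hops

def verified_origin(hops, trusted):
    """IP logged by the first server you trust; lines below it were written by the sender's side."""
    for _frm, ip, by in hops:
        if by in trusted:
            return ip
    return None

def parse_qmail_message_id(msgid):
    """Split a qmail Message-ID into (timestamp, reference number, originating host)."""
    m = QMAIL_MSGID_RE.match(msgid.strip())
    return None if not m else (datetime.strptime(m[1], "%Y%m%d%H%M%S"), m[2], m[3])

if __name__ == "__main__":
    hops = trace_path(RAW)
    print(" >> ".join([h[0] for h in hops] + [hops[-1][2], "Destination system"]))
    print("verifiable origin:", verified_origin(hops, {"mx.google.com"}))
```

For the post's header this prints the same path as above and reports 206.190.36.203 as the verifiable origin: 61.17.21.220 is what Yahoo's server claims, not something your own server observed.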

You can see that analyzing email headers is not very difficult. So next time you receive an abuse mail, don’t just press the DELETE button; find out the culprit with the following simple steps:

  1. Open the email header. This URL: http://mail.google.com/support/bin/answer.py?answer=22454 explains how to find the email header in some common email clients.

  2. Identify the IP of the source computer.

  3. Trace the IP to identify the culprit.