Email headers and what you can learn from them
Have you had a user ask you whether an email is real? More and more, users are receiving phishing or spam emails, and as scammers get more sophisticated the phishing attempts get harder to catch. It used to be that you could spot a phishing email by looking for misspelled words or bad grammar. While these can still be indicators of a phishing email, we cannot stop there; our detection methods need to grow as well.
Today we are going to look at email headers and how to read them. The email header contains the information that mail servers use to route the message to the correct place, and it holds a wealth of information that is not readily visible to the user. However, let’s look at the obvious clues first and work our way to the header.
When we receive an email, the first thing we tend to do is scan or read it to see if it is important. Messages from people we recognize, or that have some significance in our lives, get moved to the top of the list. Scammers love to “spoof” known senders to get our attention. Spoofing an email is the act of forging the sender so that the message appears legitimate. Here is an example of a spoofed email (Note: names and confidential information have been changed in this example):
From: John Smith [mailto:jsmith@gmail.com]
Sent: Monday, November 06, 2017 10:50 AM
To: Joan Johnson <joan@company.com>
Subject: RE: Professional Expense
Joan,
I’ll appreciate you get it all processed and released at the soonest. Below is the account information for a payment of $26,878.00. This should be coded to pre-paid professional fees. Send me the confirmation when completed.
NB: I’ll send support for this later on.
Beneficiary Name: Leilani Mendoza
Beneficiary Address: 770 Skokie Blvd. Northbrook, IL 60062
Checking Account: 12345679
Routine Number: 123456789
Bank Name: Bank
Bank Address: 123 E Northwest Hwy. city, ST 60582
Thanks, John Smith
President and Chief Executive Officer at Company
From the example, you can see that the scammer is trying to get someone to transfer money to a bank account. Let’s look at the obvious things first. The sender’s address is jsmith@gmail.com; if this were a business email it should come from the company’s domain, not Gmail. The scammer has used the name of the President, most likely taken from the company website. The next tip-off is the way the email is written, which is the harder part to judge. If you know the person, you may be able to tell whether it sounds the way they speak or have written emails in the past. If you do not know the person, it comes down to a judgment call or gut feeling. The last indicator is the sender including bank account information in the body: normally this kind of information would be sent over a secure email system or, at the very least, split across multiple emails.
Here are a few things to check for in a phishing email:
- The message contains a mismatched URL
- URLs contain a misleading domain name
- The message contains poor spelling and grammar
- The message asks for personal information
- The offer seems too good to be true
- You didn’t initiate the action
- You’re asked to send money to cover expenses
- The message makes unrealistic threats
- The message appears to have been sent from a government agency
- Something just doesn’t look right, i.e. gut feeling
In short, do a logic check to see whether this is something that could be legitimate. Do the email addresses match? Do the URLs go to the expected website? Does it make sense?
Now that we have looked at the obvious visual clues, let’s move on to the header and see what it can tell us. To examine the header, we need the original email, not a forwarded copy, because forwarding produces a new message with its own headers. This can be done in a variety of ways:
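The “mismatched URL” and “misleading domain name” checks in the list above can be automated for a triage queue. The following Python script is an added example, not code from the original post: it pulls every link out of an HTML message body and flags those whose visible text looks like a URL but whose href resolves to a different registrable domain. The SAMPLE_HTML body, the company.com and example-secure.net names, and the two-label `registrable` heuristic (no public-suffix list) are assumptions made for this example.

```python
"""Flag links whose visible text points at a different domain than the href (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible text that looks like a URL or bare domain, e.g. "https://www.company.com/invoice".
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


def host_of(url):
    """Lower-cased hostname of a URL; bare domains get a scheme so urlparse sees a host."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable(host):
    """Crude registrable domain: the last two labels (assumption; no public-suffix list here)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def find_mismatched_links(html):
    """Return one finding per link whose displayed URL and real target disagree."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not href or not URL_LIKE.match(text):
            continue  # plain-word link text ("our help page") cannot mismatch by itself
        shown, target = registrable(host_of(text)), registrable(host_of(href))
        if shown != target:
            findings.append({"text": text, "href": href, "shown": shown, "target": target})
    return findings


# Constructed sample body; company.com and example-secure.net stand in for a real brand and a lure.
SAMPLE_HTML = """<p>Please review <a href="http://login.example-secure.net/x">https://www.company.com/invoice</a>
before Friday, or read <a href="https://www.company.com/help">our help page</a>.</p>"""

if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_HTML):
        print(f"shows {f['shown']} but goes to {f['target']}: {f['href']}")
```

Running it on the sample reports the first link only: the text shows company.com while the target is example-secure.net. Links with plain-word text are skipped, since the displayed text alone cannot disagree with the target; those still need the “hover and look at the real URL” habit the list describes.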
- The user can save the email and send it as an attachment
- Certain Outlook add-ins will gather the header information and forward the email to your administrator
- The header can be extracted from the email and sent by itself
If you do not know how to view your email header, please check the following link:
https://mxtoolbox.com/Public/Content/EmailHeaders/
I have included some of the common ways to get the header information:
Outlook 2016
Double click on the email message so that it is opened in its own window.
1. On the Message tab, in the Options section, there is a little button with an arrow in it. Click on it and you have the message options menu with the internet headers in the bottom section.
2. This will bring up the Message Options window. The last component of this is the Internet Headers.
3. Right-click inside the headers and choose Select All, then right-click again and choose Copy.
4. Close the Message Options window.
5. You should now be looking at the original message window. You can paste these message headers into a plain text editor, such as Notepad or Notepad++.
Gmail
1. Open the message you’d like to view headers for.
2. Click the down arrow next to Reply, at the top-right of the message pane.
3. Select Show original.
4. The full headers will appear in a new window, simply right-click inside the headers and choose Select All, then right-click again and choose Copy.
5. Close the Message Source box.
6. You should now be looking at the original message window.
Header Breakdown
Return-Path: The Return-Path header is mainly used for bounces. It specifies where the message should be returned if it cannot be delivered, and so how the sending system can be reached. If the message is not delivered, the receiving mail server sends the bounce notification to the address in this field.
Received: The Received headers are essential in Outlook 2010 and all other versions. Each mail server that handles the message adds one, so together they list every server through which the message was routed on its way to the receiver. The best way to analyze these headers is to read them from bottom to top, because the bottom entry was added first.
This header also records when each server accepted the message. In the example email above, the message was sent on Monday, November 06, 2017 at 10:50 in the morning Central Standard Time, which is 6 hours behind UTC (Coordinated Universal Time).
This field also provides the IP addresses of the sender’s mail server, the receiver’s mail server, and every mail server the message passed through between them.
Message-ID: Every message is assigned a unique message ID that refers to a particular version of a particular message. For example:
Message-ID: <58060de3.644e420a.7228e.e2aa@mx.google.com>
This message has a unique identifier assigned by mx.google.com, the server that generated it. The ID stays associated with the message.
Date: As the name makes clear, this specifies the date and time when the message was composed and sent. Note that this value depends entirely on the clock of the sender’s computer.
From: The From header specifies the name and email address of the sender. This header can easily be forged, so it is the least reliable. For example:
From: "John Smith" <jsmith@gmail.com>
This says the message was sent by John Smith from the address jsmith@gmail.com.
To: The To field normally specifies the name and address of the recipient, that is, to whom the message was sent.
Subject: This header field displays the subject of the email message as specified by the sender.
MIME-Version: MIME (Multipurpose Internet Mail Extensions) is an Internet standard whose role is to extend the email message format. This header states the version of MIME the sender was using. It is also an important email header in Outlook.
Content-Type: An additional MIME header that tells MIME-compliant email programs what type of content to expect in the message. It also indicates the format of the message body, such as HTML, XML or plain text.
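To show how the Received chain, the sender fields and the Date header are read in practice, here is an added Python example that is not from the original post. It parses a constructed raw message modelled on the spoof above, lists the Received hops oldest first (bottom header first, as described under Received), compares the domains of Return-Path, Reply-To and Message-ID against the From address (Reply-To is not covered on this page but is checked the same way), and computes the gap between the sender-supplied Date and the first server timestamp. The RAW message, its hosts and ids, and the 198.51.100.x / 203.0.113.x addresses are constructed values, not real infrastructure.

```python
"""Parse the routing and sender headers of a raw message (added example)."""
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample; hosts, ids and the 198.51.100.x / 203.0.113.x addresses
# are documentation values, not real infrastructure.
RAW = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.company.com (mx.company.com [203.0.113.10])
        by inbox.company.com with ESMTP id abc123;
        Mon, 6 Nov 2017 10:50:30 -0600
Received: from mailer.example.net (unknown [198.51.100.7])
        by mx.company.com with ESMTP id xyz789;
        Mon, 6 Nov 2017 10:50:12 -0600
From: "John Smith" <jsmith@gmail.com>
Reply-To: "John Smith" <jsmith.ceo@example.org>
To: Joan Johnson <joan@company.com>
Subject: RE: Professional Expense
Date: Mon, 6 Nov 2017 10:50:00 -0600
Message-ID: <20171106165000.1234@mailer.example.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Joan, please process the payment below.
"""


def _grab(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None


def received_chain(raw):
    """Return the Received hops oldest first (the bottom header is the first hop)."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())              # unfold continuation lines
        body, sep, stamp = text.rpartition(";")     # the timestamp follows the last ';'
        if not sep:                                 # no ';' at all: no timestamp present
            body, stamp = text, ""
        hops.append({
            "from": _grab(r"\bfrom\s+(\S+)", body),
            "ip": _grab(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", body),
            "by": _grab(r"\bby\s+(\S+)", body),
            "time": parsedate_to_datetime(stamp.strip()) if stamp.strip() else None,
        })
    return hops


def _domain(msg, field):
    """Registrable-looking domain (last two labels) of an address header, or None."""
    value = msg.get(field)
    if not value:
        return None
    addr = parseaddr(value)[1]
    host = addr.rpartition("@")[2].lower()
    return ".".join(host.split(".")[-2:]) if host else None


def sender_consistency(raw):
    """Warn when the Return-Path, Reply-To or Message-ID domain differs from From."""
    msg = email.message_from_string(raw)
    from_dom = _domain(msg, "From")
    warnings = []
    for field in ("Return-Path", "Reply-To", "Message-ID"):
        dom = _domain(msg, field)
        if dom and from_dom and dom != from_dom:
            warnings.append(f"{field} domain {dom} differs from From domain {from_dom}")
    return warnings


def date_skew_seconds(raw):
    """Seconds between the sender-supplied Date and the first server's timestamp."""
    msg = email.message_from_string(raw)
    hops = received_chain(raw)
    if not msg.get("Date") or not hops or hops[0]["time"] is None:
        return None
    return (hops[0]["time"] - parsedate_to_datetime(msg["Date"])).total_seconds()


if __name__ == "__main__":
    for i, hop in enumerate(received_chain(RAW), 1):
        print(f"hop {i}: {hop['from']} [{hop['ip']}] -> {hop['by']} at {hop['time']}")
    for w in sender_consistency(RAW):
        print("warning:", w)
    print("Date vs first hop skew (s):", date_skew_seconds(RAW))
```

On the sample, the first hop is the unknown host at 198.51.100.7 handing the message to mx.company.com, and all three sender fields point somewhere other than gmail.com. Treat a Return-Path or Message-ID mismatch as a prompt to look closer rather than proof of spoofing: legitimate mailing lists and marketing platforms routinely send with their own bounce address and message IDs. A Date far from the first Received timestamp is also worth noting, since the Date value comes from the sender’s clock as described above.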
Conclusion
Phishing emails have become a part of the daily life of anyone with an email address. As administrators, it will fall upon us to be able to tell what is a legitimate email and what is not. Headers are an invaluable tool to see the truth behind the emails. With just a little effort on our part, we can identify the phishing emails and help to teach our users how to spot the obvious signs.
For your reference, please see below for links to email header analyzers:
https://technet.microsoft.com/en-us/library/dn133083(v=exchg.80).aspx
https://toolbox.googleapps.com/apps/messageheader/
https://mxtoolbox.com/EmailHeaders.aspx
I hope this helps to illuminate the world of email headers. What other things have you run across that help in catching those pesky email scammers?
Happy Hunting 🙂