Email header analysis: determining whether a received mail is from the legitimate sender or not, and the techniques involved in phishing and spoofing attacks.
View Message Header in Mail
MS Outlook:
Open the message in MS Outlook.
Now go to "View" => "Message Options" => "Info" => "Properties".
Look at "Internet Headers".
Yahoo! Mail Webmail:
Open the message (click on it).
Click on "Actions" and select "View Full Header".
Google Mail (Gmail) Webmail:
Open the message (click on it). Click on the "down-arrow" at the top-right of the message and select "Show Original".
Now you will see the complete message source.
Email Header Analysis
Analysis is done in 7 stages:
1. Origination Date Field
2. Originator Fields
3. Destination Address Fields
4. Identification Fields
5. Information Fields
6. Trace Fields
7. Security Fields
NOTE: Email headers should always be read from bottom to top. Each mail server that handles the message adds its own Received header above the existing ones, so the lowest Received line is the first hop and the topmost is the last.
1. Origination Date Field
Date: The date and time at which the message was made available for delivery from source to destination.
2. Originator Fields
From: Name and email address of the author of the message.
Sender: The agent responsible for the actual transmission of the message on behalf of the author.
Reply-To: The address the author would like recipients to use for replies.
3. Destination Address Fields
To: Contains the address of the primary recipient.
Cc: Carbon Copy; contains the addresses of the others who are to receive the message.
Bcc: Blind Carbon Copy; contains the addresses of recipients of the message whose addresses are not to be revealed to the other recipients.
4. Identification Fields
Message-ID: A unique identification string generated when the message is sent.
In-Reply-To: Contains the Message-ID of the original message to which this reply was sent.
References: Identifies other documents related to this message, such as other e-mail messages.
5. Information Fields
Subject: Describes the subject or topic of the message.
Comments: Contains summarized comments regarding the message.
Keywords: Contains comma-separated keywords that may be useful to the recipients.
6. Trace Fields
Return-Path: Contains the address recorded by the MDA from the SMTP MAIL FROM command (the envelope sender).
Received: Contains trace information, including the originating host, intermediate relays and MSA host domain names or IP addresses.
MDA: Mail Delivery Agent.
MSA: Mail Submission Agent.
SMTP: Simple Mail Transfer Protocol.
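The bottom-to-top rule is easier to apply with a small script. The following Python is an added example, not part of the original slides: it parses a constructed raw message with the standard library `email` module, lists the Received hops in transit order (lowest header first) and flags the inconsistencies an analyst checks while walking upward: a relay whose "by" name does not match the name the next hop announced, timestamps that run backwards along the chain, and a host the receiving server could not reverse-resolve. The hostnames are reserved example names and the IP addresses come from documentation ranges; none of them is a real system.

```python
"""Walk the Received: chain of a raw message, bottom hop first.

Added example, not code from the original slides. The message below is
constructed for illustration: the hostnames are reserved example names and
the addresses come from documentation ranges (192.0.2.0/24, 198.51.100.0/24).
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample with two hops. Hop 1 (the lowest Received:) is the
# first mail server that touched the message; hop 2 is the recipient's MX.
RAW_MESSAGE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx1.example.org (mx1.example.org [198.51.100.7])
\tby inbound.example.com with ESMTPS id abc123
\tfor <user@example.com>; Mon, 03 Jun 2024 10:05:02 +0000
Received: from relay.mailer.example.net (unknown [192.0.2.44])
\tby mx1.example.org with ESMTP id def456;
\tMon, 03 Jun 2024 10:04:58 +0000
From: "Accounts Team" <billing@bank.example>
To: user@example.com
Subject: Invoice attached
Date: Mon, 03 Jun 2024 10:04:50 +0000
Message-ID: <20240603100450.1@mailer.example.net>

Please see the attached invoice.
"""

# "from <helo> (<reverse-dns> [<ip>]) by <receiver>" is the common shape;
# the parenthesised part is optional because some MTAs omit it.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                    # name the sender announced (HELO/EHLO)
    r"(?:\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\))?"   # reverse DNS and IP as seen by the receiver
    r".*?\bby\s+(?P<by>\S+)",                                  # host that wrote this Received: line
    re.DOTALL,
)


def parse_hops(raw):
    """Return the hops in transit order (first relay first)."""
    msg = message_from_string(raw)
    # get_all() returns headers top-down; each relay prepends its own line,
    # so reversing gives the order in which the message actually travelled.
    hops = []
    for number, hdr in enumerate(reversed(msg.get_all("Received", [])), start=1):
        match = HOP_RE.search(hdr)
        if not match:
            continue
        # RFC 5322 puts the timestamp after the last ';'.
        stamp = hdr.rsplit(";", 1)[1].strip() if ";" in hdr else None
        hops.append({
            "hop": number,
            "helo": match["helo"],
            "rdns": match["rdns"],
            "ip": match["ip"],
            "by": match["by"],
            "time": parsedate_to_datetime(stamp) if stamp else None,
        })
    return hops


def audit_hops(hops):
    """Flag the inconsistencies an analyst looks for while reading upward."""
    notes = []
    for cur, nxt in zip(hops, hops[1:]):
        # The host that stamped hop N should be the one announcing itself in hop N+1.
        if cur["by"] not in (nxt["helo"], nxt["rdns"]):
            notes.append(f"hop {cur['hop']}: stamped by {cur['by']} but hop {nxt['hop']} "
                         f"was announced by {nxt['helo']}")
        # Timestamps should not run backwards along the chain.
        if cur["time"] and nxt["time"] and nxt["time"] < cur["time"]:
            notes.append(f"hop {nxt['hop']}: timestamp earlier than hop {cur['hop']}")
    for hop in hops:
        # A relay with no reverse DNS is not proof of spoofing, but worth a second look.
        if not hop["rdns"] or hop["rdns"] == "unknown":
            notes.append(f"hop {hop['hop']}: receiving host recorded no reverse DNS for {hop['ip']}")
    return notes


if __name__ == "__main__":
    chain = parse_hops(RAW_MESSAGE)
    for hop in chain:
        print(f"hop {hop['hop']}: {hop['helo']} [{hop['ip']}] -> {hop['by']} at {hop['time']}")
    for note in audit_hops(chain):
        print("NOTE:", note)
```

Run against a real message by replacing `RAW_MESSAGE` with the full source copied from "Show Original" or "Internet Headers"; the regular expression covers the usual Received shape, and lines it does not match are skipped rather than guessed at.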
7. Security Fields
Received-SPF: SPF validation result for the sending domain and its mail servers.
DKIM-Signature: The signature over the header is stored in the DKIM-Signature header field, which also carries all of the signature and key-fetching data.
DMARC: Verifies that a sender's email messages are protected by both SPF and DKIM, and provides a way for the receiving server to report back to the sender about messages that pass and/or fail the DMARC evaluation.
SPF: Sender Policy Framework.
DKIM: DomainKeys Identified Mail.
DMARC: Domain-based Message Authentication, Reporting and Conformance.
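How a receiving server actually uses the security fields is worth seeing end to end. The following Python is an added example, not code from the original slides: it reads the SPF result from Received-SPF, the DKIM verdict from Authentication-Results (RFC 8601, the header in which the receiving server records its own verdicts; it is not in the table above), the d= tag of the DKIM-Signature, and then tests whether the authenticated domains align with the visible From: domain, which is what DMARC evaluates. DMARC passes when at least one of SPF or DKIM passes with an aligned domain. The message, its domains and the signature values are constructed; no DNS lookup or cryptographic verification is performed, and the alignment test is a simplified form of DMARC relaxed alignment.

```python
"""Read the authentication headers and test DMARC-style alignment.

Added example, not code from the original slides. The message is constructed:
every domain is a reserved example name, the DKIM bh= and b= values are
placeholders, and no DNS lookup or signature verification is performed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: SPF and DKIM both pass, but for mailer.example.net,
# while the visible From: claims bank.example and Reply-To: points elsewhere.
RAW_MESSAGE = """\
Return-Path: <bounce@mailer.example.net>
Received-SPF: pass (inbound.example.com: domain of mailer.example.net designates
\t192.0.2.44 as permitted sender) client-ip=192.0.2.44;
\tenvelope-from=bounce@mailer.example.net;
Authentication-Results: inbound.example.com;
\tdkim=pass header.d=mailer.example.net
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mailer.example.net;
\ts=sel1; h=from:to:subject:date; bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIG=
From: "Accounts Team" <billing@bank.example>
Reply-To: accounts-desk@freemail.example
To: user@example.com
Subject: Invoice attached

Please see the attached invoice.
"""


def domain_of(header_value):
    """Domain part of the first address in a header value, lower-cased ('' if none)."""
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def parse_auth_results(msg):
    """{method: (result, domain)} from Authentication-Results (RFC 8601)."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in hdr.split(";")]
        for part in parts[1:]:                      # parts[0] is the authserv-id
            m = re.match(r"(\w+)=(\w+)(.*)", part, re.DOTALL)
            if not m:
                continue
            method, result, rest = m.groups()
            prop = re.search(r"(?:header\.d|header\.from|smtp\.mailfrom)=(\S+)", rest)
            domain = prop.group(1).rsplit("@", 1)[-1].lower() if prop else None
            results[method.lower()] = (result.lower(), domain)
    return results


def dkim_signing_domains(msg):
    """d= tags of every DKIM-Signature header (who claims to have signed)."""
    domains = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)
        if "d" in tags:
            domains.append(tags["d"].strip().lower())
    return domains


def aligned(auth_domain, from_domain):
    """Relaxed alignment, approximated as 'same domain or a subdomain of it'.
    Real DMARC compares organisational domains using the public suffix list."""
    if not auth_domain or not from_domain:
        return False
    return (auth_domain == from_domain
            or auth_domain.endswith("." + from_domain)
            or from_domain.endswith("." + auth_domain))


def evaluate(raw):
    """Summarise what the headers say and whether it lines up with From:."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg.get("From", ""))
    auth = parse_auth_results(msg)

    spf_result, spf_domain = auth.get("spf", (None, None))
    if spf_result is None and msg.get("Received-SPF"):
        # Received-SPF: the result is its first token and the checked
        # identity is the envelope-from parameter (the MAIL FROM domain).
        spf_result = msg["Received-SPF"].split()[0].lower()
        env = re.search(r"envelope-from=([^;\s]+)", msg["Received-SPF"])
        spf_domain = env.group(1).rsplit("@", 1)[-1].lower() if env else None

    dkim_result, dkim_domain = auth.get("dkim", (None, None))
    spf_aligned = spf_result == "pass" and aligned(spf_domain, from_domain)
    dkim_aligned = dkim_result == "pass" and aligned(dkim_domain, from_domain)
    reply_to = domain_of(msg.get("Reply-To", ""))
    return {
        "from_domain": from_domain,
        "spf": (spf_result, spf_domain, spf_aligned),
        "dkim": (dkim_result, dkim_domain, dkim_aligned),
        "dkim_signers": dkim_signing_domains(msg),
        # DMARC passes when at least one mechanism passes *and* is aligned.
        "dmarc_pass": spf_aligned or dkim_aligned,
        "return_path_domain": domain_of(msg.get("Return-Path", "")),
        "reply_to_mismatch": bool(reply_to) and reply_to != from_domain,
    }


if __name__ == "__main__":
    for key, value in evaluate(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

In the sample both SPF and DKIM report pass, yet DMARC fails: they authenticate mailer.example.net while From: claims bank.example, and Reply-To points at a third domain. A "pass" result on its own says nothing about the sender the recipient sees; alignment with the From: domain is the check that matters.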
Possibility of Email Attacks
These include:
1. Abuses such as spamming, phishing, cyber bullying, child pornography, sexual harassment, racial vilification, etc.
2. Misuse by transmitting viruses, worms, Trojan horses, hoaxes and other malicious programs with the intent of spreading them over the Internet.
3. Internet infrastructure crimes carried out through Denial of Service and Directory Harvesting Attacks.
Techniques Used for Email Attacks
1. Spoofing
2. Unauthorized networks
3. Open mail relays
4. Re-mailers
5. Open proxies
6. SSH tunnels or port redirectors
7. Botnets
8. Untraceable internet connections
Tools Used for Header Analysis
1. G Suite Toolbox Messageheader
2. MxToolbox
3. What Is My IP?
4. Mailheader.org