How to analyse Email Headers?
Email communication is important type of written communication. Today, communications are conducted among business firms, organizations and companies mostly via emails. This is not only the cheapest but also the most reliable means of communications. The companies and organizations communicate with other companies and organizations for business purposes through emails.
Email fraud is the intentional deception made for personal gain or to damage another individual through email. Almost as soon as email became widely used, it began to be used as a means to defraud people. Email fraud can take the form of a "con game" or scam.
Most important way to be safe from Email Frauds is to investigate the mail headers and inspect whether email has originated from a genuine source or is sent by attacker.
How to access the Message Header ?
Most mail clients allow access to the message header. The following list contains a few popular mail and web mail clients. Please refer to the manual of your mail client if your mail client is not included in this list.
View the Message Header in MS Outlook:
Open the message in MS Outlook. Now go to "View" and select "Message Options" - or "File" -> "Info" -> "Properties". Look at "Internet Headers".
View the Message Header in Google Mail (GMail) Webmail:
Login to your account on the web page and open the message (click on it). Click on the "down-arrow" on the top-right of the message and select "Show Original". Now you will see the complete message source.
View the Message Header in Yahoo! Mail Webmail: Login to your account on the webpage and open the message (click on it). Click on "Actions" and select "View Full Header". View the Message Header in Hotmail Webmail: Login to your account on the webpage and go to the message list. Right-click on the message and select "View Message Source". View the Message Header in Thunderbird: Open the message, then click on "View" and select "Message Source". View the Message Header in MS Windows Mail (and MS Outlook Express): Select the message in the list, right-click on it and select "Properties" and go to "Details
Analyzing message headers:
Message headers (email header) are used by people which include from, to, cc and subject.
The email message headers are contained in the envelope headers.
Overview of Email Headers
Email headers contain information which is used to track an individual email, detailing the path a message takes as it crosses mail servers. This is especially helpful when investigating SPAM, MalSPAM and phishing emails. Though there have been tools developed such as Email Gateways which can catch this, at times it is still necessary for a hunt team or threat intel team to use email header analysis to track a threat actor, campaign, or infrastructure.
As per the RFC 2822 from IETF, an email message consists of header fields followed by a message body. The header lines are used to identify particular routing information of the message, including the sender, recipient, date and subject. Some headers are mandatory like FROM, TO and DATE. Other header information includes the sending timestamps and the receiving timestamps of all the mail transfer agents(MTA) that have received and sent the message.
Important fields that could be of interest are:
Origination date field The origination date specifies the date and time at which the creator of the message indicated that the message was complete and ready to enter the Mail delivery system. So, this is the time that a user pushes the “send” or “submit” button in an application program
Originator Fields The originator fields of a message consist of the below fields and indicates the source of the message. a) From This field specifies the author(s) of the message i.e, the mailbox(es) of the person(s) or the system(s) responsible for writing the message. b) Sender This field specifies the mailbox of the agent responsible for the actual transmission of the message. For example, if Person A is sending a mail on behalf of another Person B, the mailbox of Person A would appear in the “Sender:” field and the mailbox of the actual author would appear in the “From:” field. c) Reply-to This is an optional field. If present, it indicates the mailbox(es) to which the author of the message suggests that replies be sent. In the absence of this field, replies should by default be sent to the mailbox(es) specified in the “From:” field. In many cases, phishing authors have exploited this field by having this enabled so that the recipient/victim of this mail might send the information to a different unintended mailbox.
Destination Address Fields The destination address fields specify the recipients of the message. a. To -This field contains the address(es) of the primary recipient(s) of the message. b. Cc - This field abbreviated as Carbon Copy contains the addresses of others who are to receive the message, though the content of the message may not be directed at them. c. Bcc - This field abbreviated as Blind Carbon Copy contains addresses of recipients of the message whose addresses are not to be revealed to other recipients of the message.
Identification Fields These are optional as below: a.ssage-ID Every message should have a “Message-ID:” field. The “Message-ID:” field contains a single unique message identifier that refers to a particular version of a particular message. A message identifier pertains to exactly one instantiation of a particular message and subsequent revisions to the message each receive new message identifiers. The generator of the message identifier MUST guarantee that the msg-id is unique. b. In-reply-to The contents of this field identify previous correspondence which this message has answered. c. References The contents of this field identify other correspondence which this message references. Also, one more point to be noted is that all reply messages should have “In-Reply-To:” and “References:” fields.
Informational Fields These are all optional. a. Keywords The “keywords:” field contains a comma-separated list of one or more words or quoted-strings. b. Subject This is the most common field and contains a short string identifying the topic of the message. c. Comments This field contains any additional comments on the text of the body of the message. The “Subject:” and “Comments:” fields are unstructured. d. Encrypted If data encryption is used to increase the privacy of message contents, the “ENCRYPTED” field can be used to indicate the nature of the encryption.
Trace Fields These are a group of header fields which provides trace information and which are used to provide an audit trail of message handling. In addition, it also indicates a route back to the sender of the message. a. Return-Path This field is added by the final transport system that delivers the message to its recipient. The field is intended to contain definitive information about the address and route back to the message’s originator. b. Received A copy of this field is added by each transport service that relays the message. The information in the field can be helpful while troubleshooting any network problems as well as while investigating Phishing and SPAM.
Additional Fields Additionally, there are parameters as below which helps in investigation. a. VIA The VIA parameter may be used to indicate what physical mechanism the message was sent over b. WITH The WITH parameter may be used to indicate the mail or connection level protocol that was used, such as SMTP or X.25 transport protocol. c. Date and Time Specification The headers will also carry the date, time zone information which would be one of the key information to investigate. d. User-Agent This field specifies the client software or program used by the source to send the mail
Note: Email headers should always be read from Bottom to Top
Analyzing Spam Email Headers
Spam characteristics appear in two parts of an email: the message header and the message content.
Headers are important to examine because they show the history of the message delivery path as well as some common characteristics of spam. When a message is initially generated, it should include standard header fields such as From, To, Subject, Date, and Message-ID. Other standard headers include Received, Cc, Bcc, etc.
Here are some typical header characteristics that can be found in spam:
The To: / Recipient address field
The To: or Cc: fields do not contain a recipient email address
The To: field is empty
To: field contains an invalid email address
More than 10 recipients in To: and/or Cc: fields
Bcc: header exists. In normal email messages, a Bcc: header does not exist since this is stripped from the mail.
The From: / Sender address field
The address in the From: field is the same as the To: field
Missing From: field
Missing or malformed Message ID
X-headers can refer to any non-standard header that gets added at any stage during the sending of an email. Some X-headers are added by spam filters to display the scan results. Examples of X-headers are:
X-Mailer: This field contains name of the mailing software that was used. If this header contains the name of popular spam software this could indicate that it is a spam message.
X-Distribution = bulk: Spammers using Pegasus Mail will have ‘X-Distribution: bulk’ added to their mail if it is addressed to a large number of recipients, but this doesn’t occur often. This header can also be used by newsletters (both legit and non-legit), so it’s not the most effective thing to filter by.
X-UIDL header exists: Incoming messages should not have an X-UIDL header since they are only intended for the mail server to stop it downloading messages more than once, for instance when ‘leave messages on server’ is checked. This header would normally be stripped when the message is received. Spammers add an X-UIDL header to try to get the recipient’s mail server to download multiple copies of their message and therefore increase the chance that the message will be read.
Methods for Threat Hunting
Tracking Back to the Source
The FROM header helps identify the sender of the mail. However, that can be spoofed. So, most of the time, this may not be a vital data point. However, in widespread campaigns, the same sender might be used for all the mail sent. To overcome SPAM filters, attackers have come up with new technique called a “Hailstorm” attack where every sender is unique.
The FROM address could be searched across the Internet with the help of Google Dorks to see if there is any history for this and if anyone else has already observed this.
From: "USPS Ground" <email@example.com>
The RECEIVED header is another vital information source which helps to understand where the mail has traversed (or “hopped”). Basically, these hops would be mail relays & servers. With this header, the sender’s infrastructure and location could be located through the IP Address that gets captured– that helps with attribution. From there, these IP addresses can be checked against existing blacklists to identify anything malicious.
The REPLY-TO field is normally filled in with the email address for replying to the message. This is another sign of the email to be malicious.
The MESSAGE-ID field provides a nice clue as to the actual origin of the mail. Message-identifiers are supposed to be unique identifiers and a common technique is to use the date and time of the message generation as the source of the first part of the message ID. This along with the Date field helps us to identify the country from where the email has originated. Lastly, the domain information in the message ID helps to identify the actual domain associated with this email.
Leveraging Threat Intelligence
There are numerous threat intel vendors who offer premium services and maintain the inventory of these malicious actors.
Humans are fallible and it is inevitable that at least one person in your organization is going to open a malicious email.
However, knowing what to do afterwards is as important as knowing how to avoid danger in the first place. As a closing note, below are the various ways in combatting email.
Do not trust that any message that you receive is legitimate, treat it with suspicion
Look at messages for content, misspellings and other anomalies
Do not click on any embedded links
Do not open any attachments
Keep your antivirus software up to date