This is a basic post about the first step in examining an email for signs of phishing; at the end it lists key points about email headers in general.

We start with the basic header information Gmail exposes and how to decode the encoded parts of it.

Here is an example of an encoded Subject line as it appears in the raw header:

Subject: =?UTF-8?B?T3JkZXIgUGxhY2VkIDogWW91ciBPcmRlciBJRCBPRDIzMjE2NTcwODkyOTEgUGxhY2VkIFN1Y2Nlc3NmdWxseQ==?=

This is the RFC 2047 “encoded-word” format; a short explanation is at https://stackoverflow.com/questions/10828807/how-to-decode-utf-8b-to-string-in-c-sharp

An encoded word has the form =?charset?encoding?text?=. Here the charset is UTF-8 and the encoding is B, meaning Base64. Strip the leading tag and the trailing ?= delimiter:

Subject: =?UTF-8?B?

T3JkZXIgUGxhY2VkIDogWW91ciBPcmRlciBJRCBPRDIzMjE2NTcwODkyOTEgUGxhY2VkIFN1Y2Nlc3NmdWxseQ==

?=

Leaving us with: T3JkZXIgUGxhY2VkIDogWW91ciBPcmRlciBJRCBPRDIzMjE2NTcwODkyOTEgUGxhY2VkIFN1Y2Nlc3NmdWxseQ==

Keep the trailing ==. It is Base64 padding and belongs to the encoded text, not to the ?= delimiter; lenient decoders accept the string without it, but strict ones reject it.

Then go to https://www.base64decode.org/ to do the decoding. I like the site because it has the “auto-detect” option for the encoded content.

Paste in the data and hit Decode. The subject decodes to:

Order Placed : Your Order ID OD2321657089291 Placed Successfully
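As an added example (not code from the original post), here is a Python decoder for the RFC 2047 encoded-word syntax shown above. It handles both the B (Base64) and Q (quoted-printable) encodings, joins several encoded words in one header value, and shows why the trailing == has to stay with the payload: a padding-strict decoder rejects the trimmed string, while lenient web decoders quietly re-pad it. The helper names are mine, and the Q-encoded and multi-word inputs in the usage section are constructed.

```python
import base64
import binascii
import quopri
import re

# The encoded Subject line from the page.
SUBJECT = ("=?UTF-8?B?T3JkZXIgUGxhY2VkIDogWW91ciBPcmRlciBJRCBPRDIzMjE2NTcwODkyOTEg"
           "UGxhY2VkIFN1Y2Nlc3NmdWxseQ==?=")

# RFC 2047 encoded-word: =?charset?encoding?encoded-text?=
# encoding is B (Base64) or Q (a quoted-printable variant). The encoded text
# never contains '?' or whitespace, so the pattern can stop at either.
ENCODED_WORD = re.compile(
    r"=\?(?P<charset>[^?\s]+)\?(?P<enc>[BbQq])\?(?P<text>[^?\s]*)\?=")


def decode_encoded_word(word: str) -> str:
    """Decode one encoded-word; return the input unchanged if it is not one."""
    m = ENCODED_WORD.fullmatch(word.strip())
    if not m:
        return word
    charset = m.group("charset").split("*")[0]   # drop an RFC 2231 language tag
    if m.group("enc").upper() == "B":
        raw = base64.b64decode(m.group("text"))   # padding must be present
    else:
        # header=True turns '_' into a space, as Q encoding requires
        raw = quopri.decodestring(m.group("text").encode("ascii"), header=True)
    return raw.decode(charset, errors="replace")


def decode_rfc2047(value: str) -> str:
    """Decode a whole header value that may mix plain text and encoded-words."""
    out, pos, prev_encoded = [], 0, False
    for m in ENCODED_WORD.finditer(value):
        gap = value[pos:m.start()]
        # RFC 2047 section 6.2: whitespace between two adjacent encoded-words is dropped
        if not (prev_encoded and gap.strip() == ""):
            out.append(gap)
        out.append(decode_encoded_word(m.group(0)))
        pos, prev_encoded = m.end(), True
    out.append(value[pos:])
    return "".join(out)


def base64_payload(value: str) -> str:
    """The text between '=?UTF-8?B?' and '?=', i.e. what you paste into a decoder."""
    m = ENCODED_WORD.fullmatch(value.strip())
    if not m or m.group("enc").upper() != "B":
        raise ValueError("not a B-encoded word")
    return m.group("text")


def strict_base64_accepts(payload: str) -> bool:
    """True if a padding-strict Base64 decoder takes the payload as given."""
    try:
        base64.b64decode(payload, validate=True)
        return True
    except binascii.Error:
        return False


def repad(payload: str) -> str:
    """Restore '=' padding trimmed by hand; lenient web decoders do this for you."""
    return payload + "=" * (-len(payload) % 4)


if __name__ == "__main__":
    print(decode_rfc2047(SUBJECT))
    payload = base64_payload(SUBJECT)
    print("strict decoder accepts full payload:", strict_base64_accepts(payload))
    print("strict decoder accepts payload without '==':",
          strict_base64_accepts(payload.rstrip("=")))
    # constructed inputs: a Q-encoded word next to a B-encoded one
    print(decode_rfc2047("=?UTF-8?Q?Caf=C3=A9_order?= =?UTF-8?B?4pyT?="))
```

For real messages the standard library does the same job: str(email.header.make_header(email.header.decode_header(value))) decodes a header value in one line. The hand-rolled version above is here so the parsing steps and the padding pitfall are visible.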

Email Header Lookup From Gmail

Open the email, click the three dots at the top right of the message, then click “Show original”.

This opens a view that parses the key fields at the top (Message ID, created time, From, To, Subject and the SPF, DKIM and DMARC results) and shows the raw headers and message body below, with buttons to copy or download the original.

Other Great Tools

https://mha.azurewebsites.net/ (Microsoft's Message Header Analyzer: paste the raw headers and it lays out the Received hops with the delay at each one)

https://cyberchef.io (for the decoding steps, e.g. the “From Base64” and “Decode text” operations)




General Notes About Email Header Info

The following are key pointers about email header info in general

(Email Header Basics sections identified from Mediatemple: https://mediatemple.zendesk.com/hc/en-us/articles/204643950-Understanding-an-email-header)

The example email header is at the bottom of this post.

Return-Path
  • The envelope sender address (the SMTP MAIL FROM), which is where bounces and delivery failures are sent. It is not the same as Reply-To:, which is a separate header the sender sets to steer replies, and it does not have to match the From: address shown in the mail client.

Return-Path: <mt.kb.user@gmail.com>

Envelope-To
  • The mailbox the message was actually delivered to (the SMTP RCPT TO address); here the subscriber whose address is user@example.com. It can differ from the To: header, for example when the message went to a Bcc recipient or a mailing list.

Envelope-To: user@example.com

Date
  • The date and time the sender's mail client put on the message when it was sent. It is set by the sending side, so it can be forged; the time your (mt) server actually received the message is in the Delivery-Date: header and in the top Received: line.

Date: January 25, 2011 3:30:58 PM PDT
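An added example, not from the post or from Media Temple, that pulls the three sender-related addresses apart with Python's standard email parser and flags domain mismatches between them, which is the quick alignment check to run on a suspected phish. The sample headers are constructed from the page's example; the Reply-To: line (support@example.net is a placeholder) is added here to show that Reply-To: is independent of Return-Path:.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample based on the page's example header, plus an added
# Reply-To: line with a placeholder address.
SAMPLE = """\
Return-Path: <mt.kb.user@gmail.com>
Envelope-To: user@example.com
Date: Tue, 25 Jan 2011 15:30:58 -0700
From: Media Temple user <mt.kb.user@gmail.com>
Reply-To: "Media Temple user" <support@example.net>
To: user@example.com
"""


def domain(address: str) -> str:
    """Lower-cased domain part of an address ('' if there is no address)."""
    return address.rpartition("@")[2].lower()


def sender_identities(raw: str) -> dict:
    """The three places a message names a sender, each reduced to a bare address."""
    msg = message_from_string(raw)
    return {
        "envelope_sender": parseaddr(msg.get("Return-Path", ""))[1],  # SMTP MAIL FROM; bounces go here
        "header_from": parseaddr(msg.get("From", ""))[1],             # what the mail client displays
        "reply_to": parseaddr(msg.get("Reply-To", ""))[1],            # where a reply is sent
    }


def alignment_findings(ids: dict) -> list:
    """Domain mismatches between the three identities. Mailing lists and bulk
    senders legitimately trip the Return-Path check, so treat these as leads."""
    from_dom = domain(ids["header_from"])
    findings = []
    env_dom = domain(ids["envelope_sender"])
    if env_dom and env_dom != from_dom:
        findings.append(f"Return-Path domain {env_dom} differs from From domain {from_dom}")
    reply_dom = domain(ids["reply_to"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    return findings


if __name__ == "__main__":
    ids = sender_identities(SAMPLE)
    for name, addr in ids.items():
        print(f"{name:16} {addr or '(absent)'}")
    for finding in alignment_findings(ids) or ["all three domains agree"]:
        print(finding)
```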

Received

“It is important to know that when reading an email header every line can be forged, so only the Received: lines that are created by your service or computer should be completely trusted.” (Media Temple: https://mediatemple.zendesk.com/hc/en-us/articles/204643950-Understanding-an-email-header)

The Received: lines form a list of all the servers through which the message traveled to reach you. Each server that handles the message adds its own line at the top, so the lines are best read from bottom to top.

That is, the first (topmost) Received: line was written by your own mail server and records which server handed the message to it.

The last (bottom) Received: line is the closest to where the mail originated.

Each mail system has its own style of Received: line. A Received: line typically identifies the machine that received the mail and the machine from which it was received, followed by a timestamp.

Delivery-Date: Tue, 25 Jan 2011 15:31:01 -0700

Received: from po-out-1718.google.com ([72.14.252.155]:54907) by cl35.gs01.gridserver.com with esmtp (Exim 4.63) (envelope-from <mt.kb.user@gmail.com>) id 1KDoNH-0000f0-RL for user@example.com; Tue, 25 Jan 2011 15:31:01 -0700

Received: by po-out-1718.google.com with SMTP id y22so795146pof.4 for <user@example.com>; Tue, 25 Jan 2011 15:30:58 -0700 (PDT)

Received: by 10.141.116.17 with SMTP id t17mr3929916rvm.251.1214951458741; Tue, 25 Jan 2011 15:30:58 -0700 (PDT)

Received: by 10.140.188.3 with HTTP; Tue, 25 Jan 2011 15:30:58 -0700 (PDT)

Finding the Original Sender

According to Media Temple, the easiest way to find the original sender is to look for an X-Originating-IP header, which some providers add to record the IP address of the client that submitted the message. Gmail does not add one, so you usually have to work through the Received headers instead. In the example above the bottom Received line shows 10.140.188.3, but that is a private (RFC 1918) address inside Google's network, and “with HTTP” means the message was composed in the Gmail web interface; Gmail does not expose the sender's own IP in that case. The first public address in the chain is 72.14.252.155 (po-out-1718.google.com), Google's outbound relay, recorded by the receiving server cl35.gs01.gridserver.com in the top Received line. That top line is the only one the recipient's own system wrote, so it is the one to trust; everything below it was supplied by the sending side and could have been inserted.

Once you have an IP address, look it up in a whois service such as http://www.arin.net/ (ARIN covers North America and refers you to RIPE, APNIC, LACNIC or AFRINIC for addresses those registries manage). The result tells you which ISP or hosting provider owns the address. If you are tracking spam, send the complaint to that owner's abuse contact and include all the headers of the email. For the example above the lookup identifies Google, the operator of the relay, not the person who sent the mail.

Example Email Header

From: Media Temple user <mt.kb.user@gmail.com>
Subject: article: How to Trace a Email
Date: January 25, 2011 3:30:58 PM PDT
To: user@example.com
Return-Path: <mt.kb.user@gmail.com>
Envelope-To: user@example.com
Delivery-Date: Tue, 25 Jan 2011 15:31:01 -0700
Received: from po-out-1718.google.com ([72.14.252.155]:54907) by cl35.gs01.gridserver.com with esmtp (Exim 4.63) (envelope-from <mt.kb.user@gmail.com>) id 1KDoNH-0000f0-RL for user@example.com; Tue, 25 Jan 2011 15:31:01 -0700
Received: by po-out-1718.google.com with SMTP id y22so795146pof.4 for <user@example.com>; Tue, 25 Jan 2011 15:30:58 -0700 (PDT)
Received: by 10.141.116.17 with SMTP id t17mr3929916rvm.251.1214951458741; Tue, 25 Jan 2011 15:30:58 -0700 (PDT)
Received: by 10.140.188.3 with HTTP; Tue, 25 Jan 2011 15:30:58 -0700 (PDT)
Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:mime-version:content-type; bh=+JqkmVt+sHDFIGX5jKp3oP18LQf10VQjAmZAKl1lspY=; b=F87jySDZnMayyitVxLdHcQNL073DytKRyrRh84GNsI24IRNakn0oOfrC2luliNvdea LGTk3adIrzt+N96GyMseWz8T9xE6O/sAI16db48q4Iqkd7uOiDvFsvS3CUQlNhybNw8m CH/o8eELTN0zbSbn5Trp0dkRYXhMX8FTAwrH0=
Domainkey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:mime-version:content-type; b=wkbBj0M8NCUlboI6idKooejg0sL2ms7fDPe1tHUkR9Ht0qr5lAJX4q9PMVJeyjWalH 36n4qGLtC2euBJY070bVra8IBB9FeDEW9C35BC1vuPT5XyucCm0hulbE86+uiUTXCkaB 6ykquzQGCer7xPAcMJqVfXDkHo3H61HM9oCQM=
Message-Id: <c8f49cec0807011530k11196ad4p7cb4b9420f2ae752@mail.gmail.com>
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_3927_12044027.1214951458678"
X-Spam-Status: score=3.7 tests=DNS_FROM_RFC_POST, HTML_00_10, HTML_MESSAGE, HTML_SHORT_LENGTH version=3.1.7
X-Spam-Level: ***
Message Body: This is a KnowledgeBase article that provides information on how to find email headers and use the data to trace a email.
