
Examine Phishing Emails (part 2 – more email header basics)

Some information about an email in your inbox, such as the sender's IP address and the reply-to address, can only be obtained from the email header.

The email header is the raw metadata of the message. Here is a basic run-through of the parts of interest.


X-Originating-IP – The IP address the email was sent from (this is known as an X-header)

Reply-To – The email address a reply will be sent to, instead of the From address.
To clarify, in the sample email above the sender is newsletters@ant.anki-tech.com, but if a
recipient replies to the email, the response goes to reply@ant.anki-tech.com, which is the Reply-To,
and NOT to newsletters@ant.anki-tech.com.


smtp.mailfrom / header.from – The domain the email was sent from (these values appear inside the
Authentication-Results header: smtp.mailfrom is the envelope sender's domain, header.from is the domain in the From header).
Sometimes a phishing email will hide the domain it is really being sent from, so compare the two.

ARC-Authentication-Results or Received-SPF – Among several other things, this section shows whether the sending server is actually authorized to send mail for the domain in the address. A random hacker cannot just send mail as hacker@wordpress.com without WordPress knowing about it; the sending server needs permission / authentication from WordPress.

Route to your computer

X-Originating-IP: This header is important because it tells you the IP address of the computer that sent the email. If you cannot find an X-Originating-IP header, you will have to sift through the Received headers instead.

Received: The "Received" lines are a chronological list of all the servers/computers the message travelled through. They are best read from bottom to top.

That is, the first "Received:" line (at the top) was added by your own system or mail server. The last "Received:" line (at the bottom) is where the mail originated.

Each mail system has its own style of "Received:" line. A "Received:" line typically identifies the machine that received the mail and the machine from which the mail was received.

Delivery-Date: Tue, 25 Jan 2011 15:31:01 -0700

Received: from po-out-1718.google.com ([72.14.252.155]:54907) by cl35.gs01.gridserver.com with esmtp (Exim 4.63) (envelope-from mt.kb.user@gmail.com) id 1KDoNH-0000f0-RL for user@example.com; Tue, 25 Jan 2011 15:31:01 -0700
Received: by po-out-1718.google.com with SMTP id y22so795146pof.4 for user@example.com; Tue, 25 Jan 2011 15:30:58 -0700 (PDT)
Received: by 10.141.116.17 with SMTP id t17mr3929916rvm.251.1214951458741; Tue, 25 Jan 2011 15:30:58 -0700 (PDT)
Received: by 10.140.188.3 with HTTP; Tue, 25 Jan 2011 15:30:58 -0700 (PDT)

Delivery-Date: is when the message arrived at your computer.
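As an added example (not from the original post), here is a small Python triage script that applies the checks above: it reads the Received chain oldest-first, falls back from X-Originating-IP to the earliest hop when that header is missing, and compares the From, Reply-To and smtp.mailfrom domains alongside the spf/dkim/dmarc verdicts in Authentication-Results. The embedded message is a constructed, trimmed copy of the example header further down this page; the Reply-To on a different domain is added here so the mismatch check fires.

```python
import email, re
from email.utils import parseaddr
# Constructed sample, trimmed from the page's example header (signature blobs dropped);
# the Reply-To on another domain is added here and is not in the original message.
RAW_MESSAGE = """\
Received: by 2002:a05:7108:a0b3:b0:37d:a3f0:fd0b with SMTP id gy51csp1882787gdb;
 Mon, 29 Apr 2024 03:02:27 -0700 (PDT)
Authentication-Results: mx.google.com;
 dkim=pass header.i=@patch.com header.s=sailthru header.b=fhdpgWf6;
 spf=pass (google.com: domain of delivery_20240429060221.35191884.2351@bounce.patch.com designates 192.64.237.203 as permitted sender) smtp.mailfrom=delivery_20240429060221.35191884.2351@bounce.patch.com;
 dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=patch.com
Received: from pmta237-203.sailthru.com (pmta237-203.sailthru.com. [192.64.237.203])
 by mx.google.com with ESMTPS id g2si2478527qtg.492; Mon, 29 Apr 2024 03:02:27 -0700 (PDT)
Received: from aws1-mta-relay1.sailthru.cloud (10.55.90.180) by pmta237-203.sailthru.com id h5to3630o6oh for <victim@example.com>; Mon, 29 Apr 2024 05:02:23 -0500 (envelope-from <delivery_20240429060221.35191884.2351@bounce.patch.com>)
From: Woodbridge Patch <noreply@patch.com>
Reply-To: reply@ant.anki-tech.com
"""
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def domain_of(addr):
    # Lower-cased domain of 'Name <user@host>' or 'user@host'; '' if the header is absent.
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def received_hops(msg):
    """Received headers oldest-first, i.e. the bottom-to-top reading order."""
    hops = []
    for line in reversed(msg.get_all("Received", [])):
        frm = re.search(r"\bfrom\s+(\S+)\s*(?:\(([^)]*)\))?", line)
        by = re.search(r"\bby\s+(\S+)", line)
        ip = IPV4.search((frm.group(2) or "") if frm else "")
        hops.append({"from": frm.group(1) if frm else None, "by": by.group(1) if by else None,
                     "ip": ip.group(0) if ip else None})
    return hops

def triage(raw):
    """Summarise sender, route and auth verdicts; flag the mismatches described above."""
    msg = email.message_from_string(raw)
    ar = msg.get("Authentication-Results", "")
    hops = received_hops(msg)
    from_dom, reply_dom = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    mf = re.search(r"smtp\.mailfrom=([^\s;]+)", ar)
    mailfrom_dom = domain_of(mf.group(1)) if mf else ""
    flags = []
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if mailfrom_dom and mailfrom_dom != from_dom and not mailfrom_dom.endswith("." + from_dom):
        flags.append(f"smtp.mailfrom domain {mailfrom_dom} not aligned with From domain {from_dom}")
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ar))
    flags += [f"{k}={v}" for k, v in auth.items() if v != "pass"]
    # Prefer X-Originating-IP; if absent, fall back to the earliest Received hop.
    origin_ip = msg.get("X-Originating-IP") or (hops[0]["ip"] if hops else None)
    return {"from_domain": from_dom, "origin_ip": origin_ip, "hops": hops, "auth": auth, "flags": flags}
```

Run `triage(RAW_MESSAGE)` to see the oldest hop (the private relay 10.55.90.180), the passing spf/dkim/dmarc verdicts, and the single Reply-To mismatch flag.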

Example Email Header

Delivered-To: *********@gmail.com
Received: by 2002:a05:7108:a0b3:b0:37d:a3f0:fd0b with SMTP id gy51csp1882787gdb;
Mon, 29 Apr 2024 03:02:27 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IFRyQs/OTtdmi+6wMqhfSU8EdORqJDCDJdzlyp0mMDXQqgF6tGYfyyeKjnFMvgvzp78K3vK
X-Received: by 2002:a05:622a:4e8f:b0:437:7a3f:d392 with SMTP id dj15-20020a05622a4e8f00b004377a3fd392mr7165545qtb.46.1714384947482;
Mon, 29 Apr 2024 03:02:27 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1714384947; cv=none;
d=google.com; s=arc-20160816;
b=zBCjPt1YxvjoHHl6pm+6X0vhPN5HETyIyA3MqbuqRTkEZGx1CfxJOZcQ9OQSQ6QJad
2vOJUq4vC96HYafGFMKL4JrdzLCKeaSiBorocAB+h5eDvQ3tpwBes3qRowSgLEX+mFng
eyBexOyWqa1J9hmWO1LbsDLJwca7GTZLBWntKTnBPwNy6uFPZd6s9GM+07YgCeQcOL3D
xowM0KOdyyf9q3ek4LbE4uvPV7oBNQRNwJPB7b5P67B9PEZrqw4tv7cebrwEMG3wuyYF
6mx8i1RtCV6FwNlqOau2GwuiSdPNfx2Z1E7ejyLGmSNIwO5jmAT44dCENixFFmcAtXwH
lCVg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=list-unsubscribe:precedence:mime-version:subject:message-id:to:from
:date:dkim-signature;
bh=eGCAD6vfTH0ZKx5NmfsrThMMs8vd4RWoFTA2vny//54=;
fh=C12Z+FVaJur21YdbIxTkLLkxokPr6jyYWUe019IZjg4=;
b=vQqRUPQ8DQrKQ9eVIN/yrbwqzH2WSu850HXxf6x6BZmmLTopdhXlDSQFJ3cGq1q6M1
p+BmVzc73Wihe5OnOEuYLfDOc470eDH8L8xSeioIsMgJb5NYFp0bUqh2k3A/EOCY9gh2
bZP0VNB2irzSUhq6NHGgsdBOV3PpsytQ/nUJMc98Fi0m7AVfaVlLhRzsK/HzyPS7hT20
GP/ICXARwiM/z8YIVtRUtsktzEB+CeSEQ/vd2PF2J/+Orou1vCp4YIC0yPzSHevYjXu2
bfs0PNmE0kj26MZ7JTz/ZR5uYUPzz/5s5XchCkBbXq9Q3Pog9lt2Vo1iYOgMe8WXweso
a6yw==;
dara=google.com
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@patch.com header.s=sailthru header.b=fhdpgWf6;
spf=pass (google.com: domain of delivery_20240429060221.35191884.2351@bounce.patch.com designates 192.64.237.203 as permitted sender) smtp.mailfrom=delivery_20240429060221.35191884.2351@bounce.patch.com;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=patch.com
Return-Path: <delivery_20240429060221.35191884.2351@bounce.patch.com>
Received: from pmta237-203.sailthru.com (pmta237-203.sailthru.com. [192.64.237.203])
by mx.google.com with ESMTPS id g2-20020ac85802000000b0043adb77eddasi2478527qtg.492.2024.04.29.03.02.27
for <*********@gmail.com>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Mon, 29 Apr 2024 03:02:27 -0700 (PDT)
Received-SPF: pass (google.com: domain of delivery_20240429060221.35191884.2351@bounce.patch.com designates 192.64.237.203 as permitted sender) client-ip=192.64.237.203;
Authentication-Results: mx.google.com;
dkim=pass header.i=@patch.com header.s=sailthru header.b=fhdpgWf6;
spf=pass (google.com: domain of delivery_20240429060221.35191884.2351@bounce.patch.com designates 192.64.237.203 as permitted sender) smtp.mailfrom=delivery_20240429060221.35191884.2351@bounce.patch.com;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=patch.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; s=sailthru; d=patch.com; h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type:List-Unsubscribe; i=noreply@patch.com; bh=M1HESBI1nCNbD8w63yPVe1oTMP+yfAvSq4cQV7ZGYA4=; b=fhdpgWf64XzkZftX+3JKurgFczfGidcP4NIyhG7lV6RMxudJ6+YooKoja/O/5WW2kh0zSjq4o9BX
BWWZgkb4tEAfYxO8fnJ+7qFGtxVzRkSHPnb19wVbZ6/ZYyVbXmJ3nS0zUMYEZ0MlO75UOuXN3NU7
iWRg2NEIO5Okf4SLiqk=
Received: from aws1-mta-relay1.sailthru.cloud (10.55.90.180) by pmta237-203.sailthru.com id h5to3630o6oh for <fakeemail@gmail.com>; Mon, 29 Apr 2024 05:02:23 -0500 (envelope-from <delivery_20240429060221.35191884.2351@bounce.patch.com>)
Date: Mon, 29 Apr 2024 06:02:21 -0400 (EDT)
From: Woodbridge Patch <noreply@patch.com>
To: *************@gmail.com
Message-ID: <20240429060221.35191884.2351@sailthru.com>
Subject: Store Closings + Restaurant Openings + Mom Cleans Up: Business News
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_45711669_1397823151.1714384941727"
Precedence: bulk
x-job: 1070-35191884-20240429
X-Feedback-ID: 1070:35191884:campaign:sailthru
X-TM-ID: 20240429060221.35191884.2351
X-Info: Message sent by sailthru.com customer Patch
X-Info: We do not permit unsolicited commercial email
X-Info: Please report abuse by forwarding complete headers to
X-Info: abuse@sailthru.com
X-Mailer: sailthru.com
X-JMailer: aws-campaign-mailer-2.sailthru.cloud
X-Unsubscribe-Web: https://link.patch.com/oc/653d1684c9d9ffe2fe0456f9kya8c.1tb/bcda0cd8
List-Unsubscribe: <https://link.patch.com/oc/653d1684c9d9ffe2fe0456f9kya8c.1tb/bcda0cd8>,<mailto:unsubscribe_20240429060221.35191884.2351@mx.sailthru.com>
X-rpcampaign: stbpe35191884

------=_Part_45711669_1397823151.1714384941727
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
