
When an average person sees an email, they can see only part of the information enclosed in the mail. To see the full information, one can look at the source of the email, which shows more. An example of an email source looks like this:

Received: via dmail-2008.19 for +INBOX;
        Tue, 3 Feb 2009 19:29:12 -0600 (CST)
Received: from abc.luxsci.com ([10.10.10.10])
    by xyz.luxsci.com (8.13.7/8.13.7) with
        ESMTP id n141TCa7022588
    for <user-999@xyz.luxsci.com>;
        Tue, 3 Feb 2009 19:29:12 -0600
Return-Path: <test@sender.com>
Received: from [192.168.0.3] (verizon.net [44.44.44.44])
   (user=test@sender.com mech=PLAIN bits=2)
   by abc.luxsci.com (8.13.7/8.13.7) with
   ESMTP id n141SAfo021855
   (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA
   bits=256 verify=NOT) for <test@domain.com>;
   Tue, 3 Feb 2009 19:28:10 -0600
Message-ID: <4988EF2D.40804@domain.com>
Date: Tue, 03 Feb 2009 20:28:13 -0500
From: "Test Sender" <test@sender.com>
User-Agent: Thunderbird 2.0.0.19 (Windows/20081209)
MIME-Version: 1.0
To: "Test Recipient" <test@domain.com>
Subject: Example Message
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Comment: Lux Scientiae SMTP Processor Message ID -
   1233710941-9110394.93984519

My question is: what kind of information can a skilled person get from an email source in two cases:

  • the person who sends the email has no knowledge of computers except sending mail/browsing the internet
  • the person who sends the email is skilled and wants to hide/change as much as possible, but does not have too much control (by too much control I mean he does not have control over big email services, but can have his own email server)

P.S.

  • I am not talking about this specific example (it is just for people who do not know about email source).
  • I know that some of the fields can be changed by sender (but I do not know how many of them could be changed).
  • I can read, so I see that I can find through which email provider an email was sent, at what time, and through which program. But I am curious whether I can get information which can narrow down the possible user (maybe his OS, IP, timezone and so on).
Salvador Dali

2 Answers


First and foremost, you are referred to RFC 5822 as a definitive source of information regarding the mail format. RFC 5321 should help with understanding how mail is transferred. Now, to be more specific:

Everything below the Date: header (inclusive) is sent to an SMTP server by the sender's mail client. For a savvy person it should be no big deal to whip up a crafted email client which will send arbitrary headers. The information obtained cannot be considered proof of anything other than the byte values used to represent it -- there is no way to prove data authenticity; both parties might have forged the headers -- who knows?

I am curious whether I can get information which can narrow down possible user (may be his OS, IP, timezone and so on)

Assuming the sender didn't tamper much with email contents:

User-Agent: Thunderbird 2.0.0.19 (Windows/20081209) Sender's OS disclosed by the mail agent itself.

Date: Tue, 03 Feb 2009 20:28:13 -0500 Sender's TZ disclosed.

Received: from [192.168.0.3] (verizon.net [44.44.44.44]) Sender's IP disclosed via the mail server.

Depending on the mail agent used, there may be more information available.
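The rule of thumb in this answer (the Date: header and everything after it came from the sender's client; the headers above it were prepended by relays) and the three disclosures it lists (OS from User-Agent, timezone from Date, IP from the first Received line) can be turned into a small receiver-side triage script. The following is an added example, not code from the answer or from any project. It feeds the header block quoted in the question to Python's standard email module, walks the Received chain oldest-first, separates what the first relay actually observed (the bracketed public IP) from what the client merely announced in HELO, and reports the timezone offset plus the skew between the sender's clock and the first relay's clock. The names of the functions and of the keys in the returned dictionary are my own choices, not anything from the page.

```python
"""Receiver-side triage of raw e-mail headers (added example)."""
import email
import ipaddress
import re
from email.utils import parsedate_to_datetime

# Constructed input: the header block quoted in the question, verbatim.
RAW = """\
Received: via dmail-2008.19 for +INBOX;
        Tue, 3 Feb 2009 19:29:12 -0600 (CST)
Received: from abc.luxsci.com ([10.10.10.10])
    by xyz.luxsci.com (8.13.7/8.13.7) with
        ESMTP id n141TCa7022588
    for <user-999@xyz.luxsci.com>;
        Tue, 3 Feb 2009 19:29:12 -0600
Return-Path: <test@sender.com>
Received: from [192.168.0.3] (verizon.net [44.44.44.44])
   (user=test@sender.com mech=PLAIN bits=2)
   by abc.luxsci.com (8.13.7/8.13.7) with
   ESMTP id n141SAfo021855
   (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA
   bits=256 verify=NOT) for <test@domain.com>;
   Tue, 3 Feb 2009 19:28:10 -0600
Message-ID: <4988EF2D.40804@domain.com>
Date: Tue, 03 Feb 2009 20:28:13 -0500
From: "Test Sender" <test@sender.com>
User-Agent: Thunderbird 2.0.0.19 (Windows/20081209)
MIME-Version: 1.0
To: "Test Recipient" <test@domain.com>
Subject: Example Message
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Comment: Lux Scientiae SMTP Processor Message ID -
   1233710941-9110394.93984519

"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # IPv4 in brackets


def unfold(value):
    """Join a folded (multi-line) header value into one line."""
    return " ".join(str(value).split())


def split_trust(msg):
    """Answer's rule of thumb: Date: and everything after it is client-supplied,
    everything above it was prepended by servers. Returns (server, client)."""
    names = [name for name, _ in msg.items()]
    if "Date" not in names:
        return names, []
    cut = names.index("Date")
    return names[:cut], names[cut:]


def received_chain(msg):
    """Received: headers oldest-first (relays prepend, so reverse the list).
    Per hop: name the client announced, IPs the relay recorded, which of
    those are publicly routable, the relay's own name and its timestamp."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        text = unfold(raw)
        ips = IP_RE.findall(text)
        claimed = re.match(r"from\s+(\S+)", text)
        by = re.search(r"\bby\s+(\S+)", text)
        stamp = None
        if ";" in text:  # the date follows the last ';'
            try:
                stamp = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                pass
        hops.append({
            "claimed": claimed.group(1) if claimed else None,
            "by": by.group(1) if by else None,
            "ips": ips,
            "public_ips": [ip for ip in ips if ipaddress.ip_address(ip).is_global],
            "timestamp": stamp,
        })
    return hops


def profile(raw_message):
    """Summarise what the headers disclose and how much of it was relay-observed."""
    msg = email.message_from_string(raw_message)
    hops = received_chain(msg)
    first = hops[0] if hops else None
    date = parsedate_to_datetime(unfold(msg["Date"])) if msg["Date"] else None
    agent = msg.get("User-Agent") or msg.get("X-Mailer")
    skew = None
    if date and first and first["timestamp"]:
        skew = (date - first["timestamp"]).total_seconds()
    server_added, client_supplied = split_trust(msg)
    return {
        "hop_count": len(hops),
        # Recorded by the first relay: the strongest evidence in the chain.
        "origin_ip": first["public_ips"][0] if first and first["public_ips"] else None,
        "first_relay": first["by"] if first else None,
        # Announced by the client in HELO/EHLO: freely choosable by the sender.
        "claimed_helo": first["claimed"] if first else None,
        "user_agent": unfold(agent) if agent else None,
        "tz_offset_hours": date.utcoffset().total_seconds() / 3600 if date else None,
        "clock_skew_seconds": skew,  # sender's clock minus first relay's clock
        "server_added": server_added,
        "client_supplied": client_supplied,
    }


if __name__ == "__main__":
    for key, value in profile(RAW).items():
        print(f"{key:>20}: {value}")
```

On this sample the script reports 44.44.44.44 as the origin (observed by abc.luxsci.com), [192.168.0.3] as the name the client announced, a -5 hour offset from Date:, and a sender clock 3 seconds ahead of the first relay's. Two caveats worth keeping in mind: the Date-based split is a heuristic (here X-Comment sits below Date: yet was clearly added by the provider's SMTP processor), and everything in the "client_supplied" group, the clock skew included, is only as reliable as the client that produced it.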


Dmitry is right on the money. Additionally you have to bear in mind that servers in the mail flow stream could manipulate the headers. For example, I worked with a client that had their firewall strip all headers from outbound email to prevent the sharing of any internal host information (as the email actually took a couple of hops internally before being sent out of their network).

Last but not least, there is nothing saying a mail client needs to be used. Sending of an email could be scripted or done manually (all that is needed is telnet to port 25 to a server that will relay mail for you).

user1234