Monday, December 28, 2015

Analyzing Email Messages and Determining the Sender’s Source IP [Part 1]

Electronic mail (email) is one of the critical components of today’s unified communication systems and one of the most used methods of communication between institutions, companies and individuals. Email is used to send and receive messages, documents, media files, meetings, etc.
Sometimes we need to analyze received email messages, whether for an incident forensics investigation or as part of an email security protection process. One of the results of email analysis is the actual source IP address from which the email message was originally sent. Before we start learning together how to analyze an email message, let’s have a simple and brief introduction to two things:

  1. Email System
  2. Email Message
Email System

Email systems are simply client-server applications. In its basic functionality, an email client is used by the end user to compose new messages and read received messages. Email clients come in different types, from web clients that run in a web browser to mobile-device and desktop clients like MS Outlook. Email clients access email servers using multiple protocols such as HTTP/HTTPS, POP(S), IMAP(S) and MAPI. On the other hand, email servers save all sent and received messages into mailboxes and route emails between email servers using SMTP/SMTPS over TCP.

Figure: Simple Email Topology
Email Message
An email message consists of three components: the message envelope, the message header and the message body. The envelope contains the email address of the sender and the address(es) of the recipient(s).
The message body is the actual message content and sometimes includes a signature field. Depending on the email client used by the end user, the message body can be either plain text or HTML. HTML email messages often include an automatically generated plain-text copy as well, for compatibility reasons. The HTML format can include in-line links and images, set apart previous messages in block quotes, wrap naturally on any display, use emphasis such as underlines and italics, and change font styles.
The message header is structured into fields. Each field has a name and a value. The field name starts in the first character of the line and ends before the separator character ":". You can find information about nearly all email message header fields at http://www.iana.org/assignments/message-headers/message-headers.xhtml.
The following list includes the common and mandatory message header fields:

  • From: The email address, and optionally the name of the sender.
  • To: The email address(es), and optionally name(s) of the message's recipient(s).
  • CC: Carbon copy.
  • BCC: Blind carbon copy; addresses added to the SMTP delivery list but not (usually) listed in the message data, remaining invisible to other recipients.
  • Subject: A brief summary of the topic of the message (Title). Certain abbreviations are commonly used in the subject, including "RE:" and "FW:".
  • Date: The local time and date when the message was sent. Many email clients fill this field automatically when sending. The recipient's client may then display the time in the format and time zone local to the recipient.
  • Message-ID: An automatically generated field, used to prevent multiple delivery of the same message.
  • In-Reply-To: This field applies only to reply messages and is used to link related messages together.
  • Content-Type: Information about how the message is to be displayed, usually a MIME type.
  • Reply-To: Address that should be used to reply to the message.
  • Sender: Address of the actual sender acting on behalf of the author listed in the From: field.
  • Received: When an SMTP server accepts a message it inserts this trace record at the top of the header. The Received fields are the most important part of the email header and are usually the most reliable. Together they form a list of all the servers/computers through which the message traveled in order to reach you. The Received lines are best read from bottom to top: the first "Received:" line is your own system or mail server, and the last "Received:" line is where the mail originated. Each mail system has its own style of "Received:" line. A "Received:" line typically identifies the machine that received the mail and the machine from which the mail was received.
  • Return-Path: The email address for return mail. This is the same as "Reply-To:".
  • Authentication-Results: When a server carries out authentication checks, it can save the results in this field for consumption by downstream agents.
  • Received-SPF: Sender Policy Framework (SPF) is a simple email-validation system designed to detect email spoofing by providing a mechanism that allows receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain's administrators.
  • Auto-Submitted: Used to mark automatically generated messages.
  • Dkim-Signature & Domainkey-Signature: These are related to domain keys. You can learn more about these by visiting: http://en.wikipedia.org/wiki/DomainKeys.
  • Mime-Version: Multipurpose Internet Mail Extensions (MIME) is an Internet standard that extends the format of email. Please see http://en.wikipedia.org/wiki/MIME for more details.
  • X-Spam-Status: Displays a spam score created by your service or mail client.
  • X-Spam-Level: Displays a spam score usually created by your service or mail client.
  • X-Originating-IP: This header is important since it tells you the IP address of the computer that sent the email.
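The field structure and the bottom-to-top reading of the Received trace described above, as an added example that is not part of the original post: a small Python parser that splits a header into fields (including folded continuation lines), orders the Received hops from origin to your own server, and cross-checks the earliest hop against X-Originating-IP. The header text, host names and addresses are constructed for the example.

```python
import re
# Constructed sample header (not a real message); addresses are documentation ranges.
RAW_HEADER = """\
Received: from mx1.example.net (mx1.example.net [203.0.113.7])
    by mail.example.com with ESMTPS id abc123
    for <bob@example.com>; Mon, 28 Dec 2015 10:02:11 +0000
Received: from relay.example.org (relay.example.org [198.51.100.20])
    by mx1.example.net with ESMTP; Mon, 28 Dec 2015 10:02:09 +0000
Received: from [192.0.2.55] (unknown [192.0.2.55])
    by relay.example.org with ESMTPA; Mon, 28 Dec 2015 10:02:05 +0000
From: Alice <alice@example.org>
Subject: Quarterly report
X-Originating-IP: [192.0.2.55]
"""
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_header(raw):
    """Ordered (name, value) pairs: a name runs from column one to the first ':',
    and a line starting with whitespace continues the previous field (folding)."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif line:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields

def received_hops(fields):
    """Received trace in transit order (origin first): each SMTP server prepends
    its record, so the header is newest-first and must be read bottom to top."""
    hops = []
    for value in reversed([v for n, v in fields if n.lower() == "received"]):
        from_part, _, by_part = value.partition(" by ")
        frm = re.search(r"from\s+(\S+)", from_part)
        ip, by = IPV4.search(from_part), re.match(r"\s*(\S+)", by_part)
        hops.append({"from": frm.group(1) if frm else None,
                     "ip": ip.group(1) if ip else None,
                     "by": by.group(1) if by else None})
    return hops

def origin_ip(fields):
    """Connecting IP of the earliest hop, cross-checked with X-Originating-IP.
    Only records added by servers you trust are reliable; earlier ones may be forged."""
    hops = received_hops(fields)
    first = hops[0]["ip"] if hops else None
    xo = [IPV4.search(v) for n, v in fields if n.lower() == "x-originating-ip"]
    xoip = xo[0].group(1) if xo and xo[0] else None
    return {"first_hop_ip": first, "x_originating_ip": xoip,
            "consistent": xoip is None or xoip == first}
```

Pass the raw header of a saved message to `parse_header` and then to `origin_ip`; when `consistent` is False, the X-Originating-IP value and the first Received hop disagree and the hop chain should be examined by hand.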

In the next part we will discuss how to display the email message header and use it to analyze email messages and determine the source IP.
