
http://kb.mediatemple.net/questions/892/Understanding+an+email+header

https://www.arclab.com/en/amlc/how-to-read-and-analyze-the-email-header-fields-spf-dkim.html

https://support.office.com/en-us/article/View-e-mail-message-headers-cd039382-dc6e-4264-ac74-c048563d212c


Introduction

This guide explains how to read and understand an email header. To do that, we need to follow the life of the email. Most of the time it appears that an email passes directly from the sender to the recipient, but this isn't necessarily true: a typical email passes through at least four computers.

To begin you will need to find your full email header. You can find instructions at: How to View Email Headers.

Viewing an email header

In this example, the "Sender" mt.kb.user@gmail.com wants to send an email to the "Receiver" user@example.com. The sender composes the email at gmail.com, and user@example.com receives it in the email client Apple Mail.

Here is the example header:

From: Media Temple user (mt.kb.user@gmail.com)
Subject: article: How to Trace a Email
Date: January 25, 2011 3:30:58 PM PDT
To: user@example.com
Return-Path: <mt.kb.user@gmail.com>
Envelope-To: user@example.com
Delivery-Date: Tue, 25 Jan 2011 15:31:01 -0700
Received: from po-out-1718.google.com ([72.14.252.155]:54907) by cl35.gs01.gridserver.com with esmtp (Exim 4.63) (envelope-from <mt.kb.user@gmail.com>) id 1KDoNH-0000f0-RL for user@example.com; Tue, 25 Jan 2011 15:31:01 -0700
Received: by po-out-1718.google.com with SMTP id y22so795146pof.4 for <user@example.com>; Tue, 25 Jan 2011 15:30:58 -0700 (PDT)
Received: by 10.141.116.17 with SMTP id t17mr3929916rvm.251.1214951458741; Tue, 25 Jan 2011 15:30:58 -0700 (PDT)
Received: by 10.140.188.3 with HTTP; Tue, 25 Jan 2011 15:30:58 -0700 (PDT)
Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:mime-version:content-type; bh=+JqkmVt+sHDFIGX5jKp3oP18LQf10VQjAmZAKl1lspY=; b=F87jySDZnMayyitVxLdHcQNL073DytKRyrRh84GNsI24IRNakn0oOfrC2luliNvdea LGTk3adIrzt+N96GyMseWz8T9xE6O/sAI16db48q4Iqkd7uOiDvFsvS3CUQlNhybNw8m CH/o8eELTN0zbSbn5Trp0dkRYXhMX8FTAwrH0=
Domainkey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:mime-version:content-type; b=wkbBj0M8NCUlboI6idKooejg0sL2ms7fDPe1tHUkR9Ht0qr5lAJX4q9PMVJeyjWalH 36n4qGLtC2euBJY070bVra8IBB9FeDEW9C35BC1vuPT5XyucCm0hulbE86+uiUTXCkaB 6ykquzQGCer7xPAcMJqVfXDkHo3H61HM9oCQM=
Message-Id: <c8f49cec0807011530k11196ad4p7cb4b9420f2ae752@mail.gmail.com>
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_3927_12044027.1214951458678"
X-Spam-Status: score=3.7 tests=DNS_FROM_RFC_POST, HTML_00_10, HTML_MESSAGE, HTML_SHORT_LENGTH version=3.1.7
X-Spam-Level: ***
Message Body: This is a KnowledgeBase article that provides information on how to find email headers and use the data to trace a email.

Understanding the email header

CAUTION:

It is important to know that when reading an email header every line can be forged, so only the Received: lines that are created by your own service or computer should be completely trusted.

From

  • This displays who the message is from; however, it can be easily forged and can be the least reliable line in the header.

Subject

  • This is what the sender placed as a topic of the email content.

Date

  • This shows the date and time the email message was composed.

To

  • This shows to whom the message was addressed, but may not contain the recipient's address.

Return-Path

  • The email address for return mail. This is the same as "Reply-To:".

Envelope-To

  • This header shows that this email was delivered to the mailbox of a subscriber whose email address is user@example.com.

Delivery Date

  • This shows the date and time at which the email was received by your (mt) service or email client.

Received

  • The Received: lines are the most important part of the email header and are usually the most reliable. They form a list of all the servers/computers through which the message traveled in order to reach you.

    The Received: lines are best read from bottom to top. That is, the first "Received:" line is your own system or mail server, and the last "Received:" line is where the mail originated. Each mail system has its own style of "Received:" line. A "Received:" line typically identifies the machine that received the mail and the machine from which the mail was received.

Dkim-Signature & Domainkey-Signature

Message-id

  • A unique string assigned by the mail system when the message is first created. These can easily be forged.

Mime-Version

Content-Type

  • Generally, this will tell you the format of the message, such as html or plaintext.

X-Spam-Status

  • Displays a spam score created by your service or mail client.

X-Spam-Level

  • Displays a spam score usually created by your service or mail client.

Message Body

  • This is the actual content of the email itself, written by the sender.

Finding the Original Sender

The easiest way to find the original sender is to look for the X-Originating-IP header, which records the IP address of the computer that sent the email. If you cannot find the X-Originating-IP header, you will have to sift through the Received headers to find the sender's IP address. In the example above, the originating IP address is 10.140.188.3.

Once the email sender's IP address is found, you can search for it at http://www.arin.net/. The results tell you which ISP (Internet Service Provider) or web host the IP address belongs to. If you are tracking a spam email, you can then send a complaint to the owner of the originating IP address. Be sure to include all the headers of the email when filing a complaint.
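As an added example (not part of the original article or the linked Media Temple KB), the procedure above in Python: unfold the header, read the Received: lines bottom-up, prefer X-Originating-IP when present, and report the connecting address recorded in the topmost Received: line, the one your own server wrote. It additionally flags when the result is a private or reserved address, which is the case for 10.140.188.3 in the sample (a 10.0.0.0/8 address), so the next routable hop is the one to look up at ARIN. The sample header is the page's own, abridged to the fields used; the function names are this example's.

```python
import ipaddress
import re

# Constructed sample: the page's example header cut down to the fields used here.
SAMPLE_HEADER = """\
From: Media Temple user (mt.kb.user@gmail.com)
To: user@example.com
Received: from po-out-1718.google.com ([72.14.252.155]:54907) by cl35.gs01.gridserver.com with esmtp (Exim 4.63) (envelope-from <mt.kb.user@gmail.com>) id 1KDoNH-0000f0-RL for user@example.com; Tue, 25 Jan 2011 15:31:01 -0700
Received: by po-out-1718.google.com with SMTP id y22so795146pof.4 for <user@example.com>; Tue, 25 Jan 2011 15:30:58 -0700 (PDT)
Received: by 10.141.116.17 with SMTP id t17mr3929916rvm.251.1214951458741; Tue, 25 Jan 2011 15:30:58 -0700 (PDT)
Received: by 10.140.188.3 with HTTP; Tue, 25 Jan 2011 15:30:58 -0700 (PDT)
Message-Id: <c8f49cec0807011530k11196ad4p7cb4b9420f2ae752@mail.gmail.com>
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def unfold(header):
    """Join RFC 5322 folded continuation lines (leading whitespace) onto their field."""
    out = []
    for raw in header.splitlines():
        if raw[:1] in (" ", "\t") and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw)
    return out

def received_lines(header):
    """Received: values in header order: index 0 is the hop your own server added."""
    return [l[len("Received:"):].strip() for l in unfold(header)
            if l.lower().startswith("received:")]

def find_origin(header):
    """Prefer X-Originating-IP, else the bottom Received: line (where the mail originated)."""
    # Returns (ip, header it came from, True if ip is private/reserved and so not routable).
    for line in unfold(header):
        if line.lower().startswith("x-originating-ip:"):
            m = IPV4.search(line)
            if m:
                return m.group(1), "X-Originating-IP", ipaddress.ip_address(m.group(1)).is_private
    hops = received_lines(header)
    m = IPV4.search(hops[-1]) if hops else None
    if not m:
        return None, None, None
    return m.group(1), "Received", ipaddress.ip_address(m.group(1)).is_private

def first_trusted_hop(header):
    """Connecting address in the topmost Received: line, written by your own server."""
    hops = received_lines(header)
    m = re.search(r"from\s+\S+\s+\(\[?(\d{1,3}(?:\.\d{1,3}){3})", hops[0]) if hops else None
    return m.group(1) if m else None
```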

