Investigating Emails

Emails play a key role in many cases we see, especially phishing cases. When most people view an email, they use whatever program their computer or cell phone has selected for them. Because the device displays only what is of interest to most users, they are simply viewing the body of the email message. This means they don’t see the mail header, which contains all kinds of valuable information.

Emails can also come with attachments, which are additional files associated with the email. It is estimated that 80% of email data comes in the form of attachments.

When emails are sent via the Internet, they are sent as text. The email message itself is usually encoded as ASCII text, and the attachments are encoded as MIME/base64.

Emails work similarly to regular postage mail. With postage mail, there is an address on an envelope along with a return address, and the contents of the envelope contain the message. The addresses on an email can be found in the message header. Just like regular mail, the return address can be faked and the envelope will still be delivered. If the return address on the email is faked, this is called “spoofing.”

Here are some parts of the email header you should look at if you are investigating an email:

1) Message-ID: Think of this as a tracking number attached to the name of the sending computer.
2) Received: This is a list of IP addresses that shows the path of the email as it travels from computer to computer. The bottom entry is typically the IP of the originating computer. Remember, this can be faked.
3) X-Originating-IP: This is an optional tag that shows the IP of the computer used to send the message. In order to fake this, the sender would have to be able to control the mail server. Consequently, if you see this, it is fairly reliable.
4) X-Mailer: This identifies the program used to create and send the email.

With many of the phishing cases, the bad guys don’t bother to spoof the IP address of the sending email server. That means if you want to prevent phishing, you need to set up controls to identify suspicious originating IP addresses. Also, if you are trying to determine whether the email you are looking at is fraudulent, there are usually clues in the header that should allow you to identify suspicious emails.
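A small Python script, added here as an example and not taken from the article, that reads a raw message with the standard library, pulls out the four header fields listed above, walks the Received chain from the bottom entry up, and notes when the Message-ID host or the bottom hop sits outside the From domain. The sample message and every host name and address in it are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample, not a real message: spoofed "bank" From address; Message-ID and bottom hop point elsewhere.
SAMPLE_RAW = """\
Received: from mx.example-recipient.test (mx.example-recipient.test [198.51.100.10])
\tby mail.example-recipient.test with ESMTP id abc123; Mon, 1 Jan 2024 10:00:03 +0000
Received: from smtp-out.example-bulk.test (unknown [203.0.113.77])
\tby mx.example-recipient.test with SMTP; Mon, 1 Jan 2024 10:00:01 +0000
From: "Example Bank" <alerts@example-bank.test>
Subject: Verify your account
Message-ID: <20240101100000.12345@bulk-sender.example-bulk.test>
X-Originating-IP: [203.0.113.77]
X-Mailer: BulkMailer 2.0

Please click the link to verify your account.
"""

def in_domain(host, domain):
    return bool(domain) and (host == domain or host.endswith("." + domain))

def received_hops(msg):
    # Each relay prepends its own Received line, so the last one in the header block is
    # the bottom entry: the (claimed) origin. Reverse to get transit order, origin first.
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        host = re.search(r"from\s+(\S+)", value)  # host that handed the mail over
        hops.append({"from": host.group(1) if host else "", "ips": IP_RE.findall(value)})
    return hops

def analyse(raw):
    # Pull out the four header fields discussed above and note domain mismatches.
    msg = message_from_string(raw)
    hops = received_hops(msg)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    mid_host = msg.get("Message-ID", "").strip("<> ").rpartition("@")[2].lower()
    x_orig = IP_RE.search(msg.get("X-Originating-IP") or "")
    clues = []
    if mid_host and not in_domain(mid_host, from_domain):
        clues.append("Message-ID host %s is outside From domain %s" % (mid_host, from_domain))
    if hops and hops[0]["from"] and not in_domain(hops[0]["from"], from_domain):
        clues.append("bottom Received hop %s is outside From domain %s" % (hops[0]["from"], from_domain))
    return {"from_domain": from_domain,
            "origin_ip": hops[0]["ips"][0] if hops and hops[0]["ips"] else None,
            "x_originating_ip": x_orig.group(1) if x_orig else None,  # fairly reliable when present
            "x_mailer": msg.get("X-Mailer"), "hops": hops, "clues": clues}
```

Run `analyse(SAMPLE_RAW)` on the constructed message and the origin IP, X-Originating-IP, X-Mailer and two domain-mismatch clues come back in one dictionary; the same function works on any raw message saved from a mail client.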