In the previous article of this Ethical E-mail Hacking series, we learned how simple “reply to” address column is used to deceive a recipient of email. If you receive an email from a recipient, how will you find the sender, “From Address” is not the only option because as we seen in previous topic a hacker can change the from address very easily. Here the E-mail headers plays important role.
The email header is the information that travels with every email, containing details about the sender, route and receiver. It is like a flight ticket: it can tell you who booked it (who sent the email), the departure information (when the email was sent), the route (from where it was sent and how did it arrive to you) and arrival details (who is the receiver and when it was received). As when you would book a flight ticket with a false identity, the same goes for emails: the sender can partially fake these details, pretending that the email was sent from a different account (common practice for spammers or viruses).
Every e-mail client including web based clients like Gmail, yahoo mail have feature to show full e-mail headers. Normally most of the e-mail clients hide this, because only the body of email is important to the readers perspective, like we check the papers in the letters and not the envelope, but these envelopes are very important. Given screen shots will explain how to make your client to show the headers. Normally the button will captioned with “View Full Headers”.
Okay I hope you found “View Header” button in your email client. Now just click it to see the header of that particular email. The header of a mail might look like this. (example code from Google)
Received: by 10.36.81.3 with SMTP id e3cs239nzb; Tue, 29 Mar 2005 15:11:47 -0800 (PST)
Received: from mail.emailprovider.com (mail.emailprovider.com [18.104.22.168]) by mx.gmail.com with SMTP id h19si826631rnb.2005.03.29.15.11.46; Tue, 29 Mar 2005 15:11:47 -0800 (PST)
Received: from [22.214.171.124] by mail.emailprovider.com via HTTP; Tue, 29 Mar 2005 15:11:45 PST
Date: Tue, 29 Mar 2005 15:11:45 -0800 (PST)
From: Mr Jones
To: Mr Smith
Now read the header from bottom to top. This typical header explains that this email is sent to ‘Mr smith’ with subject ‘Hello’ (body of message was already shown in the mail). The next lines says that this is from ‘Mr Jones’ sent at so and so time. As we already seen this from address can be modified by the sender that means anyone can send this mail with the name ‘Mr Jones’ pretending the mail is from Mr Jones but actually it was sent by some ‘x’. This is like writing others name in the envelope’s from address section instead of writing their own name, so that the letter seems to be from others. So we checking the sender, and sender’s mail server and ip of the server. Here the server is ’emailprovider.com’ and ip of it is ‘126.96.36.199’.
If you have difficulty in reading the headers don’t worry, it is not that much hard. Knowing some terms like ‘Return Path’, SMTP, HTTP, Message-ID, etc will help you. Please write your comments to provide you more better written-ed articles in future.