Tuesday, June 13, 2006

Reading Mail Headers

One of the things you will eventually do if you work in network security is read the headers of a piece of email. Whether it's troubleshooting a delivery problem, tracing spam back to its source, or just trying to figure out where a message has been, you need to be able to interpret what you're reading. "Reading Email Headers" explains the basics.

Keep in mind that the article may not be entirely accurate, as each piece of software that handles e-mail has its own "standards" for doing things. One example: the MsgIDs stamped into a message are valid only on the machines that generated them, especially on firewalls. Assuming that a MsgID stays constant from source to destination will quickly get you lost.

Also, each mail handler has its own way of generating those IDs. Sendmail's IDs are a combination of timestamp and process number. (Beginners should consult the Bat Book to learn how to decode them.) MS Exchange IDs appear to be totally random. (For years, I've been looking for a source of info for this.)

Also, some organizations purposely munge headers in an attempt to "hide" their internal architecture. This sword cuts both ways, though, as it also complicates troubleshooting.

In any case, the article explains the basics of reading headers and basic forgery detection. Count it as a need-to-know.
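A small header tracer for the two points above (per-hop IDs that do not carry across relays, and basic chain checking for forgery), added here as an example; it is not code from the linked article. The headers are constructed, and all hostnames and IDs are placeholders.

```python
import re

# Constructed sample headers (not a real message). MTAs prepend Received:
# lines, so the top one is the final hop and the bottom one is whatever the
# sending side supplied; note that every hop carries its own local queue id.
SAMPLE_HEADERS = """\
Received: from gw.example.net (gw.example.net [192.0.2.20])
\tby mail.example.com (8.13.6/8.13.6) with ESMTP id k5DHGtQq012345;
\tTue, 13 Jun 2006 13:16:55 -0400
Received: from relay.example.org (relay.example.org [198.51.100.7])
\tby gw.example.net (Postfix) with ESMTP id 7F3A2B1C4;
\tTue, 13 Jun 2006 13:16:40 -0400
Received: from [203.0.113.9] (helo=mail.sender.example)
\tby relay.example.org with esmtp id 1FqGx9-0003Kj-00;
\tTue, 13 Jun 2006 13:16:31 -0400
Received: from desk17 (desk17.sender.example [10.1.2.3])
\tby mx.sender.example with SMTP id 42; Tue, 13 Jun 2006 13:16:02 -0400
From: Someone <someone@sender.example>
"""

# from <host> ... by <host> ... id <queue-id>   (the id clause is optional)
RECEIVED = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)"
                      r"(?:.*?\bid\s+(?P<id>[^\s;]+))?")

def unfold(raw):
    """Join folded continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def trace(raw):
    """Return hops in transit order (origin first) and chain anomalies."""
    hops = []
    for h in unfold(raw):
        m = RECEIVED.search(h) if h.lower().startswith("received:") else None
        if m:
            hops.append(m.groupdict())
    hops.reverse()
    anomalies = []
    for earlier, later in zip(hops, hops[1:]):
        # Queue ids are stamped per relay and never carry across hops, so do
        # not try to follow them. The host should: if hop N says "by X", hop
        # N+1 should say "from X". A break means the lower line was not
        # produced by a relay this chain can vouch for (forged or munged).
        if later["from"].strip("[]") != earlier["by"]:
            anomalies.append((earlier["by"], later["from"]))
    return hops, anomalies
```

On the sample, the bottom-most Received line claims to come from mx.sender.example, but the first relay we can trust actually received the message from the bare address 203.0.113.9, so the checker flags that hop for a closer look.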