Email Header Explanation

The document discusses email headers and how they provide key forensic information about an email. It explains how emails are transmitted between servers and received by users, and that email headers contain technical details about the transmission path. The header and body are the two main parts of an email, with the header containing sender, recipient, and transmission route information.


International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395 -0056
Volume: 03 Issue: 02 | Feb-2016 www.irjet.net p-ISSN: 2395-0072

E-Mail Header- A Forensic Key to Examine an E-Mail

Swapnil Gupta (1), Kopal Gupta (2), Dr. Anu Singla (3)
(1,2,3) Institute of Forensic Science & Criminology, Bundelkhand University, Jhansi (U.P.), India

Abstract - In today's world of technology, it is very difficult to identify the location of a crime. The same is true of an e-mail. An e-mail is an electronic message transmitted over a network from one user to another, while the e-mail header is the part of an e-mail that comes before the body of the letter and contains information about the e-mail. Simply put, the e-mail header is the return address and route label of an e-mail. An e-mail consists of two parts: the header, which represents the journey of the e-mail from origin to destination, and the body, which includes the written part as well as any attachments, e.g. pictures, documents, sounds and videos. In the present study an attempt has been made to review the e-mail header and its structure, location, protocols and formation, as well as its forensic examination.

Key Words: E-mail Header, SMTP, MTA, POP, IMAP, MAPI, HTTP

1. INTRODUCTION

"Any sufficiently advanced technology is indistinguishable from magic." - C. Clarke

E-mail, like electricity, refrigeration and broadcasting, is one of those magical technologies which we use every day without really understanding how it works. E-mail is the second most used application on the internet, next to web browsing. 95% of all business documents are created digitally and most of them are never printed. 50 billion e-mails traverse the internet daily. The average business person sends and receives approx. 50 to 150 e-mails every day. E-mail contributes 500 times greater volume to the internet than web pages do. [1]

Nowadays everybody has an e-mail account on some domain. Each e-mail address has two parts: forename@lastname. The forename is known as the e-mail account and the lastname is called the domain name. The domain name is registered with ICANN (Internet Corporation for Assigned Names & Numbers). The Domain Name Server (DNS) is the phonebook of the internet.

Every device involved in communicating on the internet requires an IP (Internet Protocol) address. An IP address is a series of 4 numbers, each ranging from 0 to 255. It allows for a total of 256^4 or 1,099,511,627,776 unique addresses. An IP address may belong to either of two categories: static and dynamic. A static IP address is permanently assigned to devices configured to always have the same IP address (e.g. a website), while a dynamic IP address is temporarily assigned from a pool of available addresses registered to an ISP (Internet Service Provider). An ISP is a commercial vendor which reserves blocks of IP addresses for its users. An ISP may log the date, time, account user information and ANI (Automatic Number Identification). [2] The following table [3] shows the details of all classes of IP addresses:

Fig 1: Classes of IP Address (table not reproduced in this copy)

In today's modern world, e-mail has emerged as a major communication tool in academic, business and social environments. E-mail is short for "Electronic Mail". An e-mail is an electronic message transmitted over a network from one user to another. An e-mail can be simply a few lines of text sent from one user to another, or it can include attachments such as pictures or documents.

© 2016, IRJET | Impact Factor value: 4.45 | ISO 9001:2008 Certified Journal | Page 642

Basically, an e-mail is handled by a minimum of four separate computers:

(i) The computer it is sent from
(ii) The mail server of the sender
(iii) The mail server of the receiver
(iv) The computer that receives the e-mail

Suppose that A wants to send an e-mail to B. A and B use different ISPs for sending and receiving e-mail: A uses alphanet.com and B uses betanet.com. First, A composes an e-mail on his computer, known as A.alphanet.com. The message is then sent from his computer to his mail server, i.e. mailserver.alphanet.com. After this point A has no control over the message; it will be processed by other computers outside his control. When mailserver.alphanet.com finds that the message is to be delivered to B in betanet.com, it places the message in the inbox of B. The next time B checks his e-mail account, he finds that the e-mail from A has been delivered to him.

The following table and diagram illustrate these steps:

Step 1: A composes a message on his computer, known as A.alphanet.com.
Step 2: A.alphanet.com sends the e-mail to mailserver.alphanet.com.
Step 3: mailserver.alphanet.com sends the e-mail to the mail server of B, i.e. mailserver.betanet.com.
Step 4: B uses his computer B.betanet.com to check his e-mail.
Step 5: B.betanet.com retrieves A's e-mail from mailserver.betanet.com.

Fig 2: Life Cycle of A's E-mail to B

An e-mail header is the part of an e-mail that comes before the body of the letter and contains information about the e-mail. In simple words, the e-mail header is the return address and route label of an e-mail.

Therefore an e-mail is made up of two main parts, the header and the body. The header contains all the technical information, such as who the sender and recipient are and how many systems the message passed through on its way. The body contains the actual message, including the written part and the attachment part. An attachment may be any type of file, such as pictures, documents, sound and video, etc. [4]

Location of E-Mail Header

Different users may have their e-mail accounts on different mail servers. In the present study an attempt has been made to review the significance of the e-mail header in commonly used mail servers, i.e. Gmail, Rediffmail and Yahoomail. Here are some examples which illustrate how to view an e-mail header in a particular account.


1. Gmail Account- First of all, log in to your Gmail account. Then go to the inbox, select one of your messages, click on the reply option and then select the show original option. The e-mail header is then shown in a new window.

Fig 3: E-mail Header of Gmail

2. Rediffmail Account- First, log in to your Rediffmail account. Then go to the inbox and select one of your messages. Now click on the show full header option. The e-mail header is then shown in a new window.

3. Yahoomail Account- First of all, log in to your Yahoomail account. Then go to the inbox and select one of your messages. Now click on the full header option. The e-mail header is then shown in the same window.

Working and Protocols of E-Mail

An e-mail system is an integration of several hardware and software components, services and protocols, which provide interoperability between its users and among the components along the path of transfer. The system includes the sender's client and server computers and the receiver's client and server computers, with the required software and services installed on each. Besides, it uses various systems and services of the internet. The sending and receiving servers are always connected to the internet, but the sender's and receiver's clients connect to the internet as and when required. [5]

How Does E-mail Work?

An e-mail system is based on a client-server model.

The Client- The client carries out the user's interactions with the e-mail server. A client can appear in various forms:

a. Application based- These are installed on user machines and include Microsoft Outlook, etc.
b. Web based- These appear in a web browser window and include Gmail, Hotmail, Yahoomail, etc.

The client is also configured with the account information and the names or IP addresses of the e-mail servers it communicates with.

The Server- The client only has to connect to the e-mail server when it sends and receives new e-mail.

How Does an E-mail Server Work?

Most e-mail servers work by running two separate processes on the same machine. Each machine has two servers. The first is an SMTP (Simple Mail Transfer Protocol) server that receives outgoing e-mails from other SMTP servers, and the second is a POP3 (Post Office Protocol 3) server that holds e-mail in a queue and delivers it to the client when it is downloaded. Sometimes, TCP/IP (Transmission Control Protocol/Internet Protocol) port 25 is used to send the mail and POP3 on port 110 is used to check the mail.

Fig 4: Relation between Clients, Servers & Internet


TCP/IP has many ports, ranging from 0 to 65535, and it uses different ports to perform different jobs. For example, port 21 is used for FTP (File Transfer Protocol), port 25 for SMTP (Simple Mail Transfer Protocol), port 80 for HTTP (Hyper Text Transfer Protocol) and port 110 for POP3 (Post Office Protocol 3). Therefore, a protocol is like the address on a post card: it is a bit of computer code used as a communicator between two applications. Ports are also known as "Points of Entry".

Outgoing Mail Protocols
1. SMTP (Simple Mail Transfer Protocol)
2. MTA (Message Transfer Agent) = Message ID

Incoming Mail Protocols
1. POP/POP3 (Post Office Protocol)
2. IMAP (Internet Mail Access Protocol)
3. MAPI (Messaging Application Programme Interface)
4. HTTP (Hyper Text Transfer Protocol)

IMAP is used for viewing e-mail stored on a server. The basic difference between IMAP and POP3 is that IMAP does not download the message while POP3 does. [1]

Commands and Formation of E-Mail Header

SMTP Commands- The most common SMTP commands used for outgoing mail are as follows [6]:

1. HELO Command- The HELO command is used by the sending machine to identify itself. When the SMTP connection is established, the mail server sends a 220 code to signal that it is ready. The client then sends a HELO command, which identifies the sending machine. E.g. if A.alphanet.com sends HELO to Mailserver.alphanet.com, its command would be "HELO A.alphanet.com".
220 Code (<domain> Service Ready)

2. MAIL FROM / ENVELOPE FROM Command- The MAIL FROM command is used to identify the sender's e-mail address and initiates a mail transaction. E.g. "MAIL FROM: A@alphanet.com". This command does not verify that the e-mail address provided is valid. When the mail server accepts this command, it replies with a 250 code.
250 Code (Requested mail action okay, completed)

3. RCPT TO Command- The RCPT TO command is similar to the MAIL FROM command; it specifies the e-mail address of the recipient. E.g. "RCPT TO: B@betanet.com". This command does not verify that the e-mail address provided is valid. When the mail server accepts this command, it replies with a 250 code.
250 Code (Requested mail action okay, completed)

4. DATA Command- The DATA command signifies the message portion of the e-mail. DATA starts the actual mail entry; everything entered after a DATA command is considered part of the message. If the mail server accepts this command, it replies with a 354 code.
354 Code (Start mail input; end with <CRLF>.<CRLF>)

5. QUIT Command- The QUIT command signals the termination of an SMTP session. When the client wants to stop the SMTP connection, the QUIT command is given.
221 Code (Closing Connection) [7]
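The exchange described above, as an added example that is not part of the paper: a toy Python server that accepts only the five commands listed and answers with the stated reply codes, replayed against a constructed session in which A.alphanet.com hands A's message to Mailserver.alphanet.com. The class, the replay function and the sample session are all assumptions made here; note that neither MAIL FROM nor RCPT TO checks that the address exists, which is exactly why the envelope sender is not trustworthy evidence.

```python
# Added example (not from the paper): a toy SMTP server that understands only the five
# commands above and answers with the listed reply codes; everything here is constructed.
class MiniSmtpServer:
    def __init__(self, domain):
        self.domain = domain
        self.mail_from, self.rcpt_to, self.data_lines = None, [], []
        self.in_data = False
        self.messages = []  # accepted messages as (envelope from, recipients, text)

    @staticmethod
    def _addr(arg):  # pull the address out of 'FROM:<a@b>' or 'TO: a@b'; None if malformed
        _, colon, rest = arg.partition(":")
        return (rest.strip().strip("<>") or None) if colon else None

    def handle(self, line):
        """Process one client line; return the reply, or None while message text is entered."""
        if self.in_data:
            if line != ".":  # everything after DATA is message text until <CRLF>.<CRLF>
                self.data_lines.append(line)
                return None
            self.in_data = False
            self.messages.append((self.mail_from, list(self.rcpt_to), "\n".join(self.data_lines)))
            self.mail_from, self.rcpt_to, self.data_lines = None, [], []
            return "250 Requested mail action okay, completed"
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":  # the sending machine names itself; nothing is checked
            return f"250 {self.domain} Hello {arg}"
        if verb in ("MAIL", "RCPT"):  # neither command verifies that the address exists
            addr = self._addr(arg)
            if addr is None:
                return "501 Syntax error in parameters or arguments"
            if verb == "MAIL":
                self.mail_from = addr
            else:
                self.rcpt_to.append(addr)
            return "250 Requested mail action okay, completed"
        if verb == "DATA":
            if self.mail_from is None or not self.rcpt_to:
                return "503 Bad sequence of commands"  # envelope must come first
            self.in_data = True
            return "354 Start mail input; end with <CRLF>.<CRLF>"
        if verb == "QUIT":
            return f"221 {self.domain} Closing Connection"
        return "500 Syntax error, command unrecognized"

def run_session(server, client_lines):
    """Replay the client's lines and return the transcript as (side, text) pairs."""
    transcript = [("S", f"220 {server.domain} Service Ready")]  # the server speaks first
    for line in client_lines:
        transcript.append(("C", line))
        reply = server.handle(line)
        if reply is not None:
            transcript.append(("S", reply))
    return transcript

# Constructed session: A.alphanet.com hands A's message to its own mail server.
SAMPLE_SESSION = ["HELO A.alphanet.com", "MAIL FROM:<A@alphanet.com>", "RCPT TO:<B@betanet.com>",
                  "DATA", "Subject: test", "", "hello B", ".", "QUIT"]
```

Calling run_session(MiniSmtpServer("Mailserver.alphanet.com"), SAMPLE_SESSION) yields the reply codes 220, 250, 250, 250, 354, 250, 221 in that order, matching the sequence the text describes.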


Table: SMTP Sequence of an E-mail [8] (table not reproduced in this copy)

Formation of E-mail Header

The formation of the e-mail header is also called "E-mail Metadata". Metadata in an e-mail message is in the form of control information, i.e. the envelope and headers, including headers in the message body, which contain information about the sender and/or the path along which the message has traversed. [7] The e-mail header is organised from bottom to top. As the message passes through each mail server, that server adds some information on top of the previous information. Such a mail server is referred to as a Message Transfer Agent (MTA), and each one adds a Received section to the e-mail header. E.g. the content of A's mail is written in the first set of the message, A's mail server in the second set and B's mail server in the third set, as shown below:

Fig 5: Parts of E-mail Header (image not reproduced in this copy)

Forensic Examination of E-Mail Header

The e-mail header can be examined by line-by-line analysis.

A. Message Header- It contains information added to the header by the sender's e-mail client. This is user-created information. It contains Date, From, To, Subject, MIME-Version, Content-Type and Content-Length.

Description of Message Header (Header from the Client)

Date: This information is assigned by the sender's machine. It is not important for investigation purposes because the sender's machine may have the wrong date and time.

From: This information is configured in the e-mail client by the user and it may not be reliable.


To: This information is entered by the user. Cc (Carbon Copy) and Bcc (Blind Carbon Copy) allow the sender to add multiple recipients, similar to the To header.

Subject: This information is entered by the user.

MIME-Version: SMTP can send only text, so the method used to send attachments is UUencode or MIME (text, images, video, etc.). UUencode first converts binary to text which can travel by SMTP. MIME (Multi-purpose Internet Mail Extensions) is used to change the nature of the attachment. It encodes images and sounds.

Content-Type: It tells the recipient's e-mail client how to interpret the content of the message.

Content-Length: It tells about all the attachments.

B. Envelope Header- It contains information added to the header by the mail servers that receive the message during its journey. It contains the Received and Message ID lines.

Description of Envelope Header (Header from the Mail Server)

Received: The Received field records a unique numerical address for each computer through which the e-mail passed while being sent, known as an electronic postmark. It can be examined forensically.

Forensic Examination- The message was received from a computer claiming to be A.alphanet.com, and the server IP address is z17mr1009295, on Thu, 13 Nov 2008 20:15:50 -0800 (PST). Therefore it gives the IP address of its mail server. It can indicate the name of the server, the protocol used, and the date and time of the server.

Received: It is the last stamp placed on the header.

Forensic Examination- This message was received from a computer claiming to be Mailserver.alphanet.com, and the server IP address is 160.121.0.5. It was received by Mailserver.alphanet.com with SMTP ID 23so1241039agd on Fri, 14 Nov 2008 09:45:53 +0530. Therefore it gives the IP address of its mail server. It can indicate the name of the server, the protocol used, and the date and time of the server.

Message ID: It is a unique identifier assigned to each message. It is assigned by the first mail server. It can be forensically examined.

Forensic Examination- The Message ID plays a vital role in tracing e-mails. Message IDs are created by both the e-mail client and the mail server. Usually the first part of the ID is created by the client software, while the second part is created by the SMTP server. The given Message ID shows the following information: Year 2008, Month 11, Day 11, Time 09:45:50 GMT.

N.B. The information at Sr. No. [11] is configured in the e-mail client by the user and may not be reliable. It is provided by the MAIL FROM command.

3. CONCLUSIONS

In the present review article an attempt has been made to highlight the anatomy of the e-mail header. An e-mail is not a suitable medium to transfer any information that has to be kept secret, because it is transferred via numerous computer systems that could provide points of access to the content of the e-mail. IANA (Internet Assigned Numbers Authority) has issued some standards for e-mail headers. These are called PMFN (Permanent Message Field Names), which come under [RFC3864]. But most DNS do not follow these standards. At least they need to add some important headers, e.g. Approved, Archive, Comments, Control, Expires, Followup-To, Injection-Date, Injection-Info, Newsgroups, Organization, Path, Summary, Supersedes, User-Agent, Xref, which can be useful in the tracing of an e-mail. Hence, after a thorough examination of the e-mail header one can easily understand its technology and process. This article may be useful not only for forensic scientists but also for the layman.
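Carrying the Forensic Examination section into code, as an added example that is not from the paper: it parses a constructed message whose two Received: stamps mirror the A to B scenario, lists the hops oldest-first (the header is read from the bottom up), computes the delay between consecutive stamps in UTC, checks the Message-ID domain against the first MTA, and measures how far the client-set Date: drifts from the first server stamp. The hostnames, the 192.0.2.10 address, the ids and the timestamps are placeholders modelled on the paper's example; the regex and the functions are assumptions made here, not part of any library.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed raw message (not from the paper) modelled on its A -> B scenario; the
# hostnames, the 192.0.2.10 address, the ids and the timestamps are illustrative only.
RAW_MESSAGE = """\
Received: from Mailserver.alphanet.com ([160.121.0.5])
        by mailserver.betanet.com with SMTP id 23so1241039agd;
        Fri, 14 Nov 2008 09:45:53 +0530
Received: from A.alphanet.com ([192.0.2.10])
        by Mailserver.alphanet.com with ESMTP id z17mr1009295;
        Thu, 13 Nov 2008 20:15:50 -0800 (PST)
Message-ID: <20081114041550.12345@Mailserver.alphanet.com>
Date: Thu, 13 Nov 2008 20:15:40 -0800
From: A <A@alphanet.com>
To: B <B@betanet.com>
Subject: test
MIME-Version: 1.0
Content-Type: text/plain

hello B
"""

# Clauses of one Received: line in the usual "from ... by ... with ... id ..." order.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\(\[?(?P<ip>[\d.]+)\]?\))?.*?"
    r"by\s+(?P<by>\S+)(?:\s+with\s+(?P<with>\S+))?(?:\s+id\s+(?P<id>\S+))?")

def parse_received(value):
    """Split one Received: value into its clauses plus a timezone-aware datetime."""
    clauses, _, date_part = value.rpartition(";")  # the date always follows the last ';'
    m = RECEIVED_RE.search(" ".join(clauses.split()))  # collapse folded whitespace
    fields = {k: v or "" for k, v in (m.groupdict() if m else {}).items()}
    fields["time"] = parsedate_to_datetime(date_part.strip())
    return fields

def hop_chain(raw):
    """Hops oldest-first (Received: lines are stacked newest-first, so the bottom one
    is the first MTA) with the delay in seconds between consecutive hops, computed in UTC."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()
    for i, hop in enumerate(hops):
        hop["delay_s"] = 0 if i == 0 else int((hop["time"] - hops[i - 1]["time"]).total_seconds())
    return hops

def message_id_domain_matches_first_mta(raw):
    """The paper says the Message-ID is assigned by the first mail server: compare its
    domain part with the 'by' host of the oldest Received: stamp."""
    chain = hop_chain(raw)
    mid = (message_from_string(raw).get("Message-ID") or "").strip("<> ")
    return bool(chain) and bool(mid) and mid.rpartition("@")[2].lower() == chain[0]["by"].lower()

def client_date_skew_s(raw):
    """Seconds between the client-set Date: (not trustworthy) and the first MTA stamp."""
    msg = message_from_string(raw)
    return int((hop_chain(raw)[0]["time"] - parsedate_to_datetime(msg["Date"])).total_seconds())
```

On the constructed message the two stamps are 3 seconds apart once both are converted to UTC, and the client's Date: runs 10 seconds ahead of the first server stamp; a large or negative gap here is the usual first sign of a forged or misconfigured client.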

REFERENCES

[1] Ball, C. 5, "Six on Forensics", http://www.craigball.com/_OFFLINE/cf_vcr.pdf, 64-95.

[2] National Institute of Justice (2007), "Investigations Involving the Internet and Computer Networks", Special Report, U.S. Department of Justice, Office of Justice Programs.

[3] Internetworking Technology Overview (1999), "Internet Protocols", http://fab.cba.mit.edu/classes/961.04/people/neil/ip.pdf.

[4] Colvin, T. & Jolley, J. 5, "Viewing E-mail Headers", National Criminal Justice Computer Laboratory & Training Centre.

[5] Banday, M. T., "Technology Corner: Analysing E-Mail Headers for Forensic Investigation", Journal of Digital Forensics, Security and Law, Vol. 6(2).

[6] Riabov, V. V. 5, "SMTP (Simple Mail Transfer Protocol)", Rivier College, https://www.rivier.edu/faculty/vriabov/Information-Security-SMTP_c60_p01-23.pdf.

[7] G.E. Investigations, LLC & Team Majestic Designs, LLC, "How to Interpret E-mail Headers".

[8] Banday, M. T., "Techniques and Tools for Forensic Investigation of E-mail", International Journal of Network Security & Its Applications (IJNSA), Vol. 3, No. 6, November 2011.
