Mail Diagnostics: Getting The Original View

When dealing with problematic emails, it is vitally important to get a proper view of the full message headers. Mail clients (such as the Google Mail client on the web) normally hide this view and show only the everyday headers such as “From”, “Subject”, “To”, etc.

However, the Google Mail client does allow the raw headers to be shown, via the “Show original” command.

Firstly, when you are reading the mail in question, look at the menu under the “Reply” button :-

[Screenshot: the “Reply” button and its drop-down arrow]

The “Reply” button (underlined in the screenshot) has a drop-down arrow next to it. If you select that, you get the menu :-

[Screenshot: the drop-down menu containing the “Show original” option]

The “Show original” option opens a very plain-looking page containing nothing but the raw text of the email, which will look something like :-

Delivered-To: mike.meredith@port.ac.uk
Received: by 10.64.133.101 with SMTP id pb5csp2715007ieb;
        Thu, 17 Sep 2015 03:23:19 -0700 (PDT)
X-Received: by 10.66.253.170 with SMTP id ab10mr70840708pad.135.1442485399205;
        Thu, 17 Sep 2015 03:23:19 -0700 (PDT)
Return-Path: <upngxfym@quicvt.com>
Received: from quicvt.com ([122.190.89.187])
        by mx.google.com with ESMTP id yo3si4299121pbb.127.2015.09.17.03.23.09
        for <mike.meredith@port.ac.uk>;
        Thu, 17 Sep 2015 03:23:19 -0700 (PDT)
Received-SPF: neutral (google.com: 122.190.89.187 is neither permitted nor denied by best guess record for domain of upngxfym@quicvt.com) client-ip=122.190.89.187;
Authentication-Results: mx.google.com;
       spf=neutral (google.com: 122.190.89.187 is neither permitted nor denied by best guess record for domain of upngxfym@quicvt.com) smtp.mailfrom=upngxfym@quicvt.com
Message-ID: <2ED9BF882B94D9ACDC5E3863B7CEB321@quicvt.com>
From: =?utf-8?B?5r2Y5YWI55Sf?= <upngxfym@quicvt.com>
To: <mike.meredith@port.ac.uk>
Subject: =?utf-8?B?77yI6YKA6K+35Ye977yJ6IGM5Zy65r2c6KeE5YiZLS3kuK3lnZrlipvph4825aCC6K++?=
Date: Thu, 17 Sep 2015 18:23:03 +0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_0B32_01510E77.1F352EB0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512

This is a multi-part message in MIME format.

(The message body would normally follow at this point.)

This “original view” lets us look more closely at where an email actually came from. Each “Received” header records a mail server that handled the message (reading from the bottom up), and the “Authentication-Results” header records what the receiving server found when it checked the sender.

The Authentication Check

When looking at the “original view”, there is one header whose contents are a good indicator of whether the email was really sent by someone using the sender’s account, rather than by someone merely claiming to be that sender. It is added by the receiving mail server (here Google’s, which names itself “mx.google.com”), and looks like this :-

Authentication-Results: mx.google.com;
 spf=pass (google.com: domain of mike.meredith@port.ac.uk designates 2607:f8b0:400d:c04::229 as permitted sender) smtp.mailfrom=mike.meredith@port.ac.uk;
 dkim=pass header.i=@port.ac.uk

The significant parts are the header name (“Authentication-Results”), the two results “spf=pass” and “dkim=pass”, and the addresses they were checked against, “smtp.mailfrom=mike.meredith@port.ac.uk” and “header.i=@port.ac.uk”. Two things are worth checking before trusting them: the first field should name your own receiving mail server (mx.google.com here), since a header claiming to come from anywhere else could have been inserted by the sender; and the domain in those addresses should match the domain of the “From” address, since a pass for some unrelated domain says nothing about the sender on display. Given both, there is a reasonable degree of confidence that the mail was in fact sent using the account named in the header (mike.meredith@port.ac.uk), or at least through a server that is permitted to send mail for port.ac.uk.

In the event that a mail passing these checks was spam, there is a good chance that the sender’s account has been compromised, rather than merely impersonated.

But It Says “From …”

The “From” header in an email is just a label; anyone who controls the mail software they use can put anything they like in it. That is why the authentication results above matter: they are added by the receiving server rather than by the sender, and are what tells you whether the sender was actually permitted to use that address.
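To pull the above together, here is a small Python script that reads the raw text from “Show original” and automates the checks described in the last two sections. It is an added example, not code from the original post or from Google Mail. It decodes the “=?utf-8?B?…?=” encoded “From” and “Subject” fields, lists the sending hosts from the “Received” chain, and applies the authentication check with the two guards mentioned above: only the Authentication-Results header stamped by your own receiving server (assumed to be mx.google.com, as in the post) counts, and the domain that passed SPF or DKIM must match the “From” domain. The two samples are constructed from the headers quoted earlier; the second has a “From” line added as an assumption, because the post shows only its Authentication-Results header.

```python
"""Added example: inspect the raw ("Show original") view of a message and
apply the Authentication-Results check described above."""
import email
import re
from email import policy

# Constructed sample 1: headers of the spam message quoted in the post
# (trimmed; the body would follow the blank line).
RAW_SPAM = """\
Delivered-To: mike.meredith@port.ac.uk
Received: by 10.64.133.101 with SMTP id pb5csp2715007ieb;
        Thu, 17 Sep 2015 03:23:19 -0700 (PDT)
Return-Path: <upngxfym@quicvt.com>
Received: from quicvt.com ([122.190.89.187])
        by mx.google.com with ESMTP id yo3si4299121pbb.127.2015.09.17.03.23.09
        for <mike.meredith@port.ac.uk>;
        Thu, 17 Sep 2015 03:23:19 -0700 (PDT)
Authentication-Results: mx.google.com;
       spf=neutral (google.com: 122.190.89.187 is neither permitted nor denied by best guess record for domain of upngxfym@quicvt.com) smtp.mailfrom=upngxfym@quicvt.com
From: =?utf-8?B?5r2Y5YWI55Sf?= <upngxfym@quicvt.com>
Subject: =?utf-8?B?77yI6YKA6K+35Ye977yJ6IGM5Zy65r2c6KeE5YiZLS3kuK3lnZrlipvph4825aCC6K++?=

"""

# Constructed sample 2: the passing Authentication-Results header quoted in
# the post, plus an ASSUMED From line (the post shows only the header) so the
# From-domain alignment check has something to compare against.
RAW_PASS = """\
Authentication-Results: mx.google.com;
 spf=pass (google.com: domain of mike.meredith@port.ac.uk designates 2607:f8b0:400d:c04::229 as permitted sender) smtp.mailfrom=mike.meredith@port.ac.uk;
 dkim=pass header.i=@port.ac.uk
From: <mike.meredith@port.ac.uk>

"""


def parse_authentication_results(value):
    """Split an Authentication-Results value (RFC 7601) into its authserv-id
    and a list of {method, result, property: value} dicts."""
    cleaned = re.sub(r"\([^()]*\)", " ", value)  # drop free-text comments first
    clauses = [c.strip() for c in cleaned.split(";") if c.strip()]
    authserv_id = clauses[0].split()[0]          # e.g. "mx.google.com"
    results = []
    for clause in clauses[1:]:
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        entry = {"method": method.lower(), "result": result.lower()}
        for token in tokens[1:]:                 # smtp.mailfrom=..., header.i=...
            key, sep, val = token.partition("=")
            if sep:
                entry[key.lower()] = val
        results.append(entry)
    return authserv_id, results


def received_hops(msg):
    """(host, ip) for every Received header with a 'from' clause, oldest first.
    Hops that only say 'by ...' (Google's internal relay above) are skipped."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = re.match(r"from\s+(\S+)(?:\s+\(([^)]*)\))?", str(hdr).strip(), re.I)
        if m:
            ip = re.search(r"\[([0-9A-Fa-f.:]+)\]", m.group(2) or "")
            hops.append((m.group(1), ip.group(1) if ip else None))
    return hops


def assess(raw, trusted_authserv_id="mx.google.com"):
    """The post's check with two guards: only the header stamped by our own
    receiving server counts (a sender can insert a fake one upstream), and the
    domain that passed must match the From domain (strict alignment), because
    a pass for some unrelated domain says nothing about the displayed sender."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]            # policy.default decodes =?utf-8?B?...?=
    from_domain = sender.domain.lower()
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_authentication_results(str(value))
        if authserv_id.lower() != trusted_authserv_id:
            continue                             # not ours: ignore it
        for entry in results:
            verdicts.setdefault(entry["method"], entry)

    def aligned(entry, prop):
        return (entry is not None and entry["result"] == "pass"
                and entry.get(prop, "").rpartition("@")[2].lower() == from_domain)

    spf, dkim = verdicts.get("spf"), verdicts.get("dkim")
    return {
        "from_display_name": sender.display_name,
        "from_address": sender.addr_spec,
        "subject": str(msg["Subject"] or ""),
        "hops": received_hops(msg),
        "spf": spf["result"] if spf else None,
        "dkim": dkim["result"] if dkim else None,
        "authenticated": aligned(spf, "smtp.mailfrom") or aligned(dkim, "header.i"),
    }


if __name__ == "__main__":
    for label, raw in (("spam", RAW_SPAM), ("pass", RAW_PASS)):
        print(label, assess(raw))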

This entry was posted in Email and tagged , , , , , . Bookmark the permalink.