Cybercriminals love email. They love email not only because it can be used to manipulate potential victims but also because it is also very easy to “spoof.” Simply put, a spoofed email is one in which the address in the From field is not that of the actual sender. However, how often do we just scan our our email messages for specific names or subjects and just assume they are legitimate? Every.Single.Day. This is why the bad guys love email.
Identifying a spoofed email requires the careful examination of the message, starting with the email “header.” Before we get into how to examine a header it is important to understand how an email gets transmitted.
After you construct an email message and hit Send your email program (e.g. Gmail, Outlook) uploads the message to a SMTP (Simple Mail Transport Protocol) server, a computer that begins the process of transmitting the message to the intended recipient. Your message is the then relayed from SMTP server to SMTP server across the Internet to its final destination domain (e.g. gmail.com) .
When your message arrives at it’s destination domain it is stored in the recipient’s mailbox at an IMAP (Internet Message Access Protocol) or POP (Post Office Protocol ) server. This email server provides a temporary in-box where the message waits until it is fetched by an email program.
The information contained in the email header provides the details on where the message is coming from, and where it is going to, so all the servers can assist in the routing. Every email message contains two headers. The first is the visible header, which one sees at the top of any email message and contains the From, To, Date, CC, and Subject lines.
The second email header is called the technical header. The technical header is almost always hidden from view but can take a bit of digging in your email client to figure out how to make it visible. The information included in the technical header is all the – you guessed it – technical details required for routing of an email message.
Over the next few posts I will discuss details of the visible header and what to look for in the header to help decipher the legitimacy of an email. I will also discuss the technical header and how it is used by servers and SPAM filters to weed out illegitimate messages.