You Have Mail

Tim Watson explains how vulnerable email protocols can be abused and how to catch those who do it.

Email started life as a novelty and has risen to become a necessity. But the speed, flexibility and low costs of email communication have been turned into a weapon. From spam to spear phishing, your inbox can place you one click away from disaster. In fact, you don’t even need to click to be in danger. How can you tell the good from the bad, the genuine from the fake? How is a deceptive email constructed and how can it be spotted? Let’s find out.

As with any form of defence, knowledge is power. The main weakness exploited by those who send malicious emails is ignorance. The vast majority of users have no idea how emails work, how they are constructed or how they get from source to destination. That is a credit to the design of the email system, which provides a simple and reliable communication method with no need for the user to understand the machinery, but it is also an opportunity for those who do understand the system to perform nefarious electronic sleight of hand and deceive the trusting masses of email users who embrace its magic.

To understand the dangers and the ways to reduce them, we need to peek behind the curtains and discover the secrets of the processes and protocols that make up the modern email system. By understanding how emails work, we will be able to spot the weak points and to discover the trail of clues left by those who seek to abuse the system for their own advantage. We will start by following the typical journey of an email from composition to the point at which it is read at its destination. In simple terms, an email is composed in a mail client such as Mozilla Thunderbird or Outlook Express, sent to a mail server (e.g. Sendmail), which then forwards it through other mail servers until it reaches the destination mail server. To be precise, if the sender and receiver use the same mail server then there will only be one mail server involved and if the email is sent to diverse recipients then there will be several destination mail servers. After the email has arrived, the recipient can use a mail client to download and read the email. If you explore the various standards and documentation relating to email you will discover that there are further components defined, such as mail submission agents, mail delivery agents and mail access agents. You’ll also see that clients are often called mail user agents (MUAs) and that mail servers are called mail transfer agents (MTAs).

For the purposes of this article, we need to explore the format of emails, the client and server programs that process them and the protocols used to transport them. There is also another area that provides an attacker with a wealth of opportunities and that is HTML, commonly found within emails and often used to mislead and compromise victims, but, since the topic is vast and not specific to emails, it will not be covered here. The interested reader is directed to the many resources on the Web to do with Web-based attacks, drive-by downloads, cross-site scripting etc. I have to admit that there is a certain, delicious irony in directing readers to HTML pages to discover more about HTML attacks. As well as looking at how attackers can exploit emails to deceive victims, we are also interested in how to detect their deception and how to determine the identity of the attacker. Again, the limitations of space prevent us from covering a number of useful avenues of investigation. These include the various attribution techniques that rely on the details contained in the network packets associated with sending and receiving emails and the evidence contained in the machines running mail servers. Our investigation will be based solely on the information available from an email retrieved by a mail client.

Email Message Format

An email message is contained in an envelope. The envelope is defined in the RFC 5321 document (you can find this and other RFCs at http://www.ietf.org/rfc.html) that describes the Simple Mail Transfer Protocol (SMTP) and, just like a standard mail envelope, it tells the mail system where to deliver it. We’ll look more closely at the envelope later but for now we will concentrate on the message itself.

A typical email, as viewed by a user, is shown in Figure 2. The mail client shows which mail folder is being viewed, a list of email subject lines, usually in date order, and a preview pane that displays the contents of the currently selected email. However, this is often only a selected part of the email. The actual email source can be viewed (using CTRL+U or choosing ‘view message source’ in a menu) and doing so will reveal the full email as received by the mail client. RFC 5322 and RFC 2045 together provide an authoritative description of the format of an email message.
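The distinction drawn above, between the RFC 5321 envelope that tells the mail system where to deliver a message and the RFC 5322 headers that the user actually sees, is exactly where an investigator starts when working only from the source of a received email. The following Python script is an added example written for this page; it is not code from the article or from Digital Forensics Magazine. It parses a constructed sample message (the addresses, hostnames and IP addresses are made up from documentation ranges), compares the domain of the displayed From header with the envelope sender that the final MTA recorded in Return-Path, and walks the Received headers back to the host that first handed the message to a relay.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample message for illustration only (not a real capture).
# Each MTA prepends its own Received header, so the top one is the newest hop.
# The displayed From (RFC 5322) names a bank, but the envelope sender recorded
# in Return-Path (copied from the SMTP MAIL FROM, RFC 5321) is somewhere else.
RAW_MESSAGE = b"""Return-Path: <bounce@relay.example.net>
Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby mx.example.org with ESMTP id ABC123
\tfor <victim@example.org>; Sat, 1 May 2010 10:02:00 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
\tby relay.example.net with SMTP id XYZ789;
\tSat, 1 May 2010 10:01:30 +0000
From: "Bank Support" <support@bank.example.com>
To: victim@example.org
Subject: Action required
Date: Sat, 1 May 2010 10:01:00 +0000
Message-ID: <constructed-1@198.51.100.7>
Content-Type: text/plain; charset="utf-8"

Please verify your account.
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_message(raw: bytes):
    """Parse raw message source, as saved from 'view message source'."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def _domain(header_value) -> str:
    _display_name, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def header_from_domain(msg) -> str:
    """Domain of the From header the user sees (RFC 5322)."""
    return _domain(msg["From"])


def envelope_from_domain(msg) -> str:
    """Domain of the envelope sender (RFC 5321 MAIL FROM), as written
    into Return-Path by the final receiving MTA."""
    return _domain(msg["Return-Path"])


def sender_mismatch(msg) -> bool:
    """True when the displayed sender and the envelope sender disagree.
    Mailing lists and forwarders also do this, so it is a lead, not proof."""
    return header_from_domain(msg) != envelope_from_domain(msg)


def received_chain(msg) -> list:
    """Received headers in chronological order (first hop first), with
    folded whitespace collapsed so that each hop is a single line."""
    hops = msg.get_all("Received", [])
    return [" ".join(str(h).split()) for h in reversed(hops)]


def originating_ip(msg):
    """IPv4 address in the earliest Received header, i.e. the host that
    handed the message to the first relay. Only hops added by MTAs you
    trust are reliable; anything earlier may have been written by the sender."""
    chain = received_chain(msg)
    if not chain:
        return None
    match = IPV4_IN_BRACKETS.search(chain[0])
    return match.group(1) if match else None


if __name__ == "__main__":
    m = parse_message(RAW_MESSAGE)
    print("Header From domain :", header_from_domain(m))
    print("Envelope domain    :", envelope_from_domain(m))
    print("Mismatch           :", sender_mismatch(m))
    for i, hop in enumerate(received_chain(m), 1):
        print(f"Hop {i}: {hop}")
    print("Originating IP     :", originating_ip(m))
```

Run it with `python3` and it reports that the message claims to come from bank.example.com while the envelope sender lives at relay.example.net, then lists the two hops oldest first and picks out 198.51.100.7 as the host that first handed the message to a relay. Reading the Received chain from the bottom up, and stopping at the first hop written by a server you do not control, is the habit to take away: every header above that point was added by infrastructure you can vouch for, everything below it is only as honest as the sender.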


The full article appears in Issue 3 of Digital Forensics Magazine, published 1st May 2010.



Meet the Authors

Dr Tim Watson

Dr Tim Watson is the head of the Department of Computer Technology at De Montfort University
