You Have Mail

Tim Watson explains how vulnerable email protocols can be abused and how to catch those who do it.

Email started life as a novelty and has risen to become a necessity. But the speed, flexibility and low costs of email communication have been turned into a weapon. From spam to spear phishing, your inbox can place you one click away from disaster. In fact, you don’t even need to click to be in danger. How can you tell the good from the bad, the genuine from the fake? How is a deceptive email constructed and how can it be spotted? Let’s find out.

As with any form of defence, knowledge is power. The main weakness exploited by those who send malicious emails is ignorance. The vast majority of users do not have a clue how emails work, how they are constructed or how they get from source to destination. That is both a credit to the design of the email system, which provides a simple and reliable communication method with no need for the user to understand the machinery, and an opportunity for those who do understand the system to perform nefarious electronic sleight of hand on the trusting masses of email users who embrace its magic.

To understand the dangers and the ways to reduce them, we need to peek behind the curtains and discover the secrets of the processes and protocols that make up the modern email system. By understanding how emails work, we will be able to spot the weak points and to discover the trail of clues left by those who seek to abuse the system for their own advantage.

We will start by following the typical journey of an email from composition to the point at which it is read at its destination. In simple terms, an email is composed in a mail client such as Mozilla Thunderbird or Outlook Express, sent to a mail server (e.g. Sendmail), which then forwards it through other mail servers until it reaches the destination mail server. To be precise, if the sender and receiver use the same mail server then there will only be one mail server involved, and if the email is sent to diverse recipients then there will be several destination mail servers. After the email has arrived, the recipient can use a mail client to download and read the email. If you explore the various standards and documentation relating to email you will discover that there are further components defined, such as mail submission agents, mail delivery agents and mail access agents. You’ll also see that clients are often called mail user agents (MUAs) and that mail servers are called mail transfer agents (MTAs).

For the purposes of this article, we need to explore the format of emails, the client and server programs that process them and the protocols used to transport them. There is also another area that provides an attacker with a wealth of opportunities and that is HTML, commonly found within emails and often used to mislead and compromise victims, but, since the topic is vast and not specific to emails, it will not be covered here. The interested reader is directed to the many resources on the Web to do with Web-based attacks, drive-by downloads, cross-site scripting etc. I have to admit that there is a certain, delicious irony in directing readers to HTML pages to discover more about HTML attacks. As well as looking at how attackers can exploit emails to deceive victims, we are also interested in how to detect their deception and how to determine the identity of the attacker. Again, the limitations of space prevent us from covering a number of useful avenues of investigation. These include the various attribution techniques that rely on the details contained in the network packets associated with sending and receiving emails and the evidence contained in the machines running mail servers. Our investigation will be based solely on the information available from an email retrieved by a mail client.

Email Message Format

An email message is contained in an envelope. The envelope is defined in the RFC 5321 document (you can find this and other RFCs at http://www.ietf.org/rfc.html) that describes the Simple Mail Transfer Protocol (SMTP) and, just like a standard mail envelope, it tells the mail system where to deliver it. We’ll look more closely at the envelope later but for now we will concentrate on the message itself.

A typical email, as viewed by a user, is shown in Figure 2. The mail client shows which mail folder is being viewed, a list of email subject lines, usually in date order, and a preview pane that displays the contents of the currently selected email. However, what is displayed is often only a selected part of the email. The actual email source can be viewed (using CTRL+U or choosing ‘view message source’ in a menu) and doing so will reveal the full email as received by the mail client. RFC 5322 and RFC 2045 together provide an authoritative description of the format of an email message.
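As an added example, not code from the article, the following Python script parses a constructed message source of the kind ‘view message source’ reveals. It goes one step beyond the text above by reading the Received trace fields that RFC 5322 defines and that each mail transfer agent prepends as the message passes through, reconstructing the journey from origin to destination, and by comparing the RFC 5321 envelope sender (kept by the last server as Return-Path) with the RFC 5322 From header the user sees. The message, hostnames and addresses are made up for illustration.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed sample (not from the article): hosts and addresses are made up.
RAW_MESSAGE = b"""Return-Path: <bounce@example.net>
Received: from mx.example.org (mx.example.org [192.0.2.20])
 by mail.example.com with ESMTP; Sat, 01 May 2010 10:00:05 +0000
Received: from relay.example.net (relay.example.net [192.0.2.10])
 by mx.example.org with ESMTP; Sat, 01 May 2010 10:00:02 +0000
Received: from [192.0.2.5] (unknown [192.0.2.5])
 by relay.example.net with SMTP; Sat, 01 May 2010 10:00:00 +0000
From: "Accounts" <accounts@example.com>
Subject: Invoice attached

Please see the attached invoice.
"""

HOP_RE = re.compile(r"from (\S+).*?\bby (\S+)")

def parse_message(raw: bytes):
    """Parse the raw source into RFC 5322 header fields plus body."""
    return email.message_from_bytes(raw, policy=policy.default)

def delivery_path(msg):
    """Each MTA prepends its own Received field, so the top one is the final
    hop; reading bottom-up gives (claimed sending host, receiving host) pairs."""
    hops = []
    for field in reversed(msg.get_all("Received", [])):
        text = " ".join(str(field).split())  # unfold the header, squeeze spaces
        m = HOP_RE.search(text)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops

def chain_is_consistent(hops):
    """The host that received hop N should be the host handing over hop N+1.
    A break is a lead, not proof: the 'from' part is what the sender claimed."""
    return all(hops[i][1] == hops[i + 1][0] for i in range(len(hops) - 1))

def sender_domains_differ(msg):
    """Return-Path holds the envelope sender (RFC 5321); From is the header the
    user sees (RFC 5322). Differing domains are an early thing to check."""
    envelope = parseaddr(str(msg.get("Return-Path", "")))[1]
    header = parseaddr(str(msg.get("From", "")))[1]
    return envelope.rpartition("@")[2].lower() != header.rpartition("@")[2].lower()
```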


The full article appears in Issue 3 of Digital Forensics Magazine, published 1st May 2010.

