When digital forensics investigators study emails to find the source of spoofed messages, they have to analyze every field of the email's structure. The email header is one vital resource: it contains many important fields, one of which is Message-ID. So it is important to understand what Message-IDs are, how they are created and extracted, and how they can help investigators extract useful information.
Taking a Closer Look at Message-ID
According to RFC 2822, the standard for the format of Advanced Research Projects Agency (ARPA) Internet text messages (emails), each email should have a globally-unique identifier to distinguish it from every other email. This identifier is the Message-ID, an important field in the email header. It comprises a long string of characters that ends with a Fully Qualified Domain Name (FQDN).
Message-IDs are generated by the programs that send emails, such as Mail User Agents (MUAs) or Mail Transfer Agents (MTAs). The following is an example of a Message-ID:
A Message-ID can be divided into two parts: the part before the @ and the part after the @.
Many mail services incorporate the date and time at which an email was sent into the Message-ID, along with a random string of characters, to distinguish it from other emails. In the sample Message-ID above, the mail system has used the timestamp of the message at the moment it was sent. The date and time format is YYYYMMDDHHMMSS. Extracting the details from the timestamp (the numerical value in the first part up to the first dot: 20200507100640), we learn the following:
- Year: 2020
- Month: May (05)
- Day: 07
- Time: 10:06:40
The second part of the Message-ID (the text after the @) contains the FQDN. It reveals important details such as the local hostname, which is transactional-email-2, and the local domain name, which is bluedart.com.
You can find the Message-ID of an email in its message header. The following are the steps to extract the message header of an email in Gmail and Outlook:
How to Obtain Message-ID in Gmail?
To obtain the Message-ID of a Gmail message, follow these steps:
Step 1: Open the email message whose Message-ID you need.
Step 2: Click the icon with three dots on the top-right of the message box and select Show original from the options. [See Image 1]
Step 3: A new tab opens containing all the fields of the email header. You can find the Message-ID in it. [See Image 2]
You can also locate it instantly with your web browser's search function (usually activated by the CTRL+F key combination) by searching for the keyword "Message-ID".
How to Obtain Message-ID in Outlook?
The steps to obtain the Message-ID of an email in Microsoft Outlook are given below:
Step 1: Open the email message and click the more actions (v) menu to expand it. [See Image 3]
Step 2: Click View message details. A new window opens containing the email header, in which you can find the Message-ID. [See Image 4]
How Message-ID Helps in Forensic Analysis?
Spoofing a Message-ID isn't easy compared to manipulating other email header fields like Received. Only technically-sound spammers can spoof a Message-ID. So a meticulous analysis of a Message-ID can confirm spoofing and helps an investigator find the source of the email.
Here, we discuss how the Message-ID format of an MTA can help decode the ID and gather important details. Let's take the example of Sendmail, a widely used MTA that delivers and routes email over protocols such as Simple Mail Transfer Protocol (SMTP). It uses the following format for generating the Message-ID of an email:
This is a sample Message-ID generated by Sendmail:
The three sections in the Message-ID are explained below:
- Section 1: This section contains the current date and time in UTC (Coordinated Universal Time) in the format YYYYMMDDHHMM. It consists of 12 decimal digits: 201508131227. Following the format, we can decode the actual delivery time, which is 13.08.2015 at 12:27.
- Section 2: This section is called the queue ID, and its format depends on the Sendmail version used. In Sendmail version 8.10 and higher, the format is YMDhmsSEQpid, where Y=year, M=month, D=date, h=hour, m=minute, s=second, SEQ=sequence number, pid=process ID.
Mapping the format YMDhmsSEQpid onto the section s7DCKVem009817 character by character gives Y = s, M = 7, D = D, h = C, m = K, s = V, SEQ = em and pid = 009817. Here, the characters for details like YMD are not numeric but alphabetic: 's' and 'D'. This is because of the mapping system defined by Sendmail. Consulting this system gives the decimal values for the letters 's' and 'D' as 2008 (year) and 13 (date), respectively. This makes the delivery date 13.08.2008 (7 for M is actually 08 as per the mapping system).
- Section 3: This section contains the FQDN. The part before the first dot (.) is the local host name and the remaining part is the domain name.
By understanding the Message-ID format of a particular MTA like Sendmail, you can examine emails in detail and validate their authenticity. You can use the mapping system to decode the values in the Message-ID, then check whether the date and time match the values shown by the email client (almost every email client, such as Outlook, shows the date and time at which an email was delivered).
Since most MTAs and MUAs incorporate the date and time at which an email is sent into the Message-ID, you can authenticate an email by matching these details against the date and time shown by the email client.
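The two checks described above (splitting a Message-ID into its left part and FQDN, and comparing an embedded timestamp with the Date: header) can be automated. The following Python script is an added example written for this article; it is not code from the original page or from any MTA vendor. The sample message is constructed (hostnames under example.com, a made-up random suffix), the 5-minute tolerance is an assumed threshold, and the queue-ID helper only slices the YMDhmsSEQpid positions described above; it does not implement Sendmail's character-to-number mapping table, which the article does not reproduce.

```python
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message (not a real email). Its Message-ID follows the
# timestamp-prefixed style discussed above: YYYYMMDDHHMMSS.random@host.domain
SAMPLE_RAW = """\
From: notifications@example.com
To: analyst@example.org
Date: Thu, 07 May 2020 10:06:52 +0000
Subject: Shipment update
Message-ID: <20200507100640.1a2b3c4d5e6f@transactional-email-2.example.com>

Your parcel is on the way.
"""

# 12 digits = YYYYMMDDHHMM (Sendmail style), 14 digits = YYYYMMDDHHMMSS
TIMESTAMP_RE = re.compile(r"^(\d{12}|\d{14})(?=\D|$)")


def split_message_id(message_id):
    """Return (left_part, fqdn) for '<left@fqdn>'; angle brackets are stripped."""
    mid = message_id.strip()
    if mid.startswith("<") and mid.endswith(">"):
        mid = mid[1:-1]
    if "@" not in mid:
        raise ValueError("Message-ID has no @ separator")
    left, _, fqdn = mid.rpartition("@")
    return left, fqdn


def split_fqdn(fqdn):
    """First label is the local hostname; everything after the first dot is the domain."""
    host, _, domain = fqdn.partition(".")
    return host, domain


def timestamp_from_message_id(left):
    """Parse a leading 12- or 14-digit timestamp as UTC, or return None."""
    m = TIMESTAMP_RE.match(left)
    if not m:
        return None
    digits = m.group(1)
    fmt = "%Y%m%d%H%M%S" if len(digits) == 14 else "%Y%m%d%H%M"
    try:
        return datetime.strptime(digits, fmt).replace(tzinfo=timezone.utc)
    except ValueError:  # a random number that merely looks like a date
        return None


def split_sendmail_queue_id(queue_id):
    """Slice a Sendmail 8.10+ queue ID (YMDhmsSEQpid) into its positional fields.
    Values are the raw characters; decoding them needs Sendmail's mapping table."""
    if len(queue_id) != 14:
        raise ValueError("expected a 14-character queue ID")
    return {
        "Y": queue_id[0], "M": queue_id[1], "D": queue_id[2],
        "h": queue_id[3], "m": queue_id[4], "s": queue_id[5],
        "SEQ": queue_id[6:8], "pid": queue_id[8:],
    }


def check_message(raw, tolerance=timedelta(minutes=5)):
    """Extract the Message-ID, split it, and compare its embedded time with Date:."""
    msg = message_from_string(raw)
    mid = msg.get("Message-ID")
    report = {"message_id": mid}
    if mid is None:  # the field is optional; its absence is itself a finding
        report["finding"] = "no Message-ID header"
        return report
    left, fqdn = split_message_id(mid)
    host, domain = split_fqdn(fqdn)
    report.update({"left": left, "host": host, "domain": domain})
    embedded = timestamp_from_message_id(left)
    report["embedded_time"] = embedded
    date_hdr = msg.get("Date")
    if embedded is None or date_hdr is None:
        report["finding"] = "no embedded timestamp to compare"
        return report
    sent = parsedate_to_datetime(date_hdr)
    if sent.tzinfo is None:  # '-0000' dates parse as naive; treat as UTC
        sent = sent.replace(tzinfo=timezone.utc)
    delta = abs(sent - embedded)
    report["delta_seconds"] = int(delta.total_seconds())
    report["finding"] = ("consistent" if delta <= tolerance
                         else "timestamp mismatch: inspect Received headers")
    return report


if __name__ == "__main__":
    for key, value in check_message(SAMPLE_RAW).items():
        print(f"{key}: {value}")
```

Run as a script it prints the report for the constructed sample: the local hostname, the domain, the embedded time 2020-05-07 10:06:40 UTC and a 12-second gap to the Date: header, which falls inside the tolerance. A large gap does not prove spoofing on its own (clock skew and queueing delays exist), but it marks the message for the closer Received-header review the article goes on to describe.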
Challenges with Message-ID in Email Forensics
A Message-ID is a unique identifier that distinguishes an email from all others. An email forensic expert can break it down to discover important details about an email and its MTA. However, there are a few challenges:
- The majority of mail systems add a Message-ID field to their emails. However, it is an optional field, and you may come across an email that has no Message-ID.
- There is no standard algorithm for generating Message-IDs; each mail service uses its own algorithm to produce unique identifiers. You need a sound understanding of multiple email platforms and their Message-ID formats to decode these identifiers in a comprehensive investigation.
- You can understand the construction of a Message-ID of an open source MTA like Sendmail because its documentation is easy to obtain. Proprietary programs, however, can make acquiring this information a challenge.
Looking Beyond Message-IDs for Comprehensive Email Examination
Message-ID is an important email header field and can be of great help in an investigation. However, forensic experts need many additional details to conduct investigations. For instance, useful information can be found in other email header fields such as Received:, where each server that has relayed an SMTP message adds its own entry, or the X-headers, where details of security devices like email anti-virus scanners are recorded. Similarly, closer inspection of attachments may require examining their hexadecimal content.
Forensic experts correlate multiple pieces of information in an email message to trace its origin. This can only be done efficiently and in good time with the help of a reliable, feature-rich tool such as Stellar Email Forensic. This software is engineered for accuracy, speed, and versatility (it supports 25+ email file formats). It lets you perform granular searches for emails and offers a case management facility.
Download a free trial of Stellar Email Forensic software to start your email investigation now. The software is available for a free 60-day trial, with all features unlocked in the demo version.