ForensicsWiki will continue to operate as it has before and will not be shutting down. Thank you for your continued support of ForensicsWiki.

Using message id headers to determine if an email has been forged

From ForensicsWiki
Revision as of 17:29, 21 April 2007 by Jessek (Talk | contribs) (Copied from my blog)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

According to the RFCs for email, RFC 822 and RFC 2822, every email should have a message id field that: "provides a unique message identifier that refers to a particular version of a particular message. The uniqueness of the message identifier is guaranteed by the host that generates it. ... This message identifier is intended to be machine readable and not necessarily meaningful to humans. A message identifier pertains to exactly one instantiation of a particular message; subsequent revisions to the message each receive new message identifiers."

The message id headers can prove useful when trying to determine if a email is authentic. Although they can't always prove that message is authentic, they can often show that a message has been forged.

Repeated Message ID

In this case, the forger, when creating a fake email, reuses the headers belonging to an earlier message. The examiner need only compare the Message-ID from the email in question to all of the other email messages in the world. Ok, probably not all of the other email messages out there. Usually just the messages on the systems in question are good enough. But finding the same message id on the "smoking gun" email and an old guacamole recipe can be used as evidence that a message was forged.

Impossible Message ID

This case is more subtle, but can be used quite effectively. Although the RFC states that the message id should be globally unique, it says nothing about how it should be constructed. Most email programs have their own format for generating the message id. For example, Apple Mail uses a Universally Unique Identifier and the sender's domain. Thunderbird, on the other hand, uses a combination of the time the message was sent, a salt, and the sender's domain.

Sample Apple Mail Message ID:

Sample Thunderbird Message ID:

If a message was purportedly sent by a certain email program but does not have a message id created by that program, it has obviously been forged. It would be like a round cookie-cutter making square holes; it just can't happen. Thus, if somebody claims that they received an authentic email, look at the message-id and the format of the headers. If the message id does not match the format for that program, the message has been forged!

See Also