Difference between revisions of "Outlook Express Header Format"

From ForensicsWiki
Jump to: navigation, search
(Added notes on Mesage id)
 
Line 1: Line 1:
 
Version 6 of [[Outlook Express]] running on [[Microsoft Windows]] generates headers in the format:
 
Version 6 of [[Outlook Express]] running on [[Microsoft Windows]] generates headers in the format:
  
<pre>From: "Username" <username@sendinghost.com>
+
<pre>
 +
Message-ID: <000f10c7183d$abe4d510$6031a8c0@hostname>
 +
From: "Username" <username@sendinghost.com>
 
To: "Username" <username@receivinghost.com>
 
To: "Username" <username@receivinghost.com>
 
Subject: Testing
 
Subject: Testing
Line 15: Line 17:
  
 
== Message ID Field ==  
 
== Message ID Field ==  
 
+
<!--
 
There is some confusion regarding the Message-id header. Messages created with Outlook Express have a message id field, but at this time we are not sure where exactly it goes in the order of headers. The format of the field is like this:
 
There is some confusion regarding the Message-id header. Messages created with Outlook Express have a message id field, but at this time we are not sure where exactly it goes in the order of headers. The format of the field is like this:
  
 
<pre>Message-id: <000f10c7183d$abe4d510$6031a8c0@hostname></pre>
 
<pre>Message-id: <000f10c7183d$abe4d510$6031a8c0@hostname></pre>
  
This example was not actually generated by Outlook Express. It's a real message id field with some of the digits randomly replaced. The key things to note are the two dollar signs in the field and bare hostname (i.e. no TLD information).
+
This example was not actually generated by Outlook Express. It's a real message id field with some of the digits randomly replaced. The key things to note are the two dollar signs in the field and bare hostname (i.e. no TLD information). -->
 +
 
 +
The Message-ID have 4 parts: [hex time]$[random?]$[hw-hash?]@[hostname]

Latest revision as of 22:39, 28 July 2007

Version 6 of Outlook Express running on Microsoft Windows generates headers in the format:

Message-ID: <000f10c7183d$abe4d510$6031a8c0@hostname>
From: "Username" <username@sendinghost.com>
To: "Username" <username@receivinghost.com>
Subject: Testing
Date: Wed, 4 Apr 2007 14:11:45 +0100
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1807
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1807

Message ID Field

The Message-ID have 4 parts: [hex time]$[random?]$[hw-hash?]@[hostname]