Outlook Express Header Format

From ForensicsWiki
Revision as of 12:46, 20 June 2007 by Jessek (Talk | contribs) (Added notes on Message id)


Version 6 of Outlook Express running on Microsoft Windows generates headers in the format:

From: "Username" <username@sendinghost.com>
To: "Username" <username@receivinghost.com>
Subject: Testing
Date: Wed, 4 Apr 2007 14:11:45 +0100
MIME-Version: 1.0
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1807
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1807

Message ID Field

There is some confusion regarding the Message-id header. Messages created with Outlook Express have a Message-id field, but at this time we are not sure exactly where it falls in the order of headers. The field has the following format:

Message-id: <000f10c7183d$abe4d510$6031a8c0@hostname>

This example was not actually generated by Outlook Express; it is a real Message-id field with some of the digits randomly replaced. The key things to note are the two dollar signs in the field and the bare hostname (i.e. no TLD information).
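
An added example, not part of the original wiki page: a Python check that flags a message whose X-Mailer claims Outlook Express but whose other headers deviate from the pattern described above, giving an examiner leads to review. The function name, the placement of Message-id in the sample, and the rule that X-MimeOLE carries the same version as X-Mailer (true of the page's sample only) are assumptions.

```python
import re
from email import message_from_string

# Constructed sample built from the header lines and Message-id shown on this page.
# The position of Message-id is arbitrary; the page does not establish it.
SAMPLE = (
    'From: "Username" <username@sendinghost.com>\n'
    'To: "Username" <username@receivinghost.com>\n'
    'Subject: Testing\n'
    'Date: Wed, 4 Apr 2007 14:11:45 +0100\n'
    'Message-id: <000f10c7183d$abe4d510$6031a8c0@hostname>\n'
    'MIME-Version: 1.0\n'
    'X-Mailer: Microsoft Outlook Express 6.00.2800.1807\n'
    'X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1807\n'
    '\n'
)

VERSION = r"(\d+(?:\.\d+)+)"

def check_oe_headers(raw):
    """Return findings where a message claiming Outlook Express deviates from the pattern."""
    msg = message_from_string(raw)  # header name lookup is case-insensitive
    findings = []
    mailer = re.fullmatch(r"Microsoft Outlook Express " + VERSION,
                          (msg.get("X-Mailer") or "").strip())
    if mailer is None:
        return ["X-Mailer does not claim Outlook Express; checks not applicable"]
    mimeole = re.fullmatch(r"Produced By Microsoft MimeOLE V" + VERSION,
                           (msg.get("X-MimeOLE") or "").strip())
    # Assumption: both headers carry the same version string, as in the sample.
    if mimeole is None or mimeole.group(1) != mailer.group(1):
        findings.append("X-MimeOLE missing or version differs from X-Mailer")
    mid = re.fullmatch(r"<([^<>@\s]+)@([^<>@\s]+)>",
                       (msg.get("Message-ID") or "").strip())
    if mid is None:
        findings.append("Message-ID missing or malformed")
        return findings
    local, host = mid.groups()
    if local.count("$") != 2:    # page: two dollar signs in the field
        findings.append("Message-ID local part does not contain two dollar signs")
    if "." in host:              # page: bare hostname, no TLD information
        findings.append("Message-ID host is not a bare hostname")
    return findings
```
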