Thunderbird Header Format
From Forensics Wiki
Revision as of 19:29, 26 February 2007 by Jessek
Message-ID: <41B5F981.email@example.com> Date: Tue, 07 Dec 2004 13:42:09 -0500 From: User Name <firstname.lastname@example.org> User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206) X-Accept-Language: en-us, en MIME-Version: 1.0 To: email@example.com Subject: Testing Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit
Extensions such as enigmail may add extra headers.
The Message-ID field has three parts:
- The time the message was sent in seconds past the epoch in hexadecimal.
- A random value called a salt. The salt is of the format #0#0#0# where # is a random digit. Because Thunderbird treats the salt like a number, it may be shorter if the leading digits are zeros. For example, a salt of "0030509" would display as "30509".
- The fully qualified domain name of the sender.
Information on the Message-ID header was derived from the source code in mozilla/mailnews/compose/src/nsMsgCompUtils.cpp in function msg_generate_message_id()