
Let's Perform A Deep Analysis on IncrediMail Header Portion


Day by day, new technologies keep appearing, but cybercrime is growing just as rapidly. Almost every day we come across news about internet crime. To solve such issues and bring crime down to zero, it is essential to know how to perform header analysis in each email client. In this section we discuss a deep analysis of the email header in the IncrediMail program.

Introduction


IncrediMail is an advanced, feature-rich email application that offers its users a pleasant experience while working with it. It is a desktop-based mail program that also works without an internet connection and provides protection against spam, phishing and fraud attempts. IncrediMail lets users operate their POP and IMAP accounts within it.

Open IncrediMail Email Header

Solution To Open IncrediMail Email Header


A user of IncrediMail can easily view the entire header of a message; the header is attached to every email and holds detailed information about how the message was received. Since the header portion is not visible in the message as normally displayed, open it in IncrediMail with the following procedure:

1. Launch IncrediMail on your machine and double-click the mail on which you want to perform the analysis


2. On the current window, go to File >> Properties


3. In the Properties window, go to the Details tab; there you will find all the header properties of the IncrediMail email


With the help of these manual steps, one can open and read the header of a particular email in IncrediMail. Forensic investigators can go through the following section to understand each header attribute.

About Each Attribute of IncrediMail Header


So far we have seen how to open the header portion of an IncrediMail email. Now you will get to know each attribute used in this header structure, together with its value.

Delivered-To: The Delivered-To header gives the complete email address of the recipient who received that particular mail.

Value: xyz1223@gmail.com

X-Received: This header replaces the To message header needed in a typical SMTP message. At least one X-Received field containing a value should be present; there can also be multiple such fields with multiple recipient addresses.

Value: by 10.98.103.85 with SMTP id b82mr5175618pfc.180.1476958888551; Thu, 20 Oct 2016 03:21:28 -0700 (PDT)


Return-Path: Every email message carries a Return-Path header, which is also called the bounce address or envelope sender address. In general this field holds the sender id and the address to which notifications about the sending activity are sent. However, in IncrediMail the value is shown in hexadecimal format, which encodes the id and the notification.

Value: 3p5oIWBIJAMQmrs1kqk1y1k.zm5s3kqwksv.myw@doclist.bounces.google.com

Received-SPF: This attribute of the IncrediMail header indicates whether the mail was received successfully or not. Its value is either pass or fail: if the mail was not sent or received successfully the value is ‘fail’, otherwise it is ‘pass’.

Value: pass(google.com: domain of 3p5oiwbijamqmrs1kqk1y1k.zm5s3kqwksv.myw@doclist.bounces.google.com designates 2607:f8b0:400e:c00::248 as permitted sender) client-ip=2607:f8b0:400e:c00::248;

Authentication-Results: Email authentication is a collection of techniques whose purpose is to equip email on the network with complete verification. The Authentication-Results header gives a complete report of the authentication procedure. It is considered a trace header in which the receiver records the result of the email authentication it carried out.

Value: mx.google.com; dkim=pass header.i=@gmail.com; spf=pass (google.com: domain of 3p5oiwbijamqmrs1kqk1y1k.zm5s3kqwksv.myw@doclist.bounces.google.com designates 2607:f8b0:400e:c00::248 as permitted sender) smtp.mailfrom=3p5oIWBIJAMQmrs1kqk1y1k.zm5s3kqwksv.myw@doclist.bounces.google.com; dmarc=pass (p=NONE dis=NONE) header.from=gmail.com
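The Received-SPF and Authentication-Results values shown above are machine-readable, so an investigator can pull the verdicts out instead of reading them by eye. The following Python script is an added example written for this article; it is not code from the page or from IncrediMail. It uses the two header values exactly as they appear above as its sample input, strips the parenthesised comments, and splits each into the result token and its key=value properties. The parser also accepts the other result tokens the SPF and Authentication-Results standards define (softfail, neutral, none, temperror, permerror), which this page does not list, and rejects anything else.

```python
import re
from typing import Any, Dict

# Header values as shown on this page (Gmail added them; IncrediMail only displays them).
AUTHENTICATION_RESULTS = (
    "mx.google.com; dkim=pass header.i=@gmail.com; "
    "spf=pass (google.com: domain of 3p5oiwbijamqmrs1kqk1y1k.zm5s3kqwksv.myw@doclist.bounces.google.com "
    "designates 2607:f8b0:400e:c00::248 as permitted sender) "
    "smtp.mailfrom=3p5oIWBIJAMQmrs1kqk1y1k.zm5s3kqwksv.myw@doclist.bounces.google.com; "
    "dmarc=pass (p=NONE dis=NONE) header.from=gmail.com"
)
RECEIVED_SPF = (
    "pass(google.com: domain of 3p5oiwbijamqmrs1kqk1y1k.zm5s3kqwksv.myw@doclist.bounces.google.com "
    "designates 2607:f8b0:400e:c00::248 as permitted sender) client-ip=2607:f8b0:400e:c00::248;"
)

# Result tokens defined for SPF (RFC 7208) and for Authentication-Results (RFC 8601).
KNOWN_RESULTS = {"pass", "fail", "softfail", "neutral", "none", "temperror", "permerror", "policy"}

_COMMENT = re.compile(r"\s*\([^()]*\)")  # CFWS comments such as "(p=NONE dis=NONE)"


def parse_received_spf(value: str) -> Dict[str, str]:
    """Split a Received-SPF value into its result, explanatory comment and key=value pairs."""
    comment = re.search(r"\(([^()]*)\)", value)
    tokens = _COMMENT.sub("", value).strip().rstrip(";").split()
    result = tokens[0].lower()
    if result not in KNOWN_RESULTS:
        raise ValueError(f"unknown SPF result token: {result!r}")
    out = {"result": result, "comment": comment.group(1) if comment else ""}
    for tok in tokens[1:]:
        key, _, val = tok.partition("=")
        out[key] = val.rstrip(";")
    return out


def parse_authentication_results(value: str) -> Dict[str, Any]:
    """Return {'authserv_id': ..., 'methods': {method: {'result': ..., '<property>': ...}}}."""
    stanzas = [s.strip() for s in _COMMENT.sub("", value).split(";") if s.strip()]
    parsed: Dict[str, Any] = {"authserv_id": stanzas[0], "methods": {}}
    for stanza in stanzas[1:]:
        tokens = stanza.split()
        method, _, result = tokens[0].partition("=")
        info = {"result": result.lower()}
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            info[key] = val
        parsed["methods"][method.lower()] = info
    return parsed


def all_passed(parsed: Dict[str, Any], required=("spf", "dkim", "dmarc")) -> bool:
    """True only when every required method reports 'pass'; a missing method counts as a failure."""
    return all(parsed["methods"].get(m, {}).get("result") == "pass" for m in required)


if __name__ == "__main__":
    spf = parse_received_spf(RECEIVED_SPF)
    auth = parse_authentication_results(AUTHENTICATION_RESULTS)
    print("SPF:", spf["result"], "client-ip:", spf["client-ip"])
    print("Verified by:", auth["authserv_id"])
    for method, info in auth["methods"].items():
        print(f"  {method}: {info['result']}")
    print("All checks passed:", all_passed(auth))
```

The authserv-id (mx.google.com here) tells you which server performed the checks; a result recorded by a server that is not your own receiving host deserves no trust, since anyone can write an Authentication-Results line into a message before it is sent.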


DKIM-Signature: The DKIM-Signature originates when a digital signature, in the form of keys, is attached to each mail that is to be sent. These signatures are part of email authentication and serve to verify whether the sender or receiver is genuine.

Value: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:reply-to:references:message-id:date:subject:from:to:cc; bh=TEXcyR4RTVa001MMa6yaOknF0nLZejkncPbezZ1vmwc=; b=KJn9lm/M7BQyVzz6q6m4OGDIVGu+g+jNTuX9SbI7IkQaUxaF6VJrgx14Lp5b+M1kMB dYLpz095EPLClySb0AEIg+GF3zQMC/hmw4Ft3bim7wVowqCUpGhOfsUZokCfZhSN+K66 aI6bbl1EkbGSFXhOnb2WCqSahY8HUzwUdkTi7pV7Rorqj8n2rM17S2akgih5g2pWJOMU qRQ08E87eZrbzwNAop80OESAGlILbisum6nHB74scrL6tmsC1c0bK5GBARLR1SQvlGuO ggC/90uB4cEiTI8x4rT6mN4ArIQVikHGb95pVaeOIgclnZChar6plNyLrF3b6YVX1/r/ JBpg==

X-Google-DKIM-Signature: An email client can prevent spoofing by adding a signature to the header of outgoing messages with the help of the DKIM standard. It involves using a private domain key for encryption of outgoing messages. On the other end, receiving servers can retrieve the public key to decrypt those incoming headers and perform verification.

Value: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:reply-to:references:message-id:date :subject:from:to:cc; bh=TEXcyR4RTVa001MMa6yaOknF0nLZejkncPbezZ1vmwc=; b=OSlBGkAj0L3QIfVQUmlm4tpDNPbXWOD+2RJnfcL5PI6Dlch+q/Ol82OB3VNRi7LOPq elxCbEVKAIDjwOsHcHE/eTgi3waLGn+b3I2iWpyGpRMj9Knod7tlzU9keKxzbf8aJCdN HIn2WJd9beyfifX+bSGjbpCblMN0+C9Ay9KkEOgGryX/R7XwqKSrk0UqP6OB1FVsj/eI 01GmAUqXx9x+JNGOCy9Y8pMcRWfoFFAi5jPR0d6irgZCe4unmn9umu29xnPDzPw+PnGn X/fgB6zdotaxd9zInDMr8v9o9Mo9g5M+jIkkSYwJ+gOeE57PSq7w2CcnNZ8Z7vYoB0q5 un7Q==
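Both the DKIM-Signature and the X-Google-DKIM-Signature above use the same tag=value layout, so one parser serves both. The Python script below is an added example for this article, not code from the page or from IncrediMail. It takes the DKIM-Signature value shown above as its sample input, breaks it into tags, lists the headers the signature covers (the h= tag), derives the DNS name where the signer's public key is published (selector._domainkey.domain, as the DKIM standard defines it), and performs the body-hash half of verification: canonicalising a message body the way the c= tag demands and comparing its hash with bh=. The b= signature itself can only be checked with the public key fetched from that DNS record, which is outside this offline example; the message body that produced the page's bh= value is not shown on the page, so the body-hash comparison is demonstrated on constructed bodies.

```python
import base64
import hashlib
import re
from typing import Dict, List

# DKIM-Signature value as shown on this page (Gmail's signature). The spaces inside
# b= are header folding that IncrediMail preserved when displaying the header.
DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; "
    "h=mime-version:reply-to:references:message-id:date:subject:from:to:cc; "
    "bh=TEXcyR4RTVa001MMa6yaOknF0nLZejkncPbezZ1vmwc=; "
    "b=KJn9lm/M7BQyVzz6q6m4OGDIVGu+g+jNTuX9SbI7IkQaUxaF6VJrgx14Lp5b+M1kMB "
    "dYLpz095EPLClySb0AEIg+GF3zQMC/hmw4Ft3bim7wVowqCUpGhOfsUZokCfZhSN+K66 "
    "aI6bbl1EkbGSFXhOnb2WCqSahY8HUzwUdkTi7pV7Rorqj8n2rM17S2akgih5g2pWJOMU "
    "qRQ08E87eZrbzwNAop80OESAGlILbisum6nHB74scrL6tmsC1c0bK5GBARLR1SQvlGuO "
    "ggC/90uB4cEiTI8x4rT6mN4ArIQVikHGb95pVaeOIgclnZChar6plNyLrF3b6YVX1/r/ "
    "JBpg=="
)


def parse_dkim_signature(value: str) -> Dict[str, str]:
    """Parse the tag=value list of a DKIM-Signature (RFC 6376 section 3.5)."""
    tags: Dict[str, str] = {}
    for item in value.split(";"):
        if not item.strip():
            continue
        name, _, val = item.partition("=")  # only the first '=' separates tag from value
        name = name.strip()
        # base64 tags may be folded across lines; whitespace inside them is not significant
        tags[name] = re.sub(r"\s+", "", val) if name in ("b", "bh") else val.strip()
    return tags


def signed_headers(tags: Dict[str, str]) -> List[str]:
    """Header names covered by the signature (the h= tag), lower-cased."""
    return [h.strip().lower() for h in tags["h"].split(":")]


def selector_record(tags: Dict[str, str]) -> str:
    """DNS name of the TXT record holding the public key: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def canonicalize_body(body: str, method: str) -> bytes:
    """'simple' or 'relaxed' body canonicalization (RFC 6376 section 3.4)."""
    lines = body.replace("\r\n", "\n").split("\n")
    if method == "relaxed":
        # collapse runs of SP/TAB and drop trailing whitespace on every line
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":  # ignore empty lines at the end of the body
        lines.pop()
    if not lines:
        return b"\r\n" if method == "simple" else b""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body: str, tags: Dict[str, str]) -> str:
    """Compute the bh= value of a body under the signature's a= and c= tags."""
    c = tags.get("c", "simple/simple")
    body_canon = c.split("/", 1)[1] if "/" in c else "simple"  # 'c=relaxed' alone means simple body
    algo = hashlib.sha1 if tags.get("a", "rsa-sha256").endswith("sha1") else hashlib.sha256
    return base64.b64encode(algo(canonicalize_body(body, body_canon)).digest()).decode("ascii")


def body_hash_matches(tags: Dict[str, str], body: str) -> bool:
    """First half of DKIM verification: does the body still hash to bh=?"""
    return tags["bh"] == body_hash(body, tags)


if __name__ == "__main__":
    tags = parse_dkim_signature(DKIM_SIGNATURE)
    print("Signing domain:", tags["d"], "selector:", tags["s"])
    print("Public key record:", selector_record(tags))
    print("Signed headers:", ", ".join(signed_headers(tags)))
    # constructed body: the real body behind this page's bh= is not shown on the page
    print("Constructed body matches bh=:", body_hash_matches(tags, "Hello world\r\n"))
```

A body-hash mismatch means the body was altered after signing (or that the wrong canonicalisation was applied); a header that is not in the h= list, such as Reply-To in a signature that omits it, can be changed without disturbing the signature, which is why the h= list is worth reading during an investigation.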

X-Gm-Message-State: This field shows the IP address of the receiving end. It can be considered the most important field when collecting evidence during an investigation.

Value: AA6/9RkSpO0k2bV8mcfIzs1ApELo1+xC5+BiTh5hcfXsZPoYfHyVq1BslpsFtFDMLqEIoCX9wCcF/g==

MIME-Version: Multipurpose Internet Mail Extensions let users operate protocols for exchanging different kinds of data files over the network. This field of the IncrediMail header lets users determine the version of MIME used in an email.

Value: 1.0

Reply-To: The Reply-To header field is very useful when a user wants to reply to a mail directly, just by clicking the Reply button.

X-Originating-IP: This value denotes the IP address of the server from which the mail originated.

X-No-Auto-Attachment: This field is rarely found in email header analysis. It gives the total number of attachments appended to each email.

Message-ID: This is the unique id of the email, formed from a combination of numbers and letters with some web extension.
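Once the header has been copied out of the Details tab, the attributes discussed above can be pulled into a single summary rather than read one by one. The Python script below is an added example for this article and is not code from the page or from IncrediMail. Its input is a constructed header block: Delivered-To, the first X-Received, Return-Path and MIME-Version carry the values shown on this page, while the second X-Received, From, Subject, X-Originating-IP and Message-ID lines are placeholders, since the page gives no values for them. The standard library's email parser handles the folded (multi-line) X-Received lines, and the script also extracts the relaying host and timestamp from each (X-)Received line and compares the Return-Path domain with the From domain.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr, parsedate_to_datetime
from typing import Dict, List

# Constructed raw header block (see the note above on which lines come from the page).
RAW_HEADERS = "\r\n".join([
    "Delivered-To: xyz1223@gmail.com",
    "X-Received: by 10.98.103.85 with SMTP id b82mr5175618pfc.180.1476958888551;",
    "        Thu, 20 Oct 2016 03:21:28 -0700 (PDT)",
    "X-Received: by 192.0.2.25 with SMTP id constructed0001;",          # constructed
    "        Thu, 20 Oct 2016 03:21:27 -0700 (PDT)",
    "Return-Path: <3p5oIWBIJAMQmrs1kqk1y1k.zm5s3kqwksv.myw@doclist.bounces.google.com>",
    "From: Constructed Sender <constructed.sender@gmail.com>",            # constructed
    "Subject: constructed subject line",                                  # constructed
    "X-Originating-IP: [192.0.2.10]",                                     # constructed
    "Message-ID: <constructed-0001@mail.gmail.com>",                      # constructed
    "MIME-Version: 1.0",
    "",
    "",
])


def parse_headers(raw: str) -> EmailMessage:
    """Parse a saved header block with the standard library (handles folded lines)."""
    return email.message_from_string(raw, policy=policy.default)


def _unfold(value) -> str:
    # Collapse folding whitespace so a header reads as one line whatever the policy returned.
    return " ".join(str(value).split())


def received_chain(msg: EmailMessage) -> List[Dict[str, object]]:
    """For each Received / X-Received line: the 'by' host and the timestamp after the last ';'."""
    hops = []
    for name in ("Received", "X-Received"):
        for value in msg.get_all(name, []):
            text = _unfold(value)
            words = text.split()
            by = words[words.index("by") + 1] if "by" in words else ""
            stamp = parsedate_to_datetime(text.rsplit(";", 1)[-1].strip())
            hops.append({"header": name, "by": by, "time": stamp})
    return hops


def header_summary(raw: str) -> Dict[str, object]:
    """The attributes discussed in this article, pulled out into one dictionary."""
    msg = parse_headers(raw)
    return {
        "delivered_to": _unfold(msg["Delivered-To"]),
        "return_path": parseaddr(_unfold(msg["Return-Path"]))[1],  # bounce / envelope sender
        "from_address": parseaddr(_unfold(msg["From"]))[1],
        "originating_ip": _unfold(msg["X-Originating-IP"]).strip("[]"),
        "message_id": _unfold(msg["Message-ID"]),
        "mime_version": _unfold(msg["MIME-Version"]),
        "hops": received_chain(msg),
    }


def envelope_matches_from(summary: Dict[str, object]) -> bool:
    """Whether the bounce address and the From address share a domain. A mismatch is normal
    for mailing lists and notification services (as in this page's sample), so it is a
    prompt to look closer, not a verdict."""
    rp_domain = str(summary["return_path"]).rsplit("@", 1)[-1].lower()
    from_domain = str(summary["from_address"]).rsplit("@", 1)[-1].lower()
    return rp_domain == from_domain


if __name__ == "__main__":
    summary = header_summary(RAW_HEADERS)
    for key, value in summary.items():
        if key != "hops":
            print(f"{key:>15}: {value}")
    for hop in summary["hops"]:
        print(f"{hop['header']}: by {hop['by']} at {hop['time'].isoformat()}")
    print("Return-Path domain matches From domain:", envelope_matches_from(summary))
```

Reading the hops in order, with their timestamps, is the quickest way to see where a message entered the receiving provider's infrastructure; a hop whose timestamp runs backwards, or a host that does not belong to the provider named in the authserv-id, is the kind of inconsistency an investigator records.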

Conclusion


Apart from the above-mentioned attributes of the IncrediMail header, the remaining header components are common ones that a normal user can easily recognise. We have now covered all the attributes of the IncrediMail email header, so an investigation can be carried out without complications. The IncrediMail email header analysis tool offers an advanced Email Search Tool.