Thunderbird Email Header Analysis
When the header information for an email is opened, Thunderbird displays the information as:
Now, let us look at the various fields contained in the email header and their significance for judging the authenticity of an email message.
From: The From field of the email header holds the email address of the sender who delivered the message.
Significance: One can easily find the sender's email address for future reference. However, many criminals manipulate this field using email forging techniques, so it is less reliable to depend on in critical email analysis.
Date: The Date field of the Thunderbird email header shows the date and time at which the message was composed at the sender's end.
Significance: This field helps you evaluate the time and date according to the local time zone. Generally, a message is received within a fraction of a second. However, if a received message does not correspond to its time field, or there is a large gap, then other disturbances on the network are suspected.
X-UIDL: This is the unique code entered by the POP3 server to retrieve a message from the server. This id is generally incorporated into the header between the receiver's mail server and the receiver's mail software.
Significance: Since this is added at the receiver's server end, if you find a UIDL field at the server location then it must be considered junk mail, which may have been added by spammers.
X-Mozilla Status: The Thunderbird X-Mozilla-Status field indicates the status of an incoming message. Each email is associated with a hexadecimal value depending on its status. The most commonly used X-Mozilla-Status codes include:

| CODE | MEANING |
| --- | --- |
| 0001 | The email has been read |
| 0002 | A reply has been sent to the email |
| 0004 | The email has been flagged by the user |
| 0010 | The message subject has a RE: field |

Significance: By going through the status codes, the current status of an email message can be determined.
Return Path: The Thunderbird Return-Path header field indicates the email address to which bounce notifications for the message should be sent. In most cases, this is the same as the sender's email address.
Significance: When an email fails to be delivered to the specified recipient, the sender must be informed about the delivery failure. Thus, the sender can set his own address or another address to get notified when a message bounces.
Envelope-to: The SMTP server itself adds the Envelope-to field, which holds the email address of the intended recipient as given in the message envelope.
Significance: Being a more reliable field, it plays a crucial role in determining the actual address of the recipient group.
Delivery Date: The email message delivery date indicates the actual date on which the message was sent from the sender's end. The exact time is also given at the end of this field.
Significance: By comparing the delivery date with the actual date of the email, one can easily find the time difference involved in message delivery.
Received: The Received field denotes the trace information for the specific email. One can extract the unique IP address, host name, and other information related to the delivery path of the email.
Significance: This field can be used to trace the complete path of the message, including the IP address of the sender. It plays a major role in searching for and locating criminals or suspects.
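The following script, added here as an example and not part of the original article, shows how the checks described above can be carried out on a raw header block: it decodes the X-Mozilla-Status bitmask using the codes in the table, walks the Received chain to recover the originating IP and the transit time between the first and last hop, and compares the Return-Path domain with the From domain. The message, host names and IP addresses are constructed for illustration.

```python
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message (not a real capture): RFC 5737 addresses, example.com hosts.
RAW_MESSAGE = """Return-Path: <bounce@mailer.example.net>
Received: from mx.example.com (mx.example.com [192.0.2.10])
\tby inbox.example.com with ESMTP id abc123;
\tMon, 03 Jun 2019 10:15:40 +0000
Received: from sender-pc (unknown [198.51.100.7])
\tby mx.example.com with SMTP;
\tMon, 03 Jun 2019 10:15:10 +0000
From: Alice <alice@example.com>
MIME-Version: 1.0
X-Mozilla-Status: 0013

"""

# X-Mozilla-Status is a bitmask; the bits below are the ones listed in the table above.
STATUS_FLAGS = {0x0001: "read", 0x0002: "replied", 0x0004: "flagged", 0x0010: "has Re:"}
# Matches "from <host> (<reverse-dns> [<ip>])" as most MTAs write it.
HOP_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]\)")


def decode_mozilla_status(hex_code):
    value = int(hex_code, 16)
    return [name for bit, name in STATUS_FLAGS.items() if value & bit]


def received_hops(msg):
    """Return (host, ip, timestamp) per Received: line, newest hop first."""
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(value)
        stamp = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        hops.append((m.group(1), m.group(3), stamp) if m else (None, None, stamp))
    return hops


def analyze(raw):
    msg = email.message_from_string(raw)
    hops = received_hops(msg)
    from_dom = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    bounce_dom = parseaddr(msg["Return-Path"])[1].rsplit("@", 1)[-1].lower()
    return {
        "origin_ip": hops[-1][1],  # oldest Received: line is the hop closest to the sender
        "transit_seconds": (hops[0][2] - hops[-1][2]).total_seconds(),
        "return_path_mismatch": from_dom != bounce_dom,
        "mime_version_ok": msg.get("MIME-Version", "").strip() == "1.0",
        "status": decode_mozilla_status(msg.get("X-Mozilla-Status", "0000")),
    }
```

Run `analyze(RAW_MESSAGE)` to get a dictionary of the findings; a mismatch between the Return-Path and From domains is a prompt for closer inspection, not proof of forgery, since legitimate bulk mailers often use a separate bounce domain.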
Message ID: The email Message-ID is a universally unique key generated by the server while sending the message. Every email has a different message id so that it can be identified uniquely.
Significance: As the message id is a unique key, several spammers attempt to manipulate it. So, message id algorithms can be used to detect any kind of change made to the message id.
User Agent: The User-Agent field associated with an email can be used to identify the medium or email application that was used to send the message.
Significance: One can learn which email application or server the sender used to send the email.
MIME Version: The MIME Version indicates the MIME type supported by Thunderbird.
Significance: Thunderbird messages always contain MIME 1.0 as the MIME Version. So, if any other MIME version is found, the message may be corrupted or manipulated.
Content Type: The Thunderbird email Content Type represents the way or style in which emails are displayed in the application. The various content types denote the structure of messages.
Significance: Generally, the Thunderbird email client ignores meta tags when displaying content. So, it relies on the Content Type from the email header to find out the way in which the message should be displayed.
Content Transfer Encoding: While an email message is sent over the network, encryption is enabled to maintain email authentication. So, the Content Transfer Encoding field specifies the type of encryption applied to the content.
Generally, Thunderbird messages come with 8 bit encryption applied to them.
X-Antivirus: The email header also records the anti-virus application that was used to scan the email message during its delivery.
Significance: If the receiver does not have any anti-virus installed on the system and the sender has anti-virus installed, then the X-Antivirus field records the scan application used at the sender's end as Inbound Message.
However, if an anti-virus application is installed at the receiver's end, then the application details are displayed as Outbound Message.
If an anti-virus application is absent at both the sender's and the receiver's end, then the X-Antivirus field is missing from the header.
X-Antivirus Status: Once an email has been scanned by the anti-virus, this field records the scan status of the email, i.e., whether it is clean or corrupted.
Significance: If the email is found to be corrupted during the scan, then the user should take care to use it only after repair.