Zimbra Email Header Analysis: Complete Study
Zimbra is an open source, desktop-based email client and one of the most sought-after email programs among users worldwide. It acts as a database in which multiple items, including contacts, emails and calendars, are saved, and so it falls into the data file category. It uses a proprietary file format, .zdb. It is widely used by home users as well as professionals. Moreover, it is cross-platform, running on Apple's Mac and Linux operating systems as well as Microsoft Windows. It works with multiple types of web-based email programs to synchronize email, contact and other data with the local copy stored on the computer's hard drive. It supports both the POP and MAPI protocols, which let it work with email services such as Yahoo, MS Exchange and Gmail.
As the number of Zimbra users increases, the number of cyber crimes rises with it. It therefore becomes more necessary to investigate crimes involving a Zimbra server. For a specific case, this lets forensic investigators preserve the data files that hold the evidence they need. Tracing an email header is a simple and straightforward analysis process.
Analysis of Zimbra Email Header
When the header information for an email is opened, Zimbra displays the header fields in full.
Now let us consider the various parameters contained in the email header and their significance for establishing the authenticity of an email message.
Delivered-To: The Delivered-To header field indicates the actual mailbox address to which the message was delivered.
From a forensic point of view, comparing this field with the message as delivered makes it easy to establish where the message came from.
Received: The Received field provides transparent information about the path a specific email took. One can easily extract the unique IP address, host name and other relevant information relating to the delivery path of the email.
The main purpose of this field is that it can be used to reconstruct the complete track of the message, including the IP address of the sender. It plays a major role in tracking down criminals and crooks.
Return-Path: The Zimbra Return-Path header field indicates the email address to which notifications for the message (such as bounces) should be sent back. In many cases, this is the same as the sender's email address.
This field matters when an email fails to be delivered to the intended recipient, because the sender must be notified about the failure. Thus, a sender can set his own address here to be notified when a message bounces back.
Authentication-Results: This field reports the results of the authentication checks the receiving server performed on the message at delivery time.
Received From: The Received field is used to trace information about a specific email, showing where the message was sent from. One can extract the unique IP address, host name and other information from the delivery path of the email.
This field makes it possible to find the entire track of the message, including the IP address of the sender, and tells which ID the message was received from.
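As an added example (not Zimbra's code, and not part of the original article), the following Python reconstructs the delivery path that the Received fields describe. Each relay prepends its own Received line, so the topmost line is the last hop and the bottommost is the one closest to the sender; the example reverses that order, pulls out the relay names, bracketed IP addresses and timestamps, and flags a path whose timestamps run backwards, which is one sign of a forged header. The header block, host names and addresses are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: a raw header block with two relay hops, similar to
# what a Zimbra mailbox shows. Hostnames, IPs and queue ids are made up.
SAMPLE_HEADERS = """\
Delivered-To: alice@example.test
Received: from mta-in.example.test (mta-in.example.test [198.51.100.7])
 by zimbra.example.test (Postfix) with ESMTPS id ABC123
 for <alice@example.test>; Mon, 01 Jan 2024 10:00:05 +0000
Received: from mail.sender.test (unknown [203.0.113.9])
 by mta-in.example.test (Postfix) with ESMTP id DEF456;
 Mon, 01 Jan 2024 10:00:01 +0000
Return-Path: <bob@sender.test>
From: Bob <bob@sender.test>
To: alice@example.test
Subject: test
Message-ID: <20240101100000.12345@mail.sender.test>

body
"""

# "from <helo-name> (<reverse-dns> [<ip>]) by <relay>" as written by Postfix-style MTAs
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)"              # name the connecting client announced
    r"(?:\s+\((?P<from_info>[^)]*)\))?"  # optional reverse-DNS name and/or [IP]
    r"\s+by\s+(?P<by>\S+)",              # relay that wrote this Received line
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(raw):
    """Return the delivery path as a list of hops, oldest hop first."""
    msg = message_from_string(raw)
    hops = []
    # Header order is newest hop first, so iterate in reverse.
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:
            continue  # non-standard line; keep going rather than fail the whole trace
        ip_match = IP_RE.search(m.group("from_info") or "")
        timestamp = None
        if ";" in value:  # the date follows the last ';'
            try:
                timestamp = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                timestamp = None
        hops.append({
            "from": m.group("from"),
            "ip": ip_match.group(1) if ip_match else None,
            "by": m.group("by"),
            "time": timestamp,
        })
    return hops


def originating_ip(raw):
    """IP of the earliest hop, i.e. the relay closest to the sender."""
    hops = parse_received(raw)
    return hops[0]["ip"] if hops else None


def path_is_chronological(hops):
    """True if every dated hop is no earlier than the hop before it."""
    times = [h["time"] for h in hops if h["time"] is not None]
    return all(a <= b for a, b in zip(times, times[1:]))


if __name__ == "__main__":
    for hop in parse_received(SAMPLE_HEADERS):
        print(f"{hop['from']} [{hop['ip']}] -> {hop['by']} at {hop['time']}")
    print("originating IP:", originating_ip(SAMPLE_HEADERS))
```

Only the Received lines written by relays you trust (here, your own Zimbra server and its inbound MTA) are reliable; a sender can prepend fabricated ones, so the analyst reads the path from the top down and stops trusting it at the first relay they do not control.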
DKIM-Signature: In this field, the signature of an email is saved in the DKIM-Signature header. In a Zimbra email, it is a technique for verifying the authenticity of the email message and thereby detecting email spoofing and spamming.
Date: This field holds the date and time at which the email message was made available for delivery.
From a forensic point of view, this header specifies the date on which the message was composed and sent.
From: The Zimbra Mail email header From field represents the email identity of the sender who delivered the email.
Forensically, one can easily learn the sender's email address from this field. However, many criminals attempt to manipulate the field using email forging techniques. Thus, this field is less reliable and should not be depended upon in critical email analysis.
Message-ID: When a message is sent, the message ID is a unique key generated by the server. Every email has a different message identifier so that it can be identified uniquely.
Because the message ID is unique, many spammers attempt to manipulate it. The rules for forming a message ID can therefore be used to detect any kind of change made to it.
Subject: A completely free-form field specified by the sender, which states the subject or topic of the message and is very helpful to users.
MIME-Version: The MIME-Version field indicates the MIME version supported by the Zimbra email client.
Zimbra messages always contain MIME-Version 1.0. So, if any other MIME version is found, the message may have been corrupted or manipulated.
Content-Type: The Zimbra mail Content-Type represents the way in which emails are displayed in the application. The various attributes of the content type describe the structure of the email message.
Generally, the Zimbra email client displays the respective content accordingly; it relies on the Content-Type from the email header to determine how the message should be displayed or viewed.
Content-Transfer-Encoding: When an email message is sent over the Web, its content is encoded so that it survives transport intact. The Content-Transfer-Encoding header field specifies the encoding applied to the content.