Decoding e-Mail Headers

19 July 2023 - Jacob Anderson

Outlook? Gmail? Wait, AWS?

RFC 821 | RFC 2821 | RFC 5321 + RFC 7504

e-Mail headers tell the story of where a message originated and where it stopped along the way to you. Headers detail the chain of custody for the message.

When forwarding a message into or out of the Internet environment, a gateway MUST prepend a Received: line, but it MUST NOT alter in any way a Received: line that is already in the header section.

I received this email, which is obviously some nefarious attempt to get me to open a PDF, which was attached. You've probably gotten many of these over the years and maybe you've opened one or two by mistake. We all lower our guard and get caught in the spider's web. It's OK.

The FROM line that Outlook shows (I use Outlook for email reading) appears to be "Update - Bill". Huh, obviously scammy in nature, right? The actual From header looks like this: From: "Update~BiII" <jorrimanlombricks@gmail.com>, which spells the "ll" as two capital i characters. This was amateurish, but criminals start somewhere, and this one is starting with header font obfuscation.

So I investigated where this message originated. The first step is to open the message options in Outlook. If you don't know how to do that, then you need to do the following steps to add it to your Quick Access Toolbar:

  • In the top bar of Outlook, left side, find the down-arrow chevron/button and click it.
  • From the menu, choose "More Commands".
  • In the toolbar editor, choose "Commands Not In The Ribbon" from the "Choose Commands From:" dropdown.
  • In the toolbar editor (shown now) find "Message Options", select it, and click "Add >>". This will make it show up on the right in the Quick Access Toolbar.
  • Close the toolbar editor (not Cancel; just click OK).

The message options window is named "Properties" and it gives you details about the selected message. You now open it from the Quick Access Toolbar (top left) in Outlook: select a message and click the new Message Options icon that appears in the toolbar.

There is a text box in this window with the label "Internet headers." Click in that box, type Control+A (select all), then Control+C (copy). Now open Notepad (Start -> Run -> notepad.exe) and Control+V (paste). Close that Properties window so Outlook can keep running.

Looking in the headers, the top most (first) line was:
Received: from PH7P221MB1029.NAMP221.PROD.OUTLOOK.COM (2603:10b6:510:1ab::14) by DM4P221MB0907.NAMP221.PROD.OUTLOOK.COM with HTTPS; Wed, 19 Jul 2023 14:41:56 +0000
This header is injected when a message arrives at a relay or at the final destination. In that most recent Received header you can see that Outlook was the final recipient, which makes sense since it was a Microsoft-hosted mail address.

There's another instance of the Received header that is interesting:
Received: from DB3EUR04FT017.eop-eur04.prod.protection.outlook.com (2603:10a6:10:d4:cafe::16) by DBBPR09CA0043.outlook.office365.com (2603:10a6:10:d4::31) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6609.24 via Frontend Transport; Wed, 19 Jul 2023 14:41:54 +0000
That was a Europe-hosted mail relay. So the mail came out of Europe and landed in NAMP, which is North America. Hmmm, so why would mail to me route through Europe? Let's keep looking. There's an SPF check in the headers, which is fun:
Received-SPF: Pass (protection.outlook.com: domain of gmail.com designates 209.85.214.172 as permitted sender) receiver=protection.outlook.com; client-ip=209.85.214.172; helo=mail-pl1-f172.google.com; pr=C
SPF is the Sender Policy Framework, a way for mail servers to verify that a source IP address is authorized to send email for a domain. You can learn more about SPF in RFC 7208. Note that in the Received-SPF header the source was Google! This spammer sent their email through Gmail. Using Gmail gives the message a little bit of credibility, because Google has DKIM and SPF set up and does lots of validation when you send email through Gmail. But there's more.

This message originated outside of Gmail. How do I know that? The very first (oldest) Received header gives us the clue:
X-Received: by 2002:a17:902:c211:b0:1b2:2c0c:d400 with SMTP id 17-20020a170902c21100b001b22c0cd400mr11915346pll.52.1689777713024; Wed, 19 Jul 2023 07:41:53 -0700 (PDT)
Return-Path: jorrimanlombricks@gmail.com
Received: from EC2AMAZ-VUI87U2 (ec2-35-89-54-10.us-west-2.compute.amazonaws.com. [35.89.54.10]) by smtp.gmail.com with ESMTPSA id v11-20020a170902d68b00b001b8b6a19bd6sm4076020ply.63.2023.07.19.07.41.52 for [redacted] (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 19 Jul 2023 07:41:52 -0700 (PDT)

There's the Amazon AWS smoking gun. So this genius hacker hosts a jump node in North America on the US-West Amazon AWS infrastructure, which then relays mail through Gmail to his targets. You could look up 35.89.54.10 in ARIN to find the owner of that IP, but ARIN doesn't provide much anymore, thanks to data protection laws that protect the criminals who abuse the Internet today.
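The chain-of-custody walk above (oldest Received line first, then the SPF check, then the From display-name trick from earlier) is the kind of thing worth scripting once so it is repeatable. The following is an added example, not code from the original post: it unfolds the headers with the Python standard library, parses each Received hop into HELO name, recorded reverse-DNS name, IP literal, receiving host and timestamp, parses Received-SPF, and flags the capital-I-for-l substitution in the display name. The sample header block is constructed from the header lines quoted on this page (folded as a mail client shows them, unrelated headers dropped, recipient left as the page's "[redacted]"); the heuristic in suspicious_display_name is my own choice, not a standard check.

```python
import email
import ipaddress
import re
from dataclasses import dataclass
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: the Received, Received-SPF and From headers quoted on this
# page, folded onto continuation lines as a mail client shows them; other headers
# are omitted and the recipient is the page's own "[redacted]" placeholder.
SAMPLE_HEADERS = """\
Received: from PH7P221MB1029.NAMP221.PROD.OUTLOOK.COM (2603:10b6:510:1ab::14)
 by DM4P221MB0907.NAMP221.PROD.OUTLOOK.COM with HTTPS; Wed, 19 Jul 2023
 14:41:56 +0000
Received: from DB3EUR04FT017.eop-eur04.prod.protection.outlook.com
 (2603:10a6:10:d4:cafe::16) by DBBPR09CA0043.outlook.office365.com
 (2603:10a6:10:d4::31) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6609.24 via Frontend
 Transport; Wed, 19 Jul 2023 14:41:54 +0000
Received-SPF: Pass (protection.outlook.com: domain of gmail.com designates
 209.85.214.172 as permitted sender) receiver=protection.outlook.com;
 client-ip=209.85.214.172; helo=mail-pl1-f172.google.com; pr=C
Received: from EC2AMAZ-VUI87U2
 (ec2-35-89-54-10.us-west-2.compute.amazonaws.com. [35.89.54.10])
 by smtp.gmail.com with ESMTPSA id
 v11-20020a170902d68b00b001b8b6a19bd6sm4076020ply.63.2023.07.19.07.41.52
 for [redacted] (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Wed, 19 Jul 2023 07:41:52 -0700 (PDT)
From: "Update~BiII" <jorrimanlombricks@gmail.com>

"""

@dataclass
class Hop:
    helo: str        # name the sending host announced in HELO/EHLO (untrusted)
    rdns: str        # reverse-DNS name the receiving host recorded, if any
    ip: str          # address literal the receiving host recorded, if any
    by: str          # the host that wrote this Received line
    timestamp: object  # aware datetime parsed from the text after the last ';'

def _extract_ip(paren):
    # Prefer a bracketed literal ("[35.89.54.10]", "[IPv6:...]"), else a bare address.
    m = re.search(r"\[([^\]]+)\]", paren)
    for cand in ([m.group(1)] if m else paren.split()):
        cand = cand[5:] if cand.startswith("IPv6:") else cand
        try:
            return str(ipaddress.ip_address(cand))
        except ValueError:
            continue
    return None

def _extract_rdns(paren):
    for tok in paren.split():
        try:
            ipaddress.ip_address(tok.strip("[]"))
            continue                       # an address, not a name
        except ValueError:
            pass
        if "." in tok:
            return tok.rstrip(".")         # drop the trailing root dot
    return None

def parse_received(value):
    text = " ".join(value.split())         # unfold RFC 5322 continuation lines
    fm = re.match(r"from\s+(\S+)(?:\s+\(([^)]*)\))?", text)
    bm = re.search(r"\bby\s+(\S+)", text)
    paren = (fm.group(2) or "") if fm else ""
    ts = None
    try:                                   # the date-time follows the last ';'
        ts = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
    except (IndexError, ValueError, TypeError):
        pass
    return Hop(fm.group(1) if fm else None, _extract_rdns(paren),
               _extract_ip(paren), bm.group(1) if bm else None, ts)

def received_chain(raw_headers):
    """Received hops oldest first, so hops[0] is the one nearest the origin."""
    msg = email.message_from_string(raw_headers)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]

def parse_spf(raw_headers):
    value = email.message_from_string(raw_headers).get("Received-SPF")
    if value is None:
        return None
    text = " ".join(value.split())
    return {"result": text.split(" ", 1)[0], **dict(re.findall(r"([\w-]+)=([^;\s]+)", text))}

def suspicious_display_name(from_value):
    """Flag a capital I glued onto a lower-case letter in the display name (the "BiII" trick)."""
    name, _ = parseaddr(from_value)
    return re.search(r"[a-z]I", name) is not None

def origin_report(raw_headers):
    hops = received_chain(raw_headers)
    spf = parse_spf(raw_headers) or {}
    origin, last = hops[0], hops[-1]
    transit = (last.timestamp - origin.timestamp).total_seconds() if origin.timestamp and last.timestamp else None
    return {"hops": len(hops), "origin_helo": origin.helo, "origin_rdns": origin.rdns,
            "origin_ip": origin.ip, "first_relay": origin.by, "spf_result": spf.get("result"),
            # SPF vouches only for the host that handed the mail to the receiver, not for the origin
            "spf_covers_origin": spf.get("client-ip") == origin.ip, "transit_seconds": transit}

if __name__ == "__main__":
    for i, hop in enumerate(received_chain(SAMPLE_HEADERS), 1):
        print(f"hop {i}: {hop.helo} [{hop.ip}] -> {hop.by} at {hop.timestamp}")
    print(origin_report(SAMPLE_HEADERS))
    print("display name suspicious:", suspicious_display_name(email.message_from_string(SAMPLE_HEADERS)["From"]))
```

Run against the sample, hops[0] is the EC2AMAZ-VUI87U2 hop with the recorded reverse-DNS name ec2-35-89-54-10.us-west-2.compute.amazonaws.com and literal 35.89.54.10, handed to smtp.gmail.com; origin_report shows spf_covers_origin as False, because the SPF pass vouches for 209.85.214.172 (Google's outbound host), not for the AWS node that injected the message. Only the fields the receiving host wrote (the parenthesised name and literal, the by host, the timestamp) deserve trust; the HELO name and everything in lines written by hosts you do not control can be forged, which is why the walk starts from the newest line and works backwards.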

There are lots of anti-spam headers in this email, but it's very evident that none of those filters do anything useful to prevent this kind of nefarious email from getting through. There are many funky headers injected by Microsoft's counter-spam tools, such as X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0xO0Q9MTtHRD0xO1NDTD0z, but all of that is encrypted now. In that X-Message-Delivery header the "0x" is the code marker and the values are base-62 (A-Z, a-z, 0-9). Furthermore, decoding Microsoft's node nomenclature can be a bear: PH7P221MB1029 doesn't have a clear region descriptor in it, like the EUR (DB3EUR04FT017) headers do.

X-MS-TrafficTypeDiagnostic: DB3EUR04FT017:EE_|PH7P221MB1029:EE_|DM4P221MB0907:EE_