The art of Threat Hunting can be especially fun when dealing with isolated individual pieces of a puzzle. This article brings out the importance of email header analysis and how it can help in a hunt trip. Email header analysis is one of the oldest techniques employed by incident handlers, and this article tries to revive this old technique to see how it can be looked at through the lens of Threat Hunting.

Email headers contain information which is used to track an individual email, detailing the path a message takes as it crosses mail servers. Since plenty of threat campaigns use email as a vector to distribute malware and to build out spam infrastructure, understanding the various email headers will help threat hunters to find missing links. This is especially helpful when investigating spam, malspam and phishing emails. Though tools such as email gateways have been developed which can catch these, at times it is still necessary for a hunt team or threat intel team to use email header analysis to track a threat actor, campaign, or infrastructure.

As per RFC 2822 from the IETF (since superseded by RFC 5322, which keeps the same header model), an email message consists of header fields followed by a message body. The header lines identify routing information about the message, including the sender, recipient, date and subject. Only two header fields are mandatory under the RFC: the origination date ("Date:") and the originator ("From:"); in practice "To:" is almost always present as well. Other header information includes the sending and receiving timestamps recorded by every mail transfer agent (MTA) that has handled the message: each MTA prepends its own "Received:" line, so the topmost line is the last hop and the chain has to be read bottom-up to follow the message chronologically. Only the "Received:" lines added by MTAs you trust can be taken at face value; everything below them, including the originator fields, was supplied by the sending system and can be forged.

Important fields that could be of interest are:

- "Date:": The origination date specifies the date and time at which the creator of the message indicated that the message was complete and ready to enter the mail delivery system. So, this is the time that a user pushes the "send" or "submit" button in an application program, as reported by that client; no MTA verifies it.
- Originator fields: The originator fields of a message consist of the fields below and indicate the source of the message.
  - "From:": This field specifies the author(s) of the message, i.e. the mailbox(es) of the person(s) or system(s) responsible for writing the message.
  - "Sender:": This field specifies the mailbox of the agent responsible for the actual transmission of the message. For example, if Person A is sending a mail on behalf of another Person B, the mailbox of Person A would appear in the "Sender:" field and the mailbox of the actual author, Person B, would appear in the "From:" field.
  - "Reply-To:": If present, it indicates the mailbox(es) to which the author of the message suggests that replies be sent. In the absence of this field, replies should by default be sent to the mailbox(es) specified in the "From:" field. A "Reply-To:" pointing to a different domain than "From:" is a classic phishing and business email compromise indicator, since it redirects the victim's answer to a mailbox the attacker controls.
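As an added example (not code from the original article), the Python script below applies the header reading described above to a constructed message: it parses the originator fields, walks the "Received:" chain oldest-first, and flags the mismatches a hunter would pivot on. The sample message, the host names and IP addresses (taken from the documentation ranges) and the list of trusted MTAs are all made up for this example.

```python
"""Read the headers of a raw RFC 5322 message the way a hunter would: pull the
originator fields, read the Received: chain in delivery order, and flag the
things worth a second look. The sample below is constructed for this example."""

import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: claims to come from a payroll address but asks for replies
# to go to a free-mail account. Received: lines are newest-first, as on the wire.
RAW_MESSAGE = b"""\
Received: from mx-edge.corp.example (mx-edge.corp.example [198.51.100.10])
\tby mailstore.corp.example with ESMTPS id AB12CD34;
\tMon, 4 Mar 2024 09:17:05 +0000
Received: from relay.bulkmail.example (relay.bulkmail.example [203.0.113.25])
\tby mx-edge.corp.example with ESMTP id 9F8E7D6C;
\tMon, 4 Mar 2024 09:17:03 +0000
Received: from [192.0.2.77] (unknown [192.0.2.77])
\tby relay.bulkmail.example with ESMTPA id 1A2B3C;
\tMon, 4 Mar 2024 09:16:58 +0000
Date: Mon, 4 Mar 2024 09:16:50 +0000
From: "Payroll Team" <payroll@corp.example>
Sender: campaigns@bulkmail.example
Reply-To: payroll.update@freemail.example
To: alice@corp.example
Subject: Action required: confirm your bank details
Message-ID: <20240304091650.1234@bulkmail.example>

Please reply with your updated account number.
"""

# Hypothetical: the MTAs whose Received: lines we wrote ourselves and therefore trust.
TRUSTED_MTAS = {"mx-edge.corp.example", "mailstore.corp.example"}

# Common "from HELO (verified) by MTA ...; date" shape of a Received: line.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"              # name the client announced in HELO/EHLO
    r"(?:\s+\((?P<verified>[^)]*)\))?"   # what the receiving MTA actually observed
    r".*?\bby\s+(?P<by>\S+)"             # the MTA that wrote this line
    r".*?;\s*(?P<date>.+)$",             # timestamp after the final semicolon
    re.DOTALL,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(msg):
    """Return the Received: hops oldest-first (wire order is newest-first)."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(str(value))
        if not m:
            continue  # unparseable hop: report it rather than guess
        ip = IP_RE.search(m.group("verified") or "")
        hops.append({"helo": m.group("helo"), "ip": ip.group(1) if ip else None,
                     "by": m.group("by"),
                     "time": parsedate_to_datetime(m.group("date").strip())})
    return hops


def originator(msg):
    """Bare addresses of the originator fields plus the client-supplied Date."""
    out = {name: parseaddr(str(msg[name]))[1].lower() if msg[name] else None
           for name in ("From", "Sender", "Reply-To")}
    out["Date"] = parsedate_to_datetime(str(msg["Date"])) if msg["Date"] else None
    return out


def domain(addr):
    return addr.rsplit("@", 1)[-1] if addr and "@" in addr else None


def analyse(raw=RAW_MESSAGE, trusted=TRUSTED_MTAS):
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    o, hops, notes = originator(msg), received_chain(msg), []
    for field in ("Reply-To", "Sender"):
        if o[field] and domain(o[field]) != domain(o["From"]):
            notes.append(f"{field} domain {domain(o[field])} differs from From domain {domain(o['From'])}")
    # The first hop recorded by an MTA we trust is where the message really entered.
    entry = next((h for h in hops if h["by"] in trusted), None)
    if entry:
        notes.append(f"message entered our infrastructure from {entry['ip']} ({entry['helo']})")
    # Timestamps must not run backwards along the chain; a reversal means a forged or misclocked hop.
    for earlier, later in zip(hops, hops[1:]):
        if later["time"] < earlier["time"]:
            notes.append(f"clock skew: {later['by']} stamped before {earlier['by']}")
    if o["Date"] and hops and (hops[0]["time"] - o["Date"]).total_seconds() > 600:
        notes.append("Date: header is more than 10 minutes older than the first hop")
    return o, hops, notes


if __name__ == "__main__":
    o, hops, notes = analyse()
    print("originator:", o)
    for h in hops:
        print(f"{h['time'].isoformat()}  {h['ip'] or '?':>15}  {h['helo']} -> {h['by']}")
    print("findings:", *notes, sep="\n  ")
```

Hops below the first trusted MTA (here the line written by `relay.bulkmail.example`) are reported but not relied on, because the sending system could have written anything there. The regex covers the common `from X (Y [ip]) by Z ...; date` layout; real Received: lines vary by MTA, so treat a non-matching hop as a finding in itself rather than silently dropping it.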