DEV Community

Mihika

Understanding Email Analysis: A Simple Guide

Well, I assume everyone knows what email analysis or email forensics is. As the name suggests, it's exactly that—analyzing emails. But why should we learn this? Because it's important and, honestly, quite easy.

Understanding email analysis is crucial to avoid mistakenly downloading malware that could completely destroy your system, install a keylogger, or give an attacker access to your computer. They could use your system in many ways, for example by enrolling it in a botnet controlled from a C2 (command-and-control) server. Even if you don't regularly check or read emails, consider working in an organization where everyone shares resources. What if one of the employees is an attacker—a friend during office hours but a black hat hacker at night? It's a real possibility, and that's why email analysis matters.


Starting Out: Essential Gmail Security Features

There are some important security features you should know about in Gmail. First, let's clarify what an email client is: it's the software or application you use to send and receive emails; examples include Microsoft Outlook, Gmail, and Apple Mail. Throughout this article, we'll focus on Gmail, but the exact steps may vary slightly for other email clients.

Checking Recent Activity:

  1. Open Gmail in your web browser > go to the Social tab at the top > at the bottom of the page there is a "Details" link > click it. It lists the most recent accesses to your account (over roughly the last 24 hours) with the IP address, access type/device, and location (country) of each one.

Gmail > Social > Details, at bottom, right side

  2. Go to Gmail Settings > See all settings > Forwarding tab > check whether any forwarding rule is set. Such rules automatically send copies of your emails to the address specified in the rule, which is a common way for an intruder to keep reading your mail even after you change your password.

  3. Go to Gmail Settings > See all settings > Filters and Blocked Addresses tab > check whether any filters (rules) are set. Filters can block specific email addresses or apply custom rules for managing your inbox, so an unexpected filter that deletes, archives, or forwards messages deserves a close look.

Understanding Email Logs

Email logs record every action taken on your email account, such as sending, receiving, deleting, moving, or blocking emails. It's important to note that detailed email logs are typically only available for organizational email services like Google Workspace, where admin access is required. Gmail does not currently offer this functionality to individual users, but you can still review the account's security activity:

Log in to your Gmail account > click your profile picture > select "Manage your Google Account" > open the "Security" tab > scroll down to "Your devices" and "Recent security events".


Before analyzing email headers, let's examine the incident response steps taken when encountering a suspicious email:

I. Preparation: Roles are determined, with the IT team, incident response team, and SOC team collaborating.
II. Detection: The SIEM is configured with phishing alerts, threat intelligence feeds, and detection rules. The SOC team conducts initial triage, assigns priority levels and owners, and escalates or forwards incidents to the IR team as needed.
III. Investigation and Analysis: Email headers are examined using the email gateway and log data. The email body, links, and attachments are investigated in a sandbox environment. The attack type, access method, distribution method, timeline, and indicators of compromise (IOCs) are identified. Findings are documented and reported to the IR team.
IV. Containment and Eradication: The email is deleted, the endpoint is isolated, IOCs are blocked, and password resets are performed.
V. Recovery: System restoration and network monitoring are implemented.
VI. Lessons Learned: Incident debriefings, reporting, and training are conducted.


Understanding Email Fields:

Go to Gmail > open any email > click the three dots at the top right and select "Show original". This opens a page with the full email header and content information.

Let's go through each field:

  1. Return-Path: email@gmail.com - the address to which undeliverable messages (bounces) are returned.
  2. Delivered-To: email@gmail.com - the mailbox the message was delivered to.
  3. Authentication-Results: mail.enemywatch.net; dkim=none; dmarc=none; spf=fail (mail.enemywatch.net: domain of karen.marshall@olympus.co.uk does not designate 37.0.10.22 as permitted sender) smtp.mailfrom=karen.marshall@olympus.co.uk
    • What it is: details of how the email passed or failed the authentication checks performed by the receiving server (here mail.enemywatch.net).
    • In this example: the email failed the SPF check (the "fail" value assigned to the spf field), meaning the server that sent the email (37.0.10.22) was not authorized by the sending domain's SPF record. DKIM and DMARC returned "none": there was no DKIM signature to verify, and no DMARC policy was found for the domain.

  4. Received: from olympus.co.uk (unknown [37.0.10.22]) by mail.enemywatch.net (Postfix) with ESMTP id 4HZl1q6rCqz9sVx for macrus.cobb@enemywatch.net; Thu, 21 Oct 2021 11:02:34 +0000 (UTC)

    • What it is: shows the path the email took from the sender to the recipient; every server that handles the message adds its own Received line.
    • Simple explanation: a server that introduced itself as olympus.co.uk and connected from IP address 37.0.10.22 handed the message to the mail server at enemywatch.net (running Postfix) on 21 Oct 2021 at 11:02:34 UTC. The word "unknown" means the receiving server could not find a reverse DNS name for that IP, which is worth noting alongside the SPF failure.
  5. From: KAREN MARSHALL - the sender's display name. It is written by the sender and is trivial to forge, so it should never be trusted on its own.

  6. To: macrus.cobb@enemywatch.net - the recipient's email address.

  7. Date: 21 Oct 2021 04:02:30 -0700 - the date and time the message was sent, in the sender's time zone; -0700 is seven hours behind UTC (Pacific Daylight Time). It agrees with the Received timestamp of 11:02:34 UTC to within a few seconds, as it should.

  8. Message-ID: 20211021040230.7ED68DD78D4A19F2@olympus.co.uk - a unique identifier for this specific message, created by the sending email client or server.

  9. MIME-Version: 1.0 - this email uses MIME version 1.0, the standard for formatting emails with attachments and non-ASCII content.

  10. Content-Type: multipart/mixed; boundary="----=_NextPart_000_0012_D6D683E4.D392FCEB" - the email contains multiple parts (text and an attachment), separated by the boundary string "----=_NextPart_000_0012_D6D683E4.D392FCEB".

  11. Content-Type: text/html; charset="iso-8859-1" - the main body of the email is HTML text encoded in ISO-8859-1.

  12. Content-Transfer-Encoding: quoted-printable - the body is encoded as quoted-printable, which turns non-ASCII bytes and long lines into plain 7-bit ASCII so the content survives transmission through mail servers.

  13. X-Mailer - the email client that was used to create the message, e.g. Microsoft Outlook 14.0. Like the From name, it is supplied by the sender, so treat it as a hint rather than proof.


In a nutshell:

| Header field | Description |
| --- | --- |
| Return-Path | Where undeliverable messages are sent back. |
| Delivered-To | The email address the message was delivered to. |
| Authentication-Results | Email authentication results (in this example: SPF failed, DKIM and DMARC returned none). |
| Received | The servers involved in delivering the email. |
| From | The sender's name. |
| To | The recipient's email address. |
| Subject | The topic of the email. |
| Date | When the email was sent. |
| Message-ID | A unique identifier for the email. |
| MIME-Version | Version of the MIME standard used. |
| Content-Type | The format of the email's content (text and attachments). |
| Content | The actual message and attachments in the email. |


Email Header Important Fields:

1. SPF (Sender Policy Framework): A mechanism to verify whether an email comes from a server that is authorized to send for its domain. The domain's SPF record tells receiving mail servers which IP addresses are allowed to send email for that domain. If the IP address of the server sending the email is not on the list, the email is flagged as suspicious. If you get an email claiming to be from your bank, SPF helps check whether it really came from the bank's mail server or from a fake one. Use an SPF checker tool like MXToolbox SPF Checker. If the IP address of the sender's mail server is not listed in the SPF record, SPF fails, which might indicate the email is fake.

You can also check the SPF record of a domain from your terminal: dig @8.8.8.8 twitter.com txt +short (look for the TXT record that starts with v=spf1; a domain may publish other TXT records as well).

SPF records are DNS (Domain Name System) TXT records published by the domain owner (often through their hosting provider) in the domain's DNS zone. They specify which mail servers are allowed to send email on behalf of that domain. SPF is most relevant where the domain owner controls the DNS records, such as business email addresses on a custom domain. When an organization or individual registers a domain name (e.g., twitter.com), they gain the ability to create email addresses using that domain.
For example, if Twitter registers the domain twitter.com, they can create addresses like support@twitter.com or info@twitter.com for their own use; to do so, the domain owner also needs an email hosting service.

This is what a failed SPF check looks like: Authentication-Results: mail.example.com; spf=fail (mail.example.com: domain of sender@example.com does not designate 203.0.113.1 as permitted sender) smtp.mailfrom=sender@example.com

If SPF fails, it doesn’t always mean the email is fake, but it raises a red flag. You should consider other checks (like DKIM and DMARC).
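As an added example (not from the original post), here is how a receiving server evaluates an SPF record of the kind dig returns against the IP that connected to it, and how the outcome ends up in the Authentication-Results header. The record and addresses are constructed; mechanisms that need DNS lookups (include:, a:, mx:, redirect=) are only flagged, not resolved, which is a simplification of the real algorithm.

```python
import ipaddress

# Constructed record in the shape `dig <domain> txt +short` returns; the
# addresses are documentation ranges, not any real domain's policy.
SPF_RECORD = "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ip4:203.0.113.5 -all"

# qualifier prefix -> result when the mechanism matches ('+' is the default)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Evaluate the ip4/ip6/all mechanisms of a v=spf1 record for sender_ip.

    Returns pass/fail/softfail/neutral, "none" if the TXT record is not an SPF
    record, or "permerror" for a malformed address. Mechanisms that need DNS
    (include:, a:, mx:, exists:, redirect=) are reported as "unsupported" in
    this offline version; a real verifier resolves them recursively.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        elif name in ("include", "a", "mx", "exists") or name.startswith("redirect="):
            return "unsupported"
    return "neutral"  # RFC 7208 section 4.7: nothing matched and no 'all' term


def authentication_results_line(authserv, mailfrom, sender_ip, result):
    """Render the outcome the way it appears in the Authentication-Results header."""
    verb = "designates" if result == "pass" else "does not designate"
    reason = f"domain of {mailfrom} {verb} {sender_ip} as permitted sender"
    return (f"Authentication-Results: {authserv}; spf={result} "
            f"({authserv}: {reason}) smtp.mailfrom={mailfrom}")


if __name__ == "__main__":
    for ip in ("198.51.100.77", "203.0.113.1"):
        print(authentication_results_line("mail.example.com", "sender@example.com",
                                          ip, evaluate_spf(SPF_RECORD, ip)))
```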


2. DKIM (DomainKeys Identified Mail) : DKIM is an email authentication method designed to verify that an email message has been sent and authorized by the domain it claims to be from and that the content of the email has not been tampered with during transit.
A DKIM signature is created by the sender’s mail server using a private key and is included in the email’s headers.

  • Hashing in DKIM: DKIM uses hashing to create a digest of the email headers and, optionally, the email body. This digest is a fixed-size fingerprint of the email content.
  • Signing: The hash value (digest) is then signed with the sender's private key (often described as "encrypting" the hash) to create the DKIM signature.
  • Verification: Upon receiving the email, the recipient's server retrieves the public key from the sender's DNS records and uses it to decrypt the DKIM signature, revealing the original hash value. The server then hashes the email headers and body again and compares this newly computed hash with the decrypted one. If they match, the email has not been altered and was signed by the domain that holds the private key.

How They Work Together
Hashing: Used to create a fixed-size representation of the email's headers and body. This process is part of the signature creation in DKIM.

DKIM Signature: Involves hashing the email content, then encrypting this hash with the private key to produce the DKIM signature. The recipient uses the public key to decrypt and verify this signature against a newly computed hash of the email content.

Public Key
Publication in DNS: The public key is published in the DNS (Domain Name System) records of the sender's domain. It is stored as a TXT record under a specific subdomain, which is determined by the DKIM selector. For example, if the selector is selector1 and the domain is example.com, the public key would be found in a DNS record at selector1._domainkey.example.com.
To verify a DKIM signature with the MxToolbox DKIM lookup, copy the sender's domain (the d= tag) and the selector (the s= tag) from the DKIM-Signature header in the email; the selector may look something like s=20230601.

Verification of Signatures:
When an email is received, the recipient's email server retrieves the public key from the DNS record associated with the sender’s domain. The server uses this public key to verify the DKIM signature in the email header. This process involves checking if the signature, which was created using the sender's private key, matches the content of the email and the public key.

Private Key
Creation of Signatures: The private key is kept securely by the sender’s mail server. It is used to generate DKIM signatures for outgoing emails. When an email is sent, the sender’s mail server creates a DKIM signature by hashing the email's headers and body, then encrypting this hash with the private key. This signature is included in the email header.

Security and Confidentiality:
The private key must be kept confidential and secure, as its exposure could allow malicious actors to forge signatures or impersonate the domain. The strength and security of the DKIM system rely on the private key being protected and only used by the legitimate mail server of the sender’s domain.

Other tags in the DKIM-Signature header:
v= version of the DKIM specification (always 1).
a= the algorithm used to create the signature, e.g. rsa-sha256.
c= the canonicalization algorithms used for the header and the body. c=relaxed/relaxed makes the signature tolerant of the minor whitespace and case changes that mail servers or client software often introduce, so the signature remains valid despite slight, non-malicious changes to the email in transit.

bh= the hash of the message body after it was canonicalized, in Base64 form. "Canonicalize" means to convert something into a standard or normal form.
h= the list of header fields that were included in the signature.
b= the signature data itself, in Base64 form.
t= the time the signature was created, in Unix epoch seconds.
s= selector: used to locate the public key in DNS (at <selector>._domainkey.<domain>).
d= the signing domain, whose DNS zone holds the public key.
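As an added example (not from the original post), the following code implements the hashing and canonicalization steps behind the c=, bh=, h= and b= tags: relaxed canonicalization as specified in RFC 6376, the bh= value, and the exact bytes that the private key signs to produce b=. The headers and bodies are constructed; the RSA signing and verification step itself is omitted because the Python standard library has no RSA.

```python
import base64
import hashlib
import re


def canonicalize_body_relaxed(body):
    """Relaxed body canonicalization (RFC 6376 section 3.4.4): collapse runs of
    spaces/tabs into one space, drop trailing whitespace on each line, drop empty
    lines at the end of the body, and end every remaining line with CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""


def canonicalize_header_relaxed(name, value):
    """Relaxed header canonicalization (section 3.4.2): lowercase the field name,
    unfold continuation lines, collapse whitespace, strip it around the colon."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")
    return f"{name.lower()}:{value}\r\n"


def body_hash(body):
    """The bh= tag: Base64 of SHA-256 over the canonicalized body (a=rsa-sha256)."""
    digest = hashlib.sha256(canonicalize_body_relaxed(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def signed_data(headers, tags):
    """The bytes the private key signs to produce b=: the h= header fields in
    relaxed form, then the DKIM-Signature field itself with b= emptied and no
    trailing CRLF (section 3.7). `headers` maps field names to raw values."""
    lookup = {k.lower(): v for k, v in headers.items()}
    out = "".join(canonicalize_header_relaxed(n, lookup[n.strip().lower()])
                  for n in tags["h"].split(":"))
    sig = "; ".join(f"{k}={v}" for k, v in tags.items() if k != "b") + "; b="
    return (out + canonicalize_header_relaxed("DKIM-Signature", sig)).rstrip("\r\n")


# Constructed message: the body as sent, a copy with the whitespace changes a
# relay might introduce, and a copy whose text was altered in transit.
HEADERS = {"From": "KAREN MARSHALL <karen.marshall@olympus.co.uk>",
           "To": "macrus.cobb@enemywatch.net", "Subject": "Invoice"}
ORIGINAL_BODY = "Hello  Marcus,\r\nPlease  see the attached invoice.\r\n\r\n\r\n"
RELAYED_BODY = "Hello Marcus,\nPlease see the attached invoice.   \n"
TAMPERED_BODY = "Hello Marcus,\nPlease see the attached new invoice.\n"


def demo():
    """Signer's view: bh= survives whitespace changes but not edits to the text."""
    tags = {"v": "1", "a": "rsa-sha256", "c": "relaxed/relaxed", "d": "olympus.co.uk",
            "s": "20230601", "h": "from:to:subject", "bh": body_hash(ORIGINAL_BODY)}
    return {"bh": tags["bh"],
            "relayed_matches": body_hash(RELAYED_BODY) == tags["bh"],
            "tampered_matches": body_hash(TAMPERED_BODY) == tags["bh"],
            "to_sign": signed_data(HEADERS, tags)}
```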


3. MIME (Multipurpose Internet Mail Extensions): A standard for formatting emails so they can include text, images, attachments, etc. It tells email programs how to combine and present different types of content (text, images, attachments) in one message. MIME is what allows you to send an email that contains both a message and an attached photo. The current version is 1.0, and it is the only version ever defined.


4. ISO-8859-1: A character encoding standard for Western European languages. ISO-8859-1 is like a dictionary for how letters and symbols are stored in emails and web pages, and it makes sure the characters in your email are displayed correctly, especially for English and several other European languages. It is a superset of ASCII: the first 128 characters are identical, and ISO-8859-1 adds another 128 for accented letters and symbols.


5. SMTP (Simple Mail Transfer Protocol): A protocol for sending emails between servers. SMTP is like the mail carrier for the internet. It’s the set of rules that email servers use to send emails from one server to another until they reach the recipient. SMTP is what your email app uses to send your message to the email server, which then forwards it to the recipient’s email server.


6. ESMTP (Extended Simple Mail Transfer Protocol): ESMTP is an extended version of SMTP. It adds negotiated extensions for things like larger messages, 8-bit content, encryption (STARTTLS) and authentication, so it can handle email tasks that the original SMTP alone couldn't. The "with ESMTP" in the Received header above means the two servers spoke these extensions.

7. ESMTP id: A unique identifier that the receiving server assigns to each email transaction, like a tracking number for the message's journey from sender to receiver. In the Received header above it is 4HZl1q6rCqz9sVx. It lets that server's administrators find the delivery in their mail logs, so if there's a problem delivering an email, the id helps them figure out what went wrong.


8. CC (Carbon Copy): When you send an email and want others to receive a copy for their information, you use the CC field. Everyone who receives the email can see who else received it.

BCC (Blind Carbon Copy): Similar to CC, but recipients added in the BCC field receive a copy of the email without the other recipients knowing. It's a way to send the email discreetly to multiple people.


9. MUA (Mail User Agent): the client application running on a user's computer or phone that reads and sends email. Examples: Apple Mail, Microsoft Outlook, Mozilla Thunderbird, Gmail.

10. MTA (Mail Transfer Agent): accepts mail from the source and routes it toward the destination. Examples: Sendmail, Microsoft Exchange, Postfix.

11. MDA (Mail Delivery Agent): receives incoming email from an MTA and delivers it to the recipient's mailbox or mail storage location. MDAs typically run on the recipient's mail server or within the email provider's infrastructure and handle the final step of delivery. Examples: Dovecot, Courier Mail Server, and Cyrus IMAP.


*You will also notice many Received fields; their number depends on how many MTAs the email has crossed. The Received field at the top of the header is the most recent one, closest to the destination (receiver); the Received field at the bottom is closest to the source (sender). Only the lines added by servers you trust are reliable, since whoever sends a message can put arbitrary Received lines into it before it leaves their server.*

*If the From field and the Reply-To field differ, it may be suspicious, but other factors should also be considered.*

*The domain's SPF, DKIM, DMARC, and MX records can be obtained using tools such as MxToolbox. Comparing this information with the headers will tell you whether the email is spoofed. You can also check whether the SMTP address belongs to that institution by looking at the WHOIS records of the SMTP IP address.*
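As an added example (not from the original post), here is the field walkthrough above and these three notes turned into a small triage script: it parses the sample headers with Python's email module, reads the SPF/DKIM/DMARC results, walks the Received chain from sender to recipient, and compares the From and Reply-To domains. The headers are a constructed copy of the example email above, with a Reply-To line added for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample reproducing the headers walked through above; the Reply-To
# line is not in the original and is added so the From/Reply-To check has input.
RAW_EMAIL = (
    "Return-Path: <karen.marshall@olympus.co.uk>\n"
    "Authentication-Results: mail.enemywatch.net; dkim=none; dmarc=none;\n"
    " spf=fail (mail.enemywatch.net: domain of karen.marshall@olympus.co.uk\n"
    " does not designate 37.0.10.22 as permitted sender)\n"
    " smtp.mailfrom=karen.marshall@olympus.co.uk\n"
    "Received: from olympus.co.uk (unknown [37.0.10.22]) by mail.enemywatch.net\n"
    " (Postfix) with ESMTP id 4HZl1q6rCqz9sVx for <macrus.cobb@enemywatch.net>;\n"
    " Thu, 21 Oct 2021 11:02:34 +0000 (UTC)\n"
    "From: KAREN MARSHALL <karen.marshall@olympus.co.uk>\n"
    "Reply-To: accounts-update@example.net\n"
    "To: macrus.cobb@enemywatch.net\n"
    "Date: Thu, 21 Oct 2021 04:02:30 -0700\n"
    "\n"
    "placeholder body\n"
)

# "from <helo> (<reverse-dns> [<ip>]) ... by <server>", as Postfix writes it
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<rdns>[^)]*)\))?.*?by\s+(?P<by>\S+)", re.DOTALL)
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def auth_results(msg):
    """Map each authentication method to its result, e.g. {'spf': 'fail'}."""
    header = msg.get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))


def received_chain(msg):
    """Hops in travel order: the header lists the newest hop (closest to the
    recipient) first, so the list is reversed to run sender -> recipient."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        match = RECEIVED_RE.search(value)
        if match:
            ip = IP_RE.search(match.group("rdns") or "")
            hops.append({"helo": match.group("helo"),
                         "ip": ip.group(1) if ip else None,
                         "by": match.group("by")})
    return hops


def triage(raw):
    """Combine the checks discussed above into one dict of findings."""
    msg = message_from_string(raw)
    auth = auth_results(msg)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    from_domain = from_addr.rpartition("@")[2]
    reply_domain = reply_to.rpartition("@")[2] if reply_to else from_domain
    flags = []
    if auth.get("spf") == "fail":
        flags.append("spf_fail")
    if auth.get("dkim", "none") == "none":
        flags.append("dkim_missing")
    if reply_domain != from_domain:
        flags.append("reply_to_domain_mismatch")
    return {"auth": auth, "from": from_addr, "reply_to": reply_to,
            "hops": received_chain(msg), "flags": flags}
```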


POP3 (Post Office Protocol version 3):
Operation: When an email client connects to a POP3 server, it typically downloads all emails from the server to the client's local storage. By default, emails are usually deleted from the server once downloaded, although most POP3 clients have an option to leave a copy on the server.
Port: POP3 operates over port 110 (without encryption) or 995 (with SSL/TLS encryption).

IMAP (Internet Message Access Protocol):
Operation: When an email client connects to an IMAP server, it syncs with the server, allowing users to view, organize, and manage their emails without needing to download them. Changes made (like marking emails as read, moving them between folders) are reflected on the server.
Port: IMAP operates over port 143 (without encryption) or 993 (with SSL/TLS encryption).

Storage: POP3 downloads emails to the client's device, while IMAP keeps them stored on the server.
Offline Access: POP3 requires a constant connection to the server to manage emails, whereas IMAP allows offline access to previously synced emails.
Syncing: IMAP syncs actions across all devices accessing the same account, whereas POP3 actions are typically local to the device.
Usage: POP3 is suitable for users who want to store emails locally and manage them from one device. IMAP is ideal for users who access their emails from multiple devices and need consistent email management across all of them.


SMTP (Simple Mail Transfer Protocol): Used for sending and receiving emails.

POP3 (Post Office Protocol 3): Used for retrieving and downloading emails from a server.


Labs you can try:

Lab 1 Phishing Analysis: https://blueteamlabs.online/home/challenge/phishing-analysis-f92ef500ce
Lab 2 Phishing Analysis 2: https://blueteamlabs.online/home/challenge/phishing-analysis-2-a1091574b8
Lab 3 The Planet's Prestige: https://blueteamlabs.online/home/challenge/the-planets-prestige-e5beb8e545

Tools for Email Forensics:

  1. PhishTool Community - analyzes suspicious emails for phishing attempts.
  2. MxToolbox - troubleshoots email, domain, and network issues (SPF, DKIM, DMARC, MX and header lookups).
  3. Cisco Talos Intelligence - provides information about cyber threats and vulnerabilities.
  4. Browserling - tests websites across different browsers and devices (online tool).
  5. Virtual Machine (VM) - a virtual computer system for safely testing software.
  6. Hex Editor - views and edits files in hexadecimal form (for data analysis).
  7. Sandbox Environment (AnyRun) - safely executes suspicious code or opens risky files.
  8. Mozilla Thunderbird - free and open-source email client.
  9. Gary Kessler File Signature Resource - identifies file types based on their signatures.
  10. ExifTool - reads, writes, and edits metadata in various file formats.
  11. CyberChef - decodes, encodes, and manipulates various data formats (online tool).
  12. TheHarvester - gathers email addresses, phone numbers, and social media profiles (Kali Linux tool).
  13. dig - gets information about domain names and their associated records (command-line tool).
  14. Metasploit articles - resources for email forensics (website).
  15. Email Headers - website that lists all the email header fields and their references.
  16. SquareX - file viewer and other useful browser extensions.


Investigating email links:

  1. Hover your cursor over the link without clicking it. Check whether the URL matches the context of the email and whether it looks suspicious or has slight misspellings of a known domain.

  2. Ensure the URL uses HTTPS, has a valid domain name, and is not a shortened or obfuscated link. Check for long strings of characters, unexpected domain names, or extra subdomains.

  3. Use a URL scanner and domain lookup such as VirusTotal, PhishTank, or Browserling.

  4. Check for URL redirections that lead to unexpected sites.

  5. Use a URL expander tool to reveal where a shortened link actually goes.

  6. Sometimes links are hidden behind text (e.g., "Click here"). Ensure that the link text and the actual URL match.

  7. If you must open a link, do it in a virtual machine, and take a snapshot of the machine before testing so you can roll back afterwards.


What if you clicked on those links and nothing much happened? How can you ensure it's not harming your device?

  1. Disconnect your device from the internet.
  2. Run antivirus and anti-malware scans.
  3. Look for unusual slowdowns, unexpected pop-ups, and sudden spikes in memory or CPU use in Task Manager.
  4. Monitor your system and network activity (memory, process analysis, packet capture).
  5. Check whether any new program was installed: Control Panel > Programs, or press the Windows key and search "all apps".
  6. Use a file integrity monitoring tool to see whether any system directories or critical system files were changed.
  7. Look for unauthorized changes in the system registry and autostart locations, using a tool like Autoruns.
  8. Check your browser extensions for any new or unfamiliar ones.
  9. Update your operating system, browser, and all software.
  10. Restore from a backup.
  11. Change your online account passwords, from a device you trust.

How to Investigate Email Attachments?

  1. First, verify with the sender, ideally through a separate channel such as a phone call, that they really sent the attachment.
  2. Use file type verification tools such as TrID, which identify the real format from the file's contents rather than its extension.
  3. Monitor system and network activity while analyzing the file.
  4. Open the attachment only in a virtual environment.
  5. Review the file's properties and metadata, and submit it to a file analysis tool like VirusTotal.
  6. Scan the attachment with antivirus.
