Laboratory Practice – IV BE Computer Engineering

Answers Coding Viva (5) Timely Completion Total Dated Sign

(5) Efficiency (5) (5) (20) of Subject
Teacher

Expected Date of Completion:--------------------------

Actual Date of Completion:-----------------------------

Experiment No: Group A-1

Problem Definition:

Write a program for Tracking Emails and Investigating Email Crimes. i.e. Write a program to
analyze e–mail header

1.1 Prerequisite:
Application Layer Protocols
1.2 Learning Objective:
1. To understand how Mails are transferred from Sender to Receiver.
2. To Understand Email related Parameter.
1.3 Theory:

1.3.1 Introduction

Analysis of email is especially important not just because email may be used to
communicate about things that we might be interested in for an investigation, but because
it is a comparatively permanent and public record of those communications. In the case of a
phone call, there is only the record that a call took place; in a spoken conversation, there
may be no record at all. Conventional mail can be virtually untraceable, and paper
documents are easily destroyed. Email, however, is unique; when a message is sent, the
entire message is stored for both the sender and the receiver, and records of the mail being
sent are stored on dozens of servers that the message passes through before arriving at its
destination. There are a number of ways to analyze email, including: data mining
techniques, which may be applied to large or small data sets; straightforward searching of a
user's email for certain content; and in-depth analysis of an individual email's lineage.

E-mail system comprises of various hardware and software components that include
sender’s client and server computers and receiver’s client and server computers with
required software and services installed on each. Besides these, it uses various systems and

1
Laboratory Practice – IV BE Computer Engineering

services of the Internet. The sending and receiving servers are always connected to the
Internet but the sender’s and receiver’s client connects to the Internet as and when
required.
An e-mail communication between a sender ‘Alice’ having e-mail address ‘[email protected]’ and
recipient ‘Bob’ having e-mail address ‘[email protected]’ is shown in figure 1.‘Alice’ composes an
e-mail message on her computer called client for ‘Bob’ and sends it to her sending server
‘smtp.a.org’ using SMTP protocol. Sending server performs a lookup for the mail exchange
record of receiving server ‘b.org’ through Domain Name System (DNS) protocol on DNS
server ‘dns.b.org’. The DNS server responds with the highest priority mail exchange server
‘mx.b.org’ for the domain ‘b.org’. Sending server establishes SMTP connection with the
receiving server and delivers the e-mail message to the mailbox of ‘Bob’ on the receiving
server. ‘Bob’ downloads the message from his mailbox on receiving server to local mailbox
on his client computer using POP3 or IMAP protocols. Optionally, ‘Bob’ can also read the
message stored in his server mailbox without downloading it to the local mailbox by using
a Webmail program.

Figure 1: E-mail communication between a sender ‘Alice’ and recipient ‘Bob’

1.3.2 E-MAIL ACTORS, ROLES AND RESPONSIBILITIES

E-mail is a highly distributed service involving several actors that play different roles to accomplish
end-to-end mail exchange. These actors fall under “User Actors”, “Message Handling Service (MHS)
Actors” and “Administrative Management Domain (ADMD) Actors” groups.

2
Laboratory Practice – IV BE Computer Engineering

User Actors are people, organizations or processes that serve as sources or sinks of messages. They
can generate, modify or look at the whole message. User Actors can be of following four types
(Table 1):

All types of Mediator user actors set HELO/EHLO, ENVID, RcptTo and Received fields. Alias actors
also typically change To/CC/BCC and MailFrom fields. Identities relevant to ReSender are: From,
Reply-To, Sender, To/CC/BCC, Resent-From, Resent-Sender, Resent-To/CC/BCC and MailFrom
fields. Identities relevant to Mailing List processor are: List-Id, List-*, From, Reply-To, Sender,
To/CC and MailFrom fields. Identities relevant to Gateways are: From, Reply-To, Sender,
To/CC/BCC and MailFrom fileds.

Message Handling Service (MHS) Actors are responsible for end-to-end transfer of messages.
These Actors can generate, modify or look at only transfer data in the message. MHS Actors can be
of following four types (Table 2):

3
Laboratory Practice – IV BE Computer Engineering

For networks, a port means an endpoint to a logical connection. The port number identifies what
type (application/service offered) of port it is. The commonly used default port numbers used in e-
mail are shown in Table 3. A complete list of default port numbering assignment is given in

4
Laboratory Practice – IV BE Computer Engineering

1.3.3 Analyzing an Individual Email

Although webmail will feature prominently in this section, the analysis of a particular email's
lineage is much broader and can be applied to any email. A simple view of the path of an email from
a sender to a client is presented in Figure 2. The email originates from the sender, whether from a
local email client or a webmail application. When the email is sent, it is first sent to a Simple Mail
Transfer Protocol (SMTP) server. That server forwards it to other SMTP servers until it finally
reaches the destination server. On reaching its destination, the email is sent to a Post Office
Protocol (POP) server, or any number of similar mail-delivery servers (IMAP is another, and
webmail services may use their own servers for this purpose). The receiving client then connects to
that server, retrieves the message, and allows the recipient to read it.

Sender POP3, IMAP

Local SMTP Receiver
Server Local Client

Destination
Internet Multiple SMTP Server
SMTP Server

Figure 2: Path of an email from a sender to a client

5
Laboratory Practice – IV BE Computer Engineering

When the email is sent and when it is received, those respective servers add their own
information to the email's header, and most likely log the action. Access to those logs may be
required for much analysis, but specifics are outside of the scope of this paper. Considerable
information can be gleaned from the header alone.

Suppose Moses, with the address [email protected], sends an email from his office on the New
Mexico Tech campus to his similarly named friend, with the email address
[email protected]. The subject of this email is "Snakes," and the content "Fish."

Below is the entire theoretical email, including all headers.

From: Fig 1. Normal Network Traffic

[email protected]
Subject: Snakes
Date: September 25, 2021 9:35:29 PM
MDT To: [email protected]
X-Gmail-Received:
ca493ed685a8e9ae77165ab2ce345127e5b310b4 Delivered-
To: [email protected]
Received: by 10.90.33.15 with SMTP id g15cs279684agg; Mon, 25 Sep
2021 20:35:32 0700 (PDT)
Received: by 10.35.113.12 with SMTP id q12mr526602pym; Mon, 25 Sep 2021
20:35:32 -0700 (PDT)
Received: from mailhost.nmt.edu (mailhost.NMT.EDU
[129.138.4.52]) by mx.gmail.com with ESMTP id 36si2059018nza.
2021.09.25.20.35.32; Mon, 25 Sep 2021 20:35:32 -0700 (PDT)
Received: from localhostNetwork traffic with spoofed
(localhost.localdomain IP by
[127.0.0.1]) address
localhost.localdomain (Postfix) with ESMTP id 09FF4436164 for
<[email protected]>; Mon, 25 Sep 2021 21:35:32 -0600
(MDT) Received: from mailhost.nmt.edu ([127.0.0.1]) by localhost
(mailhost.nmt.edu [127.0.0.1]) (amavisd-new, port 10024) with
ESMTP id 11225-05 for <[email protected]>; Mon, 25 Sep 2021
21:35:30 -0600 (MDT)
Received: from [192.168.1.2] (cs-fitch017.nmt.edu [129.138.21.110])
by mailhost.nmt.edu (Postfix) with ESMTP id 6FD4B436030 for
<[email protected]>; Mon, 25 Sep 2021 21:35:30 -0600
(MDT) Return-Path: <[email protected]>
Received-Spf: pass (gmail.com: best guess record for
domain of [email protected] designates 129.138.4.52 as
permitted sender) Mime-Version: 1.0 (Apple Message
framework v752.2)
Content-Transfer-Encoding: 7bit
Message-Id: <[email protected]>

6
Laboratory Practice – IV BE Computer Engineering

Content-Type: text/plain; charset=US-ASCII;

format=flowed X-Mailer: Apple Mail (2.752.2)
X-Virus-Scanned: by amavisd-new-2.3.1 (20050509) (RHEL AS) at
nmt.edu Fish

E-MAIL IDENTITIES:

7
Laboratory Practice – IV BE Computer Engineering

1.4 Execution Steps

• Open the Email which you want to analyze header

• Click on the right side three vertical dot(more) and select show original.
• New tab will be open then copy header information which you want to analyze.
• Open https://www.whatismyip.com/email-header-analyzer website.
• Copy the header information and click on analyze button.
• Then You will see the header analysis on screen.

1.5 Assignment Question:

1. Why to Analyze Email Header?

2. What Fields are analyzed during Email Analysis Header?
3. Which Readymade Tools are Available for Analyzing E-Mail Header?
4. Explain Email Architecture in Detail?
5. What is POP3, IMAP, SMTP, and MIME?

1.6 Conclusion:

E-mail is a widely used and highly distributed application involving several actors that
play Different roles. These actors include hardware and software components, services
and protocols which provide interoperability between its users and among the
components along the path of transfer. Cybercriminals forge e-mail headers or send it
anonymously for illegitimate purposes which lead to several crimes and thus make e-
mail forensic investigation crucial.