When you forward an email, key details of where it originated and how it was delivered are left behind. These details are exactly what an investigator needs to do their work. So forwarding doesn’t help.
Thus it is very important when you report a suspicious or threatening email that you use the right method, that captures all the forensic information. This method is not always obvious in modern email clients.
I will show you the method for common email clients in this post, and provide some links to other resources. Read on.
Email On The Inside
When you receive an email you usually see just a short header above it which shows the sender, receiver, date and subject of the email. But those are just a small subset of many pieces of information that might be included in the email behind the scenes. Here’s a peek behind the curtain, from a David Mabus message I received in June 2009:
From: David Mabud <firstname.lastname@example.org>
Subject: Fwd: [AvC] TAM 7 & the Termination of the James Randi Paranormal Challenge
Date: July 12, 2009 2:10:54 PM EDT
Received: from whmx-evening.pas.sa.earthlink.net ([127.0.0.1]) by whmx-evening.pas.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1mq3wO31j3NZFkO0; Sun, 12 Jul 2009 11:11:58 -0700 (PDT)
Received: from fall-patron.pas.sa.earthlink.net ([126.96.36.199]) by whmx-evening.pas.sa.earthlink.net (EarthLink SMTP Server) with ESMTP id 1mq3wN2hz3NZFkO0 for ; Sun, 12 Jul 2009 11:11:57 -0700 (PDT)
Received: from wsmarth-goshawk.pas.sa.earthlink.net ([188.8.131.52]) by fall-patron.pas.sa.earthlink.net with esmtp (Exim 4.34) id 1MQ3Wg-00081H-5e for email@example.com; Sun, 12 Jul 2009 11:11:50 -0700
Received: from whmx-nag.pas.sa.earthlink.net ([184.108.40.206]) by wsmarth-goshawk.pas.sa.earthlink.net with smtp (Exim 3.36 #4) id 1MQ3W1-0006V3-00 for firstname.lastname@example.org; Sun, 12 Jul 2009 11:11:09 -0700
Received: from whmx-nag.pas.sa.earthlink.net ([127.0.0.1]) by whmx-nag.pas.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1mq3vNa63NZFmC0; Sun, 12 Jul 2009 11:10:55 -0700 (PDT)
Received: from rv-out-0708.google.com ([220.127.116.11]) by whmx-nag.pas.sa.earthlink.net (EarthLink SMTP Server) with ESMTP id 1mq3vN5dd3NZFmC0 for ; Sun, 12 Jul 2009 11:10:55 -0700 (PDT)
Received: by rv-out-0708.google.com with SMTP id l33so644442rvb.16 for ; Sun, 12 Jul 2009 11:10:54 -0700 (PDT)
Received: by 10.140.178.8 with SMTP id a8mr2392909rvf.116.1247422254483; Sun, 12 Jul 2009 11:10:54 -0700 (PDT)
You can see that some of these lines are used to display what you normally see at the top of an email. But the rest are ordinarily hidden.
Those usually hidden lines are often called “headers”. Particularly all the lines that start with “Received” are key to understanding where this email came from, as they trace the entire path it took from the sender to the receiver.
There are also other headers that will tell you what software the sender may have used, whether or not their email server is secure, whether the email was virus-checked and so on.
All of this is information that we may need in an investigation.
So what do I do now?
In most email clients, there may be one of two ways you can capture this information:
- Display the headers, then copy/paste them into a new email
- Forward the bad email whole as an email attachment
The procedure varies for different email programs. I will try to cover the most popular email products below, but I can’t cover everything and sometimes the instructions have changed across different versions. I’ll only cover the current versions.
For programs I don’t cover, if the drag and drop trick doesn’t work, look for something in the menus or toolbar that mentions “headers”, “long headers”, “full headers” or sometimes “view source” or “view original”. When you choose that item, you should see something like the text above. If you don’t see headers like the above, keep looking.
In many email programs, the header view is separate from the rest of the email. Which means you may need to cut and paste the body of the message separately.
Sometimes the body of the message is not important, for instance “Mabus” typically sends the same thing over and over. But sometimes the body is very important, such as when filing a police report over a threat – it is the body content that makes it a threat.
Make sure you copy and paste the entire set of headers. Often this involves using Select All (Ctrl-A on Windows or Command-A on Mac) and then Copy (Ctrl-C or Command-C). Although they may seem very repetitive to the untrained eye, there are often little clues in there that can only be interpreted properly if you have the complete list.
Desktop Email Clients
Tested: Outlook 2007, 2010; OSX Mail 4.5; Thunderbird 15.0.1)
By “desktop client” I mean email software that you install on your computer, as opposed to email that you access in a web browser. Most of these programs have very a very rich way of handling attachments, since working with files is key to the desktop experience.
And that’s the key to the easiest way to report emails. Take the following steps:
- Start a new email (the report)
- Find the troublesome email in your inbox
- Drag and drop the bad email to the report
- It should appear as an attachment to the report
- Repeat as needed to report multiple emails
- Describe the circumstances and send the report to the appropriate authority or investigator
In some email programs you can drop the suspicious email anywhere on the new email window. In others (e.g. Thunderbird) you must drop the dragged email on the header portion of the window. (You will see an attachment list box appear when you are in the right spot in Thunderbird).
If you cannot get the drag and drop to work in your client, often there is a menu item that does the same thing, typically called “forward as attachment.” The exact details vary, the procedures for many clients are described here.
GMail (or GoogleMail in some countries) has a button in the upper right corner of every message, to the right of the subject line. The large part of the button is for replying, but if you click the downward pointing arrow a menu appears with other options. The option you want is named Show original. (See screen shot, you can click it to enlarge it).
Choose that option and you will be given a new window showing both the headers of the email and its contents in plain text as they were sent across the Internet. Use Select All and Copy to copy this text into a new email.
Alternately you can save this text into a file for safekeeping, an attach that file to your report.
Microsoft’s web mail product shows you headers in a way almost identical to GMail. There is a drop-down menu in the upper right when you are looking at a message, it is right next to the Reply button. Click the down arrow to display the menu and pick the item that says View message source near the bottom of the menu. (See screen shot, click to enlarge)
You will be displayed a new page that shows all the headers and the content of the email as well. Hit Select All then Copy, and paste it into your report email. Or if you choose you can save it to a text file and send it as an attachment – this is useful if you want to keep a record and/or report more than one email at a time.
Microsoft Outlook 2010 Web Access
If you are using the web version of Microsoft Outlook 2010, also known as Outlook Web Access or OWA, you can send the offending email as an attachment. However, the drag and drop trick from regular Outlook doesn’t work here.
Instead click the second mouse button while on the offending email in the list, and select from the menu which appears the option named Forward as Attachment.
You can also get this same option from the Actions button in the upper right as you are looking at the message itself.
Yahoo Mail is a little bit different than the others here. While reading a message, there is a button in the upper right with a gear on it and a downward pointing arrow. Click that button and you will see the menu in the screen shot here. (Click to enlarge).
The menu item you want is called View full header and it produces just the headers for the email (no content) in a pop-up box. You’ll need to hit Select All and then Copy to copy this text somewhere else for your report. And if you need to include the message body in your report, you’ll need to copy that separately.
The usual advice to possibly save it as a file and then attach that to your report applies here as well.
You can practice these techniques so that you’ll be ready to generate a good report when needed. Just send the reports to yourself, and make sure you can open the resulting email and see the Received headers and other information from the original email.
If you have tips on particular email clients that I did not cover here, be sure to share them in the comments. Again, keep in mind that the exact menus and click sequences change from version to version so you may have to slightly alter the procedures I give here, especially as this post ages.
In a future post, I will show you how to interpret and investigate a troublesome email using this information on your own.
Meanwhile, you can read the long sordid history of “David Mabus” at this post here on Skeptools.