Message-id Format of Different MUAs

ForensicMania
(@forensicmania)
Active Member
Joined: 16 years ago
Posts: 11
Topic starter  

Hi Seniors,

Does anyone know about the Message-ID formats used by different versions of Outlook Express and MS Outlook? I mean, how are message IDs computed and how can we verify them?

My point of interest is to check email message and header forgery through the Message-ID header added by Microsoft Outlook Express v 6.00.XXX.XXXX.

I have already checked the rest of the email headers and found no evidence of forgery, but the Message-ID seems to be crafted. Even after a painstaking search on Google, I was not able to find the Message-ID format of Outlook Express. The only thing I found over the internet, from the website forensicswiki.com, is:

The Message-ID has 4 parts: [hex time]$[random?]$[hw-hash?]@[hostname]

Well, the Message-ID under inspection is of the same format, and after analysis I have come to know that:

hex time = 12 hex digits
random (not sure about this) = 8 hex digits
hw-hash (not sure about how it can be calculated) = 8 hex digits
hostname = the name of the computer

Windows NTFS stores date and time internally as a 64-bit hex value in little-endian format (the number of 100-nanosecond intervals starting from Jan 01, 1601), so what is the format of the 12-digit hex time in the subject Message-ID field?

Moreover, analysis shows that the hw-hash part is always the same when the same computer is used to send the email messages through Outlook Express v 6.00.XXX.XXX, but I was not able to find how it is calculated by Outlook Express.

It is my request to all seniors, please help me find answers in this regard.

Thanks


   
Quote
ForensicMania
(@forensicmania)
Active Member
Joined: 16 years ago
Posts: 11
Topic starter  

Well, I am still hoping to get back some suggestions, because analysis of the Message-ID header field is the way to point out message forgery.

I hope that many of you must have worked on it.


   
ReplyQuote
(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
 

Good morning,

Most, if not all, of the message headers are created by MTAs (mail transfer agents), which deliver the mail from one client to another. You might start with the various RFCs that describe how the headers are constructed. I'd start with RFC 822, but there are others that can also apply.

-David


   
ReplyQuote
ForensicMania
(@forensicmania)
Active Member
Joined: 16 years ago
Posts: 11
Topic starter  

Well, I have been through the RFCs, but they were of no help specifically regarding the Message-ID header field.

In this case, analysis shows that the Message-ID, when added by the MUA, is not overwritten by the MTA concerned.

I was even able to decode the first part of the Message-ID, i.e., the 12-digit hex value, using the "Decode" freeware tool, but was not able to find out how it did it.

Can anyone refer me to anything specific?


   
ReplyQuote
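A worked example that ties this thread together (added here; it is not code from any poster, from forensicswiki.com or from Outlook Express itself): a Python parser for the four-part layout the first post describes, plus a decode of the hex-time field that the fourth post asks about, used as a plausibility check against the Date: header. It assumes, as a labelled assumption rather than anything the thread establishes, that the last 8 hex digits of the hex-time field are the high DWORD of a Windows FILETIME; the sample Message-ID and Date: header are constructed.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Layout from the first post: [hex time]$[random?]$[hw-hash?]@[hostname],
# with 12, 8 and 8 hex digits respectively.
OE_MSGID_RE = re.compile(
    r"^<?(?P<hextime>[0-9a-fA-F]{12})\$(?P<random>[0-9a-fA-F]{8})\$"
    r"(?P<hwhash>[0-9a-fA-F]{8})@(?P<host>[A-Za-z0-9._-]+)>?$")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME counts 100 ns ticks from here
HIGH_DWORD_TICKS = 1 << 32  # one step of the high DWORD is 2^32 ticks, about 7.2 minutes

def parse_oe_message_id(msgid):
    """Split a Message-ID into the four parts; None if it does not fit the layout."""
    m = OE_MSGID_RE.match(msgid.strip())
    return m.groupdict() if m else None

def hextime_to_filetime(hextime):
    """ASSUMPTION (not established in the thread): the last 8 hex digits are the
    high 32 bits (dwHighDateTime) of a 64-bit Windows FILETIME. The leading 4
    digits are ignored here, so the result is only accurate to about 7 minutes."""
    return int(hextime[4:], 16) * HIGH_DWORD_TICKS

def filetime_to_datetime(filetime):
    """Convert a FILETIME tick count (100 ns units) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def message_id_time(msgid):
    """UTC time embedded in the Message-ID, or None if the value cannot be parsed."""
    parts = parse_oe_message_id(msgid)
    if parts is None:
        return None
    return filetime_to_datetime(hextime_to_filetime(parts["hextime"]))

def consistent_with_date_header(msgid, date_header, tolerance=timedelta(minutes=30)):
    """Plausibility check: the time inside the Message-ID should sit close to the
    Date: header. The tolerance absorbs the coarse decode plus ordinary clock skew;
    a large gap is a reason to look harder at the header, not proof by itself."""
    embedded = message_id_time(msgid)
    if embedded is None:
        return False
    stated = parsedate_to_datetime(date_header)
    if stated.tzinfo is None:  # "-0000" dates parse as naive; treat them as UTC
        stated = stated.replace(tzinfo=timezone.utc)
    return abs(embedded - stated) <= tolerance

# Constructed sample: high DWORD 0x01C3CFFA decodes to 2003-12-31 23:58:34 UTC.
SAMPLE_ID = "<000a01c3cffa$2f3a4b5c$0a1b2c3d@workstation>"
SAMPLE_DATE = "Thu, 01 Jan 2004 01:05:00 +0100"  # 00:05 UTC, about 6.5 minutes later
```

Run across a mailbox, the hw-hash field can also be grouped per claimed sending host to test the first post's observation that it stays constant for one machine.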
Share: