Email Header Analysis

The structure of an email header is the same across all email clients. Here we take a SquirrelMail webmail header as the sample.


CASE 1: Mails claiming to be from IIT Kanpur.

Figure 1.1.8: Full Mail Headers
Figure 1.1.8-(1) This part of the email is what the mail client displays. The spammer can forge this part.
Figure 1.1.8-(2) This part of the email is used by the mail servers to deliver the email.
Figure 1.1.8-(3) This is the sending machine's IP address.
Figure 1.1.8-(4) This is the sender's SMTP email server.
Figure 1.1.8-(5) This is the actual sender of the email as seen by the SMTP server. Check whether you know this user on the server mentioned in point 4. If you do not know this user, the displayed sender address is a masquerade of the actual email address.
Figure 1.1.8-(6) This is the Return-Path of the email, used by the recipient server.
Figure 1.1.8-(7) This is the recipient's address.


CASE 2: Mails from outside IIT Kanpur

We also receive emails from outside IIT Kanpur. Please note that the IIT Kanpur spam filter records the envelope sender of an external email in the "X-Barracuda-Envelope-From" header. The following images will help you understand.

Figure 1.1.9: Full Mail Header from outside IITK mails
Figure 1.1.9-(1) Email clients use this data to display the sender to the user. Do not trust this field.
Figure 1.1.9-(2) This is the actual sender, so check this field. If you do not know this sender, make an informed decision before acting on the mail.
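The checks from both cases above, as an added example that is not part of the original page: a small Python script that pulls the displayed From, the Return-Path, the X-Barracuda-Envelope-From field and the sending host/IP from the first Received line out of a constructed header block, and flags the mismatch between the displayed sender and the envelope sender. The header block, hostnames and addresses are all made up for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample header block (not a real message): the visible From:
# claims an internal sender, while the envelope fields show an outside relay.
SAMPLE_HEADERS = """\
Return-Path: <mailer@example.net>
Received: from mx.example.net (mx.example.net [203.0.113.7])
    by webmail.example.org (Postfix) with ESMTP id 0123ABC
    for <recipient@example.org>; Mon, 01 Jan 2024 10:00:00 +0000
X-Barracuda-Envelope-From: mailer@example.net
From: "Trusted Colleague" <colleague@example.org>
To: recipient@example.org
Subject: Account notice

"""

# "from <host> ... [<ip>]" as written by the receiving server into Received:
RECEIVED_RE = re.compile(r"from\s+(\S+).*?\[([0-9a-fA-F:.]+)\]", re.S)


def domain_of(addr):
    """Lowercased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse_headers(raw):
    """Extract the fields the page walks through (points 1 to 7) from raw headers."""
    msg = message_from_string(raw)
    visible_from = parseaddr(msg.get("From", ""))[1]          # shown by the client; forgeable
    return_path = parseaddr(msg.get("Return-Path", ""))[1]    # point 6
    # The spam filter's envelope-from header is the actual sender; fall back
    # to Return-Path when the message did not pass through that filter.
    envelope_from = parseaddr(msg.get("X-Barracuda-Envelope-From", ""))[1] or return_path
    # The first Received: line was added by the recipient's server and records
    # the sending machine's host and IP (points 3 and 4).
    sender_host, sender_ip = "", ""
    received = msg.get_all("Received") or []
    match = RECEIVED_RE.search(received[0]) if received else None
    if match:
        sender_host, sender_ip = match.group(1), match.group(2)
    return {
        "visible_from": visible_from,
        "envelope_from": envelope_from,
        "return_path": return_path,
        "sender_host": sender_host,
        "sender_ip": sender_ip,
        # A displayed address whose domain differs from the envelope sender's
        # is the masquerading signal described in the two cases.
        "from_mismatch": domain_of(visible_from) != domain_of(envelope_from),
    }


if __name__ == "__main__":
    for key, value in analyse_headers(SAMPLE_HEADERS).items():
        print(f"{key:14} {value}")
```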