Week 11: Lab 2 - Email Header Analysis
Please review each header and try to answer the questions for each one.
Answers will be provided at the end of the lab. You may use one of the following tools:
1. Email Header 1
Header:
From: admin@barclays.co.uk
To: victim@example.com
Subject: Urgent: Your Bank Account is Locked
Received: from mail.barclays.co.uk (mail.barclays.co.uk. [185.125.198.1]) by smtp.example.com with ESMTP id 12345
X-Sender: admin@barclays.co.uk
Date: Wed, 19 Mar 2025 14:30:00 +0000
Message-ID: <a1b2c3d4e5f678g9h0@barclays.co.uk>
SPF: pass (mail.barclays.co.uk is authorised to send mail)
DKIM: fail (signature verification failed)
DMARC: fail (policy for domain barclays.co.uk is reject)
Questions:
- What can you infer from the "Received" line about the source of the email?
- Is the "From" email address legitimate? Investigate whether "admin@barclays.co.uk" is the expected sender for this bank.
- What does the SPF result ("pass") indicate about the mail server's authorisation?
- Why did the DKIM verification fail? What could this suggest?
- What does the DMARC fail message mean, and how does it help in detecting fraudulent emails?
2. Email Header 2
Header:
From: support@gov.uk
To: john.doe@example.com
Subject: Update on Your Tax Return Status
Received: from mail.gov.uk (mail.gov.uk. [51.140.12.34]) by smtp.example.com with ESMTP id 34567
X-Spam-Status: No, score=0.5 (low spam score)
Date: Sun, 16 Mar 2025 09:05:00 +0000
Message-ID: <abc123@gov.uk>
SPF: pass (mail.gov.uk is authorised to send mail)
DKIM: pass (signature verification successful)
DMARC: pass (policy for domain gov.uk is none)
Questions:
- The email claims to be from a government source. Is the sender domain legitimate?
- What role does the low spam score play in determining the email's trustworthiness?
- How do the SPF, DKIM, and DMARC results confirm the authenticity of this email?
- What could the lack of an attachment or suspicious link mean for this email's security?
3. Email Header 3
Header:
From: noreply@updates.microsoft.co.uk
To: user1234@example.com
Subject: Important: Your Software Needs an Update
Received: from mail-oi1-f45.google.com (mail-oi1-f45.google.com. [209.85.128.45]) by smtp.example.com with ESMTP id 67890
X-Spam-Status: Yes, score=9.5 (high spam score)
Date: Tue, 18 Mar 2025 08:00:00 +0000
Message-ID: <xyz789@updates.microsoft.co.uk>
SPF: fail (mail-oi1-f45.google.com is not authorised to send mail for microsoft.co.uk)
DKIM: fail (signature verification failed)
DMARC: fail (policy for microsoft.co.uk is reject)
Questions:
- The email has a high spam score. What does this tell you about the legitimacy of the message?
- Is the sender's domain trustworthy? Investigate whether "updates.microsoft.co.uk" is linked to legitimate software companies.
- How does the "Received" line help confirm the origin of this email?
- What does the SPF failure tell you about the sender?
- What does the DKIM failure suggest, and how does it relate to email forgery?
- How does the DMARC failure help confirm the email is likely fraudulent?
4. Email Header 4
Header:
From: jane.doe@bbc.co.uk
To: user789@example.com
Subject: Monthly Financial Report
Received: from mail.bbc.co.uk (mail.bbc.co.uk. [212.58.246.110]) by smtp.example.com with ESMTP id 23456
X-Attachment-Id: 56789
Date: Mon, 17 Mar 2025 11:15:00 +0000
Message-ID: <123abc456@bbc.co.uk>
SPF: pass (mail.bbc.co.uk is authorised to send mail)
DKIM: pass (signature verification successful)
DMARC: pass (policy for domain bbc.co.uk is none)
Questions:
- Does the email appear to be legitimate based on the sender and domain?
- The email contains an attachment. What additional information in the headers can you use to verify if the attachment is safe?
- What does the "Received" line indicate about the transmission of the email?
- What could the attachment's ID suggest about its contents?
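The checks the questions above ask for (does the sending host in "Received" align with the From domain, and what do the SPF, DKIM and DMARC lines say) written out as a small Python triage script. This is an added example, not part of the lab: the embedded header copies are abridged, constructed versions of headers 1 and 3, the alignment rule is a simplification of DMARC relaxed alignment (a real tool would use the Public Suffix List), and the lab's one-line SPF/DKIM/DMARC fields stand in for a real Authentication-Results header.

```python
import re
# Abridged, constructed copies of lab headers 1 and 3 (only the lines triage() reads).
HEADER_1 = """\
From: admin@barclays.co.uk
Received: from mail.barclays.co.uk (mail.barclays.co.uk. [185.125.198.1]) by smtp.example.com with ESMTP id 12345
SPF: pass (mail.barclays.co.uk is authorised to send mail)
DKIM: fail (signature verification failed)
DMARC: fail (policy for domain barclays.co.uk is reject)
"""
HEADER_3 = """\
From: noreply@updates.microsoft.co.uk
Received: from mail-oi1-f45.google.com (mail-oi1-f45.google.com. [209.85.128.45]) by smtp.example.com with ESMTP id 67890
SPF: fail (mail-oi1-f45.google.com is not authorised to send mail for microsoft.co.uk)
DKIM: fail (signature verification failed)
DMARC: fail (policy for microsoft.co.uk is reject)
"""

def parse_header(text):
    """Map the lab's simplified 'Name: value' lines to a dict keyed by lower-cased name."""
    return {n.strip().lower(): v.strip()
            for n, _, v in (line.partition(":") for line in text.splitlines()) if v}

def aligned(from_domain, host):
    """Simplified relaxed alignment: identical, or one domain is a subdomain of the other."""
    a, b = from_domain.lower(), host.lower().rstrip(".")
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def triage(text):
    """Summarise one header: which host really sent it and what SPF/DKIM/DMARC say about it."""
    f = parse_header(text)
    from_domain = f["from"].rsplit("@", 1)[-1]
    host, ip = re.match(r"from (\S+) \(\S+ \[([\d.]+)\]\)", f["received"]).groups()
    results = {k: f.get(k, "none").split()[0].lower() for k in ("spf", "dkim", "dmarc")}
    policy = re.search(r"\bis (\w+)\)", f.get("dmarc", ""))
    report = {"from_domain": from_domain, "received_host": host, "received_ip": ip,
              "aligned": aligned(from_domain, host), **results,
              "dmarc_policy": policy.group(1) if policy else "unknown"}
    if report["dmarc"] == "fail" and report["dmarc_policy"] == "reject":
        report["verdict"] = "reject"        # the domain owner asked receivers to reject such mail
    elif "fail" in results.values() or not report["aligned"]:
        report["verdict"] = "review"        # a check failed or the sending host does not match From
    elif report["dmarc_policy"] == "none":
        report["verdict"] = "authenticated-unenforced"  # checks pass, but the owner enforces nothing
    else:
        report["verdict"] = "authenticated"
    return report

if __name__ == "__main__":
    print(triage(HEADER_1), triage(HEADER_3), sep="\n")
```

Note that header 1 comes out as "reject" even though SPF passes and the Received host aligns: a DKIM failure under a reject policy is enough, which is the point of the DMARC questions above.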
Best,
Ali.