Interesting Email Metadata
For many years, my email footer said "Sent via my Casio cPhone" - my attempt to poke fun at the users who hadn't updated their iPhone's default email signature.
This leads to an interesting thought.
2016 has been a year of maximum news, and I'm sure there are some interesting stories buried in the leaked email releases which have been missed. Metadata tells stories.
So, what metadata can we pick up from an email?
In GMail, it's quite easy to see all the raw data sent with an email as it travels through the Internet - open the message's menu and choose "Show original".
Let's take a look at some of the more interesting fields.
Here's an email that I've sent from my mobile - I've redacted some bits for my privacy.
Received: from [192.168.1.42] (oxfd.cable.virginm.net. [82.6.ZZZ.ZZZ])
by smtp.gmail.com with ESMTPSA id l6sm9069017wmg.11.2016.10.08.09.37.57
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Sat, 08 Oct 2016 09:37:58 -0700 (PDT)
Well, first off we can see the sender's internal IP address. 192.168.1.42 is a private (RFC 1918) address, so it tells us a little about their home or office network rather than where they are on the Internet. The ESMTPSA and version=TLS1_2 parts tell us the phone authenticated to Google's submission server and which TLS version its mail client could negotiate. Of more interest is the sender's external IP address - the address Google's server actually saw the connection arrive from.
This can leak all sorts of interesting information. Location, service provider, connection type or speed - even hints about the ISP contract in some cases, because some ISPs encode the product in their reverse DNS names. Here you don't even need a lookup: the hostname oxfd.cable.virginm.net already says Virgin Media, cable broadband and (going by the "oxfd" prefix) the Oxford area.
Let's suppose someone sends an email which says "Sorry, at home with the flu today." You check the IP address and find that they're connected to the WiFi at Disney World. Isn't that interesting...
A little further down the headers, we find (again, redacted)
Message-ID: <yqwertyuigm4u5v.1471234534@com.syntomo.email>
Oh ho! What do we have here? The Message-ID is meant to be globally unique, but only the part before the @ has to be random. The part after it is chosen by whatever generated the message, and most email clients use a suffix that identifies themselves - here it's com.syntomo.email, a Java-style package name, which names the app that wrote the message rather than any mail server.
This means, if you received this message from me, you could tell which email program I used and (possibly) which device.
So if I send you an email saying "sorry, my phone is broken" - you'll be able to tell if that's a lie.
There's another leak of client information in the multipart boundary, a separator string the sending client makes up and which often carries the client's name:
Content-Type: multipart/alternative; boundary="--_com.syntomo.email_596674815977850"
----_com.syntomo.email_596674815977850
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: base64
SGVyZSB3ZSBnbyEg
Much more
This brief blog post only scratches the surface of what can be found - and what you could do with the information.
Other "interesting" metadata includes:
- User's timezone - taken from the Date: header, which is stamped by the sender's own clock. Not as accurate as an IP address, but if their phone says they're at GMT+2 but they claim to be at GMT-7, is that interesting?
- Reply threading - was this email originally a reply? The In-Reply-To: and References: headers will tell you.
- What language their equipment is set to. Some email headers contain Accept-Language: and Content-Language: information. Why is your "Urgent email from the FBI" sent from a computer that's set to Chinese?
- Software versions - do the sender's servers have known vulnerabilities? The Received: chain names the servers, and a User-Agent: or X-Mailer: header names the client.
- Operating System - is the sender's equipment up to date?
I'm sure there are several other pieces of information which could prove interesting.
Manipulation
This is not a cast-iron investigative tool. It is possible for programs to mangle the metadata - either deliberately or not. The only Received: header you can really trust is the one added by a server you control; everything beneath it was written by whoever handed the message over, and can be forged. Some people will take care to mask their email footprint, others will not.
Metadata is everywhere. While your emails are unlikely to get leaked to the press (I hope!) you should consider just how easy it is for a little white lie to be uncovered.
Sent from my iPhone.
mike says:
Some mail clients put a User-Agent string in the headers. E.g.
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.4.0
User-Agent: Alpine 2.20 (LFD 67 2015-01-07)
There's an Add-On for Thunderbird which will (usually) tell you what mail client the sender used. https://addons.mozilla.org/en-GB/thunderbird/addon/display-mail-user-agent/
mike says:
Just after I clicked post on my previous comment it occurred to me in posting a comment I've probably just told you where I am right now. Still, you seem like a nice guy. I'm sure you won't use the information gleaned from people commenting on your blog for evil. 😉 Or inadvertently expose it all by leaving a copy on a train (probably one running late), or by being hacked…
Alan Griggs says:
For a while I had a signature on my emails like this:
That was a sarcastic response to the sigs that say "This email was composed on my mobile, so please excuse any typos."
Not many people got the sarcasm, so I took it off.