Interesting Email Metadata

by @edent | # # # | 3 comments | Read ~513 times.

For many years, my email footer said "Sent via my Casio cPhone" - my attempt to poke fun at the users who hadn't updated their iPhone's default email signature.

This leads to an interesting question:

Because 2016 is maximum news, I'm sure there are some interesting stories based on email releases which have been missed. Metadata tells stories.

So, what metadata can we pick up from an email?

In GMail, it's quite easy to see all the raw data sent with an email as it travels through the Internet.

show original in gmail

Let's take a look at some of the more interesting fields.

Here's an email that I've sent from my mobile - I've redacted some bits for my privacy.

Received: from [192.168.1.42] (oxfd.cable.virginm.net. [82.6.ZZZ.ZZZ])
 by smtp.gmail.com with ESMTPSA id l6sm9069017wmg.11.2016.10.08.09.37.57
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Sat, 08 Oct 2016 09:37:58 -0700 (PDT)

Well, first off we can see the sender's internal IP address. That gives us a little insight into their network topology. Of more interest is the sender's external IP address.

This can leak all sorts of interesting information. Location, service provider, connection speed - even ISP contract details in some cases.

Let's suppose someone sends an email which says "Sorry, at home with the flu today." You check the IP address and find that they're connected to the WiFi at Disney World. Isn't that interesting...

A little further down the headers, we find (again, redacted)

Message-ID: <[email protected]>

Oh ho! What do we have here? The Message-ID is a unique string. Most email clients will choose a unique suffix.

This means, if you received this message from me, you could tell which email program I used and (possibly) which device.

So if I send you an email saying "sorry, my phone is broken" - you'll be able to tell if that's a lie.

There's another leak of client information at the multipart boundary

Content-Type: multipart/alternative; boundary="--_com.syntomo.email_596674815977850"

----_com.syntomo.email_596674815977850
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: base64

SGVyZSB3ZSBnbyEg

Much more

This brief blog post only scratches the surface of what can be found - and what you could do with the information.

Other "interesting" metadata includes:

  • User's Timezone - not as accurate as an IP address, but if their phone says they're at GMT+2 but they claim to be at GMT-7, is that interesting?
  • Reply threading - was this email originally a reply?
  • What language their equipment is set to. Some email headers contain Accept-Language: and Content-Language: information. Why is your "Urgent email from the FBI" sent from computer that's set to Chinese?
  • Software versions - do the sender's servers have known vulnerabilities?
  • Operating System - is the sender's equipment up to date?

I'm sure there are several other pieces of information which could prove interesting.

Manipulation

This is not a cast iron investigative tool. It is possible for programs to mangle the metadata - either deliberately or not. Some people will take care to mask their email footprint, others will not.

Metadata is everywhere. While your emails are unlikely to get leaked to the press (I hope!) you should consider just how easy it is for a little white lie to be uncovered.

Sent from my iPhone.

3 thoughts on “Interesting Email Metadata

  1. mike says:

    Some mail clients put a User-Agent string in the headers. E.g.

    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
    Thunderbird/45.4.0

    User-Agent: Alpine 2.20 (LFD 67 2015-01-07)

    There's an Add-On for Thunderbird which will (usually) tell you what mail client the send used.
    https://addons.mozilla.org/en-GB/thunderbird/addon/display-mail-user-agent/

  2. mike says:

    Just after I clicked post on my previous comment it occurred to me in posting a comment I've probably just told you where I am right now. Still, you seem like a nice guy. I'm sure you won't use the information gleaned from people commenting on your blog for evil. 😉 Or inadvertently expose it all by leaving a copy on a train (probably one running late), or by being hacked…

  3. Alan Griggs says:

    For a while I had a signature on my emails like this:

    "This email was composed on my desktop PC, so please excoriate me for any typos."

    That was a sarcastic response to the sigs that say "This email was composed on my mobile, so please excuse any typos."

    Not many people got the sarcasm, so I took it off.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.