Email header Encryption


I. Introduction

This section details all aspects of the email header. It gives users a theoretical basis for setting up email servers and helps administrators find the real source of spam when it occurs. Knowledge of the mail header also helps in discovering forged emails, and it is useful for anyone who wants to know how emails are transmitted over the network.

Although this discussion tries to steer clear of how to forge an email, its content may be used by malicious readers as a basis for creating forged emails. Because the article needs examples, it uses several fictitious domain names and randomly assigned IP addresses. These domain names and IP addresses were chosen at random and made up, and have nothing to do with real domain names and IP addresses on the Internet.

II. Email transmission process

This section contains a simple analysis of an email's lifecycle. It is important background for understanding what information the mail header can give you.

On the surface, an email seems to travel directly from the sender's machine to the recipient's address, but this is usually not the case. A typical email passes through at least four computers in its lifecycle.

This is because most enterprises or organizations have a dedicated machine called an "email server" to process email, which is generally not the computer on which users read their mail. In the case of an ISP, a user dials in from a home computer to access the ISP's network. Here, the computer in the user's home is called the client, and the computer the ISP dedicates to processing mail is called the mail server. When a user sends an email, he usually composes it on his own computer and then sends it to the ISP's mail server. At that point the client has finished its work, and everything that follows is done by the ISP's mail server. The ISP's mail server first finds the IP address of the mail server for the recipient's address and then sends the email to that server. The email is now stored on the recipient's mail server, waiting for the recipient to collect it. When the recipient retrieves the email from that server to his PC, it is usually deleted from the server.

Assume the fictitious users <zhangsan@263.net> and <lisi@zky.ac.cn>. Zhangsan is a dial-up user of the ISP 263 and uses the client program Outlook Express to send and receive email. Lisi is a fictitious user at the Chinese Academy of Sciences who uses a workstation connected to the Internet through a LAN.

If lisi wants to send an email to zhangsan, he composes it on his workstation (assume its name is alpha.zky.ac.cn), and the finished message is sent from the workstation to mail.zky.ac.cn, the mail server of the Chinese Academy of Sciences. Once the mail has been handed to mail.zky.ac.cn, the rest of the delivery process has nothing to do with lisi. The CAS mail server sees that the mail is addressed to a user at 263.net, contacts one of 263's mail servers, such as mail.263.net, and delivers the mail to it. The mail is now stored on mail.263.net until zhangsan dials in to the 263 network from his own PC to check and retrieve his mail. mail.263.net then delivers the stored mail to zhangsan's PC.

In this process, header lines are added to the mail three times: by the mail client program when the mail is composed; by mail.zky.ac.cn when the mail is transmitted to mail.zky.ac.cn; and by mail.263.net when the mail is sent from mail.zky.ac.cn to mail.263.net. Generally, no header is added when the client retrieves the mail. Next we take a closer look at how these mail headers are generated.

When lisi's email client program composes the email and sends it to mail.zky.ac.cn, the mail content is as follows. These lines are added by the mail editor (Outlook Express):

From: lisi@zky.ac.cn (Li Si)
To: zhangsan@263.net
Date: Tue, Mar 18 1997 14:36:14 PST
X-Mailer: Outlook Express 5.5
Subject: Lunch?

After the email is sent from mail.zky.ac.cn to mail.263.net, its content changes to the following (the new lines are added by mail.zky.ac.cn):

Received: from alpha.zky.ac.cn (alpha.zky.ac.cn [124.211.3.11]) by mail.zky.ac.cn (8.8.5) id 004A21; Tue, Mar 18 1997 14:36:17 -0800 (PST)
From: lisi@zky.ac.cn (Li Si)
To: zhangsan@263.net
Date: Tue, Mar 18 1997 14:36:14 PST
Message-Id: <lisi031897143614-00000298@mail.zky.ac.cn>
X-Mailer: Outlook Express 5.5
Subject: Lunch?

When mail.263.net receives the message and stores it until zhangsan retrieves it, the mail content changes to the following (the new line is added by mail.263.net):

Received: from mail.zky.ac.cn (mail.zky.ac.cn [124.211.3.78]) by mail.263.net (8.8.5/8.7.2) with ESMTP id LAA20869 for <zhangsan@263.net>; Tue, 18 Mar 1997 14:39:24 -0800 (PST)
Received: from alpha.zky.ac.cn (alpha.zky.ac.cn [124.211.3.11]) by mail.zky.ac.cn (8.8.5) id 004A21; Tue, Mar 18 1997 14:36:17 -0800 (PST)
From: lisi@zky.ac.cn (Li Si)
To: zhangsan@263.net
Date: Tue, Mar 18 1997 14:36:14 PST
Message-Id: <lisi031897143614-00000298@mail.zky.ac.cn>
X-Mailer: Outlook Express 5.5
Subject: Lunch?

The content of the last letter is what zhangsan collects and reads. The following is a detailed analysis of the content:

Received: from mail.zky.ac.cn
The preceding content indicates that the email is sent from a server claiming to be mail.zky.ac.cn.

(mail.zky.ac.cn [124.211.3.78])
This part indicates that the real name of the server is indeed mail.zky.ac.cn, that is, the identity it claimed is correct, and that its IP address is 124.211.3.78.

by mail.263.net (8.8.5/8.7.2)
The machine that received the email is mail.263.net. It runs the mail program sendmail, version 8.8.5/8.7.2.

with ESMTP id LAA20869
The receiving server assigned the email the ID number LAA20869. This number is used internally by the mail server; an administrator can use it to search the log files for information about the email, but otherwise it is usually meaningless.

for <zhangsan@263.net>;
This message is addressed to zhangsan@263.net. Note that this part of the Received header is unrelated to the To: header.

Tue, 18 Mar 1997 14:39:24 -0800 (PST)
This transfer took place on Tuesday, March 18, 1997, at 14:39:24 Pacific Standard Time, which is 8 hours behind Greenwich Mean Time, hence "-0800".

Received: from alpha.zky.ac.cn (alpha.zky.ac.cn [124.211.3.11]) by mail.zky.ac.cn (8.8.5) id 004A21; Tue, Mar 18 1997 14:36:17 -0800 (PST)
This header records the transfer of the email from alpha.zky.ac.cn (lisi's workstation) to mail.zky.ac.cn. The transfer occurred at 14:36:17 Pacific Time. The sending computer claimed to be alpha.zky.ac.cn, its real name was indeed alpha.zky.ac.cn, its IP address was 124.211.3.11, and the mail server software was sendmail v8.8.5. The ID number that the mail server mail.zky.ac.cn assigned to the email is 004A21.

From: lisi@zky.ac.cn (Li Si)
The message was sent by lisi@zky.ac.cn, whose name is Li Si.

To: zhangsan@263.net
The mail destination address is: zhangsan@263.net.

Date: Tue, Mar 18 1997 14:36:14 PST
The email was composed at 14:36:14 Pacific Standard Time on Tuesday, March 18, 1997.

Message-Id: <lisi031897143614-00000298@mail.zky.ac.cn>
mail.zky.ac.cn assigned this number to the email to identify it. It differs from the SMTP/ESMTP id numbers in the Received headers because this number stays with the email for its whole life. The other IDs are tied only to the handling of the mail on one particular mail server, so one machine's ID number means nothing to other machines. Sometimes the Message-ID contains the sender's email address.

X-Mailer: Outlook Express 5.5
The message was sent using Outlook Express version 5.5.

Subject: Lunch?
Email title.
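
The checks walked through above can be automated. The following Python code is an added example, not part of the original article: it parses Received lines in the sendmail-style layout shown above, orders the hops oldest-first, and flags a hop whose claimed name differs from the name the receiving server recorded, or whose sender is not the previous receiver. The FORGED sample and the host dialup-7.example.net [203.0.113.9] are constructed for illustration.

```python
import re
from email import message_from_string

# Layout: from <claimed> (<resolved> [<ip>]) by <host> ... id <id> [for <rcpt>]; <date>
HOP = re.compile(
    r"from\s+(?P<claimed>\S+)\s+\((?P<resolved>\S+)\s+\[(?P<ip>[\d.]+)\]\)\s+"
    r"by\s+(?P<by>\S+).*?\bid\s+(?P<id>\w+)"
    r"(?:\s+for\s+<(?P<rcpt>[^>]+)>)?\s*;\s*(?P<date>.+)", re.S)

def parse_hops(raw):
    """Return Received hops oldest-first (each server prepends its own line)."""
    fields = message_from_string(raw).get_all("Received", [])
    hops = []
    for field in reversed(fields):
        m = HOP.search(" ".join(field.split()))  # unfold continuation lines
        hops.append(m.groupdict() if m else {"unparsed": field})
    return hops

def findings(hops):
    """Flag the inconsistencies a reader of the header chain looks for."""
    out = []
    for i, hop in enumerate(hops):
        if "unparsed" in hop:
            out.append(f"hop {i}: unrecognised Received layout")
            continue
        if hop["claimed"].lower() != hop["resolved"].lower():
            out.append(f"hop {i}: claimed {hop['claimed']} but connected from "
                       f"{hop['resolved']} [{hop['ip']}]")
        prev = hops[i - 1] if i else None
        if prev and "by" in prev and prev["by"].lower() != hop["resolved"].lower():
            out.append(f"hop {i}: sender {hop['resolved']} is not the previous "
                       f"receiver {prev['by']}")
    return out

# Headers from the article's fictitious example.
GENUINE = """\
Received: from mail.zky.ac.cn (mail.zky.ac.cn [124.211.3.78]) by mail.263.net (8.8.5/8.7.2) with ESMTP id LAA20869 for <zhangsan@263.net>; Tue, 18 Mar 1997 14:39:24 -0800 (PST)
Received: from alpha.zky.ac.cn (alpha.zky.ac.cn [124.211.3.11]) by mail.zky.ac.cn (8.8.5) id 004A21; Tue, Mar 18 1997 14:36:17 -0800 (PST)
From: lisi@zky.ac.cn (Li Si)
Subject: Lunch?

"""
# Constructed variant: the last hop's peer does not resolve to the name it claimed.
FORGED = GENUINE.replace("(mail.zky.ac.cn [124.211.3.78])",
                         "(dialup-7.example.net [203.0.113.9])")

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("forged", FORGED)):
        print(name, findings(parse_hops(raw)) or "chain is consistent")
```

A name mismatch on its own also occurs with misconfigured hosts, so treat a finding as a lead and confirm it in the receiving server's logs using the hop's id, as described above.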

III. Email Protocol

This part is more technical than the others and mainly discusses how emails are carried from one point to another. You do not need to understand every sentence, but being familiar with this material helps you understand what is going on when mail transmission behaves strangely. Spam senders often create strange situations on purpose to hide their identities, so understanding these oddities is very useful when dealing with them.

To transmit data over the network, computer network protocols use an access point called a port. You can think of a port as a channel on which the computer listens for network communication in order to provide a service. To listen for several communications at the same time, the computer uses port numbers to tell the different ports, and so the different communications, apart. The port used for email transmission is 25.

Normal

Let's return to the example above, but this time look only at the communication between mail.zky.ac.cn and mail.263.net. First, mail.zky.ac.cn opens a connection to port 25 of mail.263.net and then sends the email over this connection. Sending the mail also involves an exchange of management commands. The commands in this exchange are more or less human-readable and are defined by the SMTP protocol. If two
