Emails have become an integral part of our personal and professional lives. While we usually focus on the content of an email, there’s a wealth of information hidden in its header. Email headers contain crucial details about the email’s origin, delivery path, and authenticity.
Head, what?
Email headers, also known as message headers, are a block of text at the beginning of an email that provides essential metadata about the email’s journey. To view an email’s headers, you can usually find an option like “View Message Source” or “Show Original” in your email client.
Here is an example of a RAW header from a pretty bogus-looking message:
Received: by 2002:a05:7000:704c:b0:518:6939:5a47 with SMTP id t12csp2267847mat;
Wed, 20 Sep 2023 20:27:49 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IFlYgh6cSUYc5vF0uwuiA/TjmWnfkjBIWVaaOrJm2Fnkjt4x668N5PScciUJJrH8ex14K77
X-Received: by 2002:aa7:c614:0:b0:530:f880:ca74 with SMTP id h20-20020aa7c614000000b00530f880ca74mr3610809edq.28.1695266869411;
Wed, 20 Sep 2023 20:27:49 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1695266869; cv=pass;
d=google.com; s=arc-20160816;
b=XXXXX
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=feedback-id:precedence:subject:cc:message-id:list-unsubscribe:from
:list-id:list-id:date:mime-version:to;
bh=f9JKLxsmxVEDS8HfdQZuiBvO3txjQarfOuTylLcMQdw=;
fh=e69IIXWAFhL7Gv60vfGA8nV4JOjkyr9JYr37FBPFklI=;
b=XXXX
ARC-Authentication-Results: i=2; mx.google.com;
arc=pass (i=1);
spf=pass (google.com: domain of postmaster@eur01-ve1-obe.outbound.protection.outlook.com designates 2a01:111:f400:7e01::207 as permitted sender) smtp.helo=EUR01-VE1-obe.outbound.protection.outlook.com
Return-Path: <>
Received: from EUR01-VE1-obe.outbound.protection.outlook.com (mail-ve1eur01lp20207.outbound.protection.outlook.com. [2a01:111:f400:7e01::207])
by mx.google.com with ESMTPS id bm17-20020a0564020b1100b0052e9eff1e61si384400edb.395.2023.09.20.20.27.49
for <phishandchips.io@gmail.com>
(version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
Wed, 20 Sep 2023 20:27:49 -0700 (PDT)
Received-SPF: pass (google.com: domain of postmaster@eur01-ve1-obe.outbound.protection.outlook.com designates 2a01:111:f400:7e01::207 as permitted sender) client-ip=2a01:111:f400:7e01::207;
Authentication-Results: mx.google.com;
arc=pass (i=1);
spf=pass (google.com: domain of postmaster@eur01-ve1-obe.outbound.protection.outlook.com designates 2a01:111:f400:7e01::207 as permitted sender) smtp.helo=EUR01-VE1-obe.outbound.protection.outlook.com
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=XXXXX
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=XXXXXX
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=softfail (sender ip is 45.79.81.156) smtp.rcpttodomain=gmail.com smtp.helo=notes.io; dmarc=none action=none header.from=eafdvcsdvc.onmicrosoft.com; dkim=none (message not signed); arc=none
X-MS-Exchange-Authentication-Results: spf=softfail (sender IP is 45.79.81.156) smtp.helo=notes.io; dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=EAFDVCSDVC.onmicrosoft.com;
To: <phishandchips.io@aol.com>
MIME-Version: 2.0
Date: Thu, 21 Sep 2023 05:25:05 +0200
X-Feedback-ID: 1781223:SG
List-ID: <7202588.xt.local>
List-ID: <.7289367.xt.local>
From: SolarBill <infoygwszzlnyhfpvdjvpztee@eafdvcsdvc.onmicrosoft.com>
X-Mailer: BM23 Mail
List-Unsubscribe: <maiANlto:1cxmbtz2tak6wbt21fgmhn8rshqzt5f-u@comms.teamsnap.com>, <http://comms.teamsnap.com/public/webform/render_form/default/XXXXX>
Content-Type: multipart/alternative; boundary="_36adda4e-755a-4bf6-b3f6-570ea8903171_"
X-campaignID: bm23_bbmqysfahtjioxvqkuvfgymqygehbfg
Message-ID: <e01f7ce7-c7fb-47fb-rnfvdyarenbsmngcvrw-743d24f27996@atl1s07mta2411.xt.local>
Cc: <phishandchips.io@gmail.com>
Subject: Re:
Precedence: bulk
Feedback-ID: 325-anexp#nret-fa:account-notifier
X-EOPAttributedMessage: 0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: DB5PEPF00014B9E:EE_|PA4PR02MB6861:EE_
X-MS-Office365-Filtering-Correlation-Id: 51d4ce3b-3f03-4ef4-9595-08dbba52ba9a
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: [block]
X-Forefront-Antispam-Report: CIP:45.79.81.156;CTRY:US;LANG:en;SCL:5;SRV:;IPV:CAL;SFV:SPM;H:notes.io;PTR:45-79-81-156.ip.linodeusercontent.com;CAT:OSPM;SFS:(13230031)(376002)(39860400002)(346002)(136003)(396003)(1800799009)(451199024)(1690799017)(7200799017)(5400799018)(82310400011)(46966006)(83380400001)(70206006)(42186006)(336012)(19810500001)(110136005)(26005)(70586007)(42882007)(82740400003)(3480700007)(166002)(47076005)(35950700001)(40480700001)(33964004)(41320700001)(17440700003)(40140700001)(34070700002)(46730400001)(508600001)(9686003)(81166007)(2906002)(84970400001)(8400799017)(8676002)(4326008)(8936002)(78352004)(41300700001)(5660300002)(7116003)(1406899027)(5006899006)(104086003)(42472002)(38122002);DIR:OUT;SFP:1501;
X-OriginatorOrg: EAFDVCSDVC.onmicrosoft.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 21 Sep 2023 03:27:48.1178 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 51d4ce3b-3f03-4ef4-9595-08dbba52ba9a
X-MS-Exchange-CrossTenant-Id: 2b44a31f-6747-4f4c-ad1f-f3dad63dc557
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=2b44a31f-6747-4f4c-ad1f-f3dad63dc557;Ip=[45.79.81.156];Helo=[notes.io]
X-MS-Exchange-CrossTenant-AuthSource: DB5PEPF00014B9E.eurprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PA4PR02MB6861
--_36adda4e-755a-4bf6-b3f6-570ea8903171_
--_36adda4e-755a-4bf6-b3f6-570ea8903171_
Content-Type: text/html; charset=utf-8
--_36adda4e-755a-4bf6-b3f6-570ea8903171_
Content-Type: text/html; charset=utf-8
Save Your Money With SOLAR
<CeNteR>
<IMG sRc="https://sdfsdf3.s3.eu-west-3.amazonaws.com/wresdf.png#yJMrDv1DOP3F" useMaP="#IOPIUY465789"><MAp NAMe=IOPIUY465789>
<arEa hReF="https://sdfsdf3.s3.eu-west-3.amazonaws.com/sedfgvs.html?tsNeVNv4qP8LE2atDhRjYqd2boVUtHtAVoyWzrSbyik6UpgyNl0dHYkSZsj5It3zviTFbij28OZm8qJ43sMK2M9ugE7DzDrsAVaa#cl/3332_md/18/3860/296/3/252119" COORDs="1,0,599,1200" SHape=rect>
<ArEa HRef=https://sdfsdf3.s3.eu-west-3.amazonaws.com/sedfgvs.html?MBgGSyDGcagp3a5Ix3b6qxuY1lHBSxLebvd5WKTtuIKpU3EduVPiC9220JEzZsTMkRmmtFIxdh2Mav1gzPsJSiwrC8WKzpEaRR2I#un/3332_md/18/3860/296/3/252119 cOOrDS="561,1218,533,1206" shape=0>
</CeNteR>
<object>
<ApplEt>
<p>Mayor Mike Blake<br />65 Stone Street<br />Cocoa, FL 32922<br />Dear Tree City USA Community Member,<br />On behalf of the Arbor Day Foundation, I’m thrilled to congratulate Cocoa on earning recognition as a<br />2022 Tree City USA. Residents of Cocoa should be proud to live in a community that makes the planting<br />and care of trees a priority.<br />Founded in 1976, Tree City USA is a partnership between the Arbor Day Foundation, the U.S. Forest<br />Service, and the National Association of State Foresters. Cocoa is part of an incredible network of more<br />than 3,600 Tree City USA communities nationwide, with a combined population of 155 million.<br />Over the last few years, the value and importance of trees has become increasingly clear. Cities and towns<br />across the globe are facing issues with air quality, water resources, personal health and well-being, and<br />energy use. Cocoa has taken steps to create to a brighter, greener future.<br />We hope you are as excited as we are to share this accomplishment with your local media and your<br />residents. Enclosed in this packet is a press release for you to distribute at your convenience.<br />We’re excited to celebrate your commitment to the people and trees of Cocoa. 
Thank you, again, for your<br />efforts.<br />Best Regards,<br />Dan Lambe<br />Arbor Day Foundation Chief Executive<br />FOR IMMEDIATE RELEASE<br />Contact:<br />Leighton Eusebio<br />Arbor Day Foundation<br />402-473-2103<br />lesuebio@arborday.org<br />Arbor Day Foundation Names Cocoa a 2022 Tree City USA®<br />LINCOLN, Nebraska (12/13/2022) – Cocoa was named a 2022 Tree City USA by the Arbor Day<br />Foundation to honor its commitment to effective urban forest management.<br />Cocoa achieved Tree City USA recognition by meeting the program’s four requirements: maintaining a<br />tree board or department, having a tree care ordinance, dedicating an annual community forestry budget of<br />at least $2 per capita, and hosting an Arbor Day observance and proclamation.<br />The Tree City USA program is sponsored by the Arbor Day Foundation, in partnership with the U.S.<br />Forest Service and the National Association of State Foresters.<br />“Tree City USA communities see the positive effects of an urban forest firsthand,” said Dan Lambe, chief<br />executive of the Arbor Day Foundation. “The trees being planted and cared for by Cocoa are ensuring that<br />generations to come will enjoy to a better quality of life. Additionally, participation in this program brings<br />residents together and creates a sense of civic pride, whether it’s through volunteer engagement or public<br />education.”<br />If ever there was a time for trees, now is that time. 
Communities worldwide are facing issues with air<br />quality, water resources, personal health and well-being, energy use, and extreme heat and flooding.<br />Cocoa is doing its part to address these challenges for residents both now and in the future.<br />More information on the program is available at arborday.org/TreeCityUSA.<br />About the Arbor Day Foundation<br />Founded in 1972, the Arbor Day Foundation has grown to become the largest nonprofit membership<br />organization dedicated to planting trees, with more than one million members, supporters and valued<br />partners. Since 1972, almost 500 million Arbor Day Foundation trees have been planted in neighborhoods,<br />communities, cities and forests throughout the world. Our vision is to lead toward a world where trees are<br />used to solve issues critical to survival.<br />As one of the world’s largest operating conservation foundations, the Arbor Day Foundation, through its<br />members, partners and programs, educates and engages stakeholders and communities across the globe to<br />involve themselves in its mission of planting, nurturing and celebrating trees. More information is<br />available at arborday.org.</p>
--_36adda4e-755a-4bf6-b3f6-570ea8903171_--
RAW Message Header of some spam
What is the meaning of all this?
Let’s break it all down:
Delivered-To: phishandchips.io@gmail.com:
- This field indicates that the email was delivered to the specified Gmail address.
Received: by 2002:a05:7000:704c:b0:518:6939:5a47 with SMTP id t12csp2267847mat; Wed, 20 Sep 2023 20:27:49 -0700 (PDT):
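- This Received line records the last hop of the delivery: the receiving Gmail server’s IP address, its SMTP id, and the timestamp. Each server adds its Received line at the top, so the header reads from the most recent hop down to the oldest.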
X-Google-Smtp-Source: AGHT+IFlYgh6cSUYc5vF0uwuiA/TjmWnfkjBIWVaaOrJm2Fnkjt4x668N5PScciUJJrH8ex14K77:
- This field may contain additional information about the email’s source, possibly for Gmail’s internal tracking purposes.
X-Received: by 2002:aa7:c614:0:b0:530:f880:ca74 with SMTP id h20-20020aa7c614000000b00530f880ca74mr3610809edq.28.1695266869411; Wed, 20 Sep 2023 20:27:49 -0700 (PDT):
- Similar to the second field, this provides information about the email’s receipt and routing.
ARC-Seal: i=2; a=rsa-sha256; t=1695266869; cv=pass; d=google.com; s=arc-20160816; b=XXXXX:
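- This field is related to ARC (Authenticated Received Chain), a protocol that helps authenticate email messages across intermediate servers. It is the seal Google (d=google.com) added as the second link in the chain (i=2); cv=pass means the ARC chain from the earlier hop validated.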
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=feedback-id:precedence:subject:cc:message-id:list-unsubscribe:from:list-id:list-id:date:mime-version:to; bh=f9JKLxsmxVEDS8HfdQZuiBvO3txjQarfOuTylLcMQdw=; fh=e69IIXWAFhL7Gv60vfGA8nV4JOjkyr9JYr37FBPFklI=; b=XXXX:
- This section is related to ARC and its cryptographic signatures. It is Google’s signature over the header fields listed in h= and the body hash (bh=), and it is used to verify the authenticity and integrity of the message as Google saw it.
ARC-Authentication-Results: i=2; mx.google.com; arc=pass (i=1); spf=pass (google.com: domain of postmaster@eur01-ve1-obe.outbound.protection.outlook.com designates 2a01:111:f400:7e01::207 as permitted sender) smtp.helo=EUR01-VE1-obe.outbound.protection.outlook.com:
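- This field records the authentication checks Google ran at this hop: the earlier ARC set validated (arc=pass) and SPF (Sender Policy Framework) passed. Note that the SPF identity shown is the Outlook server’s HELO name (smtp.helo), not the address in the From field.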
Return-Path: <>:
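- The “Return-Path” is empty, which is the form used by a bounce or non-delivery notification. With no envelope sender domain to check, SPF is evaluated against the sending server’s HELO name, which is why the SPF results in this header refer to smtp.helo.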
Received: from EUR01-VE1-obe.outbound.protection.outlook.com (mail-ve1eur01lp20207.outbound.protection.outlook.com. [2a01:111:f400:7e01::207])…:
- This line shows that Gmail received the email from an Outlook.com outbound server and provides server information: hostname, IPv6 address, and the TLS version and cipher used for the connection.
Received-SPF: pass (google.com: domain of postmaster@eur01-ve1-obe.outbound.protection.outlook.com designates 2a01:111:f400:7e01::207 as permitted sender) client-ip=2a01:111:f400:7e01::207;:
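- SPF passed, indicating that the domain Google checked (the Outlook.com server name eur01-ve1-obe.outbound.protection.outlook.com) authorized the server’s IP address to send emails on its behalf. That domain is the relay’s own name, not the domain in the From field.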
Authentication-Results: mx.google.com; arc=pass (i=1); spf=pass (google.com: domain of postmaster@eur01-ve1-obe.outbound.protection.outlook.com designates 2a01:111:f400:7e01::207 as permitted sender) smtp.helo=EUR01-VE1-obe.outbound.protection.outlook.com:
- This confirms the email’s authentication results, including ARC and SPF.
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=XXXXX:
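- Another ARC-related seal, this one added by Microsoft (d=microsoft.com) as the first link in the chain (i=1). cv=none is expected here because there was no earlier ARC set to validate.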
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=XXXXXX:
- An ARC-related message signature, ensuring the email’s authenticity.
X-MS-Exchange-Authentication-Results: spf=softfail (sender IP is 45.79.81.156) smtp.helo=notes.io; dkim=none (message not signed); arc=none:
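- Additional authentication results, recorded by Microsoft when it received the message from IP 45.79.81.156 (HELO notes.io). They mention SPF softfail, indicating that the email didn’t fully pass SPF checks, and dkim=none, meaning the message was not signed.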
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 21 Sep 2023 03:27:48.1178 (UTC):
- This line shows the original arrival time of the email in Coordinated Universal Time (UTC).
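From: SolarBill <infoygwszzlnyhfpvdjvpztee@eafdvcsdvc.onmicrosoft.com>:
- The “From” field indicates the sender’s name and email address as shown to the recipient. It is set by the sender, and the SPF pass above does not cover its domain.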
Subject: Re::
- The subject line of the email.
Date: Thu, 21 Sep 2023 05:25:05 +0200:
- The date and time when the email was sent.
Cc: <phishandchips.io@gmail.com>:
- The email address in the “Cc” field, indicating additional recipients.
Content-Type: multipart/alternative; boundary="_36adda4e-755a-4bf6-b3f6-570ea8903171_":
- The content type and boundary information for the email.
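The provided email appears to be from “SolarBill” and has passed some authentication checks like SPF and ARC, although there was an SPF soft-fail reported. The header confirms its route and origin from an Outlook.com server. Read closely, the SPF pass applies to the Outlook.com server’s HELO name rather than to the From domain, Microsoft’s own results show spf=softfail for 45.79.81.156, and dkim=none and dmarc=none mean nothing in the header vouches for the address in the From field.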
Would you click on any links in this message? 🙄
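The checks walked through above can be scripted. The following Python sketch is an added example, not code from the original post: it parses the Authentication-Results fields from a trimmed copy of the sample header and lists where the results fail to vouch for the From domain. The function names and the simplified subdomain-based alignment test are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a trimmed copy of fields from the header shown above.
SAMPLE = """\
Return-Path: <>
Authentication-Results: mx.google.com;
       arc=pass (i=1);
       spf=pass (google.com: domain of postmaster@eur01-ve1-obe.outbound.protection.outlook.com designates 2a01:111:f400:7e01::207 as permitted sender) smtp.helo=EUR01-VE1-obe.outbound.protection.outlook.com
X-MS-Exchange-Authentication-Results: spf=softfail (sender IP is 45.79.81.156) smtp.helo=notes.io; dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=EAFDVCSDVC.onmicrosoft.com;
From: SolarBill <infoygwszzlnyhfpvdjvpztee@eafdvcsdvc.onmicrosoft.com>
"""

def parse_authres(value):
    """Map each method (spf, dkim, ...) to (result, {property: value})."""
    out = {}
    for clause in re.sub(r"\([^()]*\)", " ", value).split(";"):  # drop comments
        tokens = [t for t in clause.split() if "=" in t]
        if not tokens:
            continue  # authserv-id (e.g. mx.google.com) or an empty clause
        method, result = tokens[0].split("=", 1)
        out[method.lower()] = (result.lower(), dict(t.split("=", 1) for t in tokens[1:]))
    return out

def triage(raw):
    """Return findings on how well the recorded results vouch for the From: domain."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    findings = []
    if (msg["Return-Path"] or "").strip() == "<>":
        findings.append("null Return-Path: SPF can only be checked against the HELO name")
    for name in ("Authentication-Results", "X-MS-Exchange-Authentication-Results"):
        for value in msg.get_all(name, []):
            res = parse_authres(value)
            result, props = res.get("spf", ("missing", {}))
            dom = (props.get("smtp.mailfrom") or props.get("smtp.helo", "")).rpartition("@")[2].lower()
            # Assumption: simplified alignment (same domain or a subdomain of From:).
            aligned = dom == from_dom or dom.endswith("." + from_dom)
            if result != "pass":
                findings.append(f"{name}: spf={result} for {dom}")
            elif not aligned:
                findings.append(f"{name}: spf=pass covers {dom}, not From: {from_dom}")
            for method in ("dkim", "dmarc"):
                if res.get(method, ("missing",))[0] in ("none", "missing"):
                    findings.append(f"{name}: {method} gives no verdict for From: {from_dom}")
    return findings

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```

Run against the sample, every line of output is a reason not to trust the “SolarBill” sender, even though the top-level result reads spf=pass.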